1 /** 2 * \file ecp.h 3 * 4 * \brief This file provides an API for Elliptic Curves over GF(P) (ECP). 5 * 6 * The use of ECP in cryptography and TLS is defined in 7 * <em>Standards for Efficient Cryptography Group (SECG): SEC1 8 * Elliptic Curve Cryptography</em> and 9 * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites 10 * for Transport Layer Security (TLS)</em>. 11 * 12 * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP 13 * group types. 14 * 15 */ 16 17 /* 18 * Copyright The Mbed TLS Contributors 19 * SPDX-License-Identifier: Apache-2.0 20 * 21 * Licensed under the Apache License, Version 2.0 (the "License"); you may 22 * not use this file except in compliance with the License. 23 * You may obtain a copy of the License at 24 * 25 * http://www.apache.org/licenses/LICENSE-2.0 26 * 27 * Unless required by applicable law or agreed to in writing, software 28 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 29 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 30 * See the License for the specific language governing permissions and 31 * limitations under the License. 32 */ 33 34 #ifndef MBEDTLS_ECP_H 35 #define MBEDTLS_ECP_H 36 37 #if !defined(MBEDTLS_CONFIG_FILE) 38 #include "mbedtls/config.h" 39 #else 40 #include MBEDTLS_CONFIG_FILE 41 #endif 42 43 #include "mbedtls/bignum.h" 44 45 /* 46 * ECP error codes 47 */ 48 /** Bad input parameters to function. */ 49 #define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80 50 /** The buffer is too small to write to. */ 51 #define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 52 /** The requested feature is not available, for example, the requested curve is not supported. */ 53 #define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80 54 /** The signature is not valid. */ 55 #define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00 56 /** Memory allocation failed. */ 57 #define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80 58 /** Generation of random value, such as ephemeral key, failed. */ 59 #define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 60 /** Invalid private or public key. */ 61 #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 62 /** The buffer contains a valid signature followed by more data. */ 63 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 64 65 /* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */ 66 /** The ECP hardware accelerator failed. */ 67 #define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 68 69 /** Operation in progress, call again with the same parameters to continue. */ 70 #define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00 71 72 /* Flags indicating whether to include code that is specific to certain 73 * types of curves. These flags are for internal library use only. */ 74 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ 75 defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ 76 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ 77 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ 78 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \ 79 defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \ 80 defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \ 81 defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \ 82 defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \ 83 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \ 84 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 85 #define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED 86 #endif 87 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \ 88 defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 89 #define MBEDTLS_ECP_MONTGOMERY_ENABLED 90 #endif 91 92 #ifdef __cplusplus 93 extern "C" { 94 #endif 95 96 /** 97 * Domain-parameter identifiers: curve, subgroup, and generator. 98 * 99 * \note Only curves over prime fields are supported. 100 * 101 * \warning This library does not support validation of arbitrary domain 102 * parameters. Therefore, only standardized domain parameters from trusted 103 * sources should be used. See mbedtls_ecp_group_load(). 104 */ 105 /* Note: when adding a new curve: 106 * - Add it at the end of this enum, otherwise you'll break the ABI by 107 * changing the numerical value for existing curves. 108 * - Increment MBEDTLS_ECP_DP_MAX below if needed. 109 * - Update the calculation of MBEDTLS_ECP_MAX_BITS_MIN below. 110 * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to 111 * config.h. 112 * - List the curve as a dependency of MBEDTLS_ECP_C and 113 * MBEDTLS_ECDSA_C if supported in check_config.h. 114 * - Add the curve to the appropriate curve type macro 115 * MBEDTLS_ECP_yyy_ENABLED above. 116 * - Add the necessary definitions to ecp_curves.c. 117 * - Add the curve to the ecp_supported_curves array in ecp.c. 118 * - Add the curve to applicable profiles in x509_crt.c if applicable. 119 */ 120 typedef enum 121 { 122 MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */ 123 MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */ 124 MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */ 125 MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */ 126 MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */ 127 MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */ 128 MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */ 129 MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */ 130 MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */ 131 MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */ 132 MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */ 133 MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */ 134 MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */ 135 MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */ 136 } mbedtls_ecp_group_id; 137 138 /** 139 * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE. 140 * 141 * \note Montgomery curves are currently excluded. 142 */ 143 #define MBEDTLS_ECP_DP_MAX 12 144 145 /* 146 * Curve types 147 */ 148 typedef enum 149 { 150 MBEDTLS_ECP_TYPE_NONE = 0, 151 MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */ 152 MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */ 153 } mbedtls_ecp_curve_type; 154 155 /** 156 * Curve information, for use by other modules. 157 */ 158 typedef struct mbedtls_ecp_curve_info 159 { 160 mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */ 161 uint16_t tls_id; /*!< The TLS NamedCurve identifier. */ 162 uint16_t bit_size; /*!< The curve size in bits. */ 163 const char *name; /*!< A human-friendly name. */ 164 } mbedtls_ecp_curve_info; 165 166 /** 167 * \brief The ECP point structure, in Jacobian coordinates. 168 * 169 * \note All functions expect and return points satisfying 170 * the following condition: <code>Z == 0</code> or 171 * <code>Z == 1</code>. Other values of \p Z are 172 * used only by internal functions. 173 * The point is zero, or "at infinity", if <code>Z == 0</code>. 174 * Otherwise, \p X and \p Y are its standard (affine) 175 * coordinates. 176 */ 177 typedef struct mbedtls_ecp_point 178 { 179 mbedtls_mpi X; /*!< The X coordinate of the ECP point. */ 180 mbedtls_mpi Y; /*!< The Y coordinate of the ECP point. */ 181 mbedtls_mpi Z; /*!< The Z coordinate of the ECP point. */ 182 } 183 mbedtls_ecp_point; 184 185 /* Determine the minimum safe value of MBEDTLS_ECP_MAX_BITS. */ 186 #if !defined(MBEDTLS_ECP_C) 187 #define MBEDTLS_ECP_MAX_BITS_MIN 0 188 /* Note: the curves must be listed in DECREASING size! */ 189 #elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 190 #define MBEDTLS_ECP_MAX_BITS_MIN 521 191 #elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 192 #define MBEDTLS_ECP_MAX_BITS_MIN 512 193 #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 194 #define MBEDTLS_ECP_MAX_BITS_MIN 448 195 #elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 196 #define MBEDTLS_ECP_MAX_BITS_MIN 384 197 #elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 198 #define MBEDTLS_ECP_MAX_BITS_MIN 384 199 #elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 200 #define MBEDTLS_ECP_MAX_BITS_MIN 256 201 #elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) 202 #define MBEDTLS_ECP_MAX_BITS_MIN 256 203 #elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 204 #define MBEDTLS_ECP_MAX_BITS_MIN 256 205 #elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 206 #define MBEDTLS_ECP_MAX_BITS_MIN 255 207 #elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) 208 #define MBEDTLS_ECP_MAX_BITS_MIN 225 // n is slightly above 2^224 209 #elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) 210 #define MBEDTLS_ECP_MAX_BITS_MIN 224 211 #elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) 212 #define MBEDTLS_ECP_MAX_BITS_MIN 192 213 #elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) 214 #define MBEDTLS_ECP_MAX_BITS_MIN 192 215 #else 216 #error "MBEDTLS_ECP_C enabled, but no curve?" 217 #endif 218 219 #if !defined(MBEDTLS_ECP_ALT) 220 /* 221 * default mbed TLS elliptic curve arithmetic implementation 222 * 223 * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an 224 * alternative implementation for the whole module and it will replace this 225 * one.) 226 */ 227 228 /** 229 * \brief The ECP group structure. 230 * 231 * We consider two types of curve equations: 232 * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code> 233 * (SEC1 + RFC-4492)</li> 234 * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519, 235 * Curve448)</li></ul> 236 * In both cases, the generator (\p G) for a prime-order subgroup is fixed. 237 * 238 * For Short Weierstrass, this subgroup is the whole curve, and its 239 * cardinality is denoted by \p N. Our code requires that \p N is an 240 * odd prime as mbedtls_ecp_mul() requires an odd number, and 241 * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes. 242 * 243 * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>, 244 * which is the quantity used in the formulas. Additionally, \p nbits is 245 * not the size of \p N but the required size for private keys. 246 * 247 * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm. 248 * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the 249 * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer 250 * which is congruent mod \p P to the given MPI, and is close enough to \p pbits 251 * in size, so that it may be efficiently brought in the 0..P-1 range by a few 252 * additions or subtractions. Therefore, it is only an approximative modular 253 * reduction. It must return 0 on success and non-zero on failure. 254 * 255 * \note Alternative implementations must keep the group IDs distinct. If 256 * two group structures have the same ID, then they must be 257 * identical. 258 * 259 */ 260 typedef struct mbedtls_ecp_group 261 { 262 mbedtls_ecp_group_id id; /*!< An internal group identifier. */ 263 mbedtls_mpi P; /*!< The prime modulus of the base field. */ 264 mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For 265 Montgomery curves: <code>(A + 2) / 4</code>. */ 266 mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation. 267 For Montgomery curves: unused. */ 268 mbedtls_ecp_point G; /*!< The generator of the subgroup used. */ 269 mbedtls_mpi N; /*!< The order of \p G. */ 270 size_t pbits; /*!< The number of bits in \p P.*/ 271 size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P. 272 For Montgomery curves: the number of bits in the 273 private keys. */ 274 unsigned int h; /*!< \internal 1 if the constants are static. */ 275 int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction 276 mod \p P (see above).*/ 277 int (*t_pre)(mbedtls_ecp_point *, void *); /*!< Unused. */ 278 int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */ 279 void *t_data; /*!< Unused. */ 280 mbedtls_ecp_point *T; /*!< Pre-computed points for ecp_mul_comb(). */ 281 size_t T_size; /*!< The number of pre-computed points. */ 282 } 283 mbedtls_ecp_group; 284 285 /** 286 * \name SECTION: Module settings 287 * 288 * The configuration options you can set for this module are in this section. 289 * Either change them in config.h, or define them using the compiler command line. 290 * \{ 291 */ 292 293 #if defined(MBEDTLS_ECP_MAX_BITS) 294 295 #if MBEDTLS_ECP_MAX_BITS < MBEDTLS_ECP_MAX_BITS_MIN 296 #error "MBEDTLS_ECP_MAX_BITS is smaller than the largest supported curve" 297 #endif 298 299 #elif defined(MBEDTLS_ECP_C) 300 /** 301 * The maximum size of the groups, that is, of \c N and \c P. 302 */ 303 #define MBEDTLS_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS_MIN 304 305 #else 306 /* MBEDTLS_ECP_MAX_BITS is not relevant without MBEDTLS_ECP_C, but set it 307 * to a nonzero value so that code that unconditionally allocates an array 308 * of a size based on it keeps working if built without ECC support. */ 309 #define MBEDTLS_ECP_MAX_BITS 1 310 #endif 311 312 #define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) 313 #define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 ) 314 315 #if !defined(MBEDTLS_ECP_WINDOW_SIZE) 316 /* 317 * Maximum "window" size used for point multiplication. 318 * Default: a point where higher memory usage yields disminishing performance 319 * returns. 320 * Minimum value: 2. Maximum value: 7. 321 * 322 * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) ) 323 * points used for point multiplication. This value is directly tied to EC 324 * peak memory usage, so decreasing it by one should roughly cut memory usage 325 * by two (if large curves are in use). 326 * 327 * Reduction in size may reduce speed, but larger curves are impacted first. 328 * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1): 329 * w-size: 6 5 4 3 2 330 * 521 145 141 135 120 97 331 * 384 214 209 198 177 146 332 * 256 320 320 303 262 226 333 * 224 475 475 453 398 342 334 * 192 640 640 633 587 476 335 */ 336 #define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */ 337 #endif /* MBEDTLS_ECP_WINDOW_SIZE */ 338 339 #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) 340 /* 341 * Trade memory for speed on fixed-point multiplication. 342 * 343 * This speeds up repeated multiplication of the generator (that is, the 344 * multiplication in ECDSA signatures, and half of the multiplications in 345 * ECDSA verification and ECDHE) by a factor roughly 3 to 4. 346 * 347 * The cost is increasing EC peak memory usage by a factor roughly 2. 348 * 349 * Change this value to 0 to reduce peak memory usage. 350 */ 351 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */ 352 #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ 353 354 /* \} name SECTION: Module settings */ 355 356 #else /* MBEDTLS_ECP_ALT */ 357 #include "ecp_alt.h" 358 #endif /* MBEDTLS_ECP_ALT */ 359 360 #if defined(MBEDTLS_ECP_RESTARTABLE) 361 362 /** 363 * \brief Internal restart context for multiplication 364 * 365 * \note Opaque struct 366 */ 367 typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx; 368 369 /** 370 * \brief Internal restart context for ecp_muladd() 371 * 372 * \note Opaque struct 373 */ 374 typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx; 375 376 /** 377 * \brief General context for resuming ECC operations 378 */ 379 typedef struct 380 { 381 unsigned ops_done; /*!< current ops count */ 382 unsigned depth; /*!< call depth (0 = top-level) */ 383 mbedtls_ecp_restart_mul_ctx *rsm; /*!< ecp_mul_comb() sub-context */ 384 mbedtls_ecp_restart_muladd_ctx *ma; /*!< ecp_muladd() sub-context */ 385 } mbedtls_ecp_restart_ctx; 386 387 /* 388 * Operation counts for restartable functions 389 */ 390 #define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */ 391 #define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */ 392 #define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */ 393 #define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */ 394 395 /** 396 * \brief Internal; for restartable functions in other modules. 397 * Check and update basic ops budget. 398 * 399 * \param grp Group structure 400 * \param rs_ctx Restart context 401 * \param ops Number of basic ops to do 402 * 403 * \return \c 0 if doing \p ops basic ops is still allowed, 404 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise. 405 */ 406 int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp, 407 mbedtls_ecp_restart_ctx *rs_ctx, 408 unsigned ops ); 409 410 /* Utility macro for checking and updating ops budget */ 411 #define MBEDTLS_ECP_BUDGET( ops ) \ 412 MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \ 413 (unsigned) (ops) ) ); 414 415 #else /* MBEDTLS_ECP_RESTARTABLE */ 416 417 #define MBEDTLS_ECP_BUDGET( ops ) /* no-op; for compatibility */ 418 419 /* We want to declare restartable versions of existing functions anyway */ 420 typedef void mbedtls_ecp_restart_ctx; 421 422 #endif /* MBEDTLS_ECP_RESTARTABLE */ 423 424 /** 425 * \brief The ECP key-pair structure. 426 * 427 * A generic key-pair that may be used for ECDSA and fixed ECDH, for example. 428 * 429 * \note Members are deliberately in the same order as in the 430 * ::mbedtls_ecdsa_context structure. 431 */ 432 typedef struct mbedtls_ecp_keypair 433 { 434 mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ 435 mbedtls_mpi d; /*!< our secret value */ 436 mbedtls_ecp_point Q; /*!< our public value */ 437 } 438 mbedtls_ecp_keypair; 439 440 /* 441 * Point formats, from RFC 4492's enum ECPointFormat 442 */ 443 #define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format. */ 444 #define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format. */ 445 446 /* 447 * Some other constants from RFC 4492 448 */ 449 #define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */ 450 451 #if defined(MBEDTLS_ECP_RESTARTABLE) 452 /** 453 * \brief Set the maximum number of basic operations done in a row. 454 * 455 * If more operations are needed to complete a computation, 456 * #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the 457 * function performing the computation. It is then the 458 * caller's responsibility to either call again with the same 459 * parameters until it returns 0 or an error code; or to free 460 * the restart context if the operation is to be aborted. 461 * 462 * It is strictly required that all input parameters and the 463 * restart context be the same on successive calls for the 464 * same operation, but output parameters need not be the 465 * same; they must not be used until the function finally 466 * returns 0. 467 * 468 * This only applies to functions whose documentation 469 * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or 470 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the 471 * SSL module). For functions that accept a "restart context" 472 * argument, passing NULL disables restart and makes the 473 * function equivalent to the function with the same name 474 * with \c _restartable removed. For functions in the ECDH 475 * module, restart is disabled unless the function accepts 476 * an "ECDH context" argument and 477 * mbedtls_ecdh_enable_restart() was previously called on 478 * that context. For function in the SSL module, restart is 479 * only enabled for specific sides and key exchanges 480 * (currently only for clients and ECDHE-ECDSA). 481 * 482 * \param max_ops Maximum number of basic operations done in a row. 483 * Default: 0 (unlimited). 484 * Lower (non-zero) values mean ECC functions will block for 485 * a lesser maximum amount of time. 486 * 487 * \note A "basic operation" is defined as a rough equivalent of a 488 * multiplication in GF(p) for the NIST P-256 curve. 489 * As an indication, with default settings, a scalar 490 * multiplication (full run of \c mbedtls_ecp_mul()) is: 491 * - about 3300 basic operations for P-256 492 * - about 9400 basic operations for P-384 493 * 494 * \note Very low values are not always respected: sometimes 495 * functions need to block for a minimum number of 496 * operations, and will do so even if max_ops is set to a 497 * lower value. That minimum depends on the curve size, and 498 * can be made lower by decreasing the value of 499 * \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the 500 * lowest effective value for various curves and values of 501 * that parameter (w for short): 502 * w=6 w=5 w=4 w=3 w=2 503 * P-256 208 208 160 136 124 504 * P-384 682 416 320 272 248 505 * P-521 1364 832 640 544 496 506 * 507 * \note This setting is currently ignored by Curve25519. 508 */ 509 void mbedtls_ecp_set_max_ops( unsigned max_ops ); 510 511 /** 512 * \brief Check if restart is enabled (max_ops != 0) 513 * 514 * \return \c 0 if \c max_ops == 0 (restart disabled) 515 * \return \c 1 otherwise (restart enabled) 516 */ 517 int mbedtls_ecp_restart_is_enabled( void ); 518 #endif /* MBEDTLS_ECP_RESTARTABLE */ 519 520 /* 521 * Get the type of a curve 522 */ 523 mbedtls_ecp_curve_type mbedtls_ecp_get_type( const mbedtls_ecp_group *grp ); 524 525 /** 526 * \brief This function retrieves the information defined in 527 * mbedtls_ecp_curve_info() for all supported curves. 528 * 529 * \note This function returns information about all curves 530 * supported by the library. Some curves may not be 531 * supported for all algorithms. Call mbedtls_ecdh_can_do() 532 * or mbedtls_ecdsa_can_do() to check if a curve is 533 * supported for ECDH or ECDSA. 534 * 535 * \return A statically allocated array. The last entry is 0. 536 */ 537 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void ); 538 539 /** 540 * \brief This function retrieves the list of internal group 541 * identifiers of all supported curves in the order of 542 * preference. 543 * 544 * \note This function returns information about all curves 545 * supported by the library. Some curves may not be 546 * supported for all algorithms. Call mbedtls_ecdh_can_do() 547 * or mbedtls_ecdsa_can_do() to check if a curve is 548 * supported for ECDH or ECDSA. 549 * 550 * \return A statically allocated array, 551 * terminated with MBEDTLS_ECP_DP_NONE. 552 */ 553 const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void ); 554 555 /** 556 * \brief This function retrieves curve information from an internal 557 * group identifier. 558 * 559 * \param grp_id An \c MBEDTLS_ECP_DP_XXX value. 560 * 561 * \return The associated curve information on success. 562 * \return NULL on failure. 563 */ 564 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id ); 565 566 /** 567 * \brief This function retrieves curve information from a TLS 568 * NamedCurve value. 569 * 570 * \param tls_id An \c MBEDTLS_ECP_DP_XXX value. 571 * 572 * \return The associated curve information on success. 573 * \return NULL on failure. 574 */ 575 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id ); 576 577 /** 578 * \brief This function retrieves curve information from a 579 * human-readable name. 580 * 581 * \param name The human-readable name. 582 * 583 * \return The associated curve information on success. 584 * \return NULL on failure. 585 */ 586 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name ); 587 588 /** 589 * \brief This function initializes a point as zero. 590 * 591 * \param pt The point to initialize. 592 */ 593 void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ); 594 595 /** 596 * \brief This function initializes an ECP group context 597 * without loading any domain parameters. 598 * 599 * \note After this function is called, domain parameters 600 * for various ECP groups can be loaded through the 601 * mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() 602 * functions. 603 */ 604 void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ); 605 606 /** 607 * \brief This function initializes a key pair as an invalid one. 608 * 609 * \param key The key pair to initialize. 610 */ 611 void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key ); 612 613 /** 614 * \brief This function frees the components of a point. 615 * 616 * \param pt The point to free. 617 */ 618 void mbedtls_ecp_point_free( mbedtls_ecp_point *pt ); 619 620 /** 621 * \brief This function frees the components of an ECP group. 622 * 623 * \param grp The group to free. This may be \c NULL, in which 624 * case this function returns immediately. If it is not 625 * \c NULL, it must point to an initialized ECP group. 626 */ 627 void mbedtls_ecp_group_free( mbedtls_ecp_group *grp ); 628 629 /** 630 * \brief This function frees the components of a key pair. 631 * 632 * \param key The key pair to free. This may be \c NULL, in which 633 * case this function returns immediately. If it is not 634 * \c NULL, it must point to an initialized ECP key pair. 635 */ 636 void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key ); 637 638 #if defined(MBEDTLS_ECP_RESTARTABLE) 639 /** 640 * \brief Initialize a restart context. 641 * 642 * \param ctx The restart context to initialize. This must 643 * not be \c NULL. 644 */ 645 void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx ); 646 647 /** 648 * \brief Free the components of a restart context. 649 * 650 * \param ctx The restart context to free. This may be \c NULL, in which 651 * case this function returns immediately. If it is not 652 * \c NULL, it must point to an initialized restart context. 653 */ 654 void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx ); 655 #endif /* MBEDTLS_ECP_RESTARTABLE */ 656 657 /** 658 * \brief This function copies the contents of point \p Q into 659 * point \p P. 660 * 661 * \param P The destination point. This must be initialized. 662 * \param Q The source point. This must be initialized. 663 * 664 * \return \c 0 on success. 665 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 666 * \return Another negative error code for other kinds of failure. 667 */ 668 int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ); 669 670 /** 671 * \brief This function copies the contents of group \p src into 672 * group \p dst. 673 * 674 * \param dst The destination group. This must be initialized. 675 * \param src The source group. This must be initialized. 676 * 677 * \return \c 0 on success. 678 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 679 * \return Another negative error code on other kinds of failure. 680 */ 681 int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, 682 const mbedtls_ecp_group *src ); 683 684 /** 685 * \brief This function sets a point to the point at infinity. 686 * 687 * \param pt The point to set. This must be initialized. 688 * 689 * \return \c 0 on success. 690 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 691 * \return Another negative error code on other kinds of failure. 692 */ 693 int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ); 694 695 /** 696 * \brief This function checks if a point is the point at infinity. 697 * 698 * \param pt The point to test. This must be initialized. 699 * 700 * \return \c 1 if the point is zero. 701 * \return \c 0 if the point is non-zero. 702 * \return A negative error code on failure. 703 */ 704 int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ); 705 706 /** 707 * \brief This function compares two points. 708 * 709 * \note This assumes that the points are normalized. Otherwise, 710 * they may compare as "not equal" even if they are. 711 * 712 * \param P The first point to compare. This must be initialized. 713 * \param Q The second point to compare. This must be initialized. 714 * 715 * \return \c 0 if the points are equal. 716 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal. 717 */ 718 int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, 719 const mbedtls_ecp_point *Q ); 720 721 /** 722 * \brief This function imports a non-zero point from two ASCII 723 * strings. 724 * 725 * \param P The destination point. This must be initialized. 726 * \param radix The numeric base of the input. 727 * \param x The first affine coordinate, as a null-terminated string. 728 * \param y The second affine coordinate, as a null-terminated string. 729 * 730 * \return \c 0 on success. 731 * \return An \c MBEDTLS_ERR_MPI_XXX error code on failure. 732 */ 733 int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix, 734 const char *x, const char *y ); 735 736 /** 737 * \brief This function exports a point into unsigned binary data. 738 * 739 * \param grp The group to which the point should belong. 740 * This must be initialized and have group parameters 741 * set, for example through mbedtls_ecp_group_load(). 742 * \param P The point to export. This must be initialized. 743 * \param format The point format. This must be either 744 * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. 745 * (For groups without these formats, this parameter is 746 * ignored. But it still has to be either of the above 747 * values.) 748 * \param olen The address at which to store the length of 749 * the output in Bytes. This must not be \c NULL. 750 * \param buf The output buffer. This must be a writable buffer 751 * of length \p buflen Bytes. 752 * \param buflen The length of the output buffer \p buf in Bytes. 753 * 754 * \return \c 0 on success. 755 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer 756 * is too small to hold the point. 757 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format 758 * or the export for the given group is not implemented. 759 * \return Another negative error code on other kinds of failure. 760 */ 761 int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, 762 const mbedtls_ecp_point *P, 763 int format, size_t *olen, 764 unsigned char *buf, size_t buflen ); 765 766 /** 767 * \brief This function imports a point from unsigned binary data. 768 * 769 * \note This function does not check that the point actually 770 * belongs to the given group, see mbedtls_ecp_check_pubkey() 771 * for that. 772 * 773 * \param grp The group to which the point should belong. 774 * This must be initialized and have group parameters 775 * set, for example through mbedtls_ecp_group_load(). 776 * \param P The destination context to import the point to. 777 * This must be initialized. 778 * \param buf The input buffer. This must be a readable buffer 779 * of length \p ilen Bytes. 780 * \param ilen The length of the input buffer \p buf in Bytes. 781 * 782 * \return \c 0 on success. 783 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. 784 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 785 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the 786 * given group is not implemented. 787 */ 788 int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, 789 mbedtls_ecp_point *P, 790 const unsigned char *buf, size_t ilen ); 791 792 /** 793 * \brief This function imports a point from a TLS ECPoint record. 794 * 795 * \note On function return, \p *buf is updated to point immediately 796 * after the ECPoint record. 797 * 798 * \param grp The ECP group to use. 799 * This must be initialized and have group parameters 800 * set, for example through mbedtls_ecp_group_load(). 801 * \param pt The destination point. 802 * \param buf The address of the pointer to the start of the input buffer. 803 * \param len The length of the buffer. 804 * 805 * \return \c 0 on success. 806 * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization 807 * failure. 808 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. 809 */ 810 int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, 811 mbedtls_ecp_point *pt, 812 const unsigned char **buf, size_t len ); 813 814 /** 815 * \brief This function exports a point as a TLS ECPoint record 816 * defined in RFC 4492, Section 5.4. 817 * 818 * \param grp The ECP group to use. 819 * This must be initialized and have group parameters 820 * set, for example through mbedtls_ecp_group_load(). 821 * \param pt The point to be exported. This must be initialized. 822 * \param format The point format to use. This must be either 823 * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. 824 * \param olen The address at which to store the length in Bytes 825 * of the data written. 826 * \param buf The target buffer. This must be a writable buffer of 827 * length \p blen Bytes. 828 * \param blen The length of the target buffer \p buf in Bytes. 829 * 830 * \return \c 0 on success. 831 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid. 832 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer 833 * is too small to hold the exported point. 834 * \return Another negative error code on other kinds of failure. 835 */ 836 int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, 837 const mbedtls_ecp_point *pt, 838 int format, size_t *olen, 839 unsigned char *buf, size_t blen ); 840 841 /** 842 * \brief This function sets up an ECP group context 843 * from a standardized set of domain parameters. 844 * 845 * \note The index should be a value of the NamedCurve enum, 846 * as defined in <em>RFC-4492: Elliptic Curve Cryptography 847 * (ECC) Cipher Suites for Transport Layer Security (TLS)</em>, 848 * usually in the form of an \c MBEDTLS_ECP_DP_XXX macro. 849 * 850 * \param grp The group context to setup. This must be initialized. 851 * \param id The identifier of the domain parameter set to load. 852 * 853 * \return \c 0 on success. 854 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't 855 * correspond to a known group. 856 * \return Another negative error code on other kinds of failure. 857 */ 858 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ); 859 860 /** 861 * \brief This function sets up an ECP group context from a TLS 862 * ECParameters record as defined in RFC 4492, Section 5.4. 863 * 864 * \note The read pointer \p buf is updated to point right after 865 * the ECParameters record on exit. 866 * 867 * \param grp The group context to setup. This must be initialized. 868 * \param buf The address of the pointer to the start of the input buffer. 869 * \param len The length of the input buffer \c *buf in Bytes. 870 * 871 * \return \c 0 on success. 872 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. 873 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not 874 * recognized. 875 * \return Another negative error code on other kinds of failure. 876 */ 877 int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, 878 const unsigned char **buf, size_t len ); 879 880 /** 881 * \brief This function extracts an elliptic curve group ID from a 882 * TLS ECParameters record as defined in RFC 4492, Section 5.4. 883 * 884 * \note The read pointer \p buf is updated to point right after 885 * the ECParameters record on exit. 886 * 887 * \param grp The address at which to store the group id. 888 * This must not be \c NULL. 889 * \param buf The address of the pointer to the start of the input buffer. 890 * \param len The length of the input buffer \c *buf in Bytes. 891 * 892 * \return \c 0 on success. 893 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. 894 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not 895 * recognized. 896 * \return Another negative error code on other kinds of failure. 897 */ 898 int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp, 899 const unsigned char **buf, 900 size_t len ); 901 /** 902 * \brief This function exports an elliptic curve as a TLS 903 * ECParameters record as defined in RFC 4492, Section 5.4. 904 * 905 * \param grp The ECP group to be exported. 906 * This must be initialized and have group parameters 907 * set, for example through mbedtls_ecp_group_load(). 908 * \param olen The address at which to store the number of Bytes written. 909 * This must not be \c NULL. 910 * \param buf The buffer to write to. This must be a writable buffer 911 * of length \p blen Bytes. 912 * \param blen The length of the output buffer \p buf in Bytes. 913 * 914 * \return \c 0 on success. 915 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output 916 * buffer is too small to hold the exported group. 917 * \return Another negative error code on other kinds of failure. 918 */ 919 int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, 920 size_t *olen, 921 unsigned char *buf, size_t blen ); 922 923 /** 924 * \brief This function performs a scalar multiplication of a point 925 * by an integer: \p R = \p m * \p P. 926 * 927 * It is not thread-safe to use same group in multiple threads. 928 * 929 * \note To prevent timing attacks, this function 930 * executes the exact same sequence of base-field 931 * operations for any valid \p m. It avoids any if-branch or 932 * array index depending on the value of \p m. 933 * 934 * \note If \p f_rng is not NULL, it is used to randomize 935 * intermediate results to prevent potential timing attacks 936 * targeting these results. We recommend always providing 937 * a non-NULL \p f_rng. The overhead is negligible. 938 * Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when 939 * \p f_rng is NULL, an internal RNG (seeded from the value 940 * of \p m) will be used instead. 941 * 942 * \param grp The ECP group to use. 943 * This must be initialized and have group parameters 944 * set, for example through mbedtls_ecp_group_load(). 945 * \param R The point in which to store the result of the calculation. 946 * This must be initialized. 947 * \param m The integer by which to multiply. This must be initialized. 948 * \param P The point to multiply. This must be initialized. 949 * \param f_rng The RNG function. This may be \c NULL if randomization 950 * of intermediate results isn't desired (discouraged). 951 * \param p_rng The RNG context to be passed to \p p_rng. 952 * 953 * \return \c 0 on success. 954 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private 955 * key, or \p P is not a valid public key. 956 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 957 * \return Another negative error code on other kinds of failure. 958 */ 959 int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 960 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 961 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 962 963 /** 964 * \brief This function performs multiplication of a point by 965 * an integer: \p R = \p m * \p P in a restartable way. 966 * 967 * \see mbedtls_ecp_mul() 968 * 969 * \note This function does the same as \c mbedtls_ecp_mul(), but 970 * it can return early and restart according to the limit set 971 * with \c mbedtls_ecp_set_max_ops() to reduce blocking. 972 * 973 * \param grp The ECP group to use. 974 * This must be initialized and have group parameters 975 * set, for example through mbedtls_ecp_group_load(). 976 * \param R The point in which to store the result of the calculation. 977 * This must be initialized. 978 * \param m The integer by which to multiply. This must be initialized. 979 * \param P The point to multiply. This must be initialized. 980 * \param f_rng The RNG function. This may be \c NULL if randomization 981 * of intermediate results isn't desired (discouraged). 982 * \param p_rng The RNG context to be passed to \p p_rng. 983 * \param rs_ctx The restart context (NULL disables restart). 984 * 985 * \return \c 0 on success. 986 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private 987 * key, or \p P is not a valid public key. 988 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 989 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 990 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 991 * \return Another negative error code on other kinds of failure. 992 */ 993 int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 994 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 995 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 996 mbedtls_ecp_restart_ctx *rs_ctx ); 997 998 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) 999 /** 1000 * \brief This function performs multiplication and addition of two 1001 * points by integers: \p R = \p m * \p P + \p n * \p Q 1002 * 1003 * It is not thread-safe to use same group in multiple threads. 1004 * 1005 * \note In contrast to mbedtls_ecp_mul(), this function does not 1006 * guarantee a constant execution flow and timing. 1007 * 1008 * \note This function is only defined for short Weierstrass curves. 1009 * It may not be included in builds without any short 1010 * Weierstrass curve. 1011 * 1012 * \param grp The ECP group to use. 1013 * This must be initialized and have group parameters 1014 * set, for example through mbedtls_ecp_group_load(). 1015 * \param R The point in which to store the result of the calculation. 1016 * This must be initialized. 1017 * \param m The integer by which to multiply \p P. 1018 * This must be initialized. 1019 * \param P The point to multiply by \p m. This must be initialized. 1020 * \param n The integer by which to multiply \p Q. 1021 * This must be initialized. 1022 * \param Q The point to be multiplied by \p n. 1023 * This must be initialized. 1024 * 1025 * \return \c 0 on success. 1026 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not 1027 * valid private keys, or \p P or \p Q are not valid public 1028 * keys. 1029 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 1030 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not 1031 * designate a short Weierstrass curve. 1032 * \return Another negative error code on other kinds of failure. 1033 */ 1034 int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 1035 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 1036 const mbedtls_mpi *n, const mbedtls_ecp_point *Q ); 1037 1038 /** 1039 * \brief This function performs multiplication and addition of two 1040 * points by integers: \p R = \p m * \p P + \p n * \p Q in a 1041 * restartable way. 1042 * 1043 * \see \c mbedtls_ecp_muladd() 1044 * 1045 * \note This function works the same as \c mbedtls_ecp_muladd(), 1046 * but it can return early and restart according to the limit 1047 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 1048 * 1049 * \note This function is only defined for short Weierstrass curves. 1050 * It may not be included in builds without any short 1051 * Weierstrass curve. 1052 * 1053 * \param grp The ECP group to use. 1054 * This must be initialized and have group parameters 1055 * set, for example through mbedtls_ecp_group_load(). 1056 * \param R The point in which to store the result of the calculation. 1057 * This must be initialized. 1058 * \param m The integer by which to multiply \p P. 1059 * This must be initialized. 1060 * \param P The point to multiply by \p m. This must be initialized. 1061 * \param n The integer by which to multiply \p Q. 1062 * This must be initialized. 1063 * \param Q The point to be multiplied by \p n. 1064 * This must be initialized. 1065 * \param rs_ctx The restart context (NULL disables restart). 1066 * 1067 * \return \c 0 on success. 1068 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not 1069 * valid private keys, or \p P or \p Q are not valid public 1070 * keys. 1071 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure. 1072 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not 1073 * designate a short Weierstrass curve. 1074 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 1075 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 1076 * \return Another negative error code on other kinds of failure. 1077 */ 1078 int mbedtls_ecp_muladd_restartable( 1079 mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 1080 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 1081 const mbedtls_mpi *n, const mbedtls_ecp_point *Q, 1082 mbedtls_ecp_restart_ctx *rs_ctx ); 1083 #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 1084 1085 /** 1086 * \brief This function checks that a point is a valid public key 1087 * on this curve. 1088 * 1089 * It only checks that the point is non-zero, has 1090 * valid coordinates and lies on the curve. It does not verify 1091 * that it is indeed a multiple of \p G. This additional 1092 * check is computationally more expensive, is not required 1093 * by standards, and should not be necessary if the group 1094 * used has a small cofactor. In particular, it is useless for 1095 * the NIST groups which all have a cofactor of 1. 1096 * 1097 * \note This function uses bare components rather than an 1098 * ::mbedtls_ecp_keypair structure, to ease use with other 1099 * structures, such as ::mbedtls_ecdh_context or 1100 * ::mbedtls_ecdsa_context. 1101 * 1102 * \param grp The ECP group the point should belong to. 1103 * This must be initialized and have group parameters 1104 * set, for example through mbedtls_ecp_group_load(). 1105 * \param pt The point to check. This must be initialized. 1106 * 1107 * \return \c 0 if the point is a valid public key. 1108 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not 1109 * a valid public key for the given curve. 1110 * \return Another negative error code on other kinds of failure. 1111 */ 1112 int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, 1113 const mbedtls_ecp_point *pt ); 1114 1115 /** 1116 * \brief This function checks that an \p mbedtls_mpi is a 1117 * valid private key for this curve. 1118 * 1119 * \note This function uses bare components rather than an 1120 * ::mbedtls_ecp_keypair structure to ease use with other 1121 * structures, such as ::mbedtls_ecdh_context or 1122 * ::mbedtls_ecdsa_context. 1123 * 1124 * \param grp The ECP group the private key should belong to. 1125 * This must be initialized and have group parameters 1126 * set, for example through mbedtls_ecp_group_load(). 1127 * \param d The integer to check. This must be initialized. 1128 * 1129 * \return \c 0 if the point is a valid private key. 1130 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid 1131 * private key for the given curve. 1132 * \return Another negative error code on other kinds of failure. 1133 */ 1134 int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, 1135 const mbedtls_mpi *d ); 1136 1137 /** 1138 * \brief This function generates a private key. 1139 * 1140 * \param grp The ECP group to generate a private key for. 1141 * This must be initialized and have group parameters 1142 * set, for example through mbedtls_ecp_group_load(). 1143 * \param d The destination MPI (secret part). This must be initialized. 1144 * \param f_rng The RNG function. This must not be \c NULL. 1145 * \param p_rng The RNG parameter to be passed to \p f_rng. This may be 1146 * \c NULL if \p f_rng doesn't need a context argument. 1147 * 1148 * \return \c 0 on success. 1149 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code 1150 * on failure. 1151 */ 1152 int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp, 1153 mbedtls_mpi *d, 1154 int (*f_rng)(void *, unsigned char *, size_t), 1155 void *p_rng ); 1156 1157 /** 1158 * \brief This function generates a keypair with a configurable base 1159 * point. 1160 * 1161 * \note This function uses bare components rather than an 1162 * ::mbedtls_ecp_keypair structure to ease use with other 1163 * structures, such as ::mbedtls_ecdh_context or 1164 * ::mbedtls_ecdsa_context. 1165 * 1166 * \param grp The ECP group to generate a key pair for. 1167 * This must be initialized and have group parameters 1168 * set, for example through mbedtls_ecp_group_load(). 1169 * \param G The base point to use. This must be initialized 1170 * and belong to \p grp. It replaces the default base 1171 * point \c grp->G used by mbedtls_ecp_gen_keypair(). 1172 * \param d The destination MPI (secret part). 1173 * This must be initialized. 1174 * \param Q The destination point (public part). 1175 * This must be initialized. 1176 * \param f_rng The RNG function. This must not be \c NULL. 1177 * \param p_rng The RNG context to be passed to \p f_rng. This may 1178 * be \c NULL if \p f_rng doesn't need a context argument. 1179 * 1180 * \return \c 0 on success. 1181 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code 1182 * on failure. 1183 */ 1184 int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, 1185 const mbedtls_ecp_point *G, 1186 mbedtls_mpi *d, mbedtls_ecp_point *Q, 1187 int (*f_rng)(void *, unsigned char *, size_t), 1188 void *p_rng ); 1189 1190 /** 1191 * \brief This function generates an ECP keypair. 1192 * 1193 * \note This function uses bare components rather than an 1194 * ::mbedtls_ecp_keypair structure to ease use with other 1195 * structures, such as ::mbedtls_ecdh_context or 1196 * ::mbedtls_ecdsa_context. 1197 * 1198 * \param grp The ECP group to generate a key pair for. 1199 * This must be initialized and have group parameters 1200 * set, for example through mbedtls_ecp_group_load(). 1201 * \param d The destination MPI (secret part). 1202 * This must be initialized. 1203 * \param Q The destination point (public part). 1204 * This must be initialized. 1205 * \param f_rng The RNG function. This must not be \c NULL. 1206 * \param p_rng The RNG context to be passed to \p f_rng. This may 1207 * be \c NULL if \p f_rng doesn't need a context argument. 1208 * 1209 * \return \c 0 on success. 1210 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code 1211 * on failure. 1212 */ 1213 int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, 1214 mbedtls_ecp_point *Q, 1215 int (*f_rng)(void *, unsigned char *, size_t), 1216 void *p_rng ); 1217 1218 /** 1219 * \brief This function generates an ECP key. 1220 * 1221 * \param grp_id The ECP group identifier. 1222 * \param key The destination key. This must be initialized. 1223 * \param f_rng The RNG function to use. This must not be \c NULL. 1224 * \param p_rng The RNG context to be passed to \p f_rng. This may 1225 * be \c NULL if \p f_rng doesn't need a context argument. 1226 * 1227 * \return \c 0 on success. 1228 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code 1229 * on failure. 1230 */ 1231 int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, 1232 int (*f_rng)(void *, unsigned char *, size_t), 1233 void *p_rng ); 1234 1235 /** 1236 * \brief This function reads an elliptic curve private key. 1237 * 1238 * \param grp_id The ECP group identifier. 1239 * \param key The destination key. 1240 * \param buf The buffer containing the binary representation of the 1241 * key. (Big endian integer for Weierstrass curves, byte 1242 * string for Montgomery curves.) 1243 * \param buflen The length of the buffer in bytes. 1244 * 1245 * \return \c 0 on success. 1246 * \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is 1247 * invalid. 1248 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 1249 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for 1250 * the group is not implemented. 1251 * \return Another negative error code on different kinds of failure. 1252 */ 1253 int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, 1254 const unsigned char *buf, size_t buflen ); 1255 1256 /** 1257 * \brief This function exports an elliptic curve private key. 1258 * 1259 * \param key The private key. 1260 * \param buf The output buffer for containing the binary representation 1261 * of the key. (Big endian integer for Weierstrass curves, byte 1262 * string for Montgomery curves.) 1263 * \param buflen The total length of the buffer in bytes. 1264 * 1265 * \return \c 0 on success. 1266 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key 1267 representation is larger than the available space in \p buf. 1268 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for 1269 * the group is not implemented. 1270 * \return Another negative error code on different kinds of failure. 1271 */ 1272 int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key, 1273 unsigned char *buf, size_t buflen ); 1274 1275 /** 1276 * \brief This function checks that the keypair objects 1277 * \p pub and \p prv have the same group and the 1278 * same public point, and that the private key in 1279 * \p prv is consistent with the public key. 1280 * 1281 * \param pub The keypair structure holding the public key. This 1282 * must be initialized. If it contains a private key, that 1283 * part is ignored. 1284 * \param prv The keypair structure holding the full keypair. 1285 * This must be initialized. 1286 * 1287 * \return \c 0 on success, meaning that the keys are valid and match. 1288 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match. 1289 * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX 1290 * error code on calculation failure. 1291 */ 1292 int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, 1293 const mbedtls_ecp_keypair *prv ); 1294 1295 #if defined(MBEDTLS_SELF_TEST) 1296 1297 /** 1298 * \brief The ECP checkup routine. 1299 * 1300 * \return \c 0 on success. 1301 * \return \c 1 on failure. 1302 */ 1303 int mbedtls_ecp_self_test( int verbose ); 1304 1305 #endif /* MBEDTLS_SELF_TEST */ 1306 1307 #ifdef __cplusplus 1308 } 1309 #endif 1310 1311 #endif /* ecp.h */ 1312
