1 /** 2 * \file ecdsa.h 3 * 4 * \brief This file contains ECDSA definitions and functions. 5 * 6 * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in 7 * <em>Standards for Efficient Cryptography Group (SECG): 8 * SEC1 Elliptic Curve Cryptography</em>. 9 * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve 10 * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>. 11 * 12 */ 13 /* 14 * Copyright The Mbed TLS Contributors 15 * SPDX-License-Identifier: Apache-2.0 16 * 17 * Licensed under the Apache License, Version 2.0 (the "License"); you may 18 * not use this file except in compliance with the License. 19 * You may obtain a copy of the License at 20 * 21 * http://www.apache.org/licenses/LICENSE-2.0 22 * 23 * Unless required by applicable law or agreed to in writing, software 24 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 25 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 26 * See the License for the specific language governing permissions and 27 * limitations under the License. 28 */ 29 30 #ifndef MBEDTLS_ECDSA_H 31 #define MBEDTLS_ECDSA_H 32 #include "mbedtls/private_access.h" 33 34 #include "mbedtls/build_info.h" 35 36 #include "mbedtls/ecp.h" 37 #include "mbedtls/md.h" 38 39 /** 40 * \brief Maximum ECDSA signature size for a given curve bit size 41 * 42 * \param bits Curve size in bits 43 * \return Maximum signature size in bytes 44 * 45 * \note This macro returns a compile-time constant if its argument 46 * is one. It may evaluate its argument multiple times. 47 */ 48 /* 49 * Ecdsa-Sig-Value ::= SEQUENCE { 50 * r INTEGER, 51 * s INTEGER 52 * } 53 * 54 * For each of r and s, the value (V) may include an extra initial "0" bit. 55 */ 56 #define MBEDTLS_ECDSA_MAX_SIG_LEN(bits) \ 57 (/*T,L of SEQUENCE*/ ((bits) >= 61 * 8 ? 3 : 2) + \ 58 /*T,L of r,s*/ 2 * (((bits) >= 127 * 8 ? 3 : 2) + \ 59 /*V of r,s*/ ((bits) + 8) / 8)) 60 61 /** The maximal size of an ECDSA signature in Bytes. */ 62 #define MBEDTLS_ECDSA_MAX_LEN MBEDTLS_ECDSA_MAX_SIG_LEN(MBEDTLS_ECP_MAX_BITS) 63 64 #ifdef __cplusplus 65 extern "C" { 66 #endif 67 68 /** 69 * \brief The ECDSA context structure. 70 * 71 * \warning Performing multiple operations concurrently on the same 72 * ECDSA context is not supported; objects of this type 73 * should not be shared between multiple threads. 74 * 75 * \note pk_wrap module assumes that "ecdsa_context" is identical 76 * to "ecp_keypair" (see for example structure 77 * "mbedtls_eckey_info" where ECDSA sign/verify functions 78 * are used also for EC key) 79 */ 80 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context; 81 82 #if defined(MBEDTLS_ECP_RESTARTABLE) 83 84 /** 85 * \brief Internal restart context for ecdsa_verify() 86 * 87 * \note Opaque struct, defined in ecdsa.c 88 */ 89 typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx; 90 91 /** 92 * \brief Internal restart context for ecdsa_sign() 93 * 94 * \note Opaque struct, defined in ecdsa.c 95 */ 96 typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx; 97 98 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 99 /** 100 * \brief Internal restart context for ecdsa_sign_det() 101 * 102 * \note Opaque struct, defined in ecdsa.c 103 */ 104 typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx; 105 #endif 106 107 /** 108 * \brief General context for resuming ECDSA operations 109 */ 110 typedef struct { 111 mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(ecp); /*!< base context for ECP restart and 112 shared administrative info */ 113 mbedtls_ecdsa_restart_ver_ctx *MBEDTLS_PRIVATE(ver); /*!< ecdsa_verify() sub-context */ 114 mbedtls_ecdsa_restart_sig_ctx *MBEDTLS_PRIVATE(sig); /*!< ecdsa_sign() sub-context */ 115 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 116 mbedtls_ecdsa_restart_det_ctx *MBEDTLS_PRIVATE(det); /*!< ecdsa_sign_det() sub-context */ 117 #endif 118 } mbedtls_ecdsa_restart_ctx; 119 120 #else /* MBEDTLS_ECP_RESTARTABLE */ 121 122 /* Now we can declare functions that take a pointer to that */ 123 typedef void mbedtls_ecdsa_restart_ctx; 124 125 #endif /* MBEDTLS_ECP_RESTARTABLE */ 126 127 /** 128 * \brief This function checks whether a given group can be used 129 * for ECDSA. 130 * 131 * \param gid The ECP group ID to check. 132 * 133 * \return \c 1 if the group can be used, \c 0 otherwise 134 */ 135 int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid); 136 137 /** 138 * \brief This function computes the ECDSA signature of a 139 * previously-hashed message. 140 * 141 * \note The deterministic version implemented in 142 * mbedtls_ecdsa_sign_det_ext() is usually preferred. 143 * 144 * \note If the bitlength of the message hash is larger than the 145 * bitlength of the group order, then the hash is truncated 146 * as defined in <em>Standards for Efficient Cryptography Group 147 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 148 * 4.1.3, step 5. 149 * 150 * \see ecp.h 151 * 152 * \param grp The context for the elliptic curve to use. 153 * This must be initialized and have group parameters 154 * set, for example through mbedtls_ecp_group_load(). 155 * \param r The MPI context in which to store the first part 156 * the signature. This must be initialized. 157 * \param s The MPI context in which to store the second part 158 * the signature. This must be initialized. 159 * \param d The private signing key. This must be initialized. 160 * \param buf The content to be signed. This is usually the hash of 161 * the original data to be signed. This must be a readable 162 * buffer of length \p blen Bytes. It may be \c NULL if 163 * \p blen is zero. 164 * \param blen The length of \p buf in Bytes. 165 * \param f_rng The RNG function. This must not be \c NULL. 166 * \param p_rng The RNG context to be passed to \p f_rng. This may be 167 * \c NULL if \p f_rng doesn't need a context parameter. 168 * 169 * \return \c 0 on success. 170 * \return An \c MBEDTLS_ERR_ECP_XXX 171 * or \c MBEDTLS_MPI_XXX error code on failure. 172 */ 173 int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 174 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 175 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); 176 177 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 178 /** 179 * \brief This function computes the ECDSA signature of a 180 * previously-hashed message, deterministic version. 181 * 182 * For more information, see <em>RFC-6979: Deterministic 183 * Usage of the Digital Signature Algorithm (DSA) and Elliptic 184 * Curve Digital Signature Algorithm (ECDSA)</em>. 185 * 186 * \note If the bitlength of the message hash is larger than the 187 * bitlength of the group order, then the hash is truncated as 188 * defined in <em>Standards for Efficient Cryptography Group 189 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 190 * 4.1.3, step 5. 191 * 192 * \see ecp.h 193 * 194 * \param grp The context for the elliptic curve to use. 195 * This must be initialized and have group parameters 196 * set, for example through mbedtls_ecp_group_load(). 197 * \param r The MPI context in which to store the first part 198 * the signature. This must be initialized. 199 * \param s The MPI context in which to store the second part 200 * the signature. This must be initialized. 201 * \param d The private signing key. This must be initialized 202 * and setup, for example through mbedtls_ecp_gen_privkey(). 203 * \param buf The hashed content to be signed. This must be a readable 204 * buffer of length \p blen Bytes. It may be \c NULL if 205 * \p blen is zero. 206 * \param blen The length of \p buf in Bytes. 207 * \param md_alg The hash algorithm used to hash the original data. 208 * \param f_rng_blind The RNG function used for blinding. This must not be 209 * \c NULL. 210 * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be 211 * \c NULL if \p f_rng doesn't need a context parameter. 212 * 213 * \return \c 0 on success. 214 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 215 * error code on failure. 216 */ 217 int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r, 218 mbedtls_mpi *s, const mbedtls_mpi *d, 219 const unsigned char *buf, size_t blen, 220 mbedtls_md_type_t md_alg, 221 int (*f_rng_blind)(void *, unsigned char *, size_t), 222 void *p_rng_blind); 223 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 224 225 #if !defined(MBEDTLS_ECDSA_SIGN_ALT) 226 /** 227 * \brief This function computes the ECDSA signature of a 228 * previously-hashed message, in a restartable way. 229 * 230 * \note The deterministic version implemented in 231 * mbedtls_ecdsa_sign_det_restartable() is usually 232 * preferred. 233 * 234 * \note This function is like \c mbedtls_ecdsa_sign() but 235 * it can return early and restart according to the 236 * limit set with \c mbedtls_ecp_set_max_ops() to 237 * reduce blocking. 238 * 239 * \note If the bitlength of the message hash is larger 240 * than the bitlength of the group order, then the 241 * hash is truncated as defined in <em>Standards for 242 * Efficient Cryptography Group (SECG): SEC1 Elliptic 243 * Curve Cryptography</em>, section 4.1.3, step 5. 244 * 245 * \see ecp.h 246 * 247 * \param grp The context for the elliptic curve to use. 248 * This must be initialized and have group parameters 249 * set, for example through mbedtls_ecp_group_load(). 250 * \param r The MPI context in which to store the first part 251 * the signature. This must be initialized. 252 * \param s The MPI context in which to store the second part 253 * the signature. This must be initialized. 254 * \param d The private signing key. This must be initialized 255 * and setup, for example through 256 * mbedtls_ecp_gen_privkey(). 257 * \param buf The hashed content to be signed. This must be a readable 258 * buffer of length \p blen Bytes. It may be \c NULL if 259 * \p blen is zero. 260 * \param blen The length of \p buf in Bytes. 261 * \param f_rng The RNG function. This must not be \c NULL. 262 * \param p_rng The RNG context to be passed to \p f_rng. This may be 263 * \c NULL if \p f_rng doesn't need a context parameter. 264 * \param f_rng_blind The RNG function used for blinding. This must not be 265 * \c NULL. 266 * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be 267 * \c NULL if \p f_rng doesn't need a context parameter. 268 * \param rs_ctx The restart context to use. This may be \c NULL 269 * to disable restarting. If it is not \c NULL, it 270 * must point to an initialized restart context. 271 * 272 * \return \c 0 on success. 273 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 274 * operations was reached: see \c 275 * mbedtls_ecp_set_max_ops(). 276 * \return Another \c MBEDTLS_ERR_ECP_XXX, \c 277 * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX 278 * error code on failure. 279 */ 280 int mbedtls_ecdsa_sign_restartable( 281 mbedtls_ecp_group *grp, 282 mbedtls_mpi *r, mbedtls_mpi *s, 283 const mbedtls_mpi *d, 284 const unsigned char *buf, size_t blen, 285 int (*f_rng)(void *, unsigned char *, size_t), 286 void *p_rng, 287 int (*f_rng_blind)(void *, unsigned char *, size_t), 288 void *p_rng_blind, 289 mbedtls_ecdsa_restart_ctx *rs_ctx); 290 291 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 292 293 /** 294 * \brief This function computes the ECDSA signature of a 295 * previously-hashed message, in a restartable way. 296 * 297 * \note This function is like \c 298 * mbedtls_ecdsa_sign_det_ext() but it can return 299 * early and restart according to the limit set with 300 * \c mbedtls_ecp_set_max_ops() to reduce blocking. 301 * 302 * \note If the bitlength of the message hash is larger 303 * than the bitlength of the group order, then the 304 * hash is truncated as defined in <em>Standards for 305 * Efficient Cryptography Group (SECG): SEC1 Elliptic 306 * Curve Cryptography</em>, section 4.1.3, step 5. 307 * 308 * \see ecp.h 309 * 310 * \param grp The context for the elliptic curve to use. 311 * This must be initialized and have group parameters 312 * set, for example through mbedtls_ecp_group_load(). 313 * \param r The MPI context in which to store the first part 314 * the signature. This must be initialized. 315 * \param s The MPI context in which to store the second part 316 * the signature. This must be initialized. 317 * \param d The private signing key. This must be initialized 318 * and setup, for example through 319 * mbedtls_ecp_gen_privkey(). 320 * \param buf The hashed content to be signed. This must be a readable 321 * buffer of length \p blen Bytes. It may be \c NULL if 322 * \p blen is zero. 323 * \param blen The length of \p buf in Bytes. 324 * \param f_rng_blind The RNG function used for blinding. This must not be 325 * \c NULL. 326 * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be 327 * \c NULL if \p f_rng doesn't need a context parameter. 328 * \param rs_ctx The restart context to use. This may be \c NULL 329 * to disable restarting. If it is not \c NULL, it 330 * must point to an initialized restart context. 331 * 332 * \return \c 0 on success. 333 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 334 * operations was reached: see \c 335 * mbedtls_ecp_set_max_ops(). 336 * \return Another \c MBEDTLS_ERR_ECP_XXX, \c 337 * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX 338 * error code on failure. 339 */ 340 int mbedtls_ecdsa_sign_det_restartable( 341 mbedtls_ecp_group *grp, 342 mbedtls_mpi *r, mbedtls_mpi *s, 343 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 344 mbedtls_md_type_t md_alg, 345 int (*f_rng_blind)(void *, unsigned char *, size_t), 346 void *p_rng_blind, 347 mbedtls_ecdsa_restart_ctx *rs_ctx); 348 349 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 350 351 #endif /* !MBEDTLS_ECDSA_SIGN_ALT */ 352 353 /** 354 * \brief This function verifies the ECDSA signature of a 355 * previously-hashed message. 356 * 357 * \note If the bitlength of the message hash is larger than the 358 * bitlength of the group order, then the hash is truncated as 359 * defined in <em>Standards for Efficient Cryptography Group 360 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 361 * 4.1.4, step 3. 362 * 363 * \see ecp.h 364 * 365 * \param grp The ECP group to use. 366 * This must be initialized and have group parameters 367 * set, for example through mbedtls_ecp_group_load(). 368 * \param buf The hashed content that was signed. This must be a readable 369 * buffer of length \p blen Bytes. It may be \c NULL if 370 * \p blen is zero. 371 * \param blen The length of \p buf in Bytes. 372 * \param Q The public key to use for verification. This must be 373 * initialized and setup. 374 * \param r The first integer of the signature. 375 * This must be initialized. 376 * \param s The second integer of the signature. 377 * This must be initialized. 378 * 379 * \return \c 0 on success. 380 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 381 * error code on failure. 382 */ 383 int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp, 384 const unsigned char *buf, size_t blen, 385 const mbedtls_ecp_point *Q, const mbedtls_mpi *r, 386 const mbedtls_mpi *s); 387 388 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT) 389 /** 390 * \brief This function verifies the ECDSA signature of a 391 * previously-hashed message, in a restartable manner 392 * 393 * \note If the bitlength of the message hash is larger than the 394 * bitlength of the group order, then the hash is truncated as 395 * defined in <em>Standards for Efficient Cryptography Group 396 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 397 * 4.1.4, step 3. 398 * 399 * \see ecp.h 400 * 401 * \param grp The ECP group to use. 402 * This must be initialized and have group parameters 403 * set, for example through mbedtls_ecp_group_load(). 404 * \param buf The hashed content that was signed. This must be a readable 405 * buffer of length \p blen Bytes. It may be \c NULL if 406 * \p blen is zero. 407 * \param blen The length of \p buf in Bytes. 408 * \param Q The public key to use for verification. This must be 409 * initialized and setup. 410 * \param r The first integer of the signature. 411 * This must be initialized. 412 * \param s The second integer of the signature. 413 * This must be initialized. 414 * \param rs_ctx The restart context to use. This may be \c NULL to disable 415 * restarting. If it is not \c NULL, it must point to an 416 * initialized restart context. 417 * 418 * \return \c 0 on success. 419 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 420 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 421 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 422 * error code on failure. 423 */ 424 int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp, 425 const unsigned char *buf, size_t blen, 426 const mbedtls_ecp_point *Q, 427 const mbedtls_mpi *r, 428 const mbedtls_mpi *s, 429 mbedtls_ecdsa_restart_ctx *rs_ctx); 430 431 #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ 432 433 /** 434 * \brief This function computes the ECDSA signature and writes it 435 * to a buffer, serialized as defined in <em>RFC-4492: 436 * Elliptic Curve Cryptography (ECC) Cipher Suites for 437 * Transport Layer Security (TLS)</em>. 438 * 439 * \warning It is not thread-safe to use the same context in 440 * multiple threads. 441 * 442 * \note The deterministic version is used if 443 * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more 444 * information, see <em>RFC-6979: Deterministic Usage 445 * of the Digital Signature Algorithm (DSA) and Elliptic 446 * Curve Digital Signature Algorithm (ECDSA)</em>. 447 * 448 * \note If the bitlength of the message hash is larger than the 449 * bitlength of the group order, then the hash is truncated as 450 * defined in <em>Standards for Efficient Cryptography Group 451 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 452 * 4.1.3, step 5. 453 * 454 * \see ecp.h 455 * 456 * \param ctx The ECDSA context to use. This must be initialized 457 * and have a group and private key bound to it, for example 458 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 459 * \param md_alg The message digest that was used to hash the message. 460 * \param hash The message hash to be signed. This must be a readable 461 * buffer of length \p blen Bytes. 462 * \param hlen The length of the hash \p hash in Bytes. 463 * \param sig The buffer to which to write the signature. This must be a 464 * writable buffer of length at least twice as large as the 465 * size of the curve used, plus 9. For example, 73 Bytes if 466 * a 256-bit curve is used. A buffer length of 467 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 468 * \param sig_size The size of the \p sig buffer in bytes. 469 * \param slen The address at which to store the actual length of 470 * the signature written. Must not be \c NULL. 471 * \param f_rng The RNG function. This must not be \c NULL if 472 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 473 * it is used only for blinding and may be set to \c NULL, but 474 * doing so is DEPRECATED. 475 * \param p_rng The RNG context to be passed to \p f_rng. This may be 476 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 477 * 478 * \return \c 0 on success. 479 * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 480 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 481 */ 482 int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx, 483 mbedtls_md_type_t md_alg, 484 const unsigned char *hash, size_t hlen, 485 unsigned char *sig, size_t sig_size, size_t *slen, 486 int (*f_rng)(void *, unsigned char *, size_t), 487 void *p_rng); 488 489 /** 490 * \brief This function computes the ECDSA signature and writes it 491 * to a buffer, in a restartable way. 492 * 493 * \see \c mbedtls_ecdsa_write_signature() 494 * 495 * \note This function is like \c mbedtls_ecdsa_write_signature() 496 * but it can return early and restart according to the limit 497 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 498 * 499 * \param ctx The ECDSA context to use. This must be initialized 500 * and have a group and private key bound to it, for example 501 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 502 * \param md_alg The message digest that was used to hash the message. 503 * \param hash The message hash to be signed. This must be a readable 504 * buffer of length \p blen Bytes. 505 * \param hlen The length of the hash \p hash in Bytes. 506 * \param sig The buffer to which to write the signature. This must be a 507 * writable buffer of length at least twice as large as the 508 * size of the curve used, plus 9. For example, 73 Bytes if 509 * a 256-bit curve is used. A buffer length of 510 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 511 * \param sig_size The size of the \p sig buffer in bytes. 512 * \param slen The address at which to store the actual length of 513 * the signature written. Must not be \c NULL. 514 * \param f_rng The RNG function. This must not be \c NULL if 515 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 516 * it is unused and may be set to \c NULL. 517 * \param p_rng The RNG context to be passed to \p f_rng. This may be 518 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 519 * \param rs_ctx The restart context to use. This may be \c NULL to disable 520 * restarting. If it is not \c NULL, it must point to an 521 * initialized restart context. 522 * 523 * \return \c 0 on success. 524 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 525 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 526 * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 527 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 528 */ 529 int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx, 530 mbedtls_md_type_t md_alg, 531 const unsigned char *hash, size_t hlen, 532 unsigned char *sig, size_t sig_size, size_t *slen, 533 int (*f_rng)(void *, unsigned char *, size_t), 534 void *p_rng, 535 mbedtls_ecdsa_restart_ctx *rs_ctx); 536 537 /** 538 * \brief This function reads and verifies an ECDSA signature. 539 * 540 * \note If the bitlength of the message hash is larger than the 541 * bitlength of the group order, then the hash is truncated as 542 * defined in <em>Standards for Efficient Cryptography Group 543 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 544 * 4.1.4, step 3. 545 * 546 * \see ecp.h 547 * 548 * \param ctx The ECDSA context to use. This must be initialized 549 * and have a group and public key bound to it. 550 * \param hash The message hash that was signed. This must be a readable 551 * buffer of length \p size Bytes. 552 * \param hlen The size of the hash \p hash. 553 * \param sig The signature to read and verify. This must be a readable 554 * buffer of length \p slen Bytes. 555 * \param slen The size of \p sig in Bytes. 556 * 557 * \return \c 0 on success. 558 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 559 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 560 * signature in \p sig, but its length is less than \p siglen. 561 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 562 * error code on failure for any other reason. 563 */ 564 int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx, 565 const unsigned char *hash, size_t hlen, 566 const unsigned char *sig, size_t slen); 567 568 /** 569 * \brief This function reads and verifies an ECDSA signature, 570 * in a restartable way. 571 * 572 * \see \c mbedtls_ecdsa_read_signature() 573 * 574 * \note This function is like \c mbedtls_ecdsa_read_signature() 575 * but it can return early and restart according to the limit 576 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 577 * 578 * \param ctx The ECDSA context to use. This must be initialized 579 * and have a group and public key bound to it. 580 * \param hash The message hash that was signed. This must be a readable 581 * buffer of length \p size Bytes. 582 * \param hlen The size of the hash \p hash. 583 * \param sig The signature to read and verify. This must be a readable 584 * buffer of length \p slen Bytes. 585 * \param slen The size of \p sig in Bytes. 586 * \param rs_ctx The restart context to use. This may be \c NULL to disable 587 * restarting. If it is not \c NULL, it must point to an 588 * initialized restart context. 589 * 590 * \return \c 0 on success. 591 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 592 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 593 * signature in \p sig, but its length is less than \p siglen. 594 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 595 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 596 * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 597 * error code on failure for any other reason. 598 */ 599 int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx, 600 const unsigned char *hash, size_t hlen, 601 const unsigned char *sig, size_t slen, 602 mbedtls_ecdsa_restart_ctx *rs_ctx); 603 604 /** 605 * \brief This function generates an ECDSA keypair on the given curve. 606 * 607 * \see ecp.h 608 * 609 * \param ctx The ECDSA context to store the keypair in. 610 * This must be initialized. 611 * \param gid The elliptic curve to use. One of the various 612 * \c MBEDTLS_ECP_DP_XXX macros depending on configuration. 613 * \param f_rng The RNG function to use. This must not be \c NULL. 614 * \param p_rng The RNG context to be passed to \p f_rng. This may be 615 * \c NULL if \p f_rng doesn't need a context argument. 616 * 617 * \return \c 0 on success. 618 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 619 */ 620 int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, 621 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); 622 623 /** 624 * \brief This function sets up an ECDSA context from an EC key pair. 625 * 626 * \see ecp.h 627 * 628 * \param ctx The ECDSA context to setup. This must be initialized. 629 * \param key The EC key to use. This must be initialized and hold 630 * a private-public key pair or a public key. In the former 631 * case, the ECDSA context may be used for signature creation 632 * and verification after this call. In the latter case, it 633 * may be used for signature verification. 634 * 635 * \return \c 0 on success. 636 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 637 */ 638 int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, 639 const mbedtls_ecp_keypair *key); 640 641 /** 642 * \brief This function initializes an ECDSA context. 643 * 644 * \param ctx The ECDSA context to initialize. 645 * This must not be \c NULL. 646 */ 647 void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx); 648 649 /** 650 * \brief This function frees an ECDSA context. 651 * 652 * \param ctx The ECDSA context to free. This may be \c NULL, 653 * in which case this function does nothing. If it 654 * is not \c NULL, it must be initialized. 655 */ 656 void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx); 657 658 #if defined(MBEDTLS_ECP_RESTARTABLE) 659 /** 660 * \brief Initialize a restart context. 661 * 662 * \param ctx The restart context to initialize. 663 * This must not be \c NULL. 664 */ 665 void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx); 666 667 /** 668 * \brief Free the components of a restart context. 669 * 670 * \param ctx The restart context to free. This may be \c NULL, 671 * in which case this function does nothing. If it 672 * is not \c NULL, it must be initialized. 673 */ 674 void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx); 675 #endif /* MBEDTLS_ECP_RESTARTABLE */ 676 677 #ifdef __cplusplus 678 } 679 #endif 680 681 #endif /* ecdsa.h */ 682
