mbedtls/include/mbedtls/ecp.h

1174 lines
51 KiB
C
Raw Normal View History

2012-10-31 09:26:55 +01:00
/**
* \file ecp.h
*
* \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
2012-10-31 09:26:55 +01:00
*
* The use of ECP in cryptography and TLS is defined in
* <em>Standards for Efficient Cryptography Group (SECG): SEC1
* Elliptic Curve Cryptography</em> and
2018-04-17 11:56:55 +02:00
* <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
* for Transport Layer Security (TLS)</em>.
*
2018-04-17 11:56:55 +02:00
* <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
* group types.
*
*/
2018-04-17 11:56:55 +02:00
/*
2018-04-17 11:56:55 +02:00
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
2015-09-04 14:21:07 +02:00
* SPDX-License-Identifier: Apache-2.0
2012-10-31 09:26:55 +01:00
*
2015-09-04 14:21:07 +02:00
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
2012-10-31 09:26:55 +01:00
*
2015-09-04 14:21:07 +02:00
* http://www.apache.org/licenses/LICENSE-2.0
2012-10-31 09:26:55 +01:00
*
2015-09-04 14:21:07 +02:00
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
2012-10-31 09:26:55 +01:00
*
2018-04-17 11:56:55 +02:00
* This file is part of Mbed TLS (https://tls.mbed.org)
2012-10-31 09:26:55 +01:00
*/
#ifndef MBEDTLS_ECP_H
#define MBEDTLS_ECP_H
2012-10-31 09:26:55 +01:00
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
2013-10-03 11:50:39 +02:00
#include "bignum.h"
2012-10-31 09:26:55 +01:00
/*
2012-11-05 10:06:12 +01:00
* ECP error codes
2012-10-31 09:26:55 +01:00
*/
#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */
#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */
2018-04-23 17:12:42 +02:00
#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80 /**< The requested feature is not available, for example, the requested curve is not supported. */
#define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */
#define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80 /**< Memory allocation failed. */
2018-04-17 11:56:55 +02:00
#define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as ephemeral key, failed. */
#define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */
#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< The buffer contains a valid signature followed by more data. */
/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
2018-04-17 11:56:55 +02:00
#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< The ECP hardware accelerator failed. */
2018-10-15 13:22:41 +02:00
#define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00 /**< Operation in progress, call again with the same parameters to continue. */
#ifdef __cplusplus
extern "C" {
#endif
/**
* Domain-parameter identifiers: curve, subgroup, and generator.
*
2018-04-17 11:56:55 +02:00
* \note Only curves over prime fields are supported.
*
* \warning This library does not support validation of arbitrary domain
* parameters. Therefore, only standardized domain parameters from trusted
* sources should be used. See mbedtls_ecp_group_load().
*/
typedef enum
{
2018-04-17 11:56:55 +02:00
MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
2018-04-17 11:56:55 +02:00
MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */
MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */
MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */
MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */
2018-04-17 11:56:55 +02:00
MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
} mbedtls_ecp_group_id;
/**
* The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
2013-12-03 14:12:26 +01:00
*
2018-04-17 11:56:55 +02:00
* \note Montgomery curves are currently excluded.
*/
#define MBEDTLS_ECP_DP_MAX 12
/*
* Curve types
*/
typedef enum
{
MBEDTLS_ECP_TYPE_NONE = 0,
MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */
MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */
} mbedtls_ecp_curve_type;
/**
2018-04-17 11:56:55 +02:00
* Curve information, for use by other modules.
*/
typedef struct mbedtls_ecp_curve_info
{
2018-04-17 11:56:55 +02:00
mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
uint16_t bit_size; /*!< The curve size in bits. */
2018-04-17 11:56:55 +02:00
const char *name; /*!< A human-friendly name. */
} mbedtls_ecp_curve_info;
2012-10-31 09:26:55 +01:00
/**
* \brief The ECP point structure, in Jacobian coordinates.
*
* \note All functions expect and return points satisfying
* the following condition: <code>Z == 0</code> or
* <code>Z == 1</code>. Other values of \p Z are
* used only by internal functions.
* The point is zero, or "at infinity", if <code>Z == 0</code>.
* Otherwise, \p X and \p Y are its standard (affine)
* coordinates.
2012-10-31 09:26:55 +01:00
*/
typedef struct mbedtls_ecp_point
2012-10-31 09:26:55 +01:00
{
2018-04-17 11:56:55 +02:00
mbedtls_mpi X; /*!< The X coordinate of the ECP point. */
mbedtls_mpi Y; /*!< The Y coordinate of the ECP point. */
mbedtls_mpi Z; /*!< The Z coordinate of the ECP point. */
2012-10-31 09:26:55 +01:00
}
mbedtls_ecp_point;
2012-10-31 09:26:55 +01:00
#if !defined(MBEDTLS_ECP_ALT)
/*
* default mbed TLS elliptic curve arithmetic implementation
2012-11-18 13:19:07 +01:00
*
* (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
* alternative implementation for the whole module and it will replace this
* one.)
2012-10-31 09:26:55 +01:00
*/
/**
2018-04-17 11:56:55 +02:00
* \brief The ECP group structure.
*
* We consider two types of curve equations:
* <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
2018-04-17 11:56:55 +02:00
* (SEC1 + RFC-4492)</li>
* <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
* Curve448)</li></ul>
* In both cases, the generator (\p G) for a prime-order subgroup is fixed.
2012-10-31 09:26:55 +01:00
*
2018-04-17 11:56:55 +02:00
* For Short Weierstrass, this subgroup is the whole curve, and its
* cardinality is denoted by \p N. Our code requires that \p N is an
* odd prime as mbedtls_ecp_mul() requires an odd number, and
* mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
*
* For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
* which is the quantity used in the formulas. Additionally, \p nbits is
* not the size of \p N but the required size for private keys.
*
* If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
* Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
* range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
* which is congruent mod \p P to the given MPI, and is close enough to \p pbits
* in size, so that it may be efficiently brought in the 0..P-1 range by a few
* additions or subtractions. Therefore, it is only an approximative modular
* reduction. It must return 0 on success and non-zero on failure.
*
* \note Alternative implementations must keep the group IDs distinct. If
* two group structures have the same ID, then they must be
* identical.
*
*/
typedef struct mbedtls_ecp_group
{
2018-04-17 11:56:55 +02:00
mbedtls_ecp_group_id id; /*!< An internal group identifier. */
mbedtls_mpi P; /*!< The prime modulus of the base field. */
mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For
Montgomery curves: <code>(A + 2) / 4</code>. */
mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
For Montgomery curves: unused. */
mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
2018-04-17 11:56:55 +02:00
mbedtls_mpi N; /*!< The order of \p G. */
size_t pbits; /*!< The number of bits in \p P.*/
size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P.
For Montgomery curves: the number of bits in the
private keys. */
2018-04-17 11:56:55 +02:00
unsigned int h; /*!< \internal 1 if the constants are static. */
int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
mod \p P (see above).*/
2018-04-17 11:56:55 +02:00
int (*t_pre)(mbedtls_ecp_point *, void *); /*!< Unused. */
int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
void *t_data; /*!< Unused. */
mbedtls_ecp_point *T; /*!< Pre-computed points for ecp_mul_comb(). */
size_t T_size; /*!< The number of pre-computed points. */
}
mbedtls_ecp_group;
/**
* \name SECTION: Module settings
*
* The configuration options you can set for this module are in this section.
* Either change them in config.h, or define them using the compiler command line.
* \{
*/
#if !defined(MBEDTLS_ECP_MAX_BITS)
/**
* The maximum size of the groups, that is, of \c N and \c P.
*/
#define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */
#endif
#define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
#define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 )
#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
/*
* Maximum "window" size used for point multiplication.
* Default: 6.
* Minimum value: 2. Maximum value: 7.
*
* Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
* points used for point multiplication. This value is directly tied to EC
* peak memory usage, so decreasing it by one should roughly cut memory usage
* by two (if large curves are in use).
*
* Reduction in size may reduce speed, but larger curves are impacted first.
* Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
* w-size: 6 5 4 3 2
* 521 145 141 135 120 97
* 384 214 209 198 177 146
* 256 320 320 303 262 226
* 224 475 475 453 398 342
* 192 640 640 633 587 476
*/
#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */
#endif /* MBEDTLS_ECP_WINDOW_SIZE */
#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
/*
* Trade memory for speed on fixed-point multiplication.
*
* This speeds up repeated multiplication of the generator (that is, the
* multiplication in ECDSA signatures, and half of the multiplications in
* ECDSA verification and ECDHE) by a factor roughly 3 to 4.
*
* The cost is increasing EC peak memory usage by a factor roughly 2.
*
* Change this value to 0 to reduce peak memory usage.
*/
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */
#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
/* \} name SECTION: Module settings */
#else /* MBEDTLS_ECP_ALT */
#include "ecp_alt.h"
#endif /* MBEDTLS_ECP_ALT */
#if defined(MBEDTLS_ECP_RESTARTABLE)
2017-04-20 09:31:00 +02:00
/**
* \brief Internal restart context for multiplication
*
* \note Opaque struct
*/
typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
/**
* \brief Internal restart context for ecp_muladd()
*
* \note Opaque struct
*/
typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
/**
* \brief General context for resuming ECC operations
*/
typedef struct
{
unsigned ops_done; /*!< current ops count */
unsigned depth; /*!< call depth (0 = top-level) */
mbedtls_ecp_restart_mul_ctx *rsm; /*!< ecp_mul_comb() sub-context */
mbedtls_ecp_restart_muladd_ctx *ma; /*!< ecp_muladd() sub-context */
} mbedtls_ecp_restart_ctx;
/*
* Operation counts for restartable functions
*/
#define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */
#define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */
#define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */
#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */
/**
* \brief Internal; for restartable functions in other modules.
* Check and update basic ops budget.
*
* \param grp Group structure
* \param rs_ctx Restart context
* \param ops Number of basic ops to do
*
* \return \c 0 if doing \p ops basic ops is still allowed,
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
*/
int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
mbedtls_ecp_restart_ctx *rs_ctx,
unsigned ops );
/* Utility macro for checking and updating ops budget */
#define MBEDTLS_ECP_BUDGET( ops ) \
MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
(unsigned) (ops) ) );
#else /* MBEDTLS_ECP_RESTARTABLE */
#define MBEDTLS_ECP_BUDGET( ops ) /* no-op; for compatibility */
/* We want to declare restartable versions of existing functions anyway */
typedef void mbedtls_ecp_restart_ctx;
#endif /* MBEDTLS_ECP_RESTARTABLE */
/**
* \brief The ECP key-pair structure.
*
* A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
*
* \note Members are deliberately in the same order as in the
* ::mbedtls_ecdsa_context structure.
*/
typedef struct mbedtls_ecp_keypair
{
mbedtls_ecp_group grp; /*!< Elliptic curve and base point */
mbedtls_mpi d; /*!< our secret value */
mbedtls_ecp_point Q; /*!< our public value */
}
mbedtls_ecp_keypair;
/*
* Point formats, from RFC 4492's enum ECPointFormat
*/
2018-04-17 11:56:55 +02:00
#define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format. */
#define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format. */
/*
* Some other constants from RFC 4492
*/
2018-04-17 11:56:55 +02:00
#define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
#if defined(MBEDTLS_ECP_RESTARTABLE)
/**
* \brief Set the maximum number of basic operations done in a row.
*
* If more operations are needed to complete a computation,
* #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
* function performing the computation. It is then the
* caller's responsibility to either call again with the same
2017-08-23 14:30:36 +02:00
* parameters until it returns 0 or an error code; or to free
* the restart context if the operation is to be aborted.
*
2017-08-23 14:30:36 +02:00
* It is strictly required that all input parameters and the
* restart context be the same on successive calls for the
* same operation, but output parameters need not be the
* same; they must not be used until the function finally
* returns 0.
*
* This only applies to functions whose documentation mentions
* they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
* `MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS` for functions in the
* Mbed TLS SSL module). For functions that accept a "restart
* context" argument, passing NULL disables restart and makes
* the function equivalent to the function with the same name
* with \c _restartable removed. For functions in the ECDH
* module, restart is disabled unless the function accepts an
* "ECDH context" argument and mbedtls_ecdh_enable_restart()
* was previously called on that context. For function in the
* Mbed TLS SSL module, restart is only enabled for specific
* sides and key exchanges (currently only for clients and
* ECDHE-ECDSA).
*
* \param max_ops Maximum number of basic operations done in a row.
* Default: 0 (unlimited).
* Lower (non-zero) values mean ECC functions will block for
* a lesser maximum amount of time.
*
* \note A "basic operation" is defined as a rough equivalent of a
* multiplication in GF(p) for the NIST P-256 curve.
* As an indication, with default settings, a scalar
* multiplication (full run of \c mbedtls_ecp_mul()) is:
* - about 3300 basic operations for P-256
* - about 9400 basic operations for P-384
*
* \note Very low values are not always respected: sometimes
* functions need to block for a minimum number of
* operations, and will do so even if max_ops is set to a
* lower value. That minimum depends on the curve size, and
* can be made lower by decreasing the value of
2017-08-23 14:30:36 +02:00
* \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the
* lowest effective value for various curves and values of
* that parameter (w for short):
* w=6 w=5 w=4 w=3 w=2
* P-256 208 208 160 136 124
* P-384 682 416 320 272 248
* P-521 1364 832 640 544 496
*
* \note This setting is currently ignored by Curve25519.
*/
void mbedtls_ecp_set_max_ops( unsigned max_ops );
/**
* \brief Check if restart is enabled (max_ops != 0)
*
* \return \c 0 if \c max_ops == 0 (restart disabled)
* \return \c 1 otherwise (restart enabled)
*/
2018-10-16 10:41:31 +02:00
int mbedtls_ecp_restart_is_enabled( void );
#endif /* MBEDTLS_ECP_RESTARTABLE */
/*
* Get the type of a curve
*/
mbedtls_ecp_curve_type mbedtls_ecp_get_type( const mbedtls_ecp_group *grp );
/**
2018-04-17 11:56:55 +02:00
* \brief This function retrieves the information defined in
* mbedtls_ecp_curve_info() for all supported curves in order
2018-04-17 11:56:55 +02:00
* of preference.
*
2018-04-17 11:56:55 +02:00
* \return A statically allocated array. The last entry is 0.
*/
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
2014-02-04 14:48:50 +01:00
/**
* \brief This function retrieves the list of internal group
* identifiers of all supported curves in the order of
* preference.
2014-02-04 14:48:50 +01:00
*
* \return A statically allocated array,
* terminated with MBEDTLS_ECP_DP_NONE.
2014-02-04 14:48:50 +01:00
*/
const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
2014-02-04 14:48:50 +01:00
2013-10-23 20:19:57 +02:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function retrieves curve information from an internal
* group identifier.
2013-10-23 20:19:57 +02:00
*
2018-04-17 11:56:55 +02:00
* \param grp_id An \c MBEDTLS_ECP_DP_XXX value.
2013-10-23 20:19:57 +02:00
*
* \return The associated curve information on success.
* \return NULL on failure.
2013-10-23 20:19:57 +02:00
*/
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
2013-10-23 20:19:57 +02:00
/**
* \brief This function retrieves curve information from a TLS
2018-04-17 11:56:55 +02:00
* NamedCurve value.
2013-10-23 20:19:57 +02:00
*
2018-04-17 11:56:55 +02:00
* \param tls_id An \c MBEDTLS_ECP_DP_XXX value.
2013-10-23 20:19:57 +02:00
*
* \return The associated curve information on success.
* \return NULL on failure.
2013-10-23 20:19:57 +02:00
*/
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
2013-10-23 20:19:57 +02:00
2013-11-30 15:10:14 +01:00
/**
* \brief This function retrieves curve information from a
2018-04-17 11:56:55 +02:00
* human-readable name.
2013-11-30 15:10:14 +01:00
*
2018-04-17 11:56:55 +02:00
* \param name The human-readable name.
2013-11-30 15:10:14 +01:00
*
* \return The associated curve information on success.
* \return NULL on failure.
2013-11-30 15:10:14 +01:00
*/
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
2013-11-30 15:10:14 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function initializes a point as zero.
*
* \param pt The point to initialize.
*/
void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
/**
* \brief This function initializes an ECP group context
* without loading any domain parameters.
*
* \note After this function is called, domain parameters
* for various ECP groups can be loaded through the
2018-11-07 22:06:48 +01:00
* mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
* functions.
*/
void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
/**
2018-04-17 11:56:55 +02:00
* \brief This function initializes a key pair as an invalid one.
*
* \param key The key pair to initialize.
*/
void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
2012-11-02 09:40:25 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function frees the components of a point.
*
* \param pt The point to free.
2012-11-02 09:40:25 +01:00
*/
void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
2012-11-02 09:40:25 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function frees the components of an ECP group.
*
* \param grp The group to free. This may be \c NULL, in which
* case this function returns immediately. If it is not
* \c NULL, it must point to an initialized ECP group.
2012-11-02 09:40:25 +01:00
*/
void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
2012-11-02 09:40:25 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function frees the components of a key pair.
*
* \param key The key pair to free. This may be \c NULL, in which
* case this function returns immediately. If it is not
* \c NULL, it must point to an initialized ECP key pair.
*/
void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
#if defined(MBEDTLS_ECP_RESTARTABLE)
/**
* \brief Initialize a restart context.
*
* \param ctx The restart context to initialize. This must
* not be \c NULL.
*/
void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );
/**
* \brief Free the components of a restart context.
*
* \param ctx The restart context to free. This may be \c NULL, in which
* case this function returns immediately. If it is not
* \c NULL, it must point to an initialized restart context.
*/
void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );
#endif /* MBEDTLS_ECP_RESTARTABLE */
/**
* \brief This function copies the contents of point \p Q into
2018-04-17 11:56:55 +02:00
* point \p P.
*
* \param P The destination point. This must be initialized.
* \param Q The source point. This must be initialized.
2013-01-26 16:05:22 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return Another negative error code for other kinds of failure.
*/
int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
2013-01-26 16:05:22 +01:00
/**
* \brief This function copies the contents of group \p src into
2018-04-17 11:56:55 +02:00
* group \p dst.
2013-01-26 16:05:22 +01:00
*
* \param dst The destination group. This must be initialized.
* \param src The source group. This must be initialized.
2013-01-26 16:05:22 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return Another negative error code on other kinds of failure.
2013-01-26 16:05:22 +01:00
*/
int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,
const mbedtls_ecp_group *src );
2013-01-26 16:05:22 +01:00
2012-11-02 09:40:25 +01:00
/**
* \brief This function sets a point to the point at infinity.
2012-11-02 09:40:25 +01:00
*
* \param pt The point to set. This must be initialized.
2012-11-02 09:40:25 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return Another negative error code on other kinds of failure.
2012-11-02 09:40:25 +01:00
*/
int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
2012-11-02 09:40:25 +01:00
2013-08-12 15:44:31 +02:00
/**
* \brief This function checks if a point is the point at infinity.
2013-08-12 15:44:31 +02:00
*
* \param pt The point to test. This must be initialized.
2013-08-12 15:44:31 +02:00
*
* \return \c 1 if the point is zero.
* \return \c 0 if the point is non-zero.
* \return A negative error code on failure.
2013-08-12 15:44:31 +02:00
*/
int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
2013-08-12 15:44:31 +02:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function compares two points.
*
2018-04-17 11:56:55 +02:00
* \note This assumes that the points are normalized. Otherwise,
* they may compare as "not equal" even if they are.
*
* \param P The first point to compare. This must be initialized.
* \param Q The second point to compare. This must be initialized.
*
2018-04-17 11:56:55 +02:00
* \return \c 0 if the points are equal.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
*/
int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
const mbedtls_ecp_point *Q );
2012-11-05 13:13:44 +01:00
/**
* \brief This function imports a non-zero point from two ASCII
2018-04-17 11:56:55 +02:00
* strings.
2012-11-05 13:13:44 +01:00
*
* \param P The destination point. This must be initialized.
2018-04-17 11:56:55 +02:00
* \param radix The numeric base of the input.
* \param x The first affine coordinate, as a null-terminated string.
* \param y The second affine coordinate, as a null-terminated string.
2012-11-05 13:13:44 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_MPI_XXX error code on failure.
2012-11-05 13:13:44 +01:00
*/
int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
2012-11-05 13:13:44 +01:00
const char *x, const char *y );
2012-11-24 14:10:14 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function exports a point into unsigned binary data.
2012-11-24 14:10:14 +01:00
*
2018-04-17 11:56:55 +02:00
* \param grp The group to which the point should belong.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param P The point to export. This must be initialized.
* \param format The point format. This must be either
* #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
* (For groups without these formats, this parameter is
* ignored. But it still has to be either of the above
* values.)
* \param olen The address at which to store the length of
* the output in Bytes. This must not be \c NULL.
* \param buf The output buffer. This must be a writable buffer
* of length \p buflen Bytes.
* \param buflen The length of the output buffer \p buf in Bytes.
2012-11-24 14:10:14 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
* is too small to hold the point.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
* or the export for the given group is not implemented.
* \return Another negative error code on other kinds of failure.
2012-11-24 14:10:14 +01:00
*/
int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,
const mbedtls_ecp_point *P,
int format, size_t *olen,
unsigned char *buf, size_t buflen );
2012-11-24 14:10:14 +01:00
2012-11-24 16:19:42 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function imports a point from unsigned binary data.
2012-11-24 16:19:42 +01:00
*
2018-04-17 11:56:55 +02:00
* \note This function does not check that the point actually
* belongs to the given group, see mbedtls_ecp_check_pubkey()
2018-04-17 11:56:55 +02:00
* for that.
2012-11-24 16:19:42 +01:00
*
2018-04-17 11:56:55 +02:00
* \param grp The group to which the point should belong.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param P The destination context to import the point to.
* This must be initialized.
* \param buf The input buffer. This must be a readable buffer
* of length \p ilen Bytes.
* \param ilen The length of the input buffer \p buf in Bytes.
2012-11-24 16:19:42 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the
* given group is not implemented.
2012-11-24 16:19:42 +01:00
*/
int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
mbedtls_ecp_point *P,
const unsigned char *buf, size_t ilen );
2012-11-07 20:24:05 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief This function imports a point from a TLS ECPoint record.
*
* \note On function return, \p *buf is updated to point immediately
* after the ECPoint record.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
2018-04-17 11:56:55 +02:00
* \param pt The destination point.
* \param buf The address of the pointer to the start of the input buffer.
2018-04-17 11:56:55 +02:00
* \param len The length of the buffer.
2014-11-21 09:14:52 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization
* failure.
2018-04-17 11:56:55 +02:00
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
2012-11-07 20:24:05 +01:00
*/
int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
mbedtls_ecp_point *pt,
const unsigned char **buf, size_t len );
2012-11-07 20:24:05 +01:00
2013-02-10 12:06:19 +01:00
/**
* \brief This function exports a point as a TLS ECPoint record
* defined in RFC 4492, Section 5.4.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param pt The point to be exported. This must be initialized.
* \param format The point format to use. This must be either
* #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
* \param olen The address at which to store the length in Bytes
* of the data written.
* \param buf The target buffer. This must be a writable buffer of
* length \p blen Bytes.
* \param blen The length of the target buffer \p buf in Bytes.
2013-02-10 12:06:19 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
* \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
* is too small to hold the exported point.
* \return Another negative error code on other kinds of failure.
2013-02-10 12:06:19 +01:00
*/
int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,
const mbedtls_ecp_point *pt,
int format, size_t *olen,
unsigned char *buf, size_t blen );
2013-02-10 12:06:19 +01:00
/**
* \brief This function sets up an ECP group context
* from a standardized set of domain parameters.
*
2018-04-17 11:56:55 +02:00
* \note The index should be a value of the NamedCurve enum,
* as defined in <em>RFC-4492: Elliptic Curve Cryptography
2018-04-17 11:56:55 +02:00
* (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
* usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
*
* \param grp The group context to setup. This must be initialized.
* \param id The identifier of the domain parameter set to load.
2013-10-23 20:19:57 +02:00
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
* correspond to a known group.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
/**
* \brief This function sets up an ECP group context from a TLS
* ECParameters record as defined in RFC 4492, Section 5.4.
*
* \note The read pointer \p buf is updated to point right after
* the ECParameters record on exit.
*
* \param grp The group context to setup. This must be initialized.
* \param buf The address of the pointer to the start of the input buffer.
* \param len The length of the input buffer \c *buf in Bytes.
2014-11-21 09:14:52 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
* recognized.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
const unsigned char **buf, size_t len );
/**
* \brief This function extracts an elliptic curve group ID from a
* TLS ECParameters record as defined in RFC 4492, Section 5.4.
*
* \note The read pointer \p buf is updated to point right after
* the ECParameters record on exit.
*
* \param grp The address at which to store the group id.
* This must not be \c NULL.
* \param buf The address of the pointer to the start of the input buffer.
* \param len The length of the input buffer \c *buf in Bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
* recognized.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
const unsigned char **buf,
size_t len );
/**
* \brief This function exports an elliptic curve as a TLS
* ECParameters record as defined in RFC 4492, Section 5.4.
*
* \param grp The ECP group to be exported.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param olen The address at which to store the number of Bytes written.
* This must not be \c NULL.
* \param buf The buffer to write to. This must be a writable buffer
* of length \p blen Bytes.
* \param blen The length of the output buffer \p buf in Bytes.
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
* buffer is too small to hold the exported group.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
size_t *olen,
unsigned char *buf, size_t blen );
2012-10-31 09:26:55 +01:00
/**
* \brief This function performs a scalar multiplication of a point
* by an integer: \p R = \p m * \p P.
2018-04-17 11:56:55 +02:00
*
* It is not thread-safe to use same group in multiple threads.
2012-10-31 09:26:55 +01:00
*
2018-04-17 11:56:55 +02:00
* \note To prevent timing attacks, this function
* executes the exact same sequence of base-field
* operations for any valid \p m. It avoids any if-branch or
* array index depending on the value of \p m.
2015-05-11 18:40:45 +02:00
*
2018-04-17 11:56:55 +02:00
* \note If \p f_rng is not NULL, it is used to randomize
* intermediate results to prevent potential timing attacks
* targeting these results. We recommend always providing
* a non-NULL \p f_rng. The overhead is negligible.
2015-05-11 18:40:45 +02:00
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param R The point in which to store the result of the calculation.
* This must be initialized.
* \param m The integer by which to multiply. This must be initialized.
* \param P The point to multiply. This must be initialized.
* \param f_rng The RNG function. This may be \c NULL if randomization
* of intermediate results isn't desired (discouraged).
* \param p_rng The RNG context to be passed to \p p_rng.
2012-10-31 09:26:55 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
* key, or \p P is not a valid public key.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \brief This function performs multiplication of a point by
* an integer: \p R = \p m * \p P in a restartable way.
*
* \see mbedtls_ecp_mul()
*
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \note This function does the same as \c mbedtls_ecp_mul(), but
* it can return early and restart according to the limit set
* with \c mbedtls_ecp_set_max_ops() to reduce blocking.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param R The point in which to store the result of the calculation.
* This must be initialized.
* \param m The integer by which to multiply. This must be initialized.
* \param P The point to multiply. This must be initialized.
* \param f_rng The RNG function. This may be \c NULL if randomization
* of intermediate results isn't desired (discouraged).
* \param p_rng The RNG context to be passed to \p p_rng.
2018-10-15 13:22:41 +02:00
* \param rs_ctx The restart context (NULL disables restart).
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
* key, or \p P is not a valid public key.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
* operations was reached: see \c mbedtls_ecp_set_max_ops().
* \return Another negative error code on other kinds of failure.
2012-10-31 09:26:55 +01:00
*/
int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_ecp_restart_ctx *rs_ctx );
2012-10-31 09:26:55 +01:00
2015-05-11 18:40:45 +02:00
/**
* \brief This function performs multiplication and addition of two
2018-04-17 11:56:55 +02:00
* points by integers: \p R = \p m * \p P + \p n * \p Q
2015-05-11 18:40:45 +02:00
*
2018-04-17 11:56:55 +02:00
* It is not thread-safe to use same group in multiple threads.
2015-05-11 18:40:45 +02:00
*
* \note In contrast to mbedtls_ecp_mul(), this function does not
2018-04-17 11:56:55 +02:00
* guarantee a constant execution flow and timing.
2015-05-11 18:40:45 +02:00
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param R The point in which to store the result of the calculation.
* This must be initialized.
2018-04-17 11:56:55 +02:00
* \param m The integer by which to multiply \p P.
* This must be initialized.
* \param P The point to multiply by \p m. This must be initialized.
2018-04-17 11:56:55 +02:00
* \param n The integer by which to multiply \p Q.
* This must be initialized.
2018-04-17 11:56:55 +02:00
* \param Q The point to be multiplied by \p n.
* This must be initialized.
2015-05-11 18:40:45 +02:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
* valid private keys, or \p P or \p Q are not valid public
2018-04-17 11:56:55 +02:00
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return Another negative error code on other kinds of failure.
2015-05-11 18:40:45 +02:00
*/
int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
/**
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \brief This function performs multiplication and addition of two
* points by integers: \p R = \p m * \p P + \p n * \p Q in a
* restartable way.
*
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \see \c mbedtls_ecp_muladd()
*
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \note This function works the same as \c mbedtls_ecp_muladd(),
* but it can return early and restart according to the limit
* set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param R The point in which to store the result of the calculation.
* This must be initialized.
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \param m The integer by which to multiply \p P.
* This must be initialized.
* \param P The point to multiply by \p m. This must be initialized.
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \param n The integer by which to multiply \p Q.
* This must be initialized.
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \param Q The point to be multiplied by \p n.
* This must be initialized.
2018-10-15 13:22:41 +02:00
* \param rs_ctx The restart context (NULL disables restart).
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
* valid private keys, or \p P or \p Q are not valid public
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
* operations was reached: see \c mbedtls_ecp_set_max_ops().
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_muladd_restartable(
mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
mbedtls_ecp_restart_ctx *rs_ctx );
/**
* \brief This function checks that a point is a valid public key
2018-04-17 11:56:55 +02:00
* on this curve.
*
* It only checks that the point is non-zero, has
* valid coordinates and lies on the curve. It does not verify
* that it is indeed a multiple of \p G. This additional
2018-04-17 11:56:55 +02:00
* check is computationally more expensive, is not required
* by standards, and should not be necessary if the group
* used has a small cofactor. In particular, it is useless for
2018-04-17 11:56:55 +02:00
* the NIST groups which all have a cofactor of 1.
*
* \note This function uses bare components rather than an
* ::mbedtls_ecp_keypair structure, to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
* \param grp The ECP group the point should belong to.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param pt The point to check. This must be initialized.
*
2018-04-17 11:56:55 +02:00
* \return \c 0 if the point is a valid public key.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
* a valid public key for the given curve.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
const mbedtls_ecp_point *pt );
/**
* \brief This function checks that an \p mbedtls_mpi is a
* valid private key for this curve.
*
* \note This function uses bare components rather than an
* ::mbedtls_ecp_keypair structure to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
* \param grp The ECP group the private key should belong to.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param d The integer to check. This must be initialized.
*
2018-04-17 11:56:55 +02:00
* \return \c 0 if the point is a valid private key.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
* private key for the given curve.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
const mbedtls_mpi *d );
/**
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \brief This function generates a private key.
*
* \param grp The ECP group to generate a private key for.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param d The destination MPI (secret part). This must be initialized.
* \param f_rng The RNG function. This must not be \c NULL.
* \param p_rng The RNG parameter to be passed to \p f_rng. This may be
* \c NULL if \p f_rng doesn't need a context argument.
*
Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted Summary of merge conflicts: include/mbedtls/ecdh.h -> documentation style include/mbedtls/ecdsa.h -> documentation style include/mbedtls/ecp.h -> alt style, new error codes, documentation style include/mbedtls/error.h -> new error codes library/error.c -> new error codes (generated anyway) library/ecp.c: - code of an extracted function was changed library/ssl_cli.c: - code addition on one side near code change on the other side (ciphersuite validation) library/x509_crt.c -> various things - top fo file: helper structure added near old zeroize removed - documentation of find_parent_in()'s signature: improved on one side, added arguments on the other side - documentation of find_parent()'s signature: same as above - verify_chain(): variables initialised later to give compiler an opportunity to warn us if not initialised on a code path - find_parent(): funcion structure completely changed, for some reason git tried to insert a paragraph of the old structure... - merge_flags_with_cb(): data structure changed, one line was fixed with a cast to keep MSVC happy, this cast is already in the new version - in verify_restratable(): adjacent independent changes (function signature on one line, variable type on the next) programs/ssl/ssl_client2.c: - testing for IN_PROGRESS return code near idle() (event-driven): don't wait for data in the the socket if ECP_IN_PROGRESS tests/data_files/Makefile: adjacent independent additions tests/suites/test_suite_ecdsa.data: adjacent independent additions tests/suites/test_suite_x509parse.data: adjacent independent additions * development: (1059 commits) Change symlink to hardlink to avoid permission issues Fix out-of-tree testing symlinks on Windows Updated version number to 2.10.0 for release Add a disabled CMAC define in the no-entropy configuration Adapt the ARIA test cases for new ECB function Fix file permissions for ssl.h Add ChangeLog entry for PR#1651 Fix MicroBlaze register typo. Fix typo in doc and copy missing warning Fix edit mistake in cipher_wrap.c Update CTR doc for the 64-bit block cipher Update CTR doc for other 128-bit block ciphers Slightly tune ARIA CTR documentation Remove double declaration of mbedtls_ssl_list_ciphersuites Update CTR documentation Use zeroize function from new platform_util Move to new header style for ALT implementations Add ifdef for selftest in header file Fix typo in comments Use more appropriate type for local variable ...
2018-06-12 12:40:54 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
*/
int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
mbedtls_mpi *d,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
2015-08-11 14:31:03 +02:00
/**
* \brief This function generates a keypair with a configurable base
2018-04-17 11:56:55 +02:00
* point.
2015-08-11 14:31:03 +02:00
*
* \note This function uses bare components rather than an
* ::mbedtls_ecp_keypair structure to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
2015-08-11 14:31:03 +02:00
*
* \param grp The ECP group to generate a key pair for.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param G The base point to use. This must be initialized
* and belong to \p grp. It replaces the default base
* point \c grp->G used by mbedtls_ecp_gen_keypair().
2018-04-17 11:56:55 +02:00
* \param d The destination MPI (secret part).
* This must be initialized.
2018-04-17 11:56:55 +02:00
* \param Q The destination point (public part).
* This must be initialized.
* \param f_rng The RNG function. This must not be \c NULL.
* \param p_rng The RNG context to be passed to \p f_rng. This may
* be \c NULL if \p f_rng doesn't need a context argument.
2015-08-11 14:31:03 +02:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
2015-08-11 14:31:03 +02:00
*/
int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
const mbedtls_ecp_point *G,
mbedtls_mpi *d, mbedtls_ecp_point *Q,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
2015-08-11 14:31:03 +02:00
2013-01-26 14:42:45 +01:00
/**
* \brief This function generates an ECP keypair.
2013-01-26 14:42:45 +01:00
*
* \note This function uses bare components rather than an
* ::mbedtls_ecp_keypair structure to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
2013-01-26 14:42:45 +01:00
*
* \param grp The ECP group to generate a key pair for.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
2018-04-17 11:56:55 +02:00
* \param d The destination MPI (secret part).
* This must be initialized.
2018-04-17 11:56:55 +02:00
* \param Q The destination point (public part).
* This must be initialized.
* \param f_rng The RNG function. This must not be \c NULL.
* \param p_rng The RNG context to be passed to \p f_rng. This may
* be \c NULL if \p f_rng doesn't need a context argument.
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
2013-01-26 14:42:45 +01:00
*/
int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,
mbedtls_ecp_point *Q,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
2013-01-26 14:42:45 +01:00
2013-11-30 14:13:16 +01:00
/**
* \brief This function generates an ECP key.
2013-11-30 14:13:16 +01:00
*
2018-04-17 11:56:55 +02:00
* \param grp_id The ECP group identifier.
* \param key The destination key. This must be initialized.
* \param f_rng The RNG function to use. This must not be \c NULL.
* \param p_rng The RNG context to be passed to \p f_rng. This may
* be \c NULL if \p f_rng doesn't need a context argument.
2013-11-30 14:13:16 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
2013-11-30 14:13:16 +01:00
*/
int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
2013-11-30 14:13:16 +01:00
/**
* \brief This function reads an elliptic curve private key.
*
* \param grp_id The ECP group identifier.
* \param key The destination key.
* \param buf The the buffer containing the binary representation of the
* key. (Big endian integer for Weierstrass curves, byte
* string for Montgomery curves.)
* \param buflen The length of the buffer in bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is
* invalid.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
* the group is not implemented.
* \return Another negative error code on different kinds of failure.
*/
int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
const unsigned char *buf, size_t buflen );
2014-11-06 15:25:32 +01:00
/**
* \brief This function checks that the keypair objects
* \p pub and \p prv have the same group and the
* same public point, and that the private key in
* \p prv is consistent with the public key.
2014-11-06 15:25:32 +01:00
*
* \param pub The keypair structure holding the public key. This
* must be initialized. If it contains a private key, that
* part is ignored.
* \param prv The keypair structure holding the full keypair.
* This must be initialized.
2014-11-06 15:25:32 +01:00
*
* \return \c 0 on success, meaning that the keys are valid and match.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
* \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
* error code on calculation failure.
2014-11-06 15:25:32 +01:00
*/
int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,
const mbedtls_ecp_keypair *prv );
2014-11-06 15:25:32 +01:00
#if defined(MBEDTLS_SELF_TEST)
2012-10-31 09:26:55 +01:00
/**
2018-04-17 11:56:55 +02:00
* \brief The ECP checkup routine.
2012-10-31 09:26:55 +01:00
*
2018-04-17 11:56:55 +02:00
* \return \c 0 on success.
* \return \c 1 on failure.
2012-10-31 09:26:55 +01:00
*/
int mbedtls_ecp_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST */
2012-10-31 09:26:55 +01:00
#ifdef __cplusplus
}
#endif
#endif /* ecp.h */