466 lines
19 KiB
C
Executable File
466 lines
19 KiB
C
Executable File
/**
|
||
* \file ecdh.h
|
||
*
|
||
* \brief This file contains ECDH definitions and functions.
|
||
*
|
||
* The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
|
||
* key agreement protocol allowing two parties to establish a shared
|
||
* secret over an insecure channel. Each party must have an
|
||
* elliptic-curve public–private key pair.
|
||
*
|
||
* For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
|
||
* Pair-Wise Key Establishment Schemes Using Discrete Logarithm
|
||
* Cryptography</em>.
|
||
*/
|
||
/*
|
||
* Copyright The Mbed TLS Contributors
|
||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||
*
|
||
* This file is provided under the Apache License 2.0, or the
|
||
* GNU General Public License v2.0 or later.
|
||
*
|
||
* **********
|
||
* Apache License 2.0:
|
||
*
|
||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||
* not use this file except in compliance with the License.
|
||
* You may obtain a copy of the License at
|
||
*
|
||
* http://www.apache.org/licenses/LICENSE-2.0
|
||
*
|
||
* Unless required by applicable law or agreed to in writing, software
|
||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
* See the License for the specific language governing permissions and
|
||
* limitations under the License.
|
||
*
|
||
* **********
|
||
*
|
||
* **********
|
||
* GNU General Public License v2.0 or later:
|
||
*
|
||
* This program is free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* This program is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU General Public License along
|
||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||
*
|
||
* **********
|
||
*/
|
||
|
||
#ifndef MBEDTLS_ECDH_H
|
||
#define MBEDTLS_ECDH_H
|
||
|
||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||
#include "config.h"
|
||
#else
|
||
#include MBEDTLS_CONFIG_FILE
|
||
#endif
|
||
|
||
#include "ecp.h"
|
||
|
||
/*
|
||
* Use a backward compatible ECDH context.
|
||
*
|
||
* This flag is always enabled for now and future versions might add a
|
||
* configuration option that conditionally undefines this flag.
|
||
* The configuration option in question may have a different name.
|
||
*
|
||
* Features undefining this flag, must have a warning in their description in
|
||
* config.h stating that the feature breaks backward compatibility.
|
||
*/
|
||
#define MBEDTLS_ECDH_LEGACY_CONTEXT
|
||
|
||
#ifdef __cplusplus
|
||
extern "C" {
|
||
#endif
|
||
|
||
/**
|
||
* Defines the source of the imported EC key.
|
||
*/
|
||
typedef enum
|
||
{
|
||
MBEDTLS_ECDH_OURS, /**< Our key. */
|
||
MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
|
||
} mbedtls_ecdh_side;
|
||
|
||
#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||
/**
|
||
* Defines the ECDH implementation used.
|
||
*
|
||
* Later versions of the library may add new variants, therefore users should
|
||
* not make any assumptions about them.
|
||
*/
|
||
typedef enum
|
||
{
|
||
MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */
|
||
MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
|
||
} mbedtls_ecdh_variant;
|
||
|
||
/**
|
||
* The context used by the default ECDH implementation.
|
||
*
|
||
* Later versions might change the structure of this context, therefore users
|
||
* should not make any assumptions about the structure of
|
||
* mbedtls_ecdh_context_mbed.
|
||
*/
|
||
typedef struct mbedtls_ecdh_context_mbed
|
||
{
|
||
mbedtls_ecp_group grp; /*!< The elliptic curve used. */
|
||
mbedtls_mpi d; /*!< The private key. */
|
||
mbedtls_ecp_point Q; /*!< The public key. */
|
||
mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */
|
||
mbedtls_mpi z; /*!< The shared secret. */
|
||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||
mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
|
||
#endif
|
||
} mbedtls_ecdh_context_mbed;
|
||
#endif
|
||
|
||
/**
|
||
*
|
||
* \warning Performing multiple operations concurrently on the same
|
||
* ECDSA context is not supported; objects of this type
|
||
* should not be shared between multiple threads.
|
||
* \brief The ECDH context structure.
|
||
*/
|
||
typedef struct mbedtls_ecdh_context
|
||
{
|
||
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||
mbedtls_ecp_group grp; /*!< The elliptic curve used. */
|
||
mbedtls_mpi d; /*!< The private key. */
|
||
mbedtls_ecp_point Q; /*!< The public key. */
|
||
mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */
|
||
mbedtls_mpi z; /*!< The shared secret. */
|
||
int point_format; /*!< The format of point export in TLS messages. */
|
||
mbedtls_ecp_point Vi; /*!< The blinding value. */
|
||
mbedtls_ecp_point Vf; /*!< The unblinding value. */
|
||
mbedtls_mpi _d; /*!< The previous \p d. */
|
||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||
int restart_enabled; /*!< The flag for restartable mode. */
|
||
mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
|
||
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
||
#else
|
||
uint8_t point_format; /*!< The format of point export in TLS messages
|
||
as defined in RFC 4492. */
|
||
mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
|
||
mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */
|
||
union
|
||
{
|
||
mbedtls_ecdh_context_mbed mbed_ecdh;
|
||
} ctx; /*!< Implementation-specific context. The
|
||
context in use is specified by the \c var
|
||
field. */
|
||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||
uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of
|
||
an alternative implementation not supporting
|
||
restartable mode must return
|
||
MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
|
||
if this flag is set. */
|
||
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
||
#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
|
||
}
|
||
mbedtls_ecdh_context;
|
||
|
||
/**
|
||
* \brief This function generates an ECDH keypair on an elliptic
|
||
* curve.
|
||
*
|
||
* This function performs the first of two core computations
|
||
* implemented during the ECDH key exchange. The second core
|
||
* computation is performed by mbedtls_ecdh_compute_shared().
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param grp The ECP group to use. This must be initialized and have
|
||
* domain parameters loaded, for example through
|
||
* mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
|
||
* \param d The destination MPI (private key).
|
||
* This must be initialized.
|
||
* \param Q The destination point (public key).
|
||
* This must be initialized.
|
||
* \param f_rng The RNG function to use. This must not be \c NULL.
|
||
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
||
* \c NULL in case \p f_rng doesn't need a context argument.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX or
|
||
* \c MBEDTLS_MPI_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
|
||
int (*f_rng)(void *, unsigned char *, size_t),
|
||
void *p_rng );
|
||
|
||
/**
|
||
* \brief This function computes the shared secret.
|
||
*
|
||
* This function performs the second of two core computations
|
||
* implemented during the ECDH key exchange. The first core
|
||
* computation is performed by mbedtls_ecdh_gen_public().
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \note If \p f_rng is not NULL, it is used to implement
|
||
* countermeasures against side-channel attacks.
|
||
* For more information, see mbedtls_ecp_mul().
|
||
*
|
||
* \param grp The ECP group to use. This must be initialized and have
|
||
* domain parameters loaded, for example through
|
||
* mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
|
||
* \param z The destination MPI (shared secret).
|
||
* This must be initialized.
|
||
* \param Q The public key from another party.
|
||
* This must be initialized.
|
||
* \param d Our secret exponent (private key).
|
||
* This must be initialized.
|
||
* \param f_rng The RNG function. This may be \c NULL if randomization
|
||
* of intermediate results during the ECP computations is
|
||
* not needed (discouraged). See the documentation of
|
||
* mbedtls_ecp_mul() for more.
|
||
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
||
* \c NULL if \p f_rng is \c NULL or doesn't need a
|
||
* context argument.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX or
|
||
* \c MBEDTLS_MPI_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
|
||
const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
|
||
int (*f_rng)(void *, unsigned char *, size_t),
|
||
void *p_rng );
|
||
|
||
/**
|
||
* \brief This function initializes an ECDH context.
|
||
*
|
||
* \param ctx The ECDH context to initialize. This must not be \c NULL.
|
||
*/
|
||
void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
|
||
|
||
/**
|
||
* \brief This function sets up the ECDH context with the information
|
||
* given.
|
||
*
|
||
* This function should be called after mbedtls_ecdh_init() but
|
||
* before mbedtls_ecdh_make_params(). There is no need to call
|
||
* this function before mbedtls_ecdh_read_params().
|
||
*
|
||
* This is the first function used by a TLS server for ECDHE
|
||
* ciphersuites.
|
||
*
|
||
* \param ctx The ECDH context to set up. This must be initialized.
|
||
* \param grp_id The group id of the group to set up the context for.
|
||
*
|
||
* \return \c 0 on success.
|
||
*/
|
||
int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
|
||
mbedtls_ecp_group_id grp_id );
|
||
|
||
/**
|
||
* \brief This function frees a context.
|
||
*
|
||
* \param ctx The context to free. This may be \c NULL, in which
|
||
* case this function does nothing. If it is not \c NULL,
|
||
* it must point to an initialized ECDH context.
|
||
*/
|
||
void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
|
||
|
||
/**
|
||
* \brief This function generates an EC key pair and exports its
|
||
* in the format used in a TLS ServerKeyExchange handshake
|
||
* message.
|
||
*
|
||
* This is the second function used by a TLS server for ECDHE
|
||
* ciphersuites. (It is called after mbedtls_ecdh_setup().)
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param ctx The ECDH context to use. This must be initialized
|
||
* and bound to a group, for example via mbedtls_ecdh_setup().
|
||
* \param olen The address at which to store the number of Bytes written.
|
||
* \param buf The destination buffer. This must be a writable buffer of
|
||
* length \p blen Bytes.
|
||
* \param blen The length of the destination buffer \p buf in Bytes.
|
||
* \param f_rng The RNG function to use. This must not be \c NULL.
|
||
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
||
* \c NULL in case \p f_rng doesn't need a context argument.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
||
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
|
||
unsigned char *buf, size_t blen,
|
||
int (*f_rng)(void *, unsigned char *, size_t),
|
||
void *p_rng );
|
||
|
||
/**
|
||
* \brief This function parses the ECDHE parameters in a
|
||
* TLS ServerKeyExchange handshake message.
|
||
*
|
||
* \note In a TLS handshake, this is the how the client
|
||
* sets up its ECDHE context from the server's public
|
||
* ECDHE key material.
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param ctx The ECDHE context to use. This must be initialized.
|
||
* \param buf On input, \c *buf must be the start of the input buffer.
|
||
* On output, \c *buf is updated to point to the end of the
|
||
* data that has been read. On success, this is the first byte
|
||
* past the end of the ServerKeyExchange parameters.
|
||
* On error, this is the point at which an error has been
|
||
* detected, which is usually not useful except to debug
|
||
* failures.
|
||
* \param end The end of the input buffer.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*
|
||
*/
|
||
int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
|
||
const unsigned char **buf,
|
||
const unsigned char *end );
|
||
|
||
/**
|
||
* \brief This function sets up an ECDH context from an EC key.
|
||
*
|
||
* It is used by clients and servers in place of the
|
||
* ServerKeyEchange for static ECDH, and imports ECDH
|
||
* parameters from the EC key information of a certificate.
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param ctx The ECDH context to set up. This must be initialized.
|
||
* \param key The EC key to use. This must be initialized.
|
||
* \param side Defines the source of the key. Possible values are:
|
||
* - #MBEDTLS_ECDH_OURS: The key is ours.
|
||
* - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*
|
||
*/
|
||
int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
|
||
const mbedtls_ecp_keypair *key,
|
||
mbedtls_ecdh_side side );
|
||
|
||
/**
|
||
* \brief This function generates a public key and exports it
|
||
* as a TLS ClientKeyExchange payload.
|
||
*
|
||
* This is the second function used by a TLS client for ECDH(E)
|
||
* ciphersuites.
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param ctx The ECDH context to use. This must be initialized
|
||
* and bound to a group, the latter usually by
|
||
* mbedtls_ecdh_read_params().
|
||
* \param olen The address at which to store the number of Bytes written.
|
||
* This must not be \c NULL.
|
||
* \param buf The destination buffer. This must be a writable buffer
|
||
* of length \p blen Bytes.
|
||
* \param blen The size of the destination buffer \p buf in Bytes.
|
||
* \param f_rng The RNG function to use. This must not be \c NULL.
|
||
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
||
* \c NULL in case \p f_rng doesn't need a context argument.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
||
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
|
||
unsigned char *buf, size_t blen,
|
||
int (*f_rng)(void *, unsigned char *, size_t),
|
||
void *p_rng );
|
||
|
||
/**
|
||
* \brief This function parses and processes the ECDHE payload of a
|
||
* TLS ClientKeyExchange message.
|
||
*
|
||
* This is the third function used by a TLS server for ECDH(E)
|
||
* ciphersuites. (It is called after mbedtls_ecdh_setup() and
|
||
* mbedtls_ecdh_make_params().)
|
||
*
|
||
* \see ecp.h
|
||
*
|
||
* \param ctx The ECDH context to use. This must be initialized
|
||
* and bound to a group, for example via mbedtls_ecdh_setup().
|
||
* \param buf The pointer to the ClientKeyExchange payload. This must
|
||
* be a readable buffer of length \p blen Bytes.
|
||
* \param blen The length of the input buffer \p buf in Bytes.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
|
||
const unsigned char *buf, size_t blen );
|
||
|
||
/**
|
||
* \brief This function derives and exports the shared secret.
|
||
*
|
||
* This is the last function used by both TLS client
|
||
* and servers.
|
||
*
|
||
* \note If \p f_rng is not NULL, it is used to implement
|
||
* countermeasures against side-channel attacks.
|
||
* For more information, see mbedtls_ecp_mul().
|
||
*
|
||
* \see ecp.h
|
||
|
||
* \param ctx The ECDH context to use. This must be initialized
|
||
* and have its own private key generated and the peer's
|
||
* public key imported.
|
||
* \param olen The address at which to store the total number of
|
||
* Bytes written on success. This must not be \c NULL.
|
||
* \param buf The buffer to write the generated shared key to. This
|
||
* must be a writable buffer of size \p blen Bytes.
|
||
* \param blen The length of the destination buffer \p buf in Bytes.
|
||
* \param f_rng The RNG function, for blinding purposes. This may
|
||
* b \c NULL if blinding isn't needed.
|
||
* \param p_rng The RNG context. This may be \c NULL if \p f_rng
|
||
* doesn't need a context argument.
|
||
*
|
||
* \return \c 0 on success.
|
||
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
||
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
||
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
||
*/
|
||
int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
|
||
unsigned char *buf, size_t blen,
|
||
int (*f_rng)(void *, unsigned char *, size_t),
|
||
void *p_rng );
|
||
|
||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||
/**
|
||
* \brief This function enables restartable EC computations for this
|
||
* context. (Default: disabled.)
|
||
*
|
||
* \see \c mbedtls_ecp_set_max_ops()
|
||
*
|
||
* \note It is not possible to safely disable restartable
|
||
* computations once enabled, except by free-ing the context,
|
||
* which cancels possible in-progress operations.
|
||
*
|
||
* \param ctx The ECDH context to use. This must be initialized.
|
||
*/
|
||
void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
|
||
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
||
|
||
#ifdef __cplusplus
|
||
}
|
||
#endif
|
||
|
||
#endif /* ecdh.h */
|