1817466cbSJens Wiklander /** 2817466cbSJens Wiklander * \file ecdh.h 3817466cbSJens Wiklander * 43d3b0591SJens Wiklander * \brief This file contains ECDH definitions and functions. 5817466cbSJens Wiklander * 63d3b0591SJens Wiklander * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous 73d3b0591SJens Wiklander * key agreement protocol allowing two parties to establish a shared 83d3b0591SJens Wiklander * secret over an insecure channel. Each party must have an 93d3b0591SJens Wiklander * elliptic-curve public–private key pair. 103d3b0591SJens Wiklander * 113d3b0591SJens Wiklander * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for 123d3b0591SJens Wiklander * Pair-Wise Key Establishment Schemes Using Discrete Logarithm 133d3b0591SJens Wiklander * Cryptography</em>. 143d3b0591SJens Wiklander */ 153d3b0591SJens Wiklander /* 167901324dSJerome Forissier * Copyright The Mbed TLS Contributors 17b0563631STom Van Eyck * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 18817466cbSJens Wiklander */ 193d3b0591SJens Wiklander 20817466cbSJens Wiklander #ifndef MBEDTLS_ECDH_H 21817466cbSJens Wiklander #define MBEDTLS_ECDH_H 2232b31808SJens Wiklander #include "mbedtls/private_access.h" 23817466cbSJens Wiklander 2432b31808SJens Wiklander #include "mbedtls/build_info.h" 255b25c76aSJerome Forissier 2611fa71b9SJerome Forissier #include "mbedtls/ecp.h" 27817466cbSJens Wiklander 2832b31808SJens Wiklander /* 2932b31808SJens Wiklander * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context 3032b31808SJens Wiklander * defined in `ecdh.h`). For most applications, the choice of format makes 3132b31808SJens Wiklander * no difference, since all library functions can work with either format, 3232b31808SJens Wiklander * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE. 3332b31808SJens Wiklander 3432b31808SJens Wiklander * The new format used when this option is disabled is smaller 3532b31808SJens Wiklander * (56 bytes on a 32-bit platform). In future versions of the library, it 3632b31808SJens Wiklander * will support alternative implementations of ECDH operations. 3732b31808SJens Wiklander * The new format is incompatible with applications that access 3832b31808SJens Wiklander * context fields directly and with restartable ECP operations. 3932b31808SJens Wiklander */ 4032b31808SJens Wiklander 4132b31808SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 4232b31808SJens Wiklander #define MBEDTLS_ECDH_LEGACY_CONTEXT 4332b31808SJens Wiklander #else 4432b31808SJens Wiklander #undef MBEDTLS_ECDH_LEGACY_CONTEXT 4532b31808SJens Wiklander #endif 4632b31808SJens Wiklander 4711fa71b9SJerome Forissier #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) 4811fa71b9SJerome Forissier #undef MBEDTLS_ECDH_LEGACY_CONTEXT 4911fa71b9SJerome Forissier #include "everest/everest.h" 5011fa71b9SJerome Forissier #endif 513d3b0591SJens Wiklander 52817466cbSJens Wiklander #ifdef __cplusplus 53817466cbSJens Wiklander extern "C" { 54817466cbSJens Wiklander #endif 55817466cbSJens Wiklander 56817466cbSJens Wiklander /** 573d3b0591SJens Wiklander * Defines the source of the imported EC key. 58817466cbSJens Wiklander */ 5932b31808SJens Wiklander typedef enum { 603d3b0591SJens Wiklander MBEDTLS_ECDH_OURS, /**< Our key. */ 613d3b0591SJens Wiklander MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */ 62817466cbSJens Wiklander } mbedtls_ecdh_side; 63817466cbSJens Wiklander 643d3b0591SJens Wiklander #if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 65817466cbSJens Wiklander /** 663d3b0591SJens Wiklander * Defines the ECDH implementation used. 673d3b0591SJens Wiklander * 683d3b0591SJens Wiklander * Later versions of the library may add new variants, therefore users should 693d3b0591SJens Wiklander * not make any assumptions about them. 70817466cbSJens Wiklander */ 7132b31808SJens Wiklander typedef enum { 723d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */ 733d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */ 7411fa71b9SJerome Forissier #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) 7511fa71b9SJerome Forissier MBEDTLS_ECDH_VARIANT_EVEREST /*!< Everest implementation */ 7611fa71b9SJerome Forissier #endif 773d3b0591SJens Wiklander } mbedtls_ecdh_variant; 783d3b0591SJens Wiklander 793d3b0591SJens Wiklander /** 803d3b0591SJens Wiklander * The context used by the default ECDH implementation. 813d3b0591SJens Wiklander * 823d3b0591SJens Wiklander * Later versions might change the structure of this context, therefore users 833d3b0591SJens Wiklander * should not make any assumptions about the structure of 843d3b0591SJens Wiklander * mbedtls_ecdh_context_mbed. 853d3b0591SJens Wiklander */ 8632b31808SJens Wiklander typedef struct mbedtls_ecdh_context_mbed { 8732b31808SJens Wiklander mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */ 8832b31808SJens Wiklander mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */ 8932b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */ 9032b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */ 9132b31808SJens Wiklander mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */ 923d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 9332b31808SJens Wiklander mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */ 943d3b0591SJens Wiklander #endif 953d3b0591SJens Wiklander } mbedtls_ecdh_context_mbed; 963d3b0591SJens Wiklander #endif 973d3b0591SJens Wiklander 983d3b0591SJens Wiklander /** 993d3b0591SJens Wiklander * 1003d3b0591SJens Wiklander * \warning Performing multiple operations concurrently on the same 1013d3b0591SJens Wiklander * ECDSA context is not supported; objects of this type 1023d3b0591SJens Wiklander * should not be shared between multiple threads. 1033d3b0591SJens Wiklander * \brief The ECDH context structure. 1043d3b0591SJens Wiklander */ 10532b31808SJens Wiklander typedef struct mbedtls_ecdh_context { 1063d3b0591SJens Wiklander #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 10732b31808SJens Wiklander mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */ 10832b31808SJens Wiklander mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */ 10932b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */ 11032b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */ 11132b31808SJens Wiklander mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */ 11232b31808SJens Wiklander int MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages. */ 11332b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */ 11432b31808SJens Wiklander mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */ 11532b31808SJens Wiklander mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */ 1163d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 11732b31808SJens Wiklander int MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. */ 11832b31808SJens Wiklander mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */ 1193d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 1203d3b0591SJens Wiklander #else 12132b31808SJens Wiklander uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages 1223d3b0591SJens Wiklander as defined in RFC 4492. */ 12332b31808SJens Wiklander mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id);/*!< The elliptic curve used. */ 12432b31808SJens Wiklander mbedtls_ecdh_variant MBEDTLS_PRIVATE(var); /*!< The ECDH implementation/structure used. */ 12532b31808SJens Wiklander union { 12632b31808SJens Wiklander mbedtls_ecdh_context_mbed MBEDTLS_PRIVATE(mbed_ecdh); 12711fa71b9SJerome Forissier #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) 12832b31808SJens Wiklander mbedtls_ecdh_context_everest MBEDTLS_PRIVATE(everest_ecdh); 12911fa71b9SJerome Forissier #endif 13032b31808SJens Wiklander } MBEDTLS_PRIVATE(ctx); /*!< Implementation-specific context. The 1313d3b0591SJens Wiklander context in use is specified by the \c var 1323d3b0591SJens Wiklander field. */ 1333d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 13432b31808SJens Wiklander uint8_t MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. Functions of 1353d3b0591SJens Wiklander an alternative implementation not supporting 1363d3b0591SJens Wiklander restartable mode must return 1373d3b0591SJens Wiklander MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error 1383d3b0591SJens Wiklander if this flag is set. */ 1393d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 1403d3b0591SJens Wiklander #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */ 141817466cbSJens Wiklander } 142817466cbSJens Wiklander mbedtls_ecdh_context; 143817466cbSJens Wiklander 144817466cbSJens Wiklander /** 145b0563631STom Van Eyck * \brief Return the ECP group for provided context. 146b0563631STom Van Eyck * 147b0563631STom Van Eyck * \note To access group specific fields, users should use 148b0563631STom Van Eyck * `mbedtls_ecp_curve_info_from_grp_id` or 149b0563631STom Van Eyck * `mbedtls_ecp_group_load` on the extracted `group_id`. 150b0563631STom Van Eyck * 151b0563631STom Van Eyck * \param ctx The ECDH context to parse. This must not be \c NULL. 152b0563631STom Van Eyck * 153b0563631STom Van Eyck * \return The \c mbedtls_ecp_group_id of the context. 154b0563631STom Van Eyck */ 155b0563631STom Van Eyck mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx); 156b0563631STom Van Eyck 157b0563631STom Van Eyck /** 15811fa71b9SJerome Forissier * \brief Check whether a given group can be used for ECDH. 15911fa71b9SJerome Forissier * 16011fa71b9SJerome Forissier * \param gid The ECP group ID to check. 16111fa71b9SJerome Forissier * 16211fa71b9SJerome Forissier * \return \c 1 if the group can be used, \c 0 otherwise 16311fa71b9SJerome Forissier */ 16411fa71b9SJerome Forissier int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid); 16511fa71b9SJerome Forissier 16611fa71b9SJerome Forissier /** 1673d3b0591SJens Wiklander * \brief This function generates an ECDH keypair on an elliptic 1683d3b0591SJens Wiklander * curve. 169817466cbSJens Wiklander * 1703d3b0591SJens Wiklander * This function performs the first of two core computations 1713d3b0591SJens Wiklander * implemented during the ECDH key exchange. The second core 1723d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_compute_shared(). 173817466cbSJens Wiklander * 1743d3b0591SJens Wiklander * \see ecp.h 1753d3b0591SJens Wiklander * 1763d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 1773d3b0591SJens Wiklander * domain parameters loaded, for example through 1783d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 1793d3b0591SJens Wiklander * \param d The destination MPI (private key). 1803d3b0591SJens Wiklander * This must be initialized. 1813d3b0591SJens Wiklander * \param Q The destination point (public key). 1823d3b0591SJens Wiklander * This must be initialized. 1833d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 1843d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 1853d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 1863d3b0591SJens Wiklander * 1873d3b0591SJens Wiklander * \return \c 0 on success. 1883d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 1893d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 190817466cbSJens Wiklander */ 191817466cbSJens Wiklander int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, 192*273a583eSThomas Bourgoin mbedtls_f_rng_t *f_rng, 193817466cbSJens Wiklander void *p_rng); 194817466cbSJens Wiklander 195817466cbSJens Wiklander /** 1963d3b0591SJens Wiklander * \brief This function computes the shared secret. 197817466cbSJens Wiklander * 1983d3b0591SJens Wiklander * This function performs the second of two core computations 1993d3b0591SJens Wiklander * implemented during the ECDH key exchange. The first core 2003d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_gen_public(). 201817466cbSJens Wiklander * 2023d3b0591SJens Wiklander * \see ecp.h 203817466cbSJens Wiklander * 2043d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 2053d3b0591SJens Wiklander * countermeasures against side-channel attacks. 2063d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 2073d3b0591SJens Wiklander * 2083d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 2093d3b0591SJens Wiklander * domain parameters loaded, for example through 2103d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 2113d3b0591SJens Wiklander * \param z The destination MPI (shared secret). 2123d3b0591SJens Wiklander * This must be initialized. 2133d3b0591SJens Wiklander * \param Q The public key from another party. 2143d3b0591SJens Wiklander * This must be initialized. 2153d3b0591SJens Wiklander * \param d Our secret exponent (private key). 2163d3b0591SJens Wiklander * This must be initialized. 21732b31808SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 2183d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 2193d3b0591SJens Wiklander * \c NULL if \p f_rng is \c NULL or doesn't need a 2203d3b0591SJens Wiklander * context argument. 2213d3b0591SJens Wiklander * 2223d3b0591SJens Wiklander * \return \c 0 on success. 2233d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 2243d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 225817466cbSJens Wiklander */ 226817466cbSJens Wiklander int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z, 227817466cbSJens Wiklander const mbedtls_ecp_point *Q, const mbedtls_mpi *d, 228*273a583eSThomas Bourgoin mbedtls_f_rng_t *f_rng, 229817466cbSJens Wiklander void *p_rng); 230817466cbSJens Wiklander 231817466cbSJens Wiklander /** 2323d3b0591SJens Wiklander * \brief This function initializes an ECDH context. 233817466cbSJens Wiklander * 2343d3b0591SJens Wiklander * \param ctx The ECDH context to initialize. This must not be \c NULL. 235817466cbSJens Wiklander */ 236817466cbSJens Wiklander void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx); 237817466cbSJens Wiklander 238817466cbSJens Wiklander /** 2393d3b0591SJens Wiklander * \brief This function sets up the ECDH context with the information 2403d3b0591SJens Wiklander * given. 241817466cbSJens Wiklander * 2423d3b0591SJens Wiklander * This function should be called after mbedtls_ecdh_init() but 2433d3b0591SJens Wiklander * before mbedtls_ecdh_make_params(). There is no need to call 2443d3b0591SJens Wiklander * this function before mbedtls_ecdh_read_params(). 2453d3b0591SJens Wiklander * 2463d3b0591SJens Wiklander * This is the first function used by a TLS server for ECDHE 2473d3b0591SJens Wiklander * ciphersuites. 2483d3b0591SJens Wiklander * 2493d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 2503d3b0591SJens Wiklander * \param grp_id The group id of the group to set up the context for. 2513d3b0591SJens Wiklander * 2523d3b0591SJens Wiklander * \return \c 0 on success. 2533d3b0591SJens Wiklander */ 2543d3b0591SJens Wiklander int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, 2553d3b0591SJens Wiklander mbedtls_ecp_group_id grp_id); 2563d3b0591SJens Wiklander 2573d3b0591SJens Wiklander /** 2583d3b0591SJens Wiklander * \brief This function frees a context. 2593d3b0591SJens Wiklander * 2603d3b0591SJens Wiklander * \param ctx The context to free. This may be \c NULL, in which 2613d3b0591SJens Wiklander * case this function does nothing. If it is not \c NULL, 2623d3b0591SJens Wiklander * it must point to an initialized ECDH context. 263817466cbSJens Wiklander */ 264817466cbSJens Wiklander void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx); 265817466cbSJens Wiklander 266817466cbSJens Wiklander /** 2673d3b0591SJens Wiklander * \brief This function generates an EC key pair and exports its 2683d3b0591SJens Wiklander * in the format used in a TLS ServerKeyExchange handshake 2693d3b0591SJens Wiklander * message. 270817466cbSJens Wiklander * 2713d3b0591SJens Wiklander * This is the second function used by a TLS server for ECDHE 2723d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup().) 273817466cbSJens Wiklander * 2743d3b0591SJens Wiklander * \see ecp.h 275817466cbSJens Wiklander * 2763d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 2773d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 2783d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 2793d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer of 2803d3b0591SJens Wiklander * length \p blen Bytes. 2813d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 2823d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 2833d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 2843d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 2853d3b0591SJens Wiklander * 2863d3b0591SJens Wiklander * \return \c 0 on success. 2873d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 2883d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 2893d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 290817466cbSJens Wiklander */ 291817466cbSJens Wiklander int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen, 292817466cbSJens Wiklander unsigned char *buf, size_t blen, 293*273a583eSThomas Bourgoin mbedtls_f_rng_t *f_rng, 294817466cbSJens Wiklander void *p_rng); 295817466cbSJens Wiklander 296817466cbSJens Wiklander /** 2973d3b0591SJens Wiklander * \brief This function parses the ECDHE parameters in a 2983d3b0591SJens Wiklander * TLS ServerKeyExchange handshake message. 299817466cbSJens Wiklander * 3003d3b0591SJens Wiklander * \note In a TLS handshake, this is the how the client 3013d3b0591SJens Wiklander * sets up its ECDHE context from the server's public 3023d3b0591SJens Wiklander * ECDHE key material. 303817466cbSJens Wiklander * 3043d3b0591SJens Wiklander * \see ecp.h 3053d3b0591SJens Wiklander * 3063d3b0591SJens Wiklander * \param ctx The ECDHE context to use. This must be initialized. 3073d3b0591SJens Wiklander * \param buf On input, \c *buf must be the start of the input buffer. 3083d3b0591SJens Wiklander * On output, \c *buf is updated to point to the end of the 3093d3b0591SJens Wiklander * data that has been read. On success, this is the first byte 3103d3b0591SJens Wiklander * past the end of the ServerKeyExchange parameters. 3113d3b0591SJens Wiklander * On error, this is the point at which an error has been 3123d3b0591SJens Wiklander * detected, which is usually not useful except to debug 3133d3b0591SJens Wiklander * failures. 3143d3b0591SJens Wiklander * \param end The end of the input buffer. 3153d3b0591SJens Wiklander * 3163d3b0591SJens Wiklander * \return \c 0 on success. 3173d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 3183d3b0591SJens Wiklander * 319817466cbSJens Wiklander */ 320817466cbSJens Wiklander int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx, 3213d3b0591SJens Wiklander const unsigned char **buf, 3223d3b0591SJens Wiklander const unsigned char *end); 323817466cbSJens Wiklander 324817466cbSJens Wiklander /** 3253d3b0591SJens Wiklander * \brief This function sets up an ECDH context from an EC key. 326817466cbSJens Wiklander * 3273d3b0591SJens Wiklander * It is used by clients and servers in place of the 328cb034002SJerome Forissier * ServerKeyExchange for static ECDH, and imports ECDH 3293d3b0591SJens Wiklander * parameters from the EC key information of a certificate. 330817466cbSJens Wiklander * 3313d3b0591SJens Wiklander * \see ecp.h 3323d3b0591SJens Wiklander * 3333d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 3343d3b0591SJens Wiklander * \param key The EC key to use. This must be initialized. 3353d3b0591SJens Wiklander * \param side Defines the source of the key. Possible values are: 3363d3b0591SJens Wiklander * - #MBEDTLS_ECDH_OURS: The key is ours. 3373d3b0591SJens Wiklander * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer. 3383d3b0591SJens Wiklander * 3393d3b0591SJens Wiklander * \return \c 0 on success. 3403d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 3413d3b0591SJens Wiklander * 342817466cbSJens Wiklander */ 3433d3b0591SJens Wiklander int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx, 3443d3b0591SJens Wiklander const mbedtls_ecp_keypair *key, 345817466cbSJens Wiklander mbedtls_ecdh_side side); 346817466cbSJens Wiklander 347817466cbSJens Wiklander /** 3483d3b0591SJens Wiklander * \brief This function generates a public key and exports it 3493d3b0591SJens Wiklander * as a TLS ClientKeyExchange payload. 350817466cbSJens Wiklander * 3513d3b0591SJens Wiklander * This is the second function used by a TLS client for ECDH(E) 3523d3b0591SJens Wiklander * ciphersuites. 353817466cbSJens Wiklander * 3543d3b0591SJens Wiklander * \see ecp.h 3553d3b0591SJens Wiklander * 3563d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 3573d3b0591SJens Wiklander * and bound to a group, the latter usually by 3583d3b0591SJens Wiklander * mbedtls_ecdh_read_params(). 3593d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 3603d3b0591SJens Wiklander * This must not be \c NULL. 3613d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer 3623d3b0591SJens Wiklander * of length \p blen Bytes. 3633d3b0591SJens Wiklander * \param blen The size of the destination buffer \p buf in Bytes. 3643d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 3653d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 3663d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 3673d3b0591SJens Wiklander * 3683d3b0591SJens Wiklander * \return \c 0 on success. 3693d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 3703d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 3713d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 372817466cbSJens Wiklander */ 373817466cbSJens Wiklander int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen, 374817466cbSJens Wiklander unsigned char *buf, size_t blen, 375*273a583eSThomas Bourgoin mbedtls_f_rng_t *f_rng, 376817466cbSJens Wiklander void *p_rng); 377817466cbSJens Wiklander 378817466cbSJens Wiklander /** 3793d3b0591SJens Wiklander * \brief This function parses and processes the ECDHE payload of a 3803d3b0591SJens Wiklander * TLS ClientKeyExchange message. 381817466cbSJens Wiklander * 3823d3b0591SJens Wiklander * This is the third function used by a TLS server for ECDH(E) 3833d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup() and 3843d3b0591SJens Wiklander * mbedtls_ecdh_make_params().) 385817466cbSJens Wiklander * 3863d3b0591SJens Wiklander * \see ecp.h 3873d3b0591SJens Wiklander * 3883d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 3893d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 3903d3b0591SJens Wiklander * \param buf The pointer to the ClientKeyExchange payload. This must 3913d3b0591SJens Wiklander * be a readable buffer of length \p blen Bytes. 3923d3b0591SJens Wiklander * \param blen The length of the input buffer \p buf in Bytes. 3933d3b0591SJens Wiklander * 3943d3b0591SJens Wiklander * \return \c 0 on success. 3953d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 396817466cbSJens Wiklander */ 397817466cbSJens Wiklander int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx, 398817466cbSJens Wiklander const unsigned char *buf, size_t blen); 399817466cbSJens Wiklander 400817466cbSJens Wiklander /** 4013d3b0591SJens Wiklander * \brief This function derives and exports the shared secret. 402817466cbSJens Wiklander * 4033d3b0591SJens Wiklander * This is the last function used by both TLS client 4043d3b0591SJens Wiklander * and servers. 405817466cbSJens Wiklander * 4063d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 4073d3b0591SJens Wiklander * countermeasures against side-channel attacks. 4083d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 4093d3b0591SJens Wiklander * 4103d3b0591SJens Wiklander * \see ecp.h 4113d3b0591SJens Wiklander 4123d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 4133d3b0591SJens Wiklander * and have its own private key generated and the peer's 4143d3b0591SJens Wiklander * public key imported. 4153d3b0591SJens Wiklander * \param olen The address at which to store the total number of 4163d3b0591SJens Wiklander * Bytes written on success. This must not be \c NULL. 4173d3b0591SJens Wiklander * \param buf The buffer to write the generated shared key to. This 4183d3b0591SJens Wiklander * must be a writable buffer of size \p blen Bytes. 4193d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 42032b31808SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 4213d3b0591SJens Wiklander * \param p_rng The RNG context. This may be \c NULL if \p f_rng 4223d3b0591SJens Wiklander * doesn't need a context argument. 4233d3b0591SJens Wiklander * 4243d3b0591SJens Wiklander * \return \c 0 on success. 4253d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 4263d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 4273d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 428817466cbSJens Wiklander */ 429817466cbSJens Wiklander int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen, 430817466cbSJens Wiklander unsigned char *buf, size_t blen, 431*273a583eSThomas Bourgoin mbedtls_f_rng_t *f_rng, 432817466cbSJens Wiklander void *p_rng); 433817466cbSJens Wiklander 4343d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 4353d3b0591SJens Wiklander /** 4363d3b0591SJens Wiklander * \brief This function enables restartable EC computations for this 4373d3b0591SJens Wiklander * context. (Default: disabled.) 4383d3b0591SJens Wiklander * 4393d3b0591SJens Wiklander * \see \c mbedtls_ecp_set_max_ops() 4403d3b0591SJens Wiklander * 4413d3b0591SJens Wiklander * \note It is not possible to safely disable restartable 4423d3b0591SJens Wiklander * computations once enabled, except by free-ing the context, 4433d3b0591SJens Wiklander * which cancels possible in-progress operations. 4443d3b0591SJens Wiklander * 4453d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized. 4463d3b0591SJens Wiklander */ 4473d3b0591SJens Wiklander void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx); 4483d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 4493d3b0591SJens Wiklander 450817466cbSJens Wiklander #ifdef __cplusplus 451817466cbSJens Wiklander } 452817466cbSJens Wiklander #endif 453817466cbSJens Wiklander 454817466cbSJens Wiklander #endif /* ecdh.h */ 455