1c6672fdcSEdison Ai /* SPDX-License-Identifier: Apache-2.0 */ 2817466cbSJens Wiklander /** 3817466cbSJens Wiklander * \file ecdh.h 4817466cbSJens Wiklander * 5*3d3b0591SJens Wiklander * \brief This file contains ECDH definitions and functions. 6817466cbSJens Wiklander * 7*3d3b0591SJens Wiklander * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous 8*3d3b0591SJens Wiklander * key agreement protocol allowing two parties to establish a shared 9*3d3b0591SJens Wiklander * secret over an insecure channel. Each party must have an 10*3d3b0591SJens Wiklander * elliptic-curve public–private key pair. 11*3d3b0591SJens Wiklander * 12*3d3b0591SJens Wiklander * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for 13*3d3b0591SJens Wiklander * Pair-Wise Key Establishment Schemes Using Discrete Logarithm 14*3d3b0591SJens Wiklander * Cryptography</em>. 15*3d3b0591SJens Wiklander */ 16*3d3b0591SJens Wiklander /* 17*3d3b0591SJens Wiklander * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved 18817466cbSJens Wiklander * 19817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 20817466cbSJens Wiklander * not use this file except in compliance with the License. 21817466cbSJens Wiklander * You may obtain a copy of the License at 22817466cbSJens Wiklander * 23817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 24817466cbSJens Wiklander * 25817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 26817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 27817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 28817466cbSJens Wiklander * See the License for the specific language governing permissions and 29817466cbSJens Wiklander * limitations under the License. 30817466cbSJens Wiklander * 31*3d3b0591SJens Wiklander * This file is part of Mbed TLS (https://tls.mbed.org) 32817466cbSJens Wiklander */ 33*3d3b0591SJens Wiklander 34817466cbSJens Wiklander #ifndef MBEDTLS_ECDH_H 35817466cbSJens Wiklander #define MBEDTLS_ECDH_H 36817466cbSJens Wiklander 37817466cbSJens Wiklander #include "ecp.h" 38817466cbSJens Wiklander 39*3d3b0591SJens Wiklander /* 40*3d3b0591SJens Wiklander * Use a backward compatible ECDH context. 41*3d3b0591SJens Wiklander * 42*3d3b0591SJens Wiklander * This flag is always enabled for now and future versions might add a 43*3d3b0591SJens Wiklander * configuration option that conditionally undefines this flag. 44*3d3b0591SJens Wiklander * The configuration option in question may have a different name. 45*3d3b0591SJens Wiklander * 46*3d3b0591SJens Wiklander * Features undefining this flag, must have a warning in their description in 47*3d3b0591SJens Wiklander * config.h stating that the feature breaks backward compatibility. 48*3d3b0591SJens Wiklander */ 49*3d3b0591SJens Wiklander #define MBEDTLS_ECDH_LEGACY_CONTEXT 50*3d3b0591SJens Wiklander 51817466cbSJens Wiklander #ifdef __cplusplus 52817466cbSJens Wiklander extern "C" { 53817466cbSJens Wiklander #endif 54817466cbSJens Wiklander 55817466cbSJens Wiklander /** 56*3d3b0591SJens Wiklander * Defines the source of the imported EC key. 57817466cbSJens Wiklander */ 58817466cbSJens Wiklander typedef enum 59817466cbSJens Wiklander { 60*3d3b0591SJens Wiklander MBEDTLS_ECDH_OURS, /**< Our key. */ 61*3d3b0591SJens Wiklander MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */ 62817466cbSJens Wiklander } mbedtls_ecdh_side; 63817466cbSJens Wiklander 64*3d3b0591SJens Wiklander #if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 65817466cbSJens Wiklander /** 66*3d3b0591SJens Wiklander * Defines the ECDH implementation used. 67*3d3b0591SJens Wiklander * 68*3d3b0591SJens Wiklander * Later versions of the library may add new variants, therefore users should 69*3d3b0591SJens Wiklander * not make any assumptions about them. 70817466cbSJens Wiklander */ 71*3d3b0591SJens Wiklander typedef enum 72817466cbSJens Wiklander { 73*3d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */ 74*3d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */ 75*3d3b0591SJens Wiklander } mbedtls_ecdh_variant; 76*3d3b0591SJens Wiklander 77*3d3b0591SJens Wiklander /** 78*3d3b0591SJens Wiklander * The context used by the default ECDH implementation. 79*3d3b0591SJens Wiklander * 80*3d3b0591SJens Wiklander * Later versions might change the structure of this context, therefore users 81*3d3b0591SJens Wiklander * should not make any assumptions about the structure of 82*3d3b0591SJens Wiklander * mbedtls_ecdh_context_mbed. 83*3d3b0591SJens Wiklander */ 84*3d3b0591SJens Wiklander typedef struct mbedtls_ecdh_context_mbed 85*3d3b0591SJens Wiklander { 86*3d3b0591SJens Wiklander mbedtls_ecp_group grp; /*!< The elliptic curve used. */ 87*3d3b0591SJens Wiklander mbedtls_mpi d; /*!< The private key. */ 88*3d3b0591SJens Wiklander mbedtls_ecp_point Q; /*!< The public key. */ 89*3d3b0591SJens Wiklander mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ 90*3d3b0591SJens Wiklander mbedtls_mpi z; /*!< The shared secret. */ 91*3d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 92*3d3b0591SJens Wiklander mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ 93*3d3b0591SJens Wiklander #endif 94*3d3b0591SJens Wiklander } mbedtls_ecdh_context_mbed; 95*3d3b0591SJens Wiklander #endif 96*3d3b0591SJens Wiklander 97*3d3b0591SJens Wiklander /** 98*3d3b0591SJens Wiklander * 99*3d3b0591SJens Wiklander * \warning Performing multiple operations concurrently on the same 100*3d3b0591SJens Wiklander * ECDSA context is not supported; objects of this type 101*3d3b0591SJens Wiklander * should not be shared between multiple threads. 102*3d3b0591SJens Wiklander * \brief The ECDH context structure. 103*3d3b0591SJens Wiklander */ 104*3d3b0591SJens Wiklander typedef struct mbedtls_ecdh_context 105*3d3b0591SJens Wiklander { 106*3d3b0591SJens Wiklander #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 107*3d3b0591SJens Wiklander mbedtls_ecp_group grp; /*!< The elliptic curve used. */ 108*3d3b0591SJens Wiklander mbedtls_mpi d; /*!< The private key. */ 109*3d3b0591SJens Wiklander mbedtls_ecp_point Q; /*!< The public key. */ 110*3d3b0591SJens Wiklander mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ 111*3d3b0591SJens Wiklander mbedtls_mpi z; /*!< The shared secret. */ 112*3d3b0591SJens Wiklander int point_format; /*!< The format of point export in TLS messages. */ 113*3d3b0591SJens Wiklander mbedtls_ecp_point Vi; /*!< The blinding value. */ 114*3d3b0591SJens Wiklander mbedtls_ecp_point Vf; /*!< The unblinding value. */ 115*3d3b0591SJens Wiklander mbedtls_mpi _d; /*!< The previous \p d. */ 116*3d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 117*3d3b0591SJens Wiklander int restart_enabled; /*!< The flag for restartable mode. */ 118*3d3b0591SJens Wiklander mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ 119*3d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 120*3d3b0591SJens Wiklander #else 121*3d3b0591SJens Wiklander uint8_t point_format; /*!< The format of point export in TLS messages 122*3d3b0591SJens Wiklander as defined in RFC 4492. */ 123*3d3b0591SJens Wiklander mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */ 124*3d3b0591SJens Wiklander mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */ 125*3d3b0591SJens Wiklander union 126*3d3b0591SJens Wiklander { 127*3d3b0591SJens Wiklander mbedtls_ecdh_context_mbed mbed_ecdh; 128*3d3b0591SJens Wiklander } ctx; /*!< Implementation-specific context. The 129*3d3b0591SJens Wiklander context in use is specified by the \c var 130*3d3b0591SJens Wiklander field. */ 131*3d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 132*3d3b0591SJens Wiklander uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of 133*3d3b0591SJens Wiklander an alternative implementation not supporting 134*3d3b0591SJens Wiklander restartable mode must return 135*3d3b0591SJens Wiklander MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error 136*3d3b0591SJens Wiklander if this flag is set. */ 137*3d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 138*3d3b0591SJens Wiklander #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */ 139817466cbSJens Wiklander } 140817466cbSJens Wiklander mbedtls_ecdh_context; 141817466cbSJens Wiklander 142817466cbSJens Wiklander /** 143*3d3b0591SJens Wiklander * \brief This function generates an ECDH keypair on an elliptic 144*3d3b0591SJens Wiklander * curve. 145817466cbSJens Wiklander * 146*3d3b0591SJens Wiklander * This function performs the first of two core computations 147*3d3b0591SJens Wiklander * implemented during the ECDH key exchange. The second core 148*3d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_compute_shared(). 149817466cbSJens Wiklander * 150*3d3b0591SJens Wiklander * \see ecp.h 151*3d3b0591SJens Wiklander * 152*3d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 153*3d3b0591SJens Wiklander * domain parameters loaded, for example through 154*3d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 155*3d3b0591SJens Wiklander * \param d The destination MPI (private key). 156*3d3b0591SJens Wiklander * This must be initialized. 157*3d3b0591SJens Wiklander * \param Q The destination point (public key). 158*3d3b0591SJens Wiklander * This must be initialized. 159*3d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 160*3d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 161*3d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 162*3d3b0591SJens Wiklander * 163*3d3b0591SJens Wiklander * \return \c 0 on success. 164*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 165*3d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 166817466cbSJens Wiklander */ 167817466cbSJens Wiklander int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, 168817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 169817466cbSJens Wiklander void *p_rng ); 170817466cbSJens Wiklander 171817466cbSJens Wiklander /** 172*3d3b0591SJens Wiklander * \brief This function computes the shared secret. 173817466cbSJens Wiklander * 174*3d3b0591SJens Wiklander * This function performs the second of two core computations 175*3d3b0591SJens Wiklander * implemented during the ECDH key exchange. The first core 176*3d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_gen_public(). 177817466cbSJens Wiklander * 178*3d3b0591SJens Wiklander * \see ecp.h 179817466cbSJens Wiklander * 180*3d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 181*3d3b0591SJens Wiklander * countermeasures against side-channel attacks. 182*3d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 183*3d3b0591SJens Wiklander * 184*3d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 185*3d3b0591SJens Wiklander * domain parameters loaded, for example through 186*3d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 187*3d3b0591SJens Wiklander * \param z The destination MPI (shared secret). 188*3d3b0591SJens Wiklander * This must be initialized. 189*3d3b0591SJens Wiklander * \param Q The public key from another party. 190*3d3b0591SJens Wiklander * This must be initialized. 191*3d3b0591SJens Wiklander * \param d Our secret exponent (private key). 192*3d3b0591SJens Wiklander * This must be initialized. 193*3d3b0591SJens Wiklander * \param f_rng The RNG function. This may be \c NULL if randomization 194*3d3b0591SJens Wiklander * of intermediate results during the ECP computations is 195*3d3b0591SJens Wiklander * not needed (discouraged). See the documentation of 196*3d3b0591SJens Wiklander * mbedtls_ecp_mul() for more. 197*3d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 198*3d3b0591SJens Wiklander * \c NULL if \p f_rng is \c NULL or doesn't need a 199*3d3b0591SJens Wiklander * context argument. 200*3d3b0591SJens Wiklander * 201*3d3b0591SJens Wiklander * \return \c 0 on success. 202*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 203*3d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 204817466cbSJens Wiklander */ 205817466cbSJens Wiklander int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, 206817466cbSJens Wiklander const mbedtls_ecp_point *Q, const mbedtls_mpi *d, 207817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 208817466cbSJens Wiklander void *p_rng ); 209817466cbSJens Wiklander 210817466cbSJens Wiklander /** 211*3d3b0591SJens Wiklander * \brief This function initializes an ECDH context. 212817466cbSJens Wiklander * 213*3d3b0591SJens Wiklander * \param ctx The ECDH context to initialize. This must not be \c NULL. 214817466cbSJens Wiklander */ 215817466cbSJens Wiklander void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ); 216817466cbSJens Wiklander 217817466cbSJens Wiklander /** 218*3d3b0591SJens Wiklander * \brief This function sets up the ECDH context with the information 219*3d3b0591SJens Wiklander * given. 220817466cbSJens Wiklander * 221*3d3b0591SJens Wiklander * This function should be called after mbedtls_ecdh_init() but 222*3d3b0591SJens Wiklander * before mbedtls_ecdh_make_params(). There is no need to call 223*3d3b0591SJens Wiklander * this function before mbedtls_ecdh_read_params(). 224*3d3b0591SJens Wiklander * 225*3d3b0591SJens Wiklander * This is the first function used by a TLS server for ECDHE 226*3d3b0591SJens Wiklander * ciphersuites. 227*3d3b0591SJens Wiklander * 228*3d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 229*3d3b0591SJens Wiklander * \param grp_id The group id of the group to set up the context for. 230*3d3b0591SJens Wiklander * 231*3d3b0591SJens Wiklander * \return \c 0 on success. 232*3d3b0591SJens Wiklander */ 233*3d3b0591SJens Wiklander int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, 234*3d3b0591SJens Wiklander mbedtls_ecp_group_id grp_id ); 235*3d3b0591SJens Wiklander 236*3d3b0591SJens Wiklander /** 237*3d3b0591SJens Wiklander * \brief This function frees a context. 238*3d3b0591SJens Wiklander * 239*3d3b0591SJens Wiklander * \param ctx The context to free. This may be \c NULL, in which 240*3d3b0591SJens Wiklander * case this function does nothing. If it is not \c NULL, 241*3d3b0591SJens Wiklander * it must point to an initialized ECDH context. 242817466cbSJens Wiklander */ 243817466cbSJens Wiklander void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx ); 244817466cbSJens Wiklander 245817466cbSJens Wiklander /** 246*3d3b0591SJens Wiklander * \brief This function generates an EC key pair and exports its 247*3d3b0591SJens Wiklander * in the format used in a TLS ServerKeyExchange handshake 248*3d3b0591SJens Wiklander * message. 249817466cbSJens Wiklander * 250*3d3b0591SJens Wiklander * This is the second function used by a TLS server for ECDHE 251*3d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup().) 252817466cbSJens Wiklander * 253*3d3b0591SJens Wiklander * \see ecp.h 254817466cbSJens Wiklander * 255*3d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 256*3d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 257*3d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 258*3d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer of 259*3d3b0591SJens Wiklander * length \p blen Bytes. 260*3d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 261*3d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 262*3d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 263*3d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 264*3d3b0591SJens Wiklander * 265*3d3b0591SJens Wiklander * \return \c 0 on success. 266*3d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 267*3d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 268*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 269817466cbSJens Wiklander */ 270817466cbSJens Wiklander int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, 271817466cbSJens Wiklander unsigned char *buf, size_t blen, 272817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 273817466cbSJens Wiklander void *p_rng ); 274817466cbSJens Wiklander 275817466cbSJens Wiklander /** 276*3d3b0591SJens Wiklander * \brief This function parses the ECDHE parameters in a 277*3d3b0591SJens Wiklander * TLS ServerKeyExchange handshake message. 278817466cbSJens Wiklander * 279*3d3b0591SJens Wiklander * \note In a TLS handshake, this is the how the client 280*3d3b0591SJens Wiklander * sets up its ECDHE context from the server's public 281*3d3b0591SJens Wiklander * ECDHE key material. 282817466cbSJens Wiklander * 283*3d3b0591SJens Wiklander * \see ecp.h 284*3d3b0591SJens Wiklander * 285*3d3b0591SJens Wiklander * \param ctx The ECDHE context to use. This must be initialized. 286*3d3b0591SJens Wiklander * \param buf On input, \c *buf must be the start of the input buffer. 287*3d3b0591SJens Wiklander * On output, \c *buf is updated to point to the end of the 288*3d3b0591SJens Wiklander * data that has been read. On success, this is the first byte 289*3d3b0591SJens Wiklander * past the end of the ServerKeyExchange parameters. 290*3d3b0591SJens Wiklander * On error, this is the point at which an error has been 291*3d3b0591SJens Wiklander * detected, which is usually not useful except to debug 292*3d3b0591SJens Wiklander * failures. 293*3d3b0591SJens Wiklander * \param end The end of the input buffer. 294*3d3b0591SJens Wiklander * 295*3d3b0591SJens Wiklander * \return \c 0 on success. 296*3d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 297*3d3b0591SJens Wiklander * 298817466cbSJens Wiklander */ 299817466cbSJens Wiklander int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, 300*3d3b0591SJens Wiklander const unsigned char **buf, 301*3d3b0591SJens Wiklander const unsigned char *end ); 302817466cbSJens Wiklander 303817466cbSJens Wiklander /** 304*3d3b0591SJens Wiklander * \brief This function sets up an ECDH context from an EC key. 305817466cbSJens Wiklander * 306*3d3b0591SJens Wiklander * It is used by clients and servers in place of the 307*3d3b0591SJens Wiklander * ServerKeyEchange for static ECDH, and imports ECDH 308*3d3b0591SJens Wiklander * parameters from the EC key information of a certificate. 309817466cbSJens Wiklander * 310*3d3b0591SJens Wiklander * \see ecp.h 311*3d3b0591SJens Wiklander * 312*3d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 313*3d3b0591SJens Wiklander * \param key The EC key to use. This must be initialized. 314*3d3b0591SJens Wiklander * \param side Defines the source of the key. Possible values are: 315*3d3b0591SJens Wiklander * - #MBEDTLS_ECDH_OURS: The key is ours. 316*3d3b0591SJens Wiklander * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer. 317*3d3b0591SJens Wiklander * 318*3d3b0591SJens Wiklander * \return \c 0 on success. 319*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 320*3d3b0591SJens Wiklander * 321817466cbSJens Wiklander */ 322*3d3b0591SJens Wiklander int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, 323*3d3b0591SJens Wiklander const mbedtls_ecp_keypair *key, 324817466cbSJens Wiklander mbedtls_ecdh_side side ); 325817466cbSJens Wiklander 326817466cbSJens Wiklander /** 327*3d3b0591SJens Wiklander * \brief This function generates a public key and exports it 328*3d3b0591SJens Wiklander * as a TLS ClientKeyExchange payload. 329817466cbSJens Wiklander * 330*3d3b0591SJens Wiklander * This is the second function used by a TLS client for ECDH(E) 331*3d3b0591SJens Wiklander * ciphersuites. 332817466cbSJens Wiklander * 333*3d3b0591SJens Wiklander * \see ecp.h 334*3d3b0591SJens Wiklander * 335*3d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 336*3d3b0591SJens Wiklander * and bound to a group, the latter usually by 337*3d3b0591SJens Wiklander * mbedtls_ecdh_read_params(). 338*3d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 339*3d3b0591SJens Wiklander * This must not be \c NULL. 340*3d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer 341*3d3b0591SJens Wiklander * of length \p blen Bytes. 342*3d3b0591SJens Wiklander * \param blen The size of the destination buffer \p buf in Bytes. 343*3d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 344*3d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 345*3d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 346*3d3b0591SJens Wiklander * 347*3d3b0591SJens Wiklander * \return \c 0 on success. 348*3d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 349*3d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 350*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 351817466cbSJens Wiklander */ 352817466cbSJens Wiklander int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, 353817466cbSJens Wiklander unsigned char *buf, size_t blen, 354817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 355817466cbSJens Wiklander void *p_rng ); 356817466cbSJens Wiklander 357817466cbSJens Wiklander /** 358*3d3b0591SJens Wiklander * \brief This function parses and processes the ECDHE payload of a 359*3d3b0591SJens Wiklander * TLS ClientKeyExchange message. 360817466cbSJens Wiklander * 361*3d3b0591SJens Wiklander * This is the third function used by a TLS server for ECDH(E) 362*3d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup() and 363*3d3b0591SJens Wiklander * mbedtls_ecdh_make_params().) 364817466cbSJens Wiklander * 365*3d3b0591SJens Wiklander * \see ecp.h 366*3d3b0591SJens Wiklander * 367*3d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 368*3d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 369*3d3b0591SJens Wiklander * \param buf The pointer to the ClientKeyExchange payload. This must 370*3d3b0591SJens Wiklander * be a readable buffer of length \p blen Bytes. 371*3d3b0591SJens Wiklander * \param blen The length of the input buffer \p buf in Bytes. 372*3d3b0591SJens Wiklander * 373*3d3b0591SJens Wiklander * \return \c 0 on success. 374*3d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 375817466cbSJens Wiklander */ 376817466cbSJens Wiklander int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, 377817466cbSJens Wiklander const unsigned char *buf, size_t blen ); 378817466cbSJens Wiklander 379817466cbSJens Wiklander /** 380*3d3b0591SJens Wiklander * \brief This function derives and exports the shared secret. 381817466cbSJens Wiklander * 382*3d3b0591SJens Wiklander * This is the last function used by both TLS client 383*3d3b0591SJens Wiklander * and servers. 384817466cbSJens Wiklander * 385*3d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 386*3d3b0591SJens Wiklander * countermeasures against side-channel attacks. 387*3d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 388*3d3b0591SJens Wiklander * 389*3d3b0591SJens Wiklander * \see ecp.h 390*3d3b0591SJens Wiklander 391*3d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 392*3d3b0591SJens Wiklander * and have its own private key generated and the peer's 393*3d3b0591SJens Wiklander * public key imported. 394*3d3b0591SJens Wiklander * \param olen The address at which to store the total number of 395*3d3b0591SJens Wiklander * Bytes written on success. This must not be \c NULL. 396*3d3b0591SJens Wiklander * \param buf The buffer to write the generated shared key to. This 397*3d3b0591SJens Wiklander * must be a writable buffer of size \p blen Bytes. 398*3d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 399*3d3b0591SJens Wiklander * \param f_rng The RNG function, for blinding purposes. This may 400*3d3b0591SJens Wiklander * b \c NULL if blinding isn't needed. 401*3d3b0591SJens Wiklander * \param p_rng The RNG context. This may be \c NULL if \p f_rng 402*3d3b0591SJens Wiklander * doesn't need a context argument. 403*3d3b0591SJens Wiklander * 404*3d3b0591SJens Wiklander * \return \c 0 on success. 405*3d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 406*3d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 407*3d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 408817466cbSJens Wiklander */ 409817466cbSJens Wiklander int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, 410817466cbSJens Wiklander unsigned char *buf, size_t blen, 411817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 412817466cbSJens Wiklander void *p_rng ); 413817466cbSJens Wiklander 414*3d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 415*3d3b0591SJens Wiklander /** 416*3d3b0591SJens Wiklander * \brief This function enables restartable EC computations for this 417*3d3b0591SJens Wiklander * context. (Default: disabled.) 418*3d3b0591SJens Wiklander * 419*3d3b0591SJens Wiklander * \see \c mbedtls_ecp_set_max_ops() 420*3d3b0591SJens Wiklander * 421*3d3b0591SJens Wiklander * \note It is not possible to safely disable restartable 422*3d3b0591SJens Wiklander * computations once enabled, except by free-ing the context, 423*3d3b0591SJens Wiklander * which cancels possible in-progress operations. 424*3d3b0591SJens Wiklander * 425*3d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized. 426*3d3b0591SJens Wiklander */ 427*3d3b0591SJens Wiklander void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx ); 428*3d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 429*3d3b0591SJens Wiklander 430817466cbSJens Wiklander #ifdef __cplusplus 431817466cbSJens Wiklander } 432817466cbSJens Wiklander #endif 433817466cbSJens Wiklander 434817466cbSJens Wiklander #endif /* ecdh.h */ 435