1c6672fdcSEdison Ai /* SPDX-License-Identifier: Apache-2.0 */ 2817466cbSJens Wiklander /** 3817466cbSJens Wiklander * \file ecdh.h 4817466cbSJens Wiklander * 53d3b0591SJens Wiklander * \brief This file contains ECDH definitions and functions. 6817466cbSJens Wiklander * 73d3b0591SJens Wiklander * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous 83d3b0591SJens Wiklander * key agreement protocol allowing two parties to establish a shared 93d3b0591SJens Wiklander * secret over an insecure channel. Each party must have an 103d3b0591SJens Wiklander * elliptic-curve public–private key pair. 113d3b0591SJens Wiklander * 123d3b0591SJens Wiklander * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for 133d3b0591SJens Wiklander * Pair-Wise Key Establishment Schemes Using Discrete Logarithm 143d3b0591SJens Wiklander * Cryptography</em>. 153d3b0591SJens Wiklander */ 163d3b0591SJens Wiklander /* 173d3b0591SJens Wiklander * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved 18817466cbSJens Wiklander * 19817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 20817466cbSJens Wiklander * not use this file except in compliance with the License. 21817466cbSJens Wiklander * You may obtain a copy of the License at 22817466cbSJens Wiklander * 23817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 24817466cbSJens Wiklander * 25817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 26817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 27817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 28817466cbSJens Wiklander * See the License for the specific language governing permissions and 29817466cbSJens Wiklander * limitations under the License. 30817466cbSJens Wiklander * 313d3b0591SJens Wiklander * This file is part of Mbed TLS (https://tls.mbed.org) 32817466cbSJens Wiklander */ 333d3b0591SJens Wiklander 34817466cbSJens Wiklander #ifndef MBEDTLS_ECDH_H 35817466cbSJens Wiklander #define MBEDTLS_ECDH_H 36817466cbSJens Wiklander 37*5b25c76aSJerome Forissier #if !defined(MBEDTLS_CONFIG_FILE) 38*5b25c76aSJerome Forissier #include "config.h" 39*5b25c76aSJerome Forissier #else 40*5b25c76aSJerome Forissier #include MBEDTLS_CONFIG_FILE 41*5b25c76aSJerome Forissier #endif 42*5b25c76aSJerome Forissier 43817466cbSJens Wiklander #include "ecp.h" 44817466cbSJens Wiklander 453d3b0591SJens Wiklander /* 463d3b0591SJens Wiklander * Use a backward compatible ECDH context. 473d3b0591SJens Wiklander * 483d3b0591SJens Wiklander * This flag is always enabled for now and future versions might add a 493d3b0591SJens Wiklander * configuration option that conditionally undefines this flag. 503d3b0591SJens Wiklander * The configuration option in question may have a different name. 513d3b0591SJens Wiklander * 523d3b0591SJens Wiklander * Features undefining this flag, must have a warning in their description in 533d3b0591SJens Wiklander * config.h stating that the feature breaks backward compatibility. 543d3b0591SJens Wiklander */ 553d3b0591SJens Wiklander #define MBEDTLS_ECDH_LEGACY_CONTEXT 563d3b0591SJens Wiklander 57817466cbSJens Wiklander #ifdef __cplusplus 58817466cbSJens Wiklander extern "C" { 59817466cbSJens Wiklander #endif 60817466cbSJens Wiklander 61817466cbSJens Wiklander /** 623d3b0591SJens Wiklander * Defines the source of the imported EC key. 63817466cbSJens Wiklander */ 64817466cbSJens Wiklander typedef enum 65817466cbSJens Wiklander { 663d3b0591SJens Wiklander MBEDTLS_ECDH_OURS, /**< Our key. */ 673d3b0591SJens Wiklander MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */ 68817466cbSJens Wiklander } mbedtls_ecdh_side; 69817466cbSJens Wiklander 703d3b0591SJens Wiklander #if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 71817466cbSJens Wiklander /** 723d3b0591SJens Wiklander * Defines the ECDH implementation used. 733d3b0591SJens Wiklander * 743d3b0591SJens Wiklander * Later versions of the library may add new variants, therefore users should 753d3b0591SJens Wiklander * not make any assumptions about them. 76817466cbSJens Wiklander */ 773d3b0591SJens Wiklander typedef enum 78817466cbSJens Wiklander { 793d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */ 803d3b0591SJens Wiklander MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */ 813d3b0591SJens Wiklander } mbedtls_ecdh_variant; 823d3b0591SJens Wiklander 833d3b0591SJens Wiklander /** 843d3b0591SJens Wiklander * The context used by the default ECDH implementation. 853d3b0591SJens Wiklander * 863d3b0591SJens Wiklander * Later versions might change the structure of this context, therefore users 873d3b0591SJens Wiklander * should not make any assumptions about the structure of 883d3b0591SJens Wiklander * mbedtls_ecdh_context_mbed. 893d3b0591SJens Wiklander */ 903d3b0591SJens Wiklander typedef struct mbedtls_ecdh_context_mbed 913d3b0591SJens Wiklander { 923d3b0591SJens Wiklander mbedtls_ecp_group grp; /*!< The elliptic curve used. */ 933d3b0591SJens Wiklander mbedtls_mpi d; /*!< The private key. */ 943d3b0591SJens Wiklander mbedtls_ecp_point Q; /*!< The public key. */ 953d3b0591SJens Wiklander mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ 963d3b0591SJens Wiklander mbedtls_mpi z; /*!< The shared secret. */ 973d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 983d3b0591SJens Wiklander mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ 993d3b0591SJens Wiklander #endif 1003d3b0591SJens Wiklander } mbedtls_ecdh_context_mbed; 1013d3b0591SJens Wiklander #endif 1023d3b0591SJens Wiklander 1033d3b0591SJens Wiklander /** 1043d3b0591SJens Wiklander * 1053d3b0591SJens Wiklander * \warning Performing multiple operations concurrently on the same 1063d3b0591SJens Wiklander * ECDSA context is not supported; objects of this type 1073d3b0591SJens Wiklander * should not be shared between multiple threads. 1083d3b0591SJens Wiklander * \brief The ECDH context structure. 1093d3b0591SJens Wiklander */ 1103d3b0591SJens Wiklander typedef struct mbedtls_ecdh_context 1113d3b0591SJens Wiklander { 1123d3b0591SJens Wiklander #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 1133d3b0591SJens Wiklander mbedtls_ecp_group grp; /*!< The elliptic curve used. */ 1143d3b0591SJens Wiklander mbedtls_mpi d; /*!< The private key. */ 1153d3b0591SJens Wiklander mbedtls_ecp_point Q; /*!< The public key. */ 1163d3b0591SJens Wiklander mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ 1173d3b0591SJens Wiklander mbedtls_mpi z; /*!< The shared secret. */ 1183d3b0591SJens Wiklander int point_format; /*!< The format of point export in TLS messages. */ 1193d3b0591SJens Wiklander mbedtls_ecp_point Vi; /*!< The blinding value. */ 1203d3b0591SJens Wiklander mbedtls_ecp_point Vf; /*!< The unblinding value. */ 1213d3b0591SJens Wiklander mbedtls_mpi _d; /*!< The previous \p d. */ 1223d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 1233d3b0591SJens Wiklander int restart_enabled; /*!< The flag for restartable mode. */ 1243d3b0591SJens Wiklander mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ 1253d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 1263d3b0591SJens Wiklander #else 1273d3b0591SJens Wiklander uint8_t point_format; /*!< The format of point export in TLS messages 1283d3b0591SJens Wiklander as defined in RFC 4492. */ 1293d3b0591SJens Wiklander mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */ 1303d3b0591SJens Wiklander mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */ 1313d3b0591SJens Wiklander union 1323d3b0591SJens Wiklander { 1333d3b0591SJens Wiklander mbedtls_ecdh_context_mbed mbed_ecdh; 1343d3b0591SJens Wiklander } ctx; /*!< Implementation-specific context. The 1353d3b0591SJens Wiklander context in use is specified by the \c var 1363d3b0591SJens Wiklander field. */ 1373d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 1383d3b0591SJens Wiklander uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of 1393d3b0591SJens Wiklander an alternative implementation not supporting 1403d3b0591SJens Wiklander restartable mode must return 1413d3b0591SJens Wiklander MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error 1423d3b0591SJens Wiklander if this flag is set. */ 1433d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 1443d3b0591SJens Wiklander #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */ 145817466cbSJens Wiklander } 146817466cbSJens Wiklander mbedtls_ecdh_context; 147817466cbSJens Wiklander 148817466cbSJens Wiklander /** 1493d3b0591SJens Wiklander * \brief This function generates an ECDH keypair on an elliptic 1503d3b0591SJens Wiklander * curve. 151817466cbSJens Wiklander * 1523d3b0591SJens Wiklander * This function performs the first of two core computations 1533d3b0591SJens Wiklander * implemented during the ECDH key exchange. The second core 1543d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_compute_shared(). 155817466cbSJens Wiklander * 1563d3b0591SJens Wiklander * \see ecp.h 1573d3b0591SJens Wiklander * 1583d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 1593d3b0591SJens Wiklander * domain parameters loaded, for example through 1603d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 1613d3b0591SJens Wiklander * \param d The destination MPI (private key). 1623d3b0591SJens Wiklander * This must be initialized. 1633d3b0591SJens Wiklander * \param Q The destination point (public key). 1643d3b0591SJens Wiklander * This must be initialized. 1653d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 1663d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 1673d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 1683d3b0591SJens Wiklander * 1693d3b0591SJens Wiklander * \return \c 0 on success. 1703d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 1713d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 172817466cbSJens Wiklander */ 173817466cbSJens Wiklander int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, 174817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 175817466cbSJens Wiklander void *p_rng ); 176817466cbSJens Wiklander 177817466cbSJens Wiklander /** 1783d3b0591SJens Wiklander * \brief This function computes the shared secret. 179817466cbSJens Wiklander * 1803d3b0591SJens Wiklander * This function performs the second of two core computations 1813d3b0591SJens Wiklander * implemented during the ECDH key exchange. The first core 1823d3b0591SJens Wiklander * computation is performed by mbedtls_ecdh_gen_public(). 183817466cbSJens Wiklander * 1843d3b0591SJens Wiklander * \see ecp.h 185817466cbSJens Wiklander * 1863d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 1873d3b0591SJens Wiklander * countermeasures against side-channel attacks. 1883d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 1893d3b0591SJens Wiklander * 1903d3b0591SJens Wiklander * \param grp The ECP group to use. This must be initialized and have 1913d3b0591SJens Wiklander * domain parameters loaded, for example through 1923d3b0591SJens Wiklander * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). 1933d3b0591SJens Wiklander * \param z The destination MPI (shared secret). 1943d3b0591SJens Wiklander * This must be initialized. 1953d3b0591SJens Wiklander * \param Q The public key from another party. 1963d3b0591SJens Wiklander * This must be initialized. 1973d3b0591SJens Wiklander * \param d Our secret exponent (private key). 1983d3b0591SJens Wiklander * This must be initialized. 1993d3b0591SJens Wiklander * \param f_rng The RNG function. This may be \c NULL if randomization 2003d3b0591SJens Wiklander * of intermediate results during the ECP computations is 2013d3b0591SJens Wiklander * not needed (discouraged). See the documentation of 2023d3b0591SJens Wiklander * mbedtls_ecp_mul() for more. 2033d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 2043d3b0591SJens Wiklander * \c NULL if \p f_rng is \c NULL or doesn't need a 2053d3b0591SJens Wiklander * context argument. 2063d3b0591SJens Wiklander * 2073d3b0591SJens Wiklander * \return \c 0 on success. 2083d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX or 2093d3b0591SJens Wiklander * \c MBEDTLS_MPI_XXX error code on failure. 210817466cbSJens Wiklander */ 211817466cbSJens Wiklander int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, 212817466cbSJens Wiklander const mbedtls_ecp_point *Q, const mbedtls_mpi *d, 213817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 214817466cbSJens Wiklander void *p_rng ); 215817466cbSJens Wiklander 216817466cbSJens Wiklander /** 2173d3b0591SJens Wiklander * \brief This function initializes an ECDH context. 218817466cbSJens Wiklander * 2193d3b0591SJens Wiklander * \param ctx The ECDH context to initialize. This must not be \c NULL. 220817466cbSJens Wiklander */ 221817466cbSJens Wiklander void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ); 222817466cbSJens Wiklander 223817466cbSJens Wiklander /** 2243d3b0591SJens Wiklander * \brief This function sets up the ECDH context with the information 2253d3b0591SJens Wiklander * given. 226817466cbSJens Wiklander * 2273d3b0591SJens Wiklander * This function should be called after mbedtls_ecdh_init() but 2283d3b0591SJens Wiklander * before mbedtls_ecdh_make_params(). There is no need to call 2293d3b0591SJens Wiklander * this function before mbedtls_ecdh_read_params(). 2303d3b0591SJens Wiklander * 2313d3b0591SJens Wiklander * This is the first function used by a TLS server for ECDHE 2323d3b0591SJens Wiklander * ciphersuites. 2333d3b0591SJens Wiklander * 2343d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 2353d3b0591SJens Wiklander * \param grp_id The group id of the group to set up the context for. 2363d3b0591SJens Wiklander * 2373d3b0591SJens Wiklander * \return \c 0 on success. 2383d3b0591SJens Wiklander */ 2393d3b0591SJens Wiklander int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, 2403d3b0591SJens Wiklander mbedtls_ecp_group_id grp_id ); 2413d3b0591SJens Wiklander 2423d3b0591SJens Wiklander /** 2433d3b0591SJens Wiklander * \brief This function frees a context. 2443d3b0591SJens Wiklander * 2453d3b0591SJens Wiklander * \param ctx The context to free. This may be \c NULL, in which 2463d3b0591SJens Wiklander * case this function does nothing. If it is not \c NULL, 2473d3b0591SJens Wiklander * it must point to an initialized ECDH context. 248817466cbSJens Wiklander */ 249817466cbSJens Wiklander void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx ); 250817466cbSJens Wiklander 251817466cbSJens Wiklander /** 2523d3b0591SJens Wiklander * \brief This function generates an EC key pair and exports its 2533d3b0591SJens Wiklander * in the format used in a TLS ServerKeyExchange handshake 2543d3b0591SJens Wiklander * message. 255817466cbSJens Wiklander * 2563d3b0591SJens Wiklander * This is the second function used by a TLS server for ECDHE 2573d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup().) 258817466cbSJens Wiklander * 2593d3b0591SJens Wiklander * \see ecp.h 260817466cbSJens Wiklander * 2613d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 2623d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 2633d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 2643d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer of 2653d3b0591SJens Wiklander * length \p blen Bytes. 2663d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 2673d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 2683d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 2693d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 2703d3b0591SJens Wiklander * 2713d3b0591SJens Wiklander * \return \c 0 on success. 2723d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 2733d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 2743d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 275817466cbSJens Wiklander */ 276817466cbSJens Wiklander int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, 277817466cbSJens Wiklander unsigned char *buf, size_t blen, 278817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 279817466cbSJens Wiklander void *p_rng ); 280817466cbSJens Wiklander 281817466cbSJens Wiklander /** 2823d3b0591SJens Wiklander * \brief This function parses the ECDHE parameters in a 2833d3b0591SJens Wiklander * TLS ServerKeyExchange handshake message. 284817466cbSJens Wiklander * 2853d3b0591SJens Wiklander * \note In a TLS handshake, this is the how the client 2863d3b0591SJens Wiklander * sets up its ECDHE context from the server's public 2873d3b0591SJens Wiklander * ECDHE key material. 288817466cbSJens Wiklander * 2893d3b0591SJens Wiklander * \see ecp.h 2903d3b0591SJens Wiklander * 2913d3b0591SJens Wiklander * \param ctx The ECDHE context to use. This must be initialized. 2923d3b0591SJens Wiklander * \param buf On input, \c *buf must be the start of the input buffer. 2933d3b0591SJens Wiklander * On output, \c *buf is updated to point to the end of the 2943d3b0591SJens Wiklander * data that has been read. On success, this is the first byte 2953d3b0591SJens Wiklander * past the end of the ServerKeyExchange parameters. 2963d3b0591SJens Wiklander * On error, this is the point at which an error has been 2973d3b0591SJens Wiklander * detected, which is usually not useful except to debug 2983d3b0591SJens Wiklander * failures. 2993d3b0591SJens Wiklander * \param end The end of the input buffer. 3003d3b0591SJens Wiklander * 3013d3b0591SJens Wiklander * \return \c 0 on success. 3023d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 3033d3b0591SJens Wiklander * 304817466cbSJens Wiklander */ 305817466cbSJens Wiklander int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, 3063d3b0591SJens Wiklander const unsigned char **buf, 3073d3b0591SJens Wiklander const unsigned char *end ); 308817466cbSJens Wiklander 309817466cbSJens Wiklander /** 3103d3b0591SJens Wiklander * \brief This function sets up an ECDH context from an EC key. 311817466cbSJens Wiklander * 3123d3b0591SJens Wiklander * It is used by clients and servers in place of the 3133d3b0591SJens Wiklander * ServerKeyEchange for static ECDH, and imports ECDH 3143d3b0591SJens Wiklander * parameters from the EC key information of a certificate. 315817466cbSJens Wiklander * 3163d3b0591SJens Wiklander * \see ecp.h 3173d3b0591SJens Wiklander * 3183d3b0591SJens Wiklander * \param ctx The ECDH context to set up. This must be initialized. 3193d3b0591SJens Wiklander * \param key The EC key to use. This must be initialized. 3203d3b0591SJens Wiklander * \param side Defines the source of the key. Possible values are: 3213d3b0591SJens Wiklander * - #MBEDTLS_ECDH_OURS: The key is ours. 3223d3b0591SJens Wiklander * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer. 3233d3b0591SJens Wiklander * 3243d3b0591SJens Wiklander * \return \c 0 on success. 3253d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 3263d3b0591SJens Wiklander * 327817466cbSJens Wiklander */ 3283d3b0591SJens Wiklander int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, 3293d3b0591SJens Wiklander const mbedtls_ecp_keypair *key, 330817466cbSJens Wiklander mbedtls_ecdh_side side ); 331817466cbSJens Wiklander 332817466cbSJens Wiklander /** 3333d3b0591SJens Wiklander * \brief This function generates a public key and exports it 3343d3b0591SJens Wiklander * as a TLS ClientKeyExchange payload. 335817466cbSJens Wiklander * 3363d3b0591SJens Wiklander * This is the second function used by a TLS client for ECDH(E) 3373d3b0591SJens Wiklander * ciphersuites. 338817466cbSJens Wiklander * 3393d3b0591SJens Wiklander * \see ecp.h 3403d3b0591SJens Wiklander * 3413d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 3423d3b0591SJens Wiklander * and bound to a group, the latter usually by 3433d3b0591SJens Wiklander * mbedtls_ecdh_read_params(). 3443d3b0591SJens Wiklander * \param olen The address at which to store the number of Bytes written. 3453d3b0591SJens Wiklander * This must not be \c NULL. 3463d3b0591SJens Wiklander * \param buf The destination buffer. This must be a writable buffer 3473d3b0591SJens Wiklander * of length \p blen Bytes. 3483d3b0591SJens Wiklander * \param blen The size of the destination buffer \p buf in Bytes. 3493d3b0591SJens Wiklander * \param f_rng The RNG function to use. This must not be \c NULL. 3503d3b0591SJens Wiklander * \param p_rng The RNG context to be passed to \p f_rng. This may be 3513d3b0591SJens Wiklander * \c NULL in case \p f_rng doesn't need a context argument. 3523d3b0591SJens Wiklander * 3533d3b0591SJens Wiklander * \return \c 0 on success. 3543d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 3553d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 3563d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 357817466cbSJens Wiklander */ 358817466cbSJens Wiklander int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, 359817466cbSJens Wiklander unsigned char *buf, size_t blen, 360817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 361817466cbSJens Wiklander void *p_rng ); 362817466cbSJens Wiklander 363817466cbSJens Wiklander /** 3643d3b0591SJens Wiklander * \brief This function parses and processes the ECDHE payload of a 3653d3b0591SJens Wiklander * TLS ClientKeyExchange message. 366817466cbSJens Wiklander * 3673d3b0591SJens Wiklander * This is the third function used by a TLS server for ECDH(E) 3683d3b0591SJens Wiklander * ciphersuites. (It is called after mbedtls_ecdh_setup() and 3693d3b0591SJens Wiklander * mbedtls_ecdh_make_params().) 370817466cbSJens Wiklander * 3713d3b0591SJens Wiklander * \see ecp.h 3723d3b0591SJens Wiklander * 3733d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 3743d3b0591SJens Wiklander * and bound to a group, for example via mbedtls_ecdh_setup(). 3753d3b0591SJens Wiklander * \param buf The pointer to the ClientKeyExchange payload. This must 3763d3b0591SJens Wiklander * be a readable buffer of length \p blen Bytes. 3773d3b0591SJens Wiklander * \param blen The length of the input buffer \p buf in Bytes. 3783d3b0591SJens Wiklander * 3793d3b0591SJens Wiklander * \return \c 0 on success. 3803d3b0591SJens Wiklander * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. 381817466cbSJens Wiklander */ 382817466cbSJens Wiklander int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, 383817466cbSJens Wiklander const unsigned char *buf, size_t blen ); 384817466cbSJens Wiklander 385817466cbSJens Wiklander /** 3863d3b0591SJens Wiklander * \brief This function derives and exports the shared secret. 387817466cbSJens Wiklander * 3883d3b0591SJens Wiklander * This is the last function used by both TLS client 3893d3b0591SJens Wiklander * and servers. 390817466cbSJens Wiklander * 3913d3b0591SJens Wiklander * \note If \p f_rng is not NULL, it is used to implement 3923d3b0591SJens Wiklander * countermeasures against side-channel attacks. 3933d3b0591SJens Wiklander * For more information, see mbedtls_ecp_mul(). 3943d3b0591SJens Wiklander * 3953d3b0591SJens Wiklander * \see ecp.h 3963d3b0591SJens Wiklander 3973d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized 3983d3b0591SJens Wiklander * and have its own private key generated and the peer's 3993d3b0591SJens Wiklander * public key imported. 4003d3b0591SJens Wiklander * \param olen The address at which to store the total number of 4013d3b0591SJens Wiklander * Bytes written on success. This must not be \c NULL. 4023d3b0591SJens Wiklander * \param buf The buffer to write the generated shared key to. This 4033d3b0591SJens Wiklander * must be a writable buffer of size \p blen Bytes. 4043d3b0591SJens Wiklander * \param blen The length of the destination buffer \p buf in Bytes. 4053d3b0591SJens Wiklander * \param f_rng The RNG function, for blinding purposes. This may 4063d3b0591SJens Wiklander * b \c NULL if blinding isn't needed. 4073d3b0591SJens Wiklander * \param p_rng The RNG context. This may be \c NULL if \p f_rng 4083d3b0591SJens Wiklander * doesn't need a context argument. 4093d3b0591SJens Wiklander * 4103d3b0591SJens Wiklander * \return \c 0 on success. 4113d3b0591SJens Wiklander * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 4123d3b0591SJens Wiklander * operations was reached: see \c mbedtls_ecp_set_max_ops(). 4133d3b0591SJens Wiklander * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. 414817466cbSJens Wiklander */ 415817466cbSJens Wiklander int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, 416817466cbSJens Wiklander unsigned char *buf, size_t blen, 417817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 418817466cbSJens Wiklander void *p_rng ); 419817466cbSJens Wiklander 4203d3b0591SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) 4213d3b0591SJens Wiklander /** 4223d3b0591SJens Wiklander * \brief This function enables restartable EC computations for this 4233d3b0591SJens Wiklander * context. (Default: disabled.) 4243d3b0591SJens Wiklander * 4253d3b0591SJens Wiklander * \see \c mbedtls_ecp_set_max_ops() 4263d3b0591SJens Wiklander * 4273d3b0591SJens Wiklander * \note It is not possible to safely disable restartable 4283d3b0591SJens Wiklander * computations once enabled, except by free-ing the context, 4293d3b0591SJens Wiklander * which cancels possible in-progress operations. 4303d3b0591SJens Wiklander * 4313d3b0591SJens Wiklander * \param ctx The ECDH context to use. This must be initialized. 4323d3b0591SJens Wiklander */ 4333d3b0591SJens Wiklander void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx ); 4343d3b0591SJens Wiklander #endif /* MBEDTLS_ECP_RESTARTABLE */ 4353d3b0591SJens Wiklander 436817466cbSJens Wiklander #ifdef __cplusplus 437817466cbSJens Wiklander } 438817466cbSJens Wiklander #endif 439817466cbSJens Wiklander 440817466cbSJens Wiklander #endif /* ecdh.h */ 441