/**
 * \file ecdh.h
 *
 * \brief Elliptic curve Diffie-Hellman
 *
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
 */
#ifndef MBEDTLS_ECDH_H
#define MBEDTLS_ECDH_H

#include "ecp.h"

#ifdef __cplusplus
extern "C" {
#endif

/**
 * When importing from an EC key, select whether it is our key or the
 * peer's key.
 *
 * No explicit values are given, so the enumerator order fixes them:
 * MBEDTLS_ECDH_OURS is 0 and MBEDTLS_ECDH_THEIRS is 1.
 */
typedef enum
{
    MBEDTLS_ECDH_OURS,
    MBEDTLS_ECDH_THEIRS,
} mbedtls_ecdh_side;

/**
 * \brief ECDH context structure
 *
 * Holds the state of one side of an ECDH exchange: the curve in use, our
 * key pair, the peer's public value and the derived shared secret.
 * \c d (private key) and \c z (shared secret) are secret material.
 *
 * \note (review) Whether mbedtls_ecdh_free() wipes \c d and \c z before
 *       releasing them is decided in ecdh.c and is not visible from this
 *       header -- confirm before relying on it.
 */
typedef struct
{
    mbedtls_ecp_group grp;      /*!< elliptic curve used */
    mbedtls_mpi d;              /*!< our secret value (private key) */
    mbedtls_ecp_point Q;        /*!< our public value (public key) */
    mbedtls_ecp_point Qp;       /*!< peer's public value (public key) */
    mbedtls_mpi z;              /*!< shared secret */
    int point_format;           /*!< format for point export in TLS messages */
    mbedtls_ecp_point Vi;       /*!< blinding value (for later) */
    mbedtls_ecp_point Vf;       /*!< un-blinding value (for later) */
    mbedtls_mpi _d;             /*!< previous d (for later) */
}
mbedtls_ecdh_context;

/**
 * \brief           Generate a public key.
 *                  Raw function that only does the core computation.
 *
 * \param grp       ECP group to operate on
 * \param d         Destination MPI (secret exponent, aka private key)
 * \param Q         Destination point (public key)
 * \param f_rng     RNG function used to draw the secret exponent
 * \param p_rng     RNG parameter, passed through to \p f_rng
 *
 * \return          0 if successful,
 *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 */
int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng );

/**
 * \brief           Compute shared secret
 *                  Raw function that only does the core computation.
 *
 * \param grp       ECP group to operate on
 * \param z         Destination MPI (shared secret)
 * \param Q         Public key from other party
 * \param d         Our secret exponent (private key)
 * \param f_rng     RNG function (see notes); may be NULL
 * \param p_rng     RNG parameter, passed through to \p f_rng
 *
 * \return          0 if successful,
 *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 *
 * \note            If f_rng is not NULL, it is used to implement
 *                  countermeasures against potential elaborate timing
 *                  attacks, see \c mbedtls_ecp_mul() for details.
 *                  Passing NULL therefore disables those countermeasures.
 */
int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
                         int (*f_rng)(void *, unsigned char *, size_t),
                         void *p_rng );

/**
 * \brief           Initialize context
 *
 * \param ctx       Context to initialize
 */
void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );

/**
 * \brief           Free context
 *
 * \param ctx       Context to free (see the note on mbedtls_ecdh_context
 *                  about wiping of secret fields)
 */
void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );

/**
 * \brief           Generate a public key and a TLS ServerKeyExchange payload.
 *                  (First function used by a TLS server for ECDHE.)
 *
 * \param ctx       ECDH context
 * \param olen      number of chars written
 * \param buf       destination buffer
 * \param blen      length of buffer; bounds what is written to \p buf
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
 * \note            This function assumes that ctx->grp has already been
 *                  properly set (for example using mbedtls_ecp_group_load).
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );

/**
 * \brief           Parse and process a TLS ServerKeyExchange payload.
 *                  (First function used by a TLS client for ECDHE.)
 *
 * \param ctx       ECDH context
 * \param buf       pointer to start of input buffer; the payload is received
 *                  from the peer, so it is untrusted input (presumably
 *                  advanced past the bytes consumed -- verify in ecdh.c)
 * \param end       one past end of buffer; bounds the parse
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
                      const unsigned char **buf, const unsigned char *end );

/**
 * \brief           Setup an ECDH context from an EC key.
 *                  (Used by clients and servers in place of the
 *                  ServerKeyExchange for static ECDH: import ECDH parameters
 *                  from a certificate's EC key information.)
 *
 * \param ctx       ECDH context to set
 * \param key       EC key to use
 * \param side      MBEDTLS_ECDH_OURS if \p key is our own key,
 *                  MBEDTLS_ECDH_THEIRS if it is the peer's key
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
                     mbedtls_ecdh_side side );

/**
 * \brief           Generate a public key and a TLS ClientKeyExchange payload.
 *                  (Second function used by a TLS client for ECDH(E).)
 *
 * \param ctx       ECDH context
 * \param olen      number of bytes actually written
 * \param buf       destination buffer
 * \param blen      size of destination buffer; bounds what is written
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );

/**
 * \brief           Parse and process a TLS ClientKeyExchange payload.
 *                  (Second function used by a TLS server for ECDH(E).)
 *
 * \param ctx       ECDH context
 * \param buf       start of input buffer; the payload is received from the
 *                  peer, so it is untrusted input
 * \param blen      length of input buffer; bounds the parse
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
                      const unsigned char *buf, size_t blen );

/**
 * \brief           Derive and export the shared secret.
 *                  (Last function used by both TLS clients and servers.)
 *
 * \param ctx       ECDH context
 * \param olen      number of bytes written
 * \param buf       destination buffer; receives secret material
 * \param blen      buffer length; bounds what is written
 * \param f_rng     RNG function, see notes for \c mbedtls_ecdh_compute_shared()
 * \param p_rng     RNG parameter
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );

#ifdef __cplusplus
}
#endif

#endif /* ecdh.h */