1 /**
2 * \file ecp.h
3 *
4 * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
5 *
6 * The use of ECP in cryptography and TLS is defined in
7 * <em>Standards for Efficient Cryptography Group (SECG): SEC1
8 * Elliptic Curve Cryptography</em> and
9 * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
10 * for Transport Layer Security (TLS)</em>.
11 *
12 * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
13 * group types.
14 *
15 */
16
17 /*
18 * Copyright The Mbed TLS Contributors
19 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
20 */
21
22 #ifndef MBEDTLS_ECP_H
23 #define MBEDTLS_ECP_H
24 #include "mbedtls/private_access.h"
25
26 #include "mbedtls/build_info.h"
27 #include "mbedtls/platform_util.h"
28
29 #include "mbedtls/bignum.h"
30
31 /*
32 * ECP error codes
33 */
34 /** Bad input parameters to function. */
35 #define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80
36 /** The buffer is too small to write to. */
37 #define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00
38 /** The requested feature is not available, for example, the requested curve is not supported. */
39 #define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80
40 /** The signature is not valid. */
41 #define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00
42 /** Memory allocation failed. */
43 #define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80
44 /** Generation of random value, such as ephemeral key, failed. */
45 #define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00
46 /** Invalid private or public key. */
47 #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80
48 /** The buffer contains a valid signature followed by more data. */
49 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00
50 /** Operation in progress, call again with the same parameters to continue. */
51 #define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00
52
53 /* Flags indicating whether to include code that is specific to certain
54 * types of curves. These flags are for internal library use only. */
55 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
56 defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
57 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
58 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
59 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
60 defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
61 defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
62 defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
63 defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
64 defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
65 defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
66 defined(MBEDTLS_ECP_DP_SM2_ENABLED)
67 #define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
68 #endif
69 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
70 defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
71 #define MBEDTLS_ECP_MONTGOMERY_ENABLED
72 #endif
73
74 #ifdef __cplusplus
75 extern "C" {
76 #endif
77
78 /**
79 * Domain-parameter identifiers: curve, subgroup, and generator.
80 *
81 * \note Only curves over prime fields are supported.
82 *
83 * \warning This library does not support validation of arbitrary domain
84 * parameters. Therefore, only standardized domain parameters from trusted
85 * sources should be used. See mbedtls_ecp_group_load().
86 */
87 /* Note: when adding a new curve:
88 * - Add it at the end of this enum, otherwise you'll break the ABI by
89 * changing the numerical value for existing curves.
90 * - Increment MBEDTLS_ECP_DP_MAX below if needed.
91 * - Update the calculation of MBEDTLS_ECP_MAX_BITS below.
92 * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
93 * mbedtls_config.h.
94 * - List the curve as a dependency of MBEDTLS_ECP_C and
95 * MBEDTLS_ECDSA_C if supported in check_config.h.
96 * - Add the curve to the appropriate curve type macro
97 * MBEDTLS_ECP_yyy_ENABLED above.
98 * - Add the necessary definitions to ecp_curves.c.
99 * - Add the curve to the ecp_supported_curves array in ecp.c.
100 * - Add the curve to applicable profiles in x509_crt.c.
101 * - Add the curve to applicable presets in ssl_tls.c.
102 */
103 typedef enum {
104 MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
105 MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
106 MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
107 MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
108 MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
109 MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
110 MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */
111 MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */
112 MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */
113 MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */
114 MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */
115 MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
116 MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
117 MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
118 MBEDTLS_ECP_DP_SM2, /*!< Domain parameters for SM2. */
119 } mbedtls_ecp_group_id;
120
121 /**
122 * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
123 */
124 #define MBEDTLS_ECP_DP_MAX 14
125
126 /*
127 * Curve types
128 */
129 typedef enum {
130 MBEDTLS_ECP_TYPE_NONE = 0,
131 MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */
132 MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */
133 } mbedtls_ecp_curve_type;
134
135 /**
136 * Curve information, for use by other modules.
137 *
138 * The fields of this structure are part of the public API and can be
139 * accessed directly by applications. Future versions of the library may
140 * add extra fields or reorder existing fields.
141 */
142 typedef struct mbedtls_ecp_curve_info {
143 mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
144 uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
145 uint16_t bit_size; /*!< The curve size in bits. */
146 const char *name; /*!< A human-friendly name. */
147 } mbedtls_ecp_curve_info;
148
149 /**
150 * \brief The ECP point structure, in Jacobian coordinates.
151 *
152 * \note All functions expect and return points satisfying
153 * the following condition: <code>Z == 0</code> or
154 * <code>Z == 1</code>. Other values of \p Z are
155 * used only by internal functions.
156 * The point is zero, or "at infinity", if <code>Z == 0</code>.
157 * Otherwise, \p X and \p Y are its standard (affine)
158 * coordinates.
159 */
160 typedef struct mbedtls_ecp_point {
161 mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< The X coordinate of the ECP point. */
162 mbedtls_mpi MBEDTLS_PRIVATE(Y); /*!< The Y coordinate of the ECP point. */
163 mbedtls_mpi MBEDTLS_PRIVATE(Z); /*!< The Z coordinate of the ECP point. */
164 }
165 mbedtls_ecp_point;
166
167 #if !defined(MBEDTLS_ECP_ALT)
168 /*
169 * default Mbed TLS elliptic curve arithmetic implementation
170 *
171 * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
172 * alternative implementation for the whole module and it will replace this
173 * one.)
174 */
175
176 /**
177 * \brief The ECP group structure.
178 *
179 * We consider two types of curve equations:
180 * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
181 * (SEC1 + RFC-4492)</li>
182 * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
183 * Curve448)</li></ul>
184 * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
185 *
186 * For Short Weierstrass, this subgroup is the whole curve, and its
187 * cardinality is denoted by \p N. Our code requires that \p N is an
188 * odd prime as mbedtls_ecp_mul() requires an odd number, and
189 * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
190 *
191 * The default implementation only initializes \p A without setting it to the
192 * authentic value for curves with <code>A = -3</code>(SECP256R1, etc), in which
193 * case you need to load \p A by yourself when using domain parameters directly,
194 * for example:
195 * \code
196 * mbedtls_mpi_init(&A);
197 * mbedtls_ecp_group_init(&grp);
198 * CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id));
199 * if (mbedtls_ecp_group_a_is_minus_3(&grp)) {
200 * CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3));
201 * } else {
202 * CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A));
203 * }
204 *
205 * do_something_with_a(&A);
206 *
207 * cleanup:
208 * mbedtls_mpi_free(&A);
209 * mbedtls_ecp_group_free(&grp);
210 * \endcode
211 *
212 * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
213 * which is the quantity used in the formulas. Additionally, \p nbits is
214 * not the size of \p N but the required size for private keys.
215 *
216 * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
217 * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
218 * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
219 * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
220 * in size, so that it may be efficiently brought in the 0..P-1 range by a few
221 * additions or subtractions. Therefore, it is only an approximate modular
222 * reduction. It must return 0 on success and non-zero on failure.
223 *
224 * \note Alternative implementations of the ECP module must obey the
225 * following constraints.
226 * * Group IDs must be distinct: if two group structures have
227 * the same ID, then they must be identical.
228 * * The fields \c id, \c P, \c A, \c B, \c G, \c N,
229 * \c pbits and \c nbits must have the same type and semantics
230 * as in the built-in implementation.
231 * They must be available for reading, but direct modification
232 * of these fields does not need to be supported.
233 * They do not need to be at the same offset in the structure.
234 */
235 typedef struct mbedtls_ecp_group {
236 mbedtls_ecp_group_id id; /*!< An internal group identifier. */
237 mbedtls_mpi P; /*!< The prime modulus of the base field. */
238 mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. Note that
239 \p A is not set to the authentic value in some cases.
240 Refer to detailed description of ::mbedtls_ecp_group if
241 using domain parameters in the structure.
242 For Montgomery curves: <code>(A + 2) / 4</code>. */
243 mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
244 For Montgomery curves: unused. */
245 mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
246 mbedtls_mpi N; /*!< The order of \p G. */
247 size_t pbits; /*!< The number of bits in \p P.*/
248 size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P.
249 For Montgomery curves: the number of bits in the
250 private keys. */
251 /* End of public fields */
252
253 unsigned int MBEDTLS_PRIVATE(h); /*!< \internal 1 if the constants are static. */
254 int(*MBEDTLS_PRIVATE(modp))(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
255 mod \p P (see above).*/
256 int(*MBEDTLS_PRIVATE(t_pre))(mbedtls_ecp_point *, void *); /*!< Unused. */
257 int(*MBEDTLS_PRIVATE(t_post))(mbedtls_ecp_point *, void *); /*!< Unused. */
258 void *MBEDTLS_PRIVATE(t_data); /*!< Unused. */
259 mbedtls_ecp_point *MBEDTLS_PRIVATE(T); /*!< Pre-computed points for ecp_mul_comb(). */
260 size_t MBEDTLS_PRIVATE(T_size); /*!< The number of dynamic allocated pre-computed points. */
261 }
262 mbedtls_ecp_group;
263
264 /**
265 * \name SECTION: Module settings
266 *
267 * The configuration options you can set for this module are in this section.
268 * Either change them in mbedtls_config.h, or define them using the compiler command line.
269 * \{
270 */
271
272 #if !defined(MBEDTLS_ECP_WINDOW_SIZE)
273 /*
274 * Maximum "window" size used for point multiplication.
275 * Default: a point where higher memory usage yields diminishing performance
276 * returns.
277 * Minimum value: 2. Maximum value: 7.
278 *
279 * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
280 * points used for point multiplication. This value is directly tied to EC
281 * peak memory usage, so decreasing it by one should roughly cut memory usage
282 * by two (if large curves are in use).
283 *
284 * Reduction in size may reduce speed, but larger curves are impacted first.
285 * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
286 * w-size: 6 5 4 3 2
287 * 521 145 141 135 120 97
288 * 384 214 209 198 177 146
289 * 256 320 320 303 262 226
290 * 224 475 475 453 398 342
291 * 192 640 640 633 587 476
292 */
293 #define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */
294 #endif /* MBEDTLS_ECP_WINDOW_SIZE */
295
296 #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
297 /*
298 * Trade code size for speed on fixed-point multiplication.
299 *
300 * This speeds up repeated multiplication of the generator (that is, the
301 * multiplication in ECDSA signatures, and half of the multiplications in
302 * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
303 *
304 * For each n-bit Short Weierstrass curve that is enabled, this adds 4n bytes
305 * of code size if n < 384 and 8n otherwise.
306 *
307 * Change this value to 0 to reduce code size.
308 */
309 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */
310 #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
311
312 /** \} name SECTION: Module settings */
313
314 #else /* MBEDTLS_ECP_ALT */
315 #include "ecp_alt.h"
316 #endif /* MBEDTLS_ECP_ALT */
317
318 /**
319 * The maximum size of the groups, that is, of \c N and \c P.
320 */
321 #if !defined(MBEDTLS_ECP_LIGHT)
322 /* Dummy definition to help code that has optional ECP support and
323 * defines an MBEDTLS_ECP_MAX_BYTES-sized array unconditionally. */
324 #define MBEDTLS_ECP_MAX_BITS 1
325 /* Note: the curves must be listed in DECREASING size! */
326 #elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
327 #define MBEDTLS_ECP_MAX_BITS 521
328 #elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
329 #define MBEDTLS_ECP_MAX_BITS 512
330 #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
331 #define MBEDTLS_ECP_MAX_BITS 448
332 #elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
333 #define MBEDTLS_ECP_MAX_BITS 384
334 #elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
335 #define MBEDTLS_ECP_MAX_BITS 384
336 #elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
337 #define MBEDTLS_ECP_MAX_BITS 256
338 #elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
339 #define MBEDTLS_ECP_MAX_BITS 256
340 #elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
341 #define MBEDTLS_ECP_MAX_BITS 256
342 #elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
343 #define MBEDTLS_ECP_MAX_BITS 255
344 #elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
345 #define MBEDTLS_ECP_MAX_BITS 225 // n is slightly above 2^224
346 #elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
347 #define MBEDTLS_ECP_MAX_BITS 224
348 #elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
349 #define MBEDTLS_ECP_MAX_BITS 192
350 #elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
351 #define MBEDTLS_ECP_MAX_BITS 192
352 #else /* !MBEDTLS_ECP_LIGHT */
353 #error "Missing definition of MBEDTLS_ECP_MAX_BITS"
354 #endif /* !MBEDTLS_ECP_LIGHT */
355
356 #define MBEDTLS_ECP_MAX_BYTES ((MBEDTLS_ECP_MAX_BITS + 7) / 8)
357 #define MBEDTLS_ECP_MAX_PT_LEN (2 * MBEDTLS_ECP_MAX_BYTES + 1)
358
359 #if defined(MBEDTLS_ECP_RESTARTABLE)
360
361 /**
362 * \brief Internal restart context for multiplication
363 *
364 * \note Opaque struct
365 */
366 typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
367
368 /**
369 * \brief Internal restart context for ecp_muladd()
370 *
371 * \note Opaque struct
372 */
373 typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
374
375 /**
376 * \brief General context for resuming ECC operations
377 */
378 typedef struct {
379 unsigned MBEDTLS_PRIVATE(ops_done); /*!< current ops count */
380 unsigned MBEDTLS_PRIVATE(depth); /*!< call depth (0 = top-level) */
381 mbedtls_ecp_restart_mul_ctx *MBEDTLS_PRIVATE(rsm); /*!< ecp_mul_comb() sub-context */
382 mbedtls_ecp_restart_muladd_ctx *MBEDTLS_PRIVATE(ma); /*!< ecp_muladd() sub-context */
383 } mbedtls_ecp_restart_ctx;
384
385 /*
386 * Operation counts for restartable functions
387 */
388 #define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */
389 #define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */
390 #define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */
391 #define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */
392
393 /**
394 * \brief Internal; for restartable functions in other modules.
395 * Check and update basic ops budget.
396 *
397 * \param grp Group structure
398 * \param rs_ctx Restart context
399 * \param ops Number of basic ops to do
400 *
401 * \return \c 0 if doing \p ops basic ops is still allowed,
402 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
403 */
404 int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
405 mbedtls_ecp_restart_ctx *rs_ctx,
406 unsigned ops);
407
408 /* Utility macro for checking and updating ops budget */
409 #define MBEDTLS_ECP_BUDGET(ops) \
410 MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, rs_ctx, \
411 (unsigned) (ops)));
412
413 #else /* MBEDTLS_ECP_RESTARTABLE */
414
415 #define MBEDTLS_ECP_BUDGET(ops) /* no-op; for compatibility */
416
417 /* We want to declare restartable versions of existing functions anyway */
418 typedef void mbedtls_ecp_restart_ctx;
419
420 #endif /* MBEDTLS_ECP_RESTARTABLE */
421
422 /**
423 * \brief The ECP key-pair structure.
424 *
425 * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
426 *
427 * \note Members are deliberately in the same order as in the
428 * ::mbedtls_ecdsa_context structure.
429 */
430 typedef struct mbedtls_ecp_keypair {
431 mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< Elliptic curve and base point */
432 mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< our secret value */
433 mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< our public value */
434 }
435 mbedtls_ecp_keypair;
436
437 /**
438 * The uncompressed point format for Short Weierstrass curves
439 * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
440 */
441 #define MBEDTLS_ECP_PF_UNCOMPRESSED 0
442 /**
443 * The compressed point format for Short Weierstrass curves
444 * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
445 *
446 * \warning While this format is supported for all concerned curves for
447 * writing, when it comes to parsing, it is not supported for all
448 * curves. Specifically, parsing compressed points on
449 * MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
450 * supported.
451 */
452 #define MBEDTLS_ECP_PF_COMPRESSED 1
453
454 /*
455 * Some other constants from RFC 4492
456 */
457 #define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
458
459 #if defined(MBEDTLS_ECP_RESTARTABLE)
460 /**
461 * \brief Set the maximum number of basic operations done in a row.
462 *
463 * If more operations are needed to complete a computation,
464 * #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
465 * function performing the computation. It is then the
466 * caller's responsibility to either call again with the same
467 * parameters until it returns 0 or an error code; or to free
468 * the restart context if the operation is to be aborted.
469 *
470 * It is strictly required that all input parameters and the
471 * restart context be the same on successive calls for the
472 * same operation, but output parameters need not be the
473 * same; they must not be used until the function finally
474 * returns 0.
475 *
476 * This only applies to functions whose documentation
477 * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
478 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
479 * SSL module). For functions that accept a "restart context"
480 * argument, passing NULL disables restart and makes the
481 * function equivalent to the function with the same name
482 * with \c _restartable removed. For functions in the ECDH
483 * module, restart is disabled unless the function accepts
484 * an "ECDH context" argument and
485 * mbedtls_ecdh_enable_restart() was previously called on
486 * that context. For function in the SSL module, restart is
487 * only enabled for specific sides and key exchanges
488 * (currently only for clients and ECDHE-ECDSA).
489 *
490 * \warning Using the PSA interruptible interfaces with keys in local
491 * storage and no accelerator driver will also call this
492 * function to set the values specified via those interfaces,
493 * overwriting values previously set. Care should be taken if
494 * mixing these two interfaces.
495 *
496 * \param max_ops Maximum number of basic operations done in a row.
497 * Default: 0 (unlimited).
498 * Lower (non-zero) values mean ECC functions will block for
499 * a lesser maximum amount of time.
500 *
501 * \note A "basic operation" is defined as a rough equivalent of a
502 * multiplication in GF(p) for the NIST P-256 curve.
503 * As an indication, with default settings, a scalar
504 * multiplication (full run of \c mbedtls_ecp_mul()) is:
505 * - about 3300 basic operations for P-256
506 * - about 9400 basic operations for P-384
507 *
508 * \note Very low values are not always respected: sometimes
509 * functions need to block for a minimum number of
510 * operations, and will do so even if max_ops is set to a
511 * lower value. That minimum depends on the curve size, and
512 * can be made lower by decreasing the value of
513 * \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the
514 * lowest effective value for various curves and values of
515 * that parameter (w for short):
516 * w=6 w=5 w=4 w=3 w=2
517 * P-256 208 208 160 136 124
518 * P-384 682 416 320 272 248
519 * P-521 1364 832 640 544 496
520 *
521 * \note This setting is currently ignored by Curve25519.
522 */
523 void mbedtls_ecp_set_max_ops(unsigned max_ops);
524
525 /**
526 * \brief Check if restart is enabled (max_ops != 0)
527 *
528 * \return \c 0 if \c max_ops == 0 (restart disabled)
529 * \return \c 1 otherwise (restart enabled)
530 */
531 int mbedtls_ecp_restart_is_enabled(void);
532 #endif /* MBEDTLS_ECP_RESTARTABLE */
533
534 /*
535 * Get the type of a curve
536 */
537 mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp);
538
539 /**
540 * \brief This function retrieves the information defined in
541 * mbedtls_ecp_curve_info() for all supported curves.
542 *
543 * \note This function returns information about all curves
544 * supported by the library. Some curves may not be
545 * supported for all algorithms. Call mbedtls_ecdh_can_do()
546 * or mbedtls_ecdsa_can_do() to check if a curve is
547 * supported for ECDH or ECDSA.
548 *
549 * \return A statically allocated array. The last entry is 0.
550 */
551 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void);
552
553 /**
554 * \brief This function retrieves the list of internal group
555 * identifiers of all supported curves in the order of
556 * preference.
557 *
558 * \note This function returns information about all curves
559 * supported by the library. Some curves may not be
560 * supported for all algorithms. Call mbedtls_ecdh_can_do()
561 * or mbedtls_ecdsa_can_do() to check if a curve is
562 * supported for ECDH or ECDSA.
563 *
564 * \return A statically allocated array,
565 * terminated with MBEDTLS_ECP_DP_NONE.
566 */
567 const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void);
568
569 /**
570 * \brief This function retrieves curve information from an internal
571 * group identifier.
572 *
573 * \param grp_id An \c MBEDTLS_ECP_DP_XXX value.
574 *
575 * \return The associated curve information on success.
576 * \return NULL on failure.
577 */
578 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id);
579
580 /**
581 * \brief This function retrieves curve information from a TLS
582 * NamedCurve value.
583 *
584 * \param tls_id An \c MBEDTLS_ECP_DP_XXX value.
585 *
586 * \return The associated curve information on success.
587 * \return NULL on failure.
588 */
589 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id);
590
591 /**
592 * \brief This function retrieves curve information from a
593 * human-readable name.
594 *
595 * \param name The human-readable name.
596 *
597 * \return The associated curve information on success.
598 * \return NULL on failure.
599 */
600 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name);
601
602 /**
603 * \brief This function initializes a point as zero.
604 *
605 * \param pt The point to initialize.
606 */
607 void mbedtls_ecp_point_init(mbedtls_ecp_point *pt);
608
609 /**
610 * \brief This function initializes an ECP group context
611 * without loading any domain parameters.
612 *
613 * \note After this function is called, domain parameters
614 * for various ECP groups can be loaded through the
615 * mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
616 * functions.
617 */
618 void mbedtls_ecp_group_init(mbedtls_ecp_group *grp);
619
620 /**
621 * \brief This function initializes a key pair as an invalid one.
622 *
623 * \param key The key pair to initialize.
624 */
625 void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key);
626
627 /**
628 * \brief This function frees the components of a point.
629 *
630 * \param pt The point to free.
631 */
632 void mbedtls_ecp_point_free(mbedtls_ecp_point *pt);
633
634 /**
635 * \brief This function frees the components of an ECP group.
636 *
637 * \param grp The group to free. This may be \c NULL, in which
638 * case this function returns immediately. If it is not
639 * \c NULL, it must point to an initialized ECP group.
640 */
641 void mbedtls_ecp_group_free(mbedtls_ecp_group *grp);
642
643 /**
644 * \brief This function frees the components of a key pair.
645 *
646 * \param key The key pair to free. This may be \c NULL, in which
647 * case this function returns immediately. If it is not
648 * \c NULL, it must point to an initialized ECP key pair.
649 */
650 void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key);
651
652 #if defined(MBEDTLS_ECP_RESTARTABLE)
653 /**
654 * \brief Initialize a restart context.
655 *
656 * \param ctx The restart context to initialize. This must
657 * not be \c NULL.
658 */
659 void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx);
660
661 /**
662 * \brief Free the components of a restart context.
663 *
664 * \param ctx The restart context to free. This may be \c NULL, in which
665 * case this function returns immediately. If it is not
666 * \c NULL, it must point to an initialized restart context.
667 */
668 void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx);
669 #endif /* MBEDTLS_ECP_RESTARTABLE */
670
671 /**
672 * \brief This function copies the contents of point \p Q into
673 * point \p P.
674 *
675 * \param P The destination point. This must be initialized.
676 * \param Q The source point. This must be initialized.
677 *
678 * \return \c 0 on success.
679 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
680 * \return Another negative error code for other kinds of failure.
681 */
682 int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q);
683
684 /**
685 * \brief This function copies the contents of group \p src into
686 * group \p dst.
687 *
688 * \param dst The destination group. This must be initialized.
689 * \param src The source group. This must be initialized.
690 *
691 * \return \c 0 on success.
692 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
693 * \return Another negative error code on other kinds of failure.
694 */
695 int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst,
696 const mbedtls_ecp_group *src);
697
698 /**
699 * \brief This function sets a point to the point at infinity.
700 *
701 * \param pt The point to set. This must be initialized.
702 *
703 * \return \c 0 on success.
704 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
705 * \return Another negative error code on other kinds of failure.
706 */
707 int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt);
708
709 /**
710 * \brief This function checks if a point is the point at infinity.
711 *
712 * \param pt The point to test. This must be initialized.
713 *
714 * \return \c 1 if the point is zero.
715 * \return \c 0 if the point is non-zero.
716 * \return A negative error code on failure.
717 */
718 int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt);
719
720 /**
721 * \brief This function compares two points.
722 *
723 * \note This assumes that the points are normalized. Otherwise,
724 * they may compare as "not equal" even if they are.
725 *
726 * \param P The first point to compare. This must be initialized.
727 * \param Q The second point to compare. This must be initialized.
728 *
729 * \return \c 0 if the points are equal.
730 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
731 */
732 int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
733 const mbedtls_ecp_point *Q);
734
735 /**
736 * \brief This function imports a non-zero point from two ASCII
737 * strings.
738 *
739 * \param P The destination point. This must be initialized.
740 * \param radix The numeric base of the input.
741 * \param x The first affine coordinate, as a null-terminated string.
742 * \param y The second affine coordinate, as a null-terminated string.
743 *
744 * \return \c 0 on success.
745 * \return An \c MBEDTLS_ERR_MPI_XXX error code on failure.
746 */
747 int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
748 const char *x, const char *y);
749
750 /**
751 * \brief This function exports a point into unsigned binary data.
752 *
753 * \param grp The group to which the point should belong.
754 * This must be initialized and have group parameters
755 * set, for example through mbedtls_ecp_group_load().
756 * \param P The point to export. This must be initialized.
757 * \param format The point format. This must be either
758 * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
759 * (For groups without these formats, this parameter is
760 * ignored. But it still has to be either of the above
761 * values.)
762 * \param olen The address at which to store the length of
763 * the output in Bytes. This must not be \c NULL.
764 * \param buf The output buffer. This must be a writable buffer
765 * of length \p buflen Bytes.
766 * \param buflen The length of the output buffer \p buf in Bytes.
767 *
768 * \return \c 0 on success.
769 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
770 * is too small to hold the point.
771 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
772 * or the export for the given group is not implemented.
773 * \return Another negative error code on other kinds of failure.
774 */
775 int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
776 const mbedtls_ecp_point *P,
777 int format, size_t *olen,
778 unsigned char *buf, size_t buflen);
779
780 /**
781 * \brief This function imports a point from unsigned binary data.
782 *
783 * \note This function does not check that the point actually
784 * belongs to the given group, see mbedtls_ecp_check_pubkey()
785 * for that.
786 *
787 * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
788 * limitations.
789 *
790 * \param grp The group to which the point should belong.
791 * This must be initialized and have group parameters
792 * set, for example through mbedtls_ecp_group_load().
793 * \param P The destination context to import the point to.
794 * This must be initialized.
795 * \param buf The input buffer. This must be a readable buffer
796 * of length \p ilen Bytes.
797 * \param ilen The length of the input buffer \p buf in Bytes.
798 *
799 * \return \c 0 on success.
800 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
801 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
802 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the
803 * given group is not implemented.
804 */
805 int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
806 mbedtls_ecp_point *P,
807 const unsigned char *buf, size_t ilen);
808
809 /**
810 * \brief This function imports a point from a TLS ECPoint record.
811 *
812 * \note On function return, \p *buf is updated to point immediately
813 * after the ECPoint record.
814 *
815 * \param grp The ECP group to use.
816 * This must be initialized and have group parameters
817 * set, for example through mbedtls_ecp_group_load().
818 * \param pt The destination point.
819 * \param buf The address of the pointer to the start of the input buffer.
820 * \param len The length of the buffer.
821 *
822 * \return \c 0 on success.
823 * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization
824 * failure.
825 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
826 */
827 int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
828 mbedtls_ecp_point *pt,
829 const unsigned char **buf, size_t len);
830
831 /**
832 * \brief This function exports a point as a TLS ECPoint record
833 * defined in RFC 4492, Section 5.4.
834 *
835 * \param grp The ECP group to use.
836 * This must be initialized and have group parameters
837 * set, for example through mbedtls_ecp_group_load().
838 * \param pt The point to be exported. This must be initialized.
839 * \param format The point format to use. This must be either
840 * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
841 * \param olen The address at which to store the length in Bytes
842 * of the data written.
843 * \param buf The target buffer. This must be a writable buffer of
844 * length \p blen Bytes.
845 * \param blen The length of the target buffer \p buf in Bytes.
846 *
847 * \return \c 0 on success.
848 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
849 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
850 * is too small to hold the exported point.
851 * \return Another negative error code on other kinds of failure.
852 */
853 int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp,
854 const mbedtls_ecp_point *pt,
855 int format, size_t *olen,
856 unsigned char *buf, size_t blen);
857
858 /**
859 * \brief This function sets up an ECP group context
860 * from a standardized set of domain parameters.
861 *
862 * \note The index should be a value of the NamedCurve enum,
863 * as defined in <em>RFC-4492: Elliptic Curve Cryptography
864 * (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
865 * usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
866 *
867 * \param grp The group context to setup. This must be initialized.
868 * \param id The identifier of the domain parameter set to load.
869 *
870 * \return \c 0 on success.
871 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
872 * correspond to a known group.
873 * \return Another negative error code on other kinds of failure.
874 */
875 int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id);
876
877 /**
878 * \brief This function sets up an ECP group context from a TLS
879 * ECParameters record as defined in RFC 4492, Section 5.4.
880 *
881 * \note The read pointer \p buf is updated to point right after
882 * the ECParameters record on exit.
883 *
884 * \param grp The group context to setup. This must be initialized.
885 * \param buf The address of the pointer to the start of the input buffer.
886 * \param len The length of the input buffer \c *buf in Bytes.
887 *
888 * \return \c 0 on success.
889 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
890 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
891 * recognized.
892 * \return Another negative error code on other kinds of failure.
893 */
894 int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
895 const unsigned char **buf, size_t len);
896
897 /**
898 * \brief This function extracts an elliptic curve group ID from a
899 * TLS ECParameters record as defined in RFC 4492, Section 5.4.
900 *
901 * \note The read pointer \p buf is updated to point right after
902 * the ECParameters record on exit.
903 *
904 * \param grp The address at which to store the group id.
905 * This must not be \c NULL.
906 * \param buf The address of the pointer to the start of the input buffer.
907 * \param len The length of the input buffer \c *buf in Bytes.
908 *
909 * \return \c 0 on success.
910 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
911 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
912 * recognized.
913 * \return Another negative error code on other kinds of failure.
914 */
915 int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
916 const unsigned char **buf,
917 size_t len);
918 /**
919 * \brief This function exports an elliptic curve as a TLS
920 * ECParameters record as defined in RFC 4492, Section 5.4.
921 *
922 * \param grp The ECP group to be exported.
923 * This must be initialized and have group parameters
924 * set, for example through mbedtls_ecp_group_load().
925 * \param olen The address at which to store the number of Bytes written.
926 * This must not be \c NULL.
927 * \param buf The buffer to write to. This must be a writable buffer
928 * of length \p blen Bytes.
929 * \param blen The length of the output buffer \p buf in Bytes.
930 *
931 * \return \c 0 on success.
932 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
933 * buffer is too small to hold the exported group.
934 * \return Another negative error code on other kinds of failure.
935 */
936 int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
937 size_t *olen,
938 unsigned char *buf, size_t blen);
939
940 /**
941 * \brief This function performs a scalar multiplication of a point
942 * by an integer: \p R = \p m * \p P.
943 *
944 * It is not thread-safe to use same group in multiple threads.
945 *
946 * \note To prevent timing attacks, this function
947 * executes the exact same sequence of base-field
948 * operations for any valid \p m. It avoids any if-branch or
949 * array index depending on the value of \p m. It also uses
950 * \p f_rng to randomize some intermediate results.
951 *
952 * \param grp The ECP group to use.
953 * This must be initialized and have group parameters
954 * set, for example through mbedtls_ecp_group_load().
955 * \param R The point in which to store the result of the calculation.
956 * This must be initialized.
957 * \param m The integer by which to multiply. This must be initialized.
958 * \param P The point to multiply. This must be initialized.
959 * \param f_rng The RNG function. This must not be \c NULL.
960 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
961 * NULL if \p f_rng doesn't need a context.
962 *
963 * \return \c 0 on success.
964 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
965 * key, or \p P is not a valid public key.
966 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
967 * \return Another negative error code on other kinds of failure.
968 */
969 int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
970 const mbedtls_mpi *m, const mbedtls_ecp_point *P,
971 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
972
973 /**
974 * \brief This function performs multiplication of a point by
975 * an integer: \p R = \p m * \p P in a restartable way.
976 *
977 * \see mbedtls_ecp_mul()
978 *
979 * \note This function does the same as \c mbedtls_ecp_mul(), but
980 * it can return early and restart according to the limit set
981 * with \c mbedtls_ecp_set_max_ops() to reduce blocking.
982 *
983 * \param grp The ECP group to use.
984 * This must be initialized and have group parameters
985 * set, for example through mbedtls_ecp_group_load().
986 * \param R The point in which to store the result of the calculation.
987 * This must be initialized.
988 * \param m The integer by which to multiply. This must be initialized.
989 * \param P The point to multiply. This must be initialized.
990 * \param f_rng The RNG function. This must not be \c NULL.
991 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
992 * NULL if \p f_rng doesn't need a context.
993 * \param rs_ctx The restart context (NULL disables restart).
994 *
995 * \return \c 0 on success.
996 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
997 * key, or \p P is not a valid public key.
998 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
999 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
1000 * operations was reached: see \c mbedtls_ecp_set_max_ops().
1001 * \return Another negative error code on other kinds of failure.
1002 */
1003 int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1004 const mbedtls_mpi *m, const mbedtls_ecp_point *P,
1005 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1006 mbedtls_ecp_restart_ctx *rs_ctx);
1007
1008 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
1009 /**
1010 * \brief This function checks if domain parameter A of the curve is
1011 * \c -3.
1012 *
1013 * \note This function is only defined for short Weierstrass curves.
1014 * It may not be included in builds without any short
1015 * Weierstrass curve.
1016 *
1017 * \param grp The ECP group to use.
1018 * This must be initialized and have group parameters
1019 * set, for example through mbedtls_ecp_group_load().
1020 *
1021 * \return \c 1 if <code>A = -3</code>.
1022 * \return \c 0 Otherwise.
1023 */
mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group * grp)1024 static inline int mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group *grp)
1025 {
1026 return grp->A.MBEDTLS_PRIVATE(p) == NULL;
1027 }
1028
1029 /**
1030 * \brief This function performs multiplication and addition of two
1031 * points by integers: \p R = \p m * \p P + \p n * \p Q
1032 *
1033 * It is not thread-safe to use same group in multiple threads.
1034 *
1035 * \note In contrast to mbedtls_ecp_mul(), this function does not
1036 * guarantee a constant execution flow and timing.
1037 *
1038 * \note This function is only defined for short Weierstrass curves.
1039 * It may not be included in builds without any short
1040 * Weierstrass curve.
1041 *
1042 * \param grp The ECP group to use.
1043 * This must be initialized and have group parameters
1044 * set, for example through mbedtls_ecp_group_load().
1045 * \param R The point in which to store the result of the calculation.
1046 * This must be initialized.
1047 * \param m The integer by which to multiply \p P.
1048 * This must be initialized.
1049 * \param P The point to multiply by \p m. This must be initialized.
1050 * \param n The integer by which to multiply \p Q.
1051 * This must be initialized.
1052 * \param Q The point to be multiplied by \p n.
1053 * This must be initialized.
1054 *
1055 * \return \c 0 on success.
1056 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
1057 * valid private keys, or \p P or \p Q are not valid public
1058 * keys.
1059 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
1060 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
1061 * designate a short Weierstrass curve.
1062 * \return Another negative error code on other kinds of failure.
1063 */
1064 int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1065 const mbedtls_mpi *m, const mbedtls_ecp_point *P,
1066 const mbedtls_mpi *n, const mbedtls_ecp_point *Q);
1067
1068 /**
1069 * \brief This function performs multiplication and addition of two
1070 * points by integers: \p R = \p m * \p P + \p n * \p Q in a
1071 * restartable way.
1072 *
1073 * \see \c mbedtls_ecp_muladd()
1074 *
1075 * \note This function works the same as \c mbedtls_ecp_muladd(),
1076 * but it can return early and restart according to the limit
1077 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
1078 *
1079 * \note This function is only defined for short Weierstrass curves.
1080 * It may not be included in builds without any short
1081 * Weierstrass curve.
1082 *
1083 * \param grp The ECP group to use.
1084 * This must be initialized and have group parameters
1085 * set, for example through mbedtls_ecp_group_load().
1086 * \param R The point in which to store the result of the calculation.
1087 * This must be initialized.
1088 * \param m The integer by which to multiply \p P.
1089 * This must be initialized.
1090 * \param P The point to multiply by \p m. This must be initialized.
1091 * \param n The integer by which to multiply \p Q.
1092 * This must be initialized.
1093 * \param Q The point to be multiplied by \p n.
1094 * This must be initialized.
1095 * \param rs_ctx The restart context (NULL disables restart).
1096 *
1097 * \return \c 0 on success.
1098 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
1099 * valid private keys, or \p P or \p Q are not valid public
1100 * keys.
1101 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
1102 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
1103 * designate a short Weierstrass curve.
1104 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
1105 * operations was reached: see \c mbedtls_ecp_set_max_ops().
1106 * \return Another negative error code on other kinds of failure.
1107 */
1108 int mbedtls_ecp_muladd_restartable(
1109 mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
1110 const mbedtls_mpi *m, const mbedtls_ecp_point *P,
1111 const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
1112 mbedtls_ecp_restart_ctx *rs_ctx);
1113 #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
1114
1115 /**
1116 * \brief This function checks that a point is a valid public key
1117 * on this curve.
1118 *
1119 * It only checks that the point is non-zero, has
1120 * valid coordinates and lies on the curve. It does not verify
1121 * that it is indeed a multiple of \c G. This additional
1122 * check is computationally more expensive, is not required
1123 * by standards, and should not be necessary if the group
1124 * used has a small cofactor. In particular, it is useless for
1125 * the NIST groups which all have a cofactor of 1.
1126 *
1127 * \note This function uses bare components rather than an
1128 * ::mbedtls_ecp_keypair structure, to ease use with other
1129 * structures, such as ::mbedtls_ecdh_context or
1130 * ::mbedtls_ecdsa_context.
1131 *
1132 * \param grp The ECP group the point should belong to.
1133 * This must be initialized and have group parameters
1134 * set, for example through mbedtls_ecp_group_load().
1135 * \param pt The point to check. This must be initialized.
1136 *
1137 * \return \c 0 if the point is a valid public key.
1138 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
1139 * a valid public key for the given curve.
1140 * \return Another negative error code on other kinds of failure.
1141 */
1142 int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
1143 const mbedtls_ecp_point *pt);
1144
1145 /**
1146 * \brief This function checks that an \c mbedtls_mpi is a
1147 * valid private key for this curve.
1148 *
1149 * \note This function uses bare components rather than an
1150 * ::mbedtls_ecp_keypair structure to ease use with other
1151 * structures, such as ::mbedtls_ecdh_context or
1152 * ::mbedtls_ecdsa_context.
1153 *
1154 * \param grp The ECP group the private key should belong to.
1155 * This must be initialized and have group parameters
1156 * set, for example through mbedtls_ecp_group_load().
1157 * \param d The integer to check. This must be initialized.
1158 *
1159 * \return \c 0 if the point is a valid private key.
1160 * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
1161 * private key for the given curve.
1162 * \return Another negative error code on other kinds of failure.
1163 */
1164 int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
1165 const mbedtls_mpi *d);
1166
1167 /**
1168 * \brief This function generates a private key.
1169 *
1170 * \param grp The ECP group to generate a private key for.
1171 * This must be initialized and have group parameters
1172 * set, for example through mbedtls_ecp_group_load().
1173 * \param d The destination MPI (secret part). This must be initialized.
1174 * \param f_rng The RNG function. This must not be \c NULL.
1175 * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
1176 * \c NULL if \p f_rng doesn't need a context argument.
1177 *
1178 * \return \c 0 on success.
1179 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
1180 * on failure.
1181 */
1182 int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
1183 mbedtls_mpi *d,
1184 int (*f_rng)(void *, unsigned char *, size_t),
1185 void *p_rng);
1186
1187 /**
1188 * \brief This function generates a keypair with a configurable base
1189 * point.
1190 *
1191 * \note This function uses bare components rather than an
1192 * ::mbedtls_ecp_keypair structure to ease use with other
1193 * structures, such as ::mbedtls_ecdh_context or
1194 * ::mbedtls_ecdsa_context.
1195 *
1196 * \param grp The ECP group to generate a key pair for.
1197 * This must be initialized and have group parameters
1198 * set, for example through mbedtls_ecp_group_load().
1199 * \param G The base point to use. This must be initialized
1200 * and belong to \p grp. It replaces the default base
1201 * point \c grp->G used by mbedtls_ecp_gen_keypair().
1202 * \param d The destination MPI (secret part).
1203 * This must be initialized.
1204 * \param Q The destination point (public part).
1205 * This must be initialized.
1206 * \param f_rng The RNG function. This must not be \c NULL.
1207 * \param p_rng The RNG context to be passed to \p f_rng. This may
1208 * be \c NULL if \p f_rng doesn't need a context argument.
1209 *
1210 * \return \c 0 on success.
1211 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
1212 * on failure.
1213 */
1214 int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
1215 const mbedtls_ecp_point *G,
1216 mbedtls_mpi *d, mbedtls_ecp_point *Q,
1217 int (*f_rng)(void *, unsigned char *, size_t),
1218 void *p_rng);
1219
1220 /**
1221 * \brief This function generates an ECP keypair.
1222 *
1223 * \note This function uses bare components rather than an
1224 * ::mbedtls_ecp_keypair structure to ease use with other
1225 * structures, such as ::mbedtls_ecdh_context or
1226 * ::mbedtls_ecdsa_context.
1227 *
1228 * \param grp The ECP group to generate a key pair for.
1229 * This must be initialized and have group parameters
1230 * set, for example through mbedtls_ecp_group_load().
1231 * \param d The destination MPI (secret part).
1232 * This must be initialized.
1233 * \param Q The destination point (public part).
1234 * This must be initialized.
1235 * \param f_rng The RNG function. This must not be \c NULL.
1236 * \param p_rng The RNG context to be passed to \p f_rng. This may
1237 * be \c NULL if \p f_rng doesn't need a context argument.
1238 *
1239 * \return \c 0 on success.
1240 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
1241 * on failure.
1242 */
1243 int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
1244 mbedtls_ecp_point *Q,
1245 int (*f_rng)(void *, unsigned char *, size_t),
1246 void *p_rng);
1247
1248 /**
1249 * \brief This function generates an ECP key.
1250 *
1251 * \param grp_id The ECP group identifier.
1252 * \param key The destination key. This must be initialized.
1253 * \param f_rng The RNG function to use. This must not be \c NULL.
1254 * \param p_rng The RNG context to be passed to \p f_rng. This may
1255 * be \c NULL if \p f_rng doesn't need a context argument.
1256 *
1257 * \return \c 0 on success.
1258 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
1259 * on failure.
1260 */
1261 int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
1262 int (*f_rng)(void *, unsigned char *, size_t),
1263 void *p_rng);
1264
1265 /** \brief Set the public key in a key pair object.
1266 *
1267 * \note This function does not check that the point actually
1268 * belongs to the given group. Call mbedtls_ecp_check_pubkey()
1269 * on \p Q before calling this function to check that.
1270 *
1271 * \note This function does not check that the public key matches
1272 * the private key that is already in \p key, if any.
1273 * To check the consistency of the resulting key pair object,
1274 * call mbedtls_ecp_check_pub_priv() after setting both
1275 * the public key and the private key.
1276 *
1277 * \param grp_id The ECP group identifier.
1278 * \param key The key pair object. It must be initialized.
1279 * If its group has already been set, it must match \p grp_id.
1280 * If its group has not been set, it will be set to \p grp_id.
1281 * If the public key has already been set, it is overwritten.
1282 * \param Q The public key to copy. This must be a point on the
1283 * curve indicated by \p grp_id.
1284 *
1285 * \return \c 0 on success.
1286 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not
1287 * match \p grp_id.
1288 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
1289 * the group is not implemented.
1290 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
1291 * \return Another negative error code on other kinds of failure.
1292 */
1293 int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
1294 mbedtls_ecp_keypair *key,
1295 const mbedtls_ecp_point *Q);
1296
1297 /**
1298 * \brief This function reads an elliptic curve private key.
1299 *
1300 * \note This function does not set the public key in the
1301 * key pair object. Without a public key, the key pair object
1302 * cannot be used with operations that require the public key.
1303 * Call mbedtls_ecp_keypair_calc_public() to set the public
1304 * key from the private key. Alternatively, you can call
1305 * mbedtls_ecp_set_public_key() to set the public key part,
1306 * and then optionally mbedtls_ecp_check_pub_priv() to check
1307 * that the private and public parts are consistent.
1308 *
1309 * \note If a public key has already been set in the key pair
1310 * object, this function does not check that it is consistent
1311 * with the private key. Call mbedtls_ecp_check_pub_priv()
1312 * after setting both the public key and the private key
1313 * to make that check.
1314 *
1315 * \param grp_id The ECP group identifier.
1316 * \param key The destination key.
1317 * \param buf The buffer containing the binary representation of the
1318 * key. (Big endian integer for Weierstrass curves, byte
1319 * string for Montgomery curves.)
1320 * \param buflen The length of the buffer in bytes.
1321 *
1322 * \return \c 0 on success.
1323 * \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is
1324 * invalid.
1325 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
1326 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
1327 * the group is not implemented.
1328 * \return Another negative error code on different kinds of failure.
1329 */
1330 int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
1331 const unsigned char *buf, size_t buflen);
1332
1333 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1334 /**
1335 * \brief This function exports an elliptic curve private key.
1336 *
1337 * \deprecated Note that although this function accepts an output
1338 * buffer that is smaller or larger than the key, most key
1339 * import interfaces require the output to have exactly
1340 * key's nominal length. It is generally simplest to
1341 * pass the key's nominal length as \c buflen, after
1342 * checking that the output buffer is large enough.
1343 * See the description of the \p buflen parameter for
1344 * how to calculate the nominal length.
1345 * To avoid this difficulty, use mbedtls_ecp_write_key_ext()
1346 * instead.
1347 * mbedtls_ecp_write_key() is deprecated and will be
1348 * removed in a future version of the library.
1349 *
1350 * \note If the private key was not set in \p key,
1351 * the output is unspecified. Future versions
1352 * may return an error in that case.
1353 *
1354 * \param key The private key.
1355 * \param buf The output buffer for containing the binary representation
1356 * of the key.
1357 * For Weierstrass curves, this is the big-endian
1358 * representation, padded with null bytes at the beginning
1359 * to reach \p buflen bytes.
1360 * For Montgomery curves, this is the standard byte string
1361 * representation (which is little-endian), padded with
1362 * null bytes at the end to reach \p buflen bytes.
1363 * \param buflen The total length of the buffer in bytes.
1364 * The length of the output is
1365 * (`grp->nbits` + 7) / 8 bytes
1366 * where `grp->nbits` is the private key size in bits.
1367 * For Weierstrass keys, if the output buffer is smaller,
1368 * leading zeros are trimmed to fit if possible. For
1369 * Montgomery keys, the output buffer must always be large
1370 * enough for the nominal length.
1371 *
1372 * \return \c 0 on success.
1373 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or
1374 * #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key
1375 * representation is larger than the available space in \p buf.
1376 * \return Another negative error code on different kinds of failure.
1377 */
1378 int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
1379 unsigned char *buf, size_t buflen);
1380 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1381
1382 /**
1383 * \brief This function exports an elliptic curve private key.
1384 *
1385 * \param key The private key.
1386 * \param olen On success, the length of the private key.
1387 * This is always (`grp->nbits` + 7) / 8 bytes
1388 * where `grp->nbits` is the private key size in bits.
1389 * \param buf The output buffer for containing the binary representation
1390 * of the key.
1391 * \param buflen The total length of the buffer in bytes.
1392 * #MBEDTLS_ECP_MAX_BYTES is always sufficient.
1393 *
1394 * \return \c 0 on success.
1395 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
1396 * representation is larger than the available space in \p buf.
1397 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is
1398 * set in \p key.
1399 * \return Another negative error code on different kinds of failure.
1400 */
1401 int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
1402 size_t *olen, unsigned char *buf, size_t buflen);
1403
1404 /**
1405 * \brief This function exports an elliptic curve public key.
1406 *
1407 * \note If the public key was not set in \p key,
1408 * the output is unspecified. Future versions
1409 * may return an error in that case.
1410 *
1411 * \param key The public key.
1412 * \param format The point format. This must be either
1413 * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
1414 * (For groups without these formats, this parameter is
1415 * ignored. But it still has to be either of the above
1416 * values.)
1417 * \param olen The address at which to store the length of
1418 * the output in Bytes. This must not be \c NULL.
1419 * \param buf The output buffer. This must be a writable buffer
1420 * of length \p buflen Bytes.
1421 * \param buflen The length of the output buffer \p buf in Bytes.
1422 *
1423 * \return \c 0 on success.
1424 * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
1425 * is too small to hold the point.
1426 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
1427 * or the export for the given group is not implemented.
1428 * \return Another negative error code on other kinds of failure.
1429 */
1430 int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
1431 int format, size_t *olen,
1432 unsigned char *buf, size_t buflen);
1433
1434 /**
1435 * \brief This function checks that the keypair objects
1436 * \p pub and \p prv have the same group and the
1437 * same public point, and that the private key in
1438 * \p prv is consistent with the public key.
1439 *
1440 * \param pub The keypair structure holding the public key. This
1441 * must be initialized. If it contains a private key, that
1442 * part is ignored.
1443 * \param prv The keypair structure holding the full keypair.
1444 * This must be initialized.
1445 * \param f_rng The RNG function. This must not be \c NULL.
1446 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
1447 * NULL if \p f_rng doesn't need a context.
1448 *
1449 * \return \c 0 on success, meaning that the keys are valid and match.
1450 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
1451 * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
1452 * error code on calculation failure.
1453 */
1454 int mbedtls_ecp_check_pub_priv(
1455 const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
1456 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
1457
1458 /** \brief Calculate the public key from a private key in a key pair.
1459 *
1460 * \param key A keypair structure. It must have a private key set.
1461 * If the public key is set, it will be overwritten.
1462 * \param f_rng The RNG function. This must not be \c NULL.
1463 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
1464 * NULL if \p f_rng doesn't need a context.
1465 *
1466 * \return \c 0 on success. The key pair object can be used for
1467 * operations that require the public key.
1468 * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
1469 * error code on calculation failure.
1470 */
1471 int mbedtls_ecp_keypair_calc_public(
1472 mbedtls_ecp_keypair *key,
1473 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
1474
1475 /** \brief Query the group that a key pair belongs to.
1476 *
1477 * \param key The key pair to query.
1478 *
1479 * \return The group ID for the group registered in the key pair
1480 * object.
1481 * This is \c MBEDTLS_ECP_DP_NONE if no group has been set
1482 * in the key pair object.
1483 */
1484 mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
1485 const mbedtls_ecp_keypair *key);
1486
1487 /**
1488 * \brief This function exports generic key-pair parameters.
1489 *
1490 * Each of the output parameters can be a null pointer
1491 * if you do not need that parameter.
1492 *
1493 * \note If the private key or the public key was not set in \p key,
1494 * the corresponding output is unspecified. Future versions
1495 * may return an error in that case.
1496 *
1497 * \param key The key pair to export from.
1498 * \param grp Slot for exported ECP group.
1499 * It must either be null or point to an initialized ECP group.
1500 * \param d Slot for the exported secret value.
1501 * It must either be null or point to an initialized mpi.
1502 * \param Q Slot for the exported public value.
1503 * It must either be null or point to an initialized ECP point.
1504 *
1505 * \return \c 0 on success,
1506 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
1507 * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't
1508 * correspond to a known group.
1509 * \return Another negative error code on other kinds of failure.
1510 */
1511 int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
1512 mbedtls_mpi *d, mbedtls_ecp_point *Q);
1513
1514 #if defined(MBEDTLS_SELF_TEST)
1515
1516 /**
1517 * \brief The ECP checkup routine.
1518 *
1519 * \return \c 0 on success.
1520 * \return \c 1 on failure.
1521 */
1522 int mbedtls_ecp_self_test(int verbose);
1523
1524 #endif /* MBEDTLS_SELF_TEST */
1525
1526 #ifdef __cplusplus
1527 }
1528 #endif
1529
1530 #endif /* ecp.h */
1531