1 /** 2 * \file ecdsa.h 3 * 4 * \brief This file contains ECDSA definitions and functions. 5 * 6 * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in 7 * <em>Standards for Efficient Cryptography Group (SECG): 8 * SEC1 Elliptic Curve Cryptography</em>. 9 * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve 10 * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>. 11 * 12 */ 13 /* 14 * Copyright The Mbed TLS Contributors 15 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 16 * 17 * This file is provided under the Apache License 2.0, or the 18 * GNU General Public License v2.0 or later. 19 * 20 * ********** 21 * Apache License 2.0: 22 * 23 * Licensed under the Apache License, Version 2.0 (the "License"); you may 24 * not use this file except in compliance with the License. 25 * You may obtain a copy of the License at 26 * 27 * http://www.apache.org/licenses/LICENSE-2.0 28 * 29 * Unless required by applicable law or agreed to in writing, software 30 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 31 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 32 * See the License for the specific language governing permissions and 33 * limitations under the License. 34 * 35 * ********** 36 * 37 * ********** 38 * GNU General Public License v2.0 or later: 39 * 40 * This program is free software; you can redistribute it and/or modify 41 * it under the terms of the GNU General Public License as published by 42 * the Free Software Foundation; either version 2 of the License, or 43 * (at your option) any later version. 44 * 45 * This program is distributed in the hope that it will be useful, 46 * but WITHOUT ANY WARRANTY; without even the implied warranty of 47 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 48 * GNU General Public License for more details. 49 * 50 * You should have received a copy of the GNU General Public License along 51 * with this program; if not, write to the Free Software Foundation, Inc., 52 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 53 * 54 * ********** 55 */ 56 57 #ifndef MBEDTLS_ECDSA_H 58 #define MBEDTLS_ECDSA_H 59 60 #if !defined(MBEDTLS_CONFIG_FILE) 61 #include "config.h" 62 #else 63 #include MBEDTLS_CONFIG_FILE 64 #endif 65 66 #include "ecp.h" 67 #include "md.h" 68 69 /* 70 * RFC-4492 page 20: 71 * 72 * Ecdsa-Sig-Value ::= SEQUENCE { 73 * r INTEGER, 74 * s INTEGER 75 * } 76 * 77 * Size is at most 78 * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s, 79 * twice that + 1 (tag) + 2 (len) for the sequence 80 * (assuming ECP_MAX_BYTES is less than 126 for r and s, 81 * and less than 124 (total len <= 255) for the sequence) 82 */ 83 #if MBEDTLS_ECP_MAX_BYTES > 124 84 #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN" 85 #endif 86 /** The maximal size of an ECDSA signature in Bytes. */ 87 #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) ) 88 89 #ifdef __cplusplus 90 extern "C" { 91 #endif 92 93 /** 94 * \brief The ECDSA context structure. 95 * 96 * \warning Performing multiple operations concurrently on the same 97 * ECDSA context is not supported; objects of this type 98 * should not be shared between multiple threads. 99 */ 100 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context; 101 102 #if defined(MBEDTLS_ECP_RESTARTABLE) 103 104 /** 105 * \brief Internal restart context for ecdsa_verify() 106 * 107 * \note Opaque struct, defined in ecdsa.c 108 */ 109 typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx; 110 111 /** 112 * \brief Internal restart context for ecdsa_sign() 113 * 114 * \note Opaque struct, defined in ecdsa.c 115 */ 116 typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx; 117 118 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 119 /** 120 * \brief Internal restart context for ecdsa_sign_det() 121 * 122 * \note Opaque struct, defined in ecdsa.c 123 */ 124 typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx; 125 #endif 126 127 /** 128 * \brief General context for resuming ECDSA operations 129 */ 130 typedef struct 131 { 132 mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and 133 shared administrative info */ 134 mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */ 135 mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */ 136 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 137 mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */ 138 #endif 139 } mbedtls_ecdsa_restart_ctx; 140 141 #else /* MBEDTLS_ECP_RESTARTABLE */ 142 143 /* Now we can declare functions that take a pointer to that */ 144 typedef void mbedtls_ecdsa_restart_ctx; 145 146 #endif /* MBEDTLS_ECP_RESTARTABLE */ 147 148 /** 149 * \brief This function computes the ECDSA signature of a 150 * previously-hashed message. 151 * 152 * \note The deterministic version implemented in 153 * mbedtls_ecdsa_sign_det() is usually preferred. 154 * 155 * \note If the bitlength of the message hash is larger than the 156 * bitlength of the group order, then the hash is truncated 157 * as defined in <em>Standards for Efficient Cryptography Group 158 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 159 * 4.1.3, step 5. 160 * 161 * \see ecp.h 162 * 163 * \param grp The context for the elliptic curve to use. 164 * This must be initialized and have group parameters 165 * set, for example through mbedtls_ecp_group_load(). 166 * \param r The MPI context in which to store the first part 167 * the signature. This must be initialized. 168 * \param s The MPI context in which to store the second part 169 * the signature. This must be initialized. 170 * \param d The private signing key. This must be initialized. 171 * \param buf The content to be signed. This is usually the hash of 172 * the original data to be signed. This must be a readable 173 * buffer of length \p blen Bytes. It may be \c NULL if 174 * \p blen is zero. 175 * \param blen The length of \p buf in Bytes. 176 * \param f_rng The RNG function. This must not be \c NULL. 177 * \param p_rng The RNG context to be passed to \p f_rng. This may be 178 * \c NULL if \p f_rng doesn't need a context parameter. 179 * 180 * \return \c 0 on success. 181 * \return An \c MBEDTLS_ERR_ECP_XXX 182 * or \c MBEDTLS_MPI_XXX error code on failure. 183 */ 184 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 185 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 186 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 187 188 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 189 /** 190 * \brief This function computes the ECDSA signature of a 191 * previously-hashed message, deterministic version. 192 * 193 * For more information, see <em>RFC-6979: Deterministic 194 * Usage of the Digital Signature Algorithm (DSA) and Elliptic 195 * Curve Digital Signature Algorithm (ECDSA)</em>. 196 * 197 * \note If the bitlength of the message hash is larger than the 198 * bitlength of the group order, then the hash is truncated as 199 * defined in <em>Standards for Efficient Cryptography Group 200 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 201 * 4.1.3, step 5. 202 * 203 * \warning Since the output of the internal RNG is always the same for 204 * the same key and message, this limits the efficiency of 205 * blinding and leaks information through side channels. For 206 * secure behavior use mbedtls_ecdsa_sign_det_ext() instead. 207 * 208 * (Optimally the blinding is a random value that is different 209 * on every execution. In this case the blinding is still 210 * random from the attackers perspective, but is the same on 211 * each execution. This means that this blinding does not 212 * prevent attackers from recovering secrets by combining 213 * several measurement traces, but may prevent some attacks 214 * that exploit relationships between secret data.) 215 * 216 * \see ecp.h 217 * 218 * \param grp The context for the elliptic curve to use. 219 * This must be initialized and have group parameters 220 * set, for example through mbedtls_ecp_group_load(). 221 * \param r The MPI context in which to store the first part 222 * the signature. This must be initialized. 223 * \param s The MPI context in which to store the second part 224 * the signature. This must be initialized. 225 * \param d The private signing key. This must be initialized 226 * and setup, for example through mbedtls_ecp_gen_privkey(). 227 * \param buf The hashed content to be signed. This must be a readable 228 * buffer of length \p blen Bytes. It may be \c NULL if 229 * \p blen is zero. 230 * \param blen The length of \p buf in Bytes. 231 * \param md_alg The hash algorithm used to hash the original data. 232 * 233 * \return \c 0 on success. 234 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 235 * error code on failure. 236 */ 237 int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, 238 mbedtls_mpi *s, const mbedtls_mpi *d, 239 const unsigned char *buf, size_t blen, 240 mbedtls_md_type_t md_alg ); 241 /** 242 * \brief This function computes the ECDSA signature of a 243 * previously-hashed message, deterministic version. 244 * 245 * For more information, see <em>RFC-6979: Deterministic 246 * Usage of the Digital Signature Algorithm (DSA) and Elliptic 247 * Curve Digital Signature Algorithm (ECDSA)</em>. 248 * 249 * \note If the bitlength of the message hash is larger than the 250 * bitlength of the group order, then the hash is truncated as 251 * defined in <em>Standards for Efficient Cryptography Group 252 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 253 * 4.1.3, step 5. 254 * 255 * \see ecp.h 256 * 257 * \param grp The context for the elliptic curve to use. 258 * This must be initialized and have group parameters 259 * set, for example through mbedtls_ecp_group_load(). 260 * \param r The MPI context in which to store the first part 261 * the signature. This must be initialized. 262 * \param s The MPI context in which to store the second part 263 * the signature. This must be initialized. 264 * \param d The private signing key. This must be initialized 265 * and setup, for example through mbedtls_ecp_gen_privkey(). 266 * \param buf The hashed content to be signed. This must be a readable 267 * buffer of length \p blen Bytes. It may be \c NULL if 268 * \p blen is zero. 269 * \param blen The length of \p buf in Bytes. 270 * \param md_alg The hash algorithm used to hash the original data. 271 * \param f_rng_blind The RNG function used for blinding. This must not be 272 * \c NULL. 273 * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be 274 * \c NULL if \p f_rng doesn't need a context parameter. 275 * 276 * \return \c 0 on success. 277 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 278 * error code on failure. 279 */ 280 int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, 281 mbedtls_mpi *s, const mbedtls_mpi *d, 282 const unsigned char *buf, size_t blen, 283 mbedtls_md_type_t md_alg, 284 int (*f_rng_blind)(void *, unsigned char *, 285 size_t), 286 void *p_rng_blind ); 287 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 288 289 /** 290 * \brief This function verifies the ECDSA signature of a 291 * previously-hashed message. 292 * 293 * \note If the bitlength of the message hash is larger than the 294 * bitlength of the group order, then the hash is truncated as 295 * defined in <em>Standards for Efficient Cryptography Group 296 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 297 * 4.1.4, step 3. 298 * 299 * \see ecp.h 300 * 301 * \param grp The ECP group to use. 302 * This must be initialized and have group parameters 303 * set, for example through mbedtls_ecp_group_load(). 304 * \param buf The hashed content that was signed. This must be a readable 305 * buffer of length \p blen Bytes. It may be \c NULL if 306 * \p blen is zero. 307 * \param blen The length of \p buf in Bytes. 308 * \param Q The public key to use for verification. This must be 309 * initialized and setup. 310 * \param r The first integer of the signature. 311 * This must be initialized. 312 * \param s The second integer of the signature. 313 * This must be initialized. 314 * 315 * \return \c 0 on success. 316 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature 317 * is invalid. 318 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 319 * error code on failure for any other reason. 320 */ 321 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, 322 const unsigned char *buf, size_t blen, 323 const mbedtls_ecp_point *Q, const mbedtls_mpi *r, 324 const mbedtls_mpi *s); 325 326 /** 327 * \brief This function computes the ECDSA signature and writes it 328 * to a buffer, serialized as defined in <em>RFC-4492: 329 * Elliptic Curve Cryptography (ECC) Cipher Suites for 330 * Transport Layer Security (TLS)</em>. 331 * 332 * \warning It is not thread-safe to use the same context in 333 * multiple threads. 334 * 335 * \note The deterministic version is used if 336 * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more 337 * information, see <em>RFC-6979: Deterministic Usage 338 * of the Digital Signature Algorithm (DSA) and Elliptic 339 * Curve Digital Signature Algorithm (ECDSA)</em>. 340 * 341 * \note If the bitlength of the message hash is larger than the 342 * bitlength of the group order, then the hash is truncated as 343 * defined in <em>Standards for Efficient Cryptography Group 344 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 345 * 4.1.3, step 5. 346 * 347 * \see ecp.h 348 * 349 * \param ctx The ECDSA context to use. This must be initialized 350 * and have a group and private key bound to it, for example 351 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 352 * \param md_alg The message digest that was used to hash the message. 353 * \param hash The message hash to be signed. This must be a readable 354 * buffer of length \p blen Bytes. 355 * \param hlen The length of the hash \p hash in Bytes. 356 * \param sig The buffer to which to write the signature. This must be a 357 * writable buffer of length at least twice as large as the 358 * size of the curve used, plus 9. For example, 73 Bytes if 359 * a 256-bit curve is used. A buffer length of 360 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 361 * \param slen The address at which to store the actual length of 362 * the signature written. Must not be \c NULL. 363 * \param f_rng The RNG function. This must not be \c NULL if 364 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 365 * it is unused and may be set to \c NULL. 366 * \param p_rng The RNG context to be passed to \p f_rng. This may be 367 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 368 * 369 * \return \c 0 on success. 370 * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 371 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 372 */ 373 int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, 374 mbedtls_md_type_t md_alg, 375 const unsigned char *hash, size_t hlen, 376 unsigned char *sig, size_t *slen, 377 int (*f_rng)(void *, unsigned char *, size_t), 378 void *p_rng ); 379 380 /** 381 * \brief This function computes the ECDSA signature and writes it 382 * to a buffer, in a restartable way. 383 * 384 * \see \c mbedtls_ecdsa_write_signature() 385 * 386 * \note This function is like \c mbedtls_ecdsa_write_signature() 387 * but it can return early and restart according to the limit 388 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 389 * 390 * \param ctx The ECDSA context to use. This must be initialized 391 * and have a group and private key bound to it, for example 392 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 393 * \param md_alg The message digest that was used to hash the message. 394 * \param hash The message hash to be signed. This must be a readable 395 * buffer of length \p blen Bytes. 396 * \param hlen The length of the hash \p hash in Bytes. 397 * \param sig The buffer to which to write the signature. This must be a 398 * writable buffer of length at least twice as large as the 399 * size of the curve used, plus 9. For example, 73 Bytes if 400 * a 256-bit curve is used. A buffer length of 401 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 402 * \param slen The address at which to store the actual length of 403 * the signature written. Must not be \c NULL. 404 * \param f_rng The RNG function. This must not be \c NULL if 405 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 406 * it is unused and may be set to \c NULL. 407 * \param p_rng The RNG context to be passed to \p f_rng. This may be 408 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 409 * \param rs_ctx The restart context to use. This may be \c NULL to disable 410 * restarting. If it is not \c NULL, it must point to an 411 * initialized restart context. 412 * 413 * \return \c 0 on success. 414 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 415 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 416 * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 417 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 418 */ 419 int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, 420 mbedtls_md_type_t md_alg, 421 const unsigned char *hash, size_t hlen, 422 unsigned char *sig, size_t *slen, 423 int (*f_rng)(void *, unsigned char *, size_t), 424 void *p_rng, 425 mbedtls_ecdsa_restart_ctx *rs_ctx ); 426 427 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 428 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 429 #if defined(MBEDTLS_DEPRECATED_WARNING) 430 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 431 #else 432 #define MBEDTLS_DEPRECATED 433 #endif 434 /** 435 * \brief This function computes an ECDSA signature and writes 436 * it to a buffer, serialized as defined in <em>RFC-4492: 437 * Elliptic Curve Cryptography (ECC) Cipher Suites for 438 * Transport Layer Security (TLS)</em>. 439 * 440 * The deterministic version is defined in <em>RFC-6979: 441 * Deterministic Usage of the Digital Signature Algorithm (DSA) 442 * and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>. 443 * 444 * \warning It is not thread-safe to use the same context in 445 * multiple threads. 446 * 447 * \note If the bitlength of the message hash is larger than the 448 * bitlength of the group order, then the hash is truncated as 449 * defined in <em>Standards for Efficient Cryptography Group 450 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 451 * 4.1.3, step 5. 452 * 453 * \see ecp.h 454 * 455 * \deprecated Superseded by mbedtls_ecdsa_write_signature() in 456 * Mbed TLS version 2.0 and later. 457 * 458 * \param ctx The ECDSA context to use. This must be initialized 459 * and have a group and private key bound to it, for example 460 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 461 * \param hash The message hash to be signed. This must be a readable 462 * buffer of length \p blen Bytes. 463 * \param hlen The length of the hash \p hash in Bytes. 464 * \param sig The buffer to which to write the signature. This must be a 465 * writable buffer of length at least twice as large as the 466 * size of the curve used, plus 9. For example, 73 Bytes if 467 * a 256-bit curve is used. A buffer length of 468 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 469 * \param slen The address at which to store the actual length of 470 * the signature written. Must not be \c NULL. 471 * \param md_alg The message digest that was used to hash the message. 472 * 473 * \return \c 0 on success. 474 * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 475 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 476 */ 477 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, 478 const unsigned char *hash, size_t hlen, 479 unsigned char *sig, size_t *slen, 480 mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED; 481 #undef MBEDTLS_DEPRECATED 482 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 483 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 484 485 /** 486 * \brief This function reads and verifies an ECDSA signature. 487 * 488 * \note If the bitlength of the message hash is larger than the 489 * bitlength of the group order, then the hash is truncated as 490 * defined in <em>Standards for Efficient Cryptography Group 491 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 492 * 4.1.4, step 3. 493 * 494 * \see ecp.h 495 * 496 * \param ctx The ECDSA context to use. This must be initialized 497 * and have a group and public key bound to it. 498 * \param hash The message hash that was signed. This must be a readable 499 * buffer of length \p size Bytes. 500 * \param hlen The size of the hash \p hash. 501 * \param sig The signature to read and verify. This must be a readable 502 * buffer of length \p slen Bytes. 503 * \param slen The size of \p sig in Bytes. 504 * 505 * \return \c 0 on success. 506 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 507 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 508 * signature in \p sig, but its length is less than \p siglen. 509 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 510 * error code on failure for any other reason. 511 */ 512 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, 513 const unsigned char *hash, size_t hlen, 514 const unsigned char *sig, size_t slen ); 515 516 /** 517 * \brief This function reads and verifies an ECDSA signature, 518 * in a restartable way. 519 * 520 * \see \c mbedtls_ecdsa_read_signature() 521 * 522 * \note This function is like \c mbedtls_ecdsa_read_signature() 523 * but it can return early and restart according to the limit 524 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 525 * 526 * \param ctx The ECDSA context to use. This must be initialized 527 * and have a group and public key bound to it. 528 * \param hash The message hash that was signed. This must be a readable 529 * buffer of length \p size Bytes. 530 * \param hlen The size of the hash \p hash. 531 * \param sig The signature to read and verify. This must be a readable 532 * buffer of length \p slen Bytes. 533 * \param slen The size of \p sig in Bytes. 534 * \param rs_ctx The restart context to use. This may be \c NULL to disable 535 * restarting. If it is not \c NULL, it must point to an 536 * initialized restart context. 537 * 538 * \return \c 0 on success. 539 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 540 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 541 * signature in \p sig, but its length is less than \p siglen. 542 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 543 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 544 * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 545 * error code on failure for any other reason. 546 */ 547 int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx, 548 const unsigned char *hash, size_t hlen, 549 const unsigned char *sig, size_t slen, 550 mbedtls_ecdsa_restart_ctx *rs_ctx ); 551 552 /** 553 * \brief This function generates an ECDSA keypair on the given curve. 554 * 555 * \see ecp.h 556 * 557 * \param ctx The ECDSA context to store the keypair in. 558 * This must be initialized. 559 * \param gid The elliptic curve to use. One of the various 560 * \c MBEDTLS_ECP_DP_XXX macros depending on configuration. 561 * \param f_rng The RNG function to use. This must not be \c NULL. 562 * \param p_rng The RNG context to be passed to \p f_rng. This may be 563 * \c NULL if \p f_rng doesn't need a context argument. 564 * 565 * \return \c 0 on success. 566 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 567 */ 568 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, 569 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 570 571 /** 572 * \brief This function sets up an ECDSA context from an EC key pair. 573 * 574 * \see ecp.h 575 * 576 * \param ctx The ECDSA context to setup. This must be initialized. 577 * \param key The EC key to use. This must be initialized and hold 578 * a private-public key pair or a public key. In the former 579 * case, the ECDSA context may be used for signature creation 580 * and verification after this call. In the latter case, it 581 * may be used for signature verification. 582 * 583 * \return \c 0 on success. 584 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 585 */ 586 int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, 587 const mbedtls_ecp_keypair *key ); 588 589 /** 590 * \brief This function initializes an ECDSA context. 591 * 592 * \param ctx The ECDSA context to initialize. 593 * This must not be \c NULL. 594 */ 595 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ); 596 597 /** 598 * \brief This function frees an ECDSA context. 599 * 600 * \param ctx The ECDSA context to free. This may be \c NULL, 601 * in which case this function does nothing. If it 602 * is not \c NULL, it must be initialized. 603 */ 604 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); 605 606 #if defined(MBEDTLS_ECP_RESTARTABLE) 607 /** 608 * \brief Initialize a restart context. 609 * 610 * \param ctx The restart context to initialize. 611 * This must not be \c NULL. 612 */ 613 void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx ); 614 615 /** 616 * \brief Free the components of a restart context. 617 * 618 * \param ctx The restart context to free. This may be \c NULL, 619 * in which case this function does nothing. If it 620 * is not \c NULL, it must be initialized. 621 */ 622 void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx ); 623 #endif /* MBEDTLS_ECP_RESTARTABLE */ 624 625 #ifdef __cplusplus 626 } 627 #endif 628 629 #endif /* ecdsa.h */ 630