1 /** 2 * \file ecdh.h 3 * 4 * \brief The Elliptic Curve Diffie-Hellman (ECDH) protocol APIs. 5 * 6 * ECDH is an anonymous key agreement protocol allowing two parties to 7 * establish a shared secret over an insecure channel. Each party must have an 8 * elliptic-curve public–private key pair. 9 * 10 * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for 11 * Pair-Wise Key Establishment Schemes Using Discrete Logarithm 12 * Cryptography</em>. 13 */ 14 /* 15 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved 16 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 17 * 18 * This file is provided under the Apache License 2.0, or the 19 * GNU General Public License v2.0 or later. 20 * 21 * ********** 22 * Apache License 2.0: 23 * 24 * Licensed under the Apache License, Version 2.0 (the "License"); you may 25 * not use this file except in compliance with the License. 26 * You may obtain a copy of the License at 27 * 28 * http://www.apache.org/licenses/LICENSE-2.0 29 * 30 * Unless required by applicable law or agreed to in writing, software 31 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 32 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 33 * See the License for the specific language governing permissions and 34 * limitations under the License. 35 * 36 * ********** 37 * 38 * ********** 39 * GNU General Public License v2.0 or later: 40 * 41 * This program is free software; you can redistribute it and/or modify 42 * it under the terms of the GNU General Public License as published by 43 * the Free Software Foundation; either version 2 of the License, or 44 * (at your option) any later version. 45 * 46 * This program is distributed in the hope that it will be useful, 47 * but WITHOUT ANY WARRANTY; without even the implied warranty of 48 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 49 * GNU General Public License for more details. 50 * 51 * You should have received a copy of the GNU General Public License along 52 * with this program; if not, write to the Free Software Foundation, Inc., 53 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 54 * 55 * ********** 56 * 57 * This file is part of Mbed TLS (https://tls.mbed.org) 58 */ 59 60 #ifndef MBEDTLS_ECDH_H 61 #define MBEDTLS_ECDH_H 62 63 #if !defined(MBEDTLS_CONFIG_FILE) 64 #include "config.h" 65 #else 66 #include MBEDTLS_CONFIG_FILE 67 #endif 68 69 #include "ecp.h" 70 71 #ifdef __cplusplus 72 extern "C" { 73 #endif 74 75 /** 76 * Defines the source of the imported EC key: 77 * <ul><li>Our key.</li> 78 * <li>The key of the peer.</li></ul> 79 */ 80 typedef enum 81 { 82 MBEDTLS_ECDH_OURS, 83 MBEDTLS_ECDH_THEIRS, 84 } mbedtls_ecdh_side; 85 86 /** 87 * \brief The ECDH context structure. 88 */ 89 typedef struct 90 { 91 mbedtls_ecp_group grp; /*!< The elliptic curve used. */ 92 mbedtls_mpi d; /*!< The private key. */ 93 mbedtls_ecp_point Q; /*!< The public key. */ 94 mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ 95 mbedtls_mpi z; /*!< The shared secret. */ 96 int point_format; /*!< The format of point export in TLS messages. */ 97 mbedtls_ecp_point Vi; /*!< The blinding value. */ 98 mbedtls_ecp_point Vf; /*!< The unblinding value. */ 99 mbedtls_mpi _d; /*!< The previous \p d. */ 100 } 101 mbedtls_ecdh_context; 102 103 /** 104 * \brief This function generates an ECDH keypair on an elliptic 105 * curve. 106 * 107 * This function performs the first of two core computations 108 * implemented during the ECDH key exchange. The second core 109 * computation is performed by mbedtls_ecdh_compute_shared(). 110 * 111 * \param grp The ECP group. 112 * \param d The destination MPI (private key). 113 * \param Q The destination point (public key). 114 * \param f_rng The RNG function. 115 * \param p_rng The RNG parameter. 116 * 117 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or 118 * \c MBEDTLS_MPI_XXX error code on failure. 119 * 120 * \see ecp.h 121 */ 122 int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, 123 int (*f_rng)(void *, unsigned char *, size_t), 124 void *p_rng ); 125 126 /** 127 * \brief This function computes the shared secret. 128 * 129 * This function performs the second of two core computations 130 * implemented during the ECDH key exchange. The first core 131 * computation is performed by mbedtls_ecdh_gen_public(). 132 * 133 * \param grp The ECP group. 134 * \param z The destination MPI (shared secret). 135 * \param Q The public key from another party. 136 * \param d Our secret exponent (private key). 137 * \param f_rng The RNG function. 138 * \param p_rng The RNG parameter. 139 * 140 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or 141 * \c MBEDTLS_MPI_XXX error code on failure. 142 * 143 * \see ecp.h 144 * 145 * \note If \p f_rng is not NULL, it is used to implement 146 * countermeasures against potential elaborate timing 147 * attacks. For more information, see mbedtls_ecp_mul(). 148 */ 149 int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, 150 const mbedtls_ecp_point *Q, const mbedtls_mpi *d, 151 int (*f_rng)(void *, unsigned char *, size_t), 152 void *p_rng ); 153 154 /** 155 * \brief This function initializes an ECDH context. 156 * 157 * \param ctx The ECDH context to initialize. 158 */ 159 void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ); 160 161 /** 162 * \brief This function frees a context. 163 * 164 * \param ctx The context to free. 165 */ 166 void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx ); 167 168 /** 169 * \brief This function generates a public key and a TLS 170 * ServerKeyExchange payload. 171 * 172 * This is the first function used by a TLS server for ECDHE 173 * ciphersuites. 174 * 175 * \param ctx The ECDH context. 176 * \param olen The number of characters written. 177 * \param buf The destination buffer. 178 * \param blen The length of the destination buffer. 179 * \param f_rng The RNG function. 180 * \param p_rng The RNG parameter. 181 * 182 * \note This function assumes that the ECP group (grp) of the 183 * \p ctx context has already been properly set, 184 * for example, using mbedtls_ecp_group_load(). 185 * 186 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 187 * on failure. 188 * 189 * \see ecp.h 190 */ 191 int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, 192 unsigned char *buf, size_t blen, 193 int (*f_rng)(void *, unsigned char *, size_t), 194 void *p_rng ); 195 196 /** 197 * \brief This function parses and processes a TLS ServerKeyExhange 198 * payload. 199 * 200 * This is the first function used by a TLS client for ECDHE 201 * ciphersuites. 202 * 203 * \param ctx The ECDH context. 204 * \param buf The pointer to the start of the input buffer. 205 * \param end The address for one Byte past the end of the buffer. 206 * 207 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 208 * on failure. 209 * 210 * \see ecp.h 211 */ 212 int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, 213 const unsigned char **buf, const unsigned char *end ); 214 215 /** 216 * \brief This function sets up an ECDH context from an EC key. 217 * 218 * It is used by clients and servers in place of the 219 * ServerKeyEchange for static ECDH, and imports ECDH 220 * parameters from the EC key information of a certificate. 221 * 222 * \param ctx The ECDH context to set up. 223 * \param key The EC key to use. 224 * \param side Defines the source of the key: 225 * <ul><li>1: Our key.</li> 226 <li>0: The key of the peer.</li></ul> 227 * 228 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 229 * on failure. 230 * 231 * \see ecp.h 232 */ 233 int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key, 234 mbedtls_ecdh_side side ); 235 236 /** 237 * \brief This function generates a public key and a TLS 238 * ClientKeyExchange payload. 239 * 240 * This is the second function used by a TLS client for ECDH(E) 241 * ciphersuites. 242 * 243 * \param ctx The ECDH context. 244 * \param olen The number of Bytes written. 245 * \param buf The destination buffer. 246 * \param blen The size of the destination buffer. 247 * \param f_rng The RNG function. 248 * \param p_rng The RNG parameter. 249 * 250 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 251 * on failure. 252 * 253 * \see ecp.h 254 */ 255 int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, 256 unsigned char *buf, size_t blen, 257 int (*f_rng)(void *, unsigned char *, size_t), 258 void *p_rng ); 259 260 /** 261 * \brief This function parses and processes a TLS ClientKeyExchange 262 * payload. 263 * 264 * This is the second function used by a TLS server for ECDH(E) 265 * ciphersuites. 266 * 267 * \param ctx The ECDH context. 268 * \param buf The start of the input buffer. 269 * \param blen The length of the input buffer. 270 * 271 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 272 * on failure. 273 * 274 * \see ecp.h 275 */ 276 int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, 277 const unsigned char *buf, size_t blen ); 278 279 /** 280 * \brief This function derives and exports the shared secret. 281 * 282 * This is the last function used by both TLS client 283 * and servers. 284 * 285 * \param ctx The ECDH context. 286 * \param olen The number of Bytes written. 287 * \param buf The destination buffer. 288 * \param blen The length of the destination buffer. 289 * \param f_rng The RNG function. 290 * \param p_rng The RNG parameter. 291 * 292 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code 293 * on failure. 294 * 295 * \see ecp.h 296 * 297 * \note If \p f_rng is not NULL, it is used to implement 298 * countermeasures against potential elaborate timing 299 * attacks. For more information, see mbedtls_ecp_mul(). 300 */ 301 int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, 302 unsigned char *buf, size_t blen, 303 int (*f_rng)(void *, unsigned char *, size_t), 304 void *p_rng ); 305 306 #ifdef __cplusplus 307 } 308 #endif 309 310 #endif /* ecdh.h */ 311