1 /** 2 * \file ecp.h 3 * 4 * \brief Elliptic curves over GF(p) 5 */ 6 /* 7 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 8 * SPDX-License-Identifier: GPL-2.0 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 * This program is distributed in the hope that it will be useful, 16 * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 * GNU General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License along 21 * with this program; if not, write to the Free Software Foundation, Inc., 22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 * 24 * This file is part of mbed TLS (https://tls.mbed.org) 25 */ 26 #ifndef MBEDTLS_ECP_H 27 #define MBEDTLS_ECP_H 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #include "bignum.h" 36 37 /* 38 * ECP error codes 39 */ 40 #define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */ 41 #define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */ 42 #define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80 /**< Requested curve not available. */ 43 #define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */ 44 #define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80 /**< Memory allocation failed. */ 45 #define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as (ephemeral) key, failed. */ 46 #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */ 47 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< The buffer contains a valid signature followed by more data. */ 48 #define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< ECP hardware accelerator failed. */ 49 50 #if !defined(MBEDTLS_ECP_ALT) 51 /* 52 * default mbed TLS elliptic curve arithmetic implementation 53 * 54 * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an 55 * alternative implementation for the whole module and it will replace this 56 * one.) 57 */ 58 59 #ifdef __cplusplus 60 extern "C" { 61 #endif 62 63 /** 64 * Domain parameters (curve, subgroup and generator) identifiers. 65 * 66 * Only curves over prime fields are supported. 67 * 68 * \warning This library does not support validation of arbitrary domain 69 * parameters. Therefore, only well-known domain parameters from trusted 70 * sources should be used. See mbedtls_ecp_group_load(). 71 */ 72 typedef enum 73 { 74 MBEDTLS_ECP_DP_NONE = 0, 75 MBEDTLS_ECP_DP_SECP192R1, /*!< 192-bits NIST curve */ 76 MBEDTLS_ECP_DP_SECP224R1, /*!< 224-bits NIST curve */ 77 MBEDTLS_ECP_DP_SECP256R1, /*!< 256-bits NIST curve */ 78 MBEDTLS_ECP_DP_SECP384R1, /*!< 384-bits NIST curve */ 79 MBEDTLS_ECP_DP_SECP521R1, /*!< 521-bits NIST curve */ 80 MBEDTLS_ECP_DP_BP256R1, /*!< 256-bits Brainpool curve */ 81 MBEDTLS_ECP_DP_BP384R1, /*!< 384-bits Brainpool curve */ 82 MBEDTLS_ECP_DP_BP512R1, /*!< 512-bits Brainpool curve */ 83 MBEDTLS_ECP_DP_CURVE25519, /*!< Curve25519 */ 84 MBEDTLS_ECP_DP_SECP192K1, /*!< 192-bits "Koblitz" curve */ 85 MBEDTLS_ECP_DP_SECP224K1, /*!< 224-bits "Koblitz" curve */ 86 MBEDTLS_ECP_DP_SECP256K1, /*!< 256-bits "Koblitz" curve */ 87 } mbedtls_ecp_group_id; 88 89 /** 90 * Number of supported curves (plus one for NONE). 91 * 92 * (Montgomery curves excluded for now.) 93 */ 94 #define MBEDTLS_ECP_DP_MAX 12 95 96 /** 97 * Curve information for use by other modules 98 */ 99 typedef struct 100 { 101 mbedtls_ecp_group_id grp_id; /*!< Internal identifier */ 102 uint16_t tls_id; /*!< TLS NamedCurve identifier */ 103 uint16_t bit_size; /*!< Curve size in bits */ 104 const char *name; /*!< Human-friendly name */ 105 } mbedtls_ecp_curve_info; 106 107 /** 108 * \brief ECP point structure (jacobian coordinates) 109 * 110 * \note All functions expect and return points satisfying 111 * the following condition: Z == 0 or Z == 1. (Other 112 * values of Z are used by internal functions only.) 113 * The point is zero, or "at infinity", if Z == 0. 114 * Otherwise, X and Y are its standard (affine) coordinates. 115 */ 116 typedef struct 117 { 118 mbedtls_mpi X; /*!< the point's X coordinate */ 119 mbedtls_mpi Y; /*!< the point's Y coordinate */ 120 mbedtls_mpi Z; /*!< the point's Z coordinate */ 121 } 122 mbedtls_ecp_point; 123 124 /** 125 * \brief ECP group structure 126 * 127 * We consider two types of curves equations: 128 * 1. Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492) 129 * 2. Montgomery, y^2 = x^3 + A x^2 + x mod P (Curve25519 + draft) 130 * In both cases, a generator G for a prime-order subgroup is fixed. In the 131 * short weierstrass, this subgroup is actually the whole curve, and its 132 * cardinal is denoted by N. 133 * 134 * In the case of Short Weierstrass curves, our code requires that N is an odd 135 * prime. (Use odd in mbedtls_ecp_mul() and prime in mbedtls_ecdsa_sign() for blinding.) 136 * 137 * In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is 138 * the quantity actually used in the formulas. Also, nbits is not the size of N 139 * but the required size for private keys. 140 * 141 * If modp is NULL, reduction modulo P is done using a generic algorithm. 142 * Otherwise, it must point to a function that takes an mbedtls_mpi in the range 143 * 0..2^(2*pbits)-1 and transforms it in-place in an integer of little more 144 * than pbits, so that the integer may be efficiently brought in the 0..P-1 145 * range by a few additions or substractions. It must return 0 on success and 146 * non-zero on failure. 147 */ 148 typedef struct 149 { 150 mbedtls_ecp_group_id id; /*!< internal group identifier */ 151 mbedtls_mpi P; /*!< prime modulus of the base field */ 152 mbedtls_mpi A; /*!< 1. A in the equation, or 2. (A + 2) / 4 */ 153 mbedtls_mpi B; /*!< 1. B in the equation, or 2. unused */ 154 mbedtls_ecp_point G; /*!< generator of the (sub)group used */ 155 mbedtls_mpi N; /*!< 1. the order of G, or 2. unused */ 156 size_t pbits; /*!< number of bits in P */ 157 size_t nbits; /*!< number of bits in 1. P, or 2. private keys */ 158 unsigned int h; /*!< internal: 1 if the constants are static */ 159 int (*modp)(mbedtls_mpi *); /*!< function for fast reduction mod P */ 160 int (*t_pre)(mbedtls_ecp_point *, void *); /*!< unused */ 161 int (*t_post)(mbedtls_ecp_point *, void *); /*!< unused */ 162 void *t_data; /*!< unused */ 163 mbedtls_ecp_point *T; /*!< pre-computed points for ecp_mul_comb() */ 164 size_t T_size; /*!< number for pre-computed points */ 165 } 166 mbedtls_ecp_group; 167 168 /** 169 * \brief ECP key pair structure 170 * 171 * A generic key pair that could be used for ECDSA, fixed ECDH, etc. 172 * 173 * \note Members purposefully in the same order as struc mbedtls_ecdsa_context. 174 */ 175 typedef struct 176 { 177 mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ 178 mbedtls_mpi d; /*!< our secret value */ 179 mbedtls_ecp_point Q; /*!< our public value */ 180 } 181 mbedtls_ecp_keypair; 182 183 /** 184 * \name SECTION: Module settings 185 * 186 * The configuration options you can set for this module are in this section. 187 * Either change them in config.h or define them on the compiler command line. 188 * \{ 189 */ 190 191 #if !defined(MBEDTLS_ECP_MAX_BITS) 192 /** 193 * Maximum size of the groups (that is, of N and P) 194 */ 195 #define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ 196 #endif 197 198 #define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) 199 #define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 ) 200 201 #if !defined(MBEDTLS_ECP_WINDOW_SIZE) 202 /* 203 * Maximum "window" size used for point multiplication. 204 * Default: 6. 205 * Minimum value: 2. Maximum value: 7. 206 * 207 * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) ) 208 * points used for point multiplication. This value is directly tied to EC 209 * peak memory usage, so decreasing it by one should roughly cut memory usage 210 * by two (if large curves are in use). 211 * 212 * Reduction in size may reduce speed, but larger curves are impacted first. 213 * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1): 214 * w-size: 6 5 4 3 2 215 * 521 145 141 135 120 97 216 * 384 214 209 198 177 146 217 * 256 320 320 303 262 226 218 219 * 224 475 475 453 398 342 220 * 192 640 640 633 587 476 221 */ 222 #define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ 223 #endif /* MBEDTLS_ECP_WINDOW_SIZE */ 224 225 #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) 226 /* 227 * Trade memory for speed on fixed-point multiplication. 228 * 229 * This speeds up repeated multiplication of the generator (that is, the 230 * multiplication in ECDSA signatures, and half of the multiplications in 231 * ECDSA verification and ECDHE) by a factor roughly 3 to 4. 232 * 233 * The cost is increasing EC peak memory usage by a factor roughly 2. 234 * 235 * Change this value to 0 to reduce peak memory usage. 236 */ 237 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ 238 #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ 239 240 /* \} name SECTION: Module settings */ 241 242 /* 243 * Point formats, from RFC 4492's enum ECPointFormat 244 */ 245 #define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format */ 246 #define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format */ 247 248 /* 249 * Some other constants from RFC 4492 250 */ 251 #define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< ECCurveType's named_curve */ 252 253 /** 254 * \brief Get the list of supported curves in order of preferrence 255 * (full information) 256 * 257 * \return A statically allocated array, the last entry is 0. 258 */ 259 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void ); 260 261 /** 262 * \brief Get the list of supported curves in order of preferrence 263 * (grp_id only) 264 * 265 * \return A statically allocated array, 266 * terminated with MBEDTLS_ECP_DP_NONE. 267 */ 268 const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void ); 269 270 /** 271 * \brief Get curve information from an internal group identifier 272 * 273 * \param grp_id A MBEDTLS_ECP_DP_XXX value 274 * 275 * \return The associated curve information or NULL 276 */ 277 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id ); 278 279 /** 280 * \brief Get curve information from a TLS NamedCurve value 281 * 282 * \param tls_id A MBEDTLS_ECP_DP_XXX value 283 * 284 * \return The associated curve information or NULL 285 */ 286 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id ); 287 288 /** 289 * \brief Get curve information from a human-readable name 290 * 291 * \param name The name 292 * 293 * \return The associated curve information or NULL 294 */ 295 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name ); 296 297 /** 298 * \brief Initialize a point (as zero) 299 */ 300 void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ); 301 302 /** 303 * \brief Initialize a group (to something meaningless) 304 */ 305 void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ); 306 307 /** 308 * \brief Initialize a key pair (as an invalid one) 309 */ 310 void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key ); 311 312 /** 313 * \brief Free the components of a point 314 */ 315 void mbedtls_ecp_point_free( mbedtls_ecp_point *pt ); 316 317 /** 318 * \brief Free the components of an ECP group 319 */ 320 void mbedtls_ecp_group_free( mbedtls_ecp_group *grp ); 321 322 /** 323 * \brief Free the components of a key pair 324 */ 325 void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key ); 326 327 /** 328 * \brief Copy the contents of point Q into P 329 * 330 * \param P Destination point 331 * \param Q Source point 332 * 333 * \return 0 if successful, 334 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 335 */ 336 int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ); 337 338 /** 339 * \brief Copy the contents of a group object 340 * 341 * \param dst Destination group 342 * \param src Source group 343 * 344 * \return 0 if successful, 345 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 346 */ 347 int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src ); 348 349 /** 350 * \brief Set a point to zero 351 * 352 * \param pt Destination point 353 * 354 * \return 0 if successful, 355 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 356 */ 357 int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ); 358 359 /** 360 * \brief Tell if a point is zero 361 * 362 * \param pt Point to test 363 * 364 * \return 1 if point is zero, 0 otherwise 365 */ 366 int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ); 367 368 /** 369 * \brief Compare two points 370 * 371 * \note This assumes the points are normalized. Otherwise, 372 * they may compare as "not equal" even if they are. 373 * 374 * \param P First point to compare 375 * \param Q Second point to compare 376 * 377 * \return 0 if the points are equal, 378 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise 379 */ 380 int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, 381 const mbedtls_ecp_point *Q ); 382 383 /** 384 * \brief Import a non-zero point from two ASCII strings 385 * 386 * \param P Destination point 387 * \param radix Input numeric base 388 * \param x First affine coordinate as a null-terminated string 389 * \param y Second affine coordinate as a null-terminated string 390 * 391 * \return 0 if successful, or a MBEDTLS_ERR_MPI_XXX error code 392 */ 393 int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix, 394 const char *x, const char *y ); 395 396 /** 397 * \brief Export a point into unsigned binary data 398 * 399 * \param grp Group to which the point should belong 400 * \param P Point to export 401 * \param format Point format, should be a MBEDTLS_ECP_PF_XXX macro 402 * \param olen Length of the actual output 403 * \param buf Output buffer 404 * \param buflen Length of the output buffer 405 * 406 * \return 0 if successful, 407 * or MBEDTLS_ERR_ECP_BAD_INPUT_DATA 408 * or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL 409 */ 410 int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P, 411 int format, size_t *olen, 412 unsigned char *buf, size_t buflen ); 413 414 /** 415 * \brief Import a point from unsigned binary data 416 * 417 * \param grp Group to which the point should belong 418 * \param P Point to import 419 * \param buf Input buffer 420 * \param ilen Actual length of input 421 * 422 * \return 0 if successful, 423 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid, 424 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed, 425 * MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format 426 * is not implemented. 427 * 428 * \note This function does NOT check that the point actually 429 * belongs to the given group, see mbedtls_ecp_check_pubkey() for 430 * that. 431 */ 432 int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P, 433 const unsigned char *buf, size_t ilen ); 434 435 /** 436 * \brief Import a point from a TLS ECPoint record 437 * 438 * \param grp ECP group used 439 * \param pt Destination point 440 * \param buf $(Start of input buffer) 441 * \param len Buffer length 442 * 443 * \note buf is updated to point right after the ECPoint on exit 444 * 445 * \return 0 if successful, 446 * MBEDTLS_ERR_MPI_XXX if initialization failed 447 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid 448 */ 449 int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt, 450 const unsigned char **buf, size_t len ); 451 452 /** 453 * \brief Export a point as a TLS ECPoint record 454 * 455 * \param grp ECP group used 456 * \param pt Point to export 457 * \param format Export format 458 * \param olen length of data written 459 * \param buf Buffer to write to 460 * \param blen Buffer length 461 * 462 * \return 0 if successful, 463 * or MBEDTLS_ERR_ECP_BAD_INPUT_DATA 464 * or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL 465 */ 466 int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt, 467 int format, size_t *olen, 468 unsigned char *buf, size_t blen ); 469 470 /** 471 * \brief Set a group using well-known domain parameters 472 * 473 * \param grp Destination group 474 * \param id Index in the list of well-known domain parameters 475 * 476 * \return 0 if successful, 477 * MBEDTLS_ERR_MPI_XXX if initialization failed 478 * MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups 479 * 480 * \note Index should be a value of RFC 4492's enum NamedCurve, 481 * usually in the form of a MBEDTLS_ECP_DP_XXX macro. 482 */ 483 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ); 484 485 /** 486 * \brief Set a group from a TLS ECParameters record 487 * 488 * \param grp Destination group 489 * \param buf &(Start of input buffer) 490 * \param len Buffer length 491 * 492 * \note buf is updated to point right after ECParameters on exit 493 * 494 * \return 0 if successful, 495 * MBEDTLS_ERR_MPI_XXX if initialization failed 496 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid 497 */ 498 int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len ); 499 500 /** 501 * \brief Write the TLS ECParameters record for a group 502 * 503 * \param grp ECP group used 504 * \param olen Number of bytes actually written 505 * \param buf Buffer to write to 506 * \param blen Buffer length 507 * 508 * \return 0 if successful, 509 * or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL 510 */ 511 int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen, 512 unsigned char *buf, size_t blen ); 513 514 /** 515 * \brief Multiplication by an integer: R = m * P 516 * (Not thread-safe to use same group in multiple threads) 517 * 518 * \note In order to prevent timing attacks, this function 519 * executes the exact same sequence of (base field) 520 * operations for any valid m. It avoids any if-branch or 521 * array index depending on the value of m. 522 * 523 * \note If f_rng is not NULL, it is used to randomize intermediate 524 * results in order to prevent potential timing attacks 525 * targeting these results. It is recommended to always 526 * provide a non-NULL f_rng (the overhead is negligible). 527 * 528 * \param grp ECP group 529 * \param R Destination point 530 * \param m Integer by which to multiply 531 * \param P Point to multiply 532 * \param f_rng RNG function (see notes) 533 * \param p_rng RNG parameter 534 * 535 * \return 0 if successful, 536 * MBEDTLS_ERR_ECP_INVALID_KEY if m is not a valid privkey 537 * or P is not a valid pubkey, 538 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 539 */ 540 int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 541 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 542 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 543 544 /** 545 * \brief Multiplication and addition of two points by integers: 546 * R = m * P + n * Q 547 * (Not thread-safe to use same group in multiple threads) 548 * 549 * \note In contrast to mbedtls_ecp_mul(), this function does not guarantee 550 * a constant execution flow and timing. 551 * 552 * \param grp ECP group 553 * \param R Destination point 554 * \param m Integer by which to multiply P 555 * \param P Point to multiply by m 556 * \param n Integer by which to multiply Q 557 * \param Q Point to be multiplied by n 558 * 559 * \return 0 if successful, 560 * MBEDTLS_ERR_ECP_INVALID_KEY if m or n is not a valid privkey 561 * or P or Q is not a valid pubkey, 562 * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 563 */ 564 int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, 565 const mbedtls_mpi *m, const mbedtls_ecp_point *P, 566 const mbedtls_mpi *n, const mbedtls_ecp_point *Q ); 567 568 /** 569 * \brief Check that a point is a valid public key on this curve 570 * 571 * \param grp Curve/group the point should belong to 572 * \param pt Point to check 573 * 574 * \return 0 if point is a valid public key, 575 * MBEDTLS_ERR_ECP_INVALID_KEY otherwise. 576 * 577 * \note This function only checks the point is non-zero, has valid 578 * coordinates and lies on the curve, but not that it is 579 * indeed a multiple of G. This is additional check is more 580 * expensive, isn't required by standards, and shouldn't be 581 * necessary if the group used has a small cofactor. In 582 * particular, it is useless for the NIST groups which all 583 * have a cofactor of 1. 584 * 585 * \note Uses bare components rather than an mbedtls_ecp_keypair structure 586 * in order to ease use with other structures such as 587 * mbedtls_ecdh_context of mbedtls_ecdsa_context. 588 */ 589 int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt ); 590 591 /** 592 * \brief Check that an mbedtls_mpi is a valid private key for this curve 593 * 594 * \param grp Group used 595 * \param d Integer to check 596 * 597 * \return 0 if point is a valid private key, 598 * MBEDTLS_ERR_ECP_INVALID_KEY otherwise. 599 * 600 * \note Uses bare components rather than an mbedtls_ecp_keypair structure 601 * in order to ease use with other structures such as 602 * mbedtls_ecdh_context of mbedtls_ecdsa_context. 603 */ 604 int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d ); 605 606 /** 607 * \brief Generate a private key 608 * 609 * \param grp ECP group 610 * \param d Destination MPI (secret part) 611 * \param f_rng RNG function 612 * \param p_rng RNG parameter 613 * 614 * \return 0 if successful, 615 * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 616 */ 617 int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp, 618 mbedtls_mpi *d, 619 int (*f_rng)(void *, unsigned char *, size_t), 620 void *p_rng ); 621 622 /** 623 * \brief Generate a keypair with configurable base point 624 * 625 * \param grp ECP group 626 * \param G Chosen base point 627 * \param d Destination MPI (secret part) 628 * \param Q Destination point (public part) 629 * \param f_rng RNG function 630 * \param p_rng RNG parameter 631 * 632 * \return 0 if successful, 633 * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 634 * 635 * \note Uses bare components rather than an mbedtls_ecp_keypair structure 636 * in order to ease use with other structures such as 637 * mbedtls_ecdh_context of mbedtls_ecdsa_context. 638 */ 639 int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, 640 const mbedtls_ecp_point *G, 641 mbedtls_mpi *d, mbedtls_ecp_point *Q, 642 int (*f_rng)(void *, unsigned char *, size_t), 643 void *p_rng ); 644 645 /** 646 * \brief Generate a keypair 647 * 648 * \param grp ECP group 649 * \param d Destination MPI (secret part) 650 * \param Q Destination point (public part) 651 * \param f_rng RNG function 652 * \param p_rng RNG parameter 653 * 654 * \return 0 if successful, 655 * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 656 * 657 * \note Uses bare components rather than an mbedtls_ecp_keypair structure 658 * in order to ease use with other structures such as 659 * mbedtls_ecdh_context of mbedtls_ecdsa_context. 660 */ 661 int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, 662 int (*f_rng)(void *, unsigned char *, size_t), 663 void *p_rng ); 664 665 /** 666 * \brief Generate a keypair 667 * 668 * \param grp_id ECP group identifier 669 * \param key Destination keypair 670 * \param f_rng RNG function 671 * \param p_rng RNG parameter 672 * 673 * \return 0 if successful, 674 * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code 675 */ 676 int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, 677 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 678 679 /** 680 * \brief Check a public-private key pair 681 * 682 * \param pub Keypair structure holding a public key 683 * \param prv Keypair structure holding a private (plus public) key 684 * 685 * \return 0 if successful (keys are valid and match), or 686 * MBEDTLS_ERR_ECP_BAD_INPUT_DATA, or 687 * a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX code. 688 */ 689 int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv ); 690 691 #if defined(MBEDTLS_SELF_TEST) 692 693 /** 694 * \brief Checkup routine 695 * 696 * \return 0 if successful, or 1 if a test failed 697 */ 698 int mbedtls_ecp_self_test( int verbose ); 699 700 #endif /* MBEDTLS_SELF_TEST */ 701 702 #ifdef __cplusplus 703 } 704 #endif 705 706 #else /* MBEDTLS_ECP_ALT */ 707 #include "ecp_alt.h" 708 #endif /* MBEDTLS_ECP_ALT */ 709 710 #endif /* ecp.h */ 711