/** * \file ecdh.h * * \brief This file contains ECDH definitions and functions. * * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous * key agreement protocol allowing two parties to establish a shared * secret over an insecure channel. Each party must have an * elliptic-curve public–private key pair. * * For more information, see NIST SP 800-56A Rev. 2: Recommendation for * Pair-Wise Key Establishment Schemes Using Discrete Logarithm * Cryptography. */ /* * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: GPL-2.0 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_ECDH_H #define MBEDTLS_ECDH_H #if !defined(MBEDTLS_CONFIG_FILE) #include "config.h" #else #include MBEDTLS_CONFIG_FILE #endif #include "ecp.h" /* * Use a backward compatible ECDH context. * * This flag is always enabled for now and future versions might add a * configuration option that conditionally undefines this flag. * The configuration option in question may have a different name. * * Features undefining this flag, must have a warning in their description in * config.h stating that the feature breaks backward compatibility. */ #define MBEDTLS_ECDH_LEGACY_CONTEXT #ifdef __cplusplus extern "C" { #endif /** * Defines the source of the imported EC key. */ typedef enum { MBEDTLS_ECDH_OURS, /**< Our key. */ MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */ } mbedtls_ecdh_side; #if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) /** * Defines the ECDH implementation used. * * Later versions of the library may add new variants, therefore users should * not make any assumptions about them. */ typedef enum { MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */ MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */ } mbedtls_ecdh_variant; /** * The context used by the default ECDH implementation. * * Later versions might change the structure of this context, therefore users * should not make any assumptions about the structure of * mbedtls_ecdh_context_mbed. */ typedef struct mbedtls_ecdh_context_mbed { mbedtls_ecp_group grp; /*!< The elliptic curve used. */ mbedtls_mpi d; /*!< The private key. */ mbedtls_ecp_point Q; /*!< The public key. */ mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ mbedtls_mpi z; /*!< The shared secret. */ #if defined(MBEDTLS_ECP_RESTARTABLE) mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ #endif } mbedtls_ecdh_context_mbed; #endif /** * * \warning Performing multiple operations concurrently on the same * ECDSA context is not supported; objects of this type * should not be shared between multiple threads. * \brief The ECDH context structure. */ typedef struct mbedtls_ecdh_context { #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) mbedtls_ecp_group grp; /*!< The elliptic curve used. */ mbedtls_mpi d; /*!< The private key. */ mbedtls_ecp_point Q; /*!< The public key. */ mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ mbedtls_mpi z; /*!< The shared secret. */ int point_format; /*!< The format of point export in TLS messages. */ mbedtls_ecp_point Vi; /*!< The blinding value. */ mbedtls_ecp_point Vf; /*!< The unblinding value. */ mbedtls_mpi _d; /*!< The previous \p d. */ #if defined(MBEDTLS_ECP_RESTARTABLE) int restart_enabled; /*!< The flag for restartable mode. */ mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ #endif /* MBEDTLS_ECP_RESTARTABLE */ #else uint8_t point_format; /*!< The format of point export in TLS messages as defined in RFC 4492. */ mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */ mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */ union { mbedtls_ecdh_context_mbed mbed_ecdh; } ctx; /*!< Implementation-specific context. The context in use is specified by the \c var field. */ #if defined(MBEDTLS_ECP_RESTARTABLE) uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of an alternative implementation not supporting restartable mode must return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error if this flag is set. */ #endif /* MBEDTLS_ECP_RESTARTABLE */ #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */ } mbedtls_ecdh_context; /** * \brief This function generates an ECDH keypair on an elliptic * curve. * * This function performs the first of two core computations * implemented during the ECDH key exchange. The second core * computation is performed by mbedtls_ecdh_compute_shared(). * * \see ecp.h * * \param grp The ECP group to use. This must be initialized and have * domain parameters loaded, for example through * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). * \param d The destination MPI (private key). * This must be initialized. * \param Q The destination point (public key). * This must be initialized. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL in case \p f_rng doesn't need a context argument. * * \return \c 0 on success. * \return Another \c MBEDTLS_ERR_ECP_XXX or * \c MBEDTLS_MPI_XXX error code on failure. */ int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief This function computes the shared secret. * * This function performs the second of two core computations * implemented during the ECDH key exchange. The first core * computation is performed by mbedtls_ecdh_gen_public(). * * \see ecp.h * * \note If \p f_rng is not NULL, it is used to implement * countermeasures against side-channel attacks. * For more information, see mbedtls_ecp_mul(). * * \param grp The ECP group to use. This must be initialized and have * domain parameters loaded, for example through * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group(). * \param z The destination MPI (shared secret). * This must be initialized. * \param Q The public key from another party. * This must be initialized. * \param d Our secret exponent (private key). * This must be initialized. * \param f_rng The RNG function. This may be \c NULL if randomization * of intermediate results during the ECP computations is * not needed (discouraged). See the documentation of * mbedtls_ecp_mul() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL if \p f_rng is \c NULL or doesn't need a * context argument. * * \return \c 0 on success. * \return Another \c MBEDTLS_ERR_ECP_XXX or * \c MBEDTLS_MPI_XXX error code on failure. */ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, const mbedtls_ecp_point *Q, const mbedtls_mpi *d, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief This function initializes an ECDH context. * * \param ctx The ECDH context to initialize. This must not be \c NULL. */ void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ); /** * \brief This function sets up the ECDH context with the information * given. * * This function should be called after mbedtls_ecdh_init() but * before mbedtls_ecdh_make_params(). There is no need to call * this function before mbedtls_ecdh_read_params(). * * This is the first function used by a TLS server for ECDHE * ciphersuites. * * \param ctx The ECDH context to set up. This must be initialized. * \param grp_id The group id of the group to set up the context for. * * \return \c 0 on success. */ int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id ); /** * \brief This function frees a context. * * \param ctx The context to free. This may be \c NULL, in which * case this function does nothing. If it is not \c NULL, * it must point to an initialized ECDH context. */ void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx ); /** * \brief This function generates an EC key pair and exports its * in the format used in a TLS ServerKeyExchange handshake * message. * * This is the second function used by a TLS server for ECDHE * ciphersuites. (It is called after mbedtls_ecdh_setup().) * * \see ecp.h * * \param ctx The ECDH context to use. This must be initialized * and bound to a group, for example via mbedtls_ecdh_setup(). * \param olen The address at which to store the number of Bytes written. * \param buf The destination buffer. This must be a writable buffer of * length \p blen Bytes. * \param blen The length of the destination buffer \p buf in Bytes. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL in case \p f_rng doesn't need a context argument. * * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. */ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief This function parses the ECDHE parameters in a * TLS ServerKeyExchange handshake message. * * \note In a TLS handshake, this is the how the client * sets up its ECDHE context from the server's public * ECDHE key material. * * \see ecp.h * * \param ctx The ECDHE context to use. This must be initialized. * \param buf On input, \c *buf must be the start of the input buffer. * On output, \c *buf is updated to point to the end of the * data that has been read. On success, this is the first byte * past the end of the ServerKeyExchange parameters. * On error, this is the point at which an error has been * detected, which is usually not useful except to debug * failures. * \param end The end of the input buffer. * * \return \c 0 on success. * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. * */ int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, const unsigned char **buf, const unsigned char *end ); /** * \brief This function sets up an ECDH context from an EC key. * * It is used by clients and servers in place of the * ServerKeyEchange for static ECDH, and imports ECDH * parameters from the EC key information of a certificate. * * \see ecp.h * * \param ctx The ECDH context to set up. This must be initialized. * \param key The EC key to use. This must be initialized. * \param side Defines the source of the key. Possible values are: * - #MBEDTLS_ECDH_OURS: The key is ours. * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer. * * \return \c 0 on success. * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. * */ int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key, mbedtls_ecdh_side side ); /** * \brief This function generates a public key and exports it * as a TLS ClientKeyExchange payload. * * This is the second function used by a TLS client for ECDH(E) * ciphersuites. * * \see ecp.h * * \param ctx The ECDH context to use. This must be initialized * and bound to a group, the latter usually by * mbedtls_ecdh_read_params(). * \param olen The address at which to store the number of Bytes written. * This must not be \c NULL. * \param buf The destination buffer. This must be a writable buffer * of length \p blen Bytes. * \param blen The size of the destination buffer \p buf in Bytes. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL in case \p f_rng doesn't need a context argument. * * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. */ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief This function parses and processes the ECDHE payload of a * TLS ClientKeyExchange message. * * This is the third function used by a TLS server for ECDH(E) * ciphersuites. (It is called after mbedtls_ecdh_setup() and * mbedtls_ecdh_make_params().) * * \see ecp.h * * \param ctx The ECDH context to use. This must be initialized * and bound to a group, for example via mbedtls_ecdh_setup(). * \param buf The pointer to the ClientKeyExchange payload. This must * be a readable buffer of length \p blen Bytes. * \param blen The length of the input buffer \p buf in Bytes. * * \return \c 0 on success. * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. */ int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen ); /** * \brief This function derives and exports the shared secret. * * This is the last function used by both TLS client * and servers. * * \note If \p f_rng is not NULL, it is used to implement * countermeasures against side-channel attacks. * For more information, see mbedtls_ecp_mul(). * * \see ecp.h * \param ctx The ECDH context to use. This must be initialized * and have its own private key generated and the peer's * public key imported. * \param olen The address at which to store the total number of * Bytes written on success. This must not be \c NULL. * \param buf The buffer to write the generated shared key to. This * must be a writable buffer of size \p blen Bytes. * \param blen The length of the destination buffer \p buf in Bytes. * \param f_rng The RNG function, for blinding purposes. This may * b \c NULL if blinding isn't needed. * \param p_rng The RNG context. This may be \c NULL if \p f_rng * doesn't need a context argument. * * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. */ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); #if defined(MBEDTLS_ECP_RESTARTABLE) /** * \brief This function enables restartable EC computations for this * context. (Default: disabled.) * * \see \c mbedtls_ecp_set_max_ops() * * \note It is not possible to safely disable restartable * computations once enabled, except by free-ing the context, * which cancels possible in-progress operations. * * \param ctx The ECDH context to use. This must be initialized. */ void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx ); #endif /* MBEDTLS_ECP_RESTARTABLE */ #ifdef __cplusplus } #endif #endif /* ecdh.h */