[398] | 1 | /**
|
---|
| 2 | * \file ecdsa.h
|
---|
| 3 | *
|
---|
| 4 | * \brief This file contains ECDSA definitions and functions.
|
---|
| 5 | *
|
---|
| 6 | * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
|
---|
| 7 | * <em>Standards for Efficient Cryptography Group (SECG):
|
---|
| 8 | * SEC1 Elliptic Curve Cryptography</em>.
|
---|
| 9 | * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
|
---|
| 10 | * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
|
---|
| 11 | *
|
---|
| 12 | */
|
---|
| 13 | /*
|
---|
| 14 | * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
---|
| 15 | * SPDX-License-Identifier: Apache-2.0
|
---|
| 16 | *
|
---|
| 17 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
| 18 | * not use this file except in compliance with the License.
|
---|
| 19 | * You may obtain a copy of the License at
|
---|
| 20 | *
|
---|
| 21 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
| 22 | *
|
---|
| 23 | * Unless required by applicable law or agreed to in writing, software
|
---|
| 24 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
| 25 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
| 26 | * See the License for the specific language governing permissions and
|
---|
| 27 | * limitations under the License.
|
---|
| 28 | *
|
---|
| 29 | * This file is part of Mbed TLS (https://tls.mbed.org)
|
---|
| 30 | */
|
---|
| 31 |
|
---|
| 32 | #ifndef MBEDTLS_ECDSA_H
|
---|
| 33 | #define MBEDTLS_ECDSA_H
|
---|
| 34 |
|
---|
| 35 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
| 36 | #include "config.h"
|
---|
| 37 | #else
|
---|
| 38 | #include MBEDTLS_CONFIG_FILE
|
---|
| 39 | #endif
|
---|
| 40 |
|
---|
| 41 | #include "ecp.h"
|
---|
| 42 | #include "md.h"
|
---|
| 43 |
|
---|
| 44 | /*
|
---|
| 45 | * RFC-4492 page 20:
|
---|
| 46 | *
|
---|
| 47 | * Ecdsa-Sig-Value ::= SEQUENCE {
|
---|
| 48 | * r INTEGER,
|
---|
| 49 | * s INTEGER
|
---|
| 50 | * }
|
---|
| 51 | *
|
---|
| 52 | * Size is at most
|
---|
| 53 | * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
|
---|
| 54 | * twice that + 1 (tag) + 2 (len) for the sequence
|
---|
| 55 | * (assuming ECP_MAX_BYTES is less than 126 for r and s,
|
---|
| 56 | * and less than 124 (total len <= 255) for the sequence)
|
---|
| 57 | */
|
---|
| 58 | #if MBEDTLS_ECP_MAX_BYTES > 124
|
---|
| 59 | #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
|
---|
| 60 | #endif
|
---|
| 61 | /** The maximal size of an ECDSA signature in Bytes. */
|
---|
| 62 | #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
|
---|
| 63 |
|
---|
| 64 | #ifdef __cplusplus
|
---|
| 65 | extern "C" {
|
---|
| 66 | #endif
|
---|
| 67 |
|
---|
| 68 | /**
|
---|
| 69 | * \brief The ECDSA context structure.
|
---|
| 70 | *
|
---|
| 71 | * \warning Performing multiple operations concurrently on the same
|
---|
| 72 | * ECDSA context is not supported; objects of this type
|
---|
| 73 | * should not be shared between multiple threads.
|
---|
| 74 | */
|
---|
| 75 | typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
|
---|
| 76 |
|
---|
| 77 | #if defined(MBEDTLS_ECP_RESTARTABLE)
|
---|
| 78 |
|
---|
| 79 | /**
|
---|
| 80 | * \brief Internal restart context for ecdsa_verify()
|
---|
| 81 | *
|
---|
| 82 | * \note Opaque struct, defined in ecdsa.c
|
---|
| 83 | */
|
---|
| 84 | typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
|
---|
| 85 |
|
---|
| 86 | /**
|
---|
| 87 | * \brief Internal restart context for ecdsa_sign()
|
---|
| 88 | *
|
---|
| 89 | * \note Opaque struct, defined in ecdsa.c
|
---|
| 90 | */
|
---|
| 91 | typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
|
---|
| 92 |
|
---|
| 93 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
| 94 | /**
|
---|
| 95 | * \brief Internal restart context for ecdsa_sign_det()
|
---|
| 96 | *
|
---|
| 97 | * \note Opaque struct, defined in ecdsa.c
|
---|
| 98 | */
|
---|
| 99 | typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
|
---|
| 100 | #endif
|
---|
| 101 |
|
---|
| 102 | /**
|
---|
| 103 | * \brief General context for resuming ECDSA operations
|
---|
| 104 | */
|
---|
| 105 | typedef struct
|
---|
| 106 | {
|
---|
| 107 | mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and
|
---|
| 108 | shared administrative info */
|
---|
| 109 | mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */
|
---|
| 110 | mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */
|
---|
| 111 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
| 112 | mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */
|
---|
| 113 | #endif
|
---|
| 114 | } mbedtls_ecdsa_restart_ctx;
|
---|
| 115 |
|
---|
| 116 | #else /* MBEDTLS_ECP_RESTARTABLE */
|
---|
| 117 |
|
---|
| 118 | /* Now we can declare functions that take a pointer to that */
|
---|
| 119 | typedef void mbedtls_ecdsa_restart_ctx;
|
---|
| 120 |
|
---|
| 121 | #endif /* MBEDTLS_ECP_RESTARTABLE */
|
---|
| 122 |
|
---|
| 123 | /**
|
---|
| 124 | * \brief This function computes the ECDSA signature of a
|
---|
| 125 | * previously-hashed message.
|
---|
| 126 | *
|
---|
| 127 | * \note The deterministic version implemented in
|
---|
| 128 | * mbedtls_ecdsa_sign_det() is usually preferred.
|
---|
| 129 | *
|
---|
| 130 | * \note If the bitlength of the message hash is larger than the
|
---|
| 131 | * bitlength of the group order, then the hash is truncated
|
---|
| 132 | * as defined in <em>Standards for Efficient Cryptography Group
|
---|
| 133 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 134 | * 4.1.3, step 5.
|
---|
| 135 | *
|
---|
| 136 | * \see ecp.h
|
---|
| 137 | *
|
---|
| 138 | * \param grp The context for the elliptic curve to use.
|
---|
| 139 | * This must be initialized and have group parameters
|
---|
| 140 | * set, for example through mbedtls_ecp_group_load().
|
---|
| 141 | * \param r The MPI context in which to store the first part
|
---|
| 142 | * the signature. This must be initialized.
|
---|
| 143 | * \param s The MPI context in which to store the second part
|
---|
| 144 | * the signature. This must be initialized.
|
---|
| 145 | * \param d The private signing key. This must be initialized.
|
---|
| 146 | * \param buf The content to be signed. This is usually the hash of
|
---|
| 147 | * the original data to be signed. This must be a readable
|
---|
| 148 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
| 149 | * \p blen is zero.
|
---|
| 150 | * \param blen The length of \p buf in Bytes.
|
---|
| 151 | * \param f_rng The RNG function. This must not be \c NULL.
|
---|
| 152 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
| 153 | * \c NULL if \p f_rng doesn't need a context parameter.
|
---|
| 154 | *
|
---|
| 155 | * \return \c 0 on success.
|
---|
| 156 | * \return An \c MBEDTLS_ERR_ECP_XXX
|
---|
| 157 | * or \c MBEDTLS_MPI_XXX error code on failure.
|
---|
| 158 | */
|
---|
| 159 | int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
|
---|
| 160 | const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
---|
| 161 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
|
---|
| 162 |
|
---|
| 163 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
| 164 | /**
|
---|
| 165 | * \brief This function computes the ECDSA signature of a
|
---|
| 166 | * previously-hashed message, deterministic version.
|
---|
| 167 | *
|
---|
| 168 | * For more information, see <em>RFC-6979: Deterministic
|
---|
| 169 | * Usage of the Digital Signature Algorithm (DSA) and Elliptic
|
---|
| 170 | * Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
| 171 | *
|
---|
| 172 | * \note If the bitlength of the message hash is larger than the
|
---|
| 173 | * bitlength of the group order, then the hash is truncated as
|
---|
| 174 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
| 175 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 176 | * 4.1.3, step 5.
|
---|
| 177 | *
|
---|
| 178 | * \see ecp.h
|
---|
| 179 | *
|
---|
| 180 | * \param grp The context for the elliptic curve to use.
|
---|
| 181 | * This must be initialized and have group parameters
|
---|
| 182 | * set, for example through mbedtls_ecp_group_load().
|
---|
| 183 | * \param r The MPI context in which to store the first part
|
---|
| 184 | * the signature. This must be initialized.
|
---|
| 185 | * \param s The MPI context in which to store the second part
|
---|
| 186 | * the signature. This must be initialized.
|
---|
| 187 | * \param d The private signing key. This must be initialized
|
---|
| 188 | * and setup, for example through mbedtls_ecp_gen_privkey().
|
---|
| 189 | * \param buf The hashed content to be signed. This must be a readable
|
---|
| 190 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
| 191 | * \p blen is zero.
|
---|
| 192 | * \param blen The length of \p buf in Bytes.
|
---|
| 193 | * \param md_alg The hash algorithm used to hash the original data.
|
---|
| 194 | *
|
---|
| 195 | * \return \c 0 on success.
|
---|
| 196 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
|
---|
| 197 | * error code on failure.
|
---|
| 198 | */
|
---|
| 199 | int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
|
---|
| 200 | mbedtls_mpi *s, const mbedtls_mpi *d,
|
---|
| 201 | const unsigned char *buf, size_t blen,
|
---|
| 202 | mbedtls_md_type_t md_alg );
|
---|
| 203 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
---|
| 204 |
|
---|
| 205 | /**
|
---|
| 206 | * \brief This function verifies the ECDSA signature of a
|
---|
| 207 | * previously-hashed message.
|
---|
| 208 | *
|
---|
| 209 | * \note If the bitlength of the message hash is larger than the
|
---|
| 210 | * bitlength of the group order, then the hash is truncated as
|
---|
| 211 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
| 212 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 213 | * 4.1.4, step 3.
|
---|
| 214 | *
|
---|
| 215 | * \see ecp.h
|
---|
| 216 | *
|
---|
| 217 | * \param grp The ECP group to use.
|
---|
| 218 | * This must be initialized and have group parameters
|
---|
| 219 | * set, for example through mbedtls_ecp_group_load().
|
---|
| 220 | * \param buf The hashed content that was signed. This must be a readable
|
---|
| 221 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
| 222 | * \p blen is zero.
|
---|
| 223 | * \param blen The length of \p buf in Bytes.
|
---|
| 224 | * \param Q The public key to use for verification. This must be
|
---|
| 225 | * initialized and setup.
|
---|
| 226 | * \param r The first integer of the signature.
|
---|
| 227 | * This must be initialized.
|
---|
| 228 | * \param s The second integer of the signature.
|
---|
| 229 | * This must be initialized.
|
---|
| 230 | *
|
---|
| 231 | * \return \c 0 on success.
|
---|
| 232 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
|
---|
| 233 | * is invalid.
|
---|
| 234 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
|
---|
| 235 | * error code on failure for any other reason.
|
---|
| 236 | */
|
---|
| 237 | int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
|
---|
| 238 | const unsigned char *buf, size_t blen,
|
---|
| 239 | const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
|
---|
| 240 | const mbedtls_mpi *s);
|
---|
| 241 |
|
---|
| 242 | /**
|
---|
| 243 | * \brief This function computes the ECDSA signature and writes it
|
---|
| 244 | * to a buffer, serialized as defined in <em>RFC-4492:
|
---|
| 245 | * Elliptic Curve Cryptography (ECC) Cipher Suites for
|
---|
| 246 | * Transport Layer Security (TLS)</em>.
|
---|
| 247 | *
|
---|
| 248 | * \warning It is not thread-safe to use the same context in
|
---|
| 249 | * multiple threads.
|
---|
| 250 | *
|
---|
| 251 | * \note The deterministic version is used if
|
---|
| 252 | * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
|
---|
| 253 | * information, see <em>RFC-6979: Deterministic Usage
|
---|
| 254 | * of the Digital Signature Algorithm (DSA) and Elliptic
|
---|
| 255 | * Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
| 256 | *
|
---|
| 257 | * \note If the bitlength of the message hash is larger than the
|
---|
| 258 | * bitlength of the group order, then the hash is truncated as
|
---|
| 259 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
| 260 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 261 | * 4.1.3, step 5.
|
---|
| 262 | *
|
---|
| 263 | * \see ecp.h
|
---|
| 264 | *
|
---|
| 265 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
| 266 | * and have a group and private key bound to it, for example
|
---|
| 267 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
| 268 | * \param md_alg The message digest that was used to hash the message.
|
---|
| 269 | * \param hash The message hash to be signed. This must be a readable
|
---|
| 270 | * buffer of length \p blen Bytes.
|
---|
| 271 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
| 272 | * \param sig The buffer to which to write the signature. This must be a
|
---|
| 273 | * writable buffer of length at least twice as large as the
|
---|
| 274 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
| 275 | * a 256-bit curve is used. A buffer length of
|
---|
| 276 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
| 277 | * \param slen The address at which to store the actual length of
|
---|
| 278 | * the signature written. Must not be \c NULL.
|
---|
| 279 | * \param f_rng The RNG function. This must not be \c NULL if
|
---|
| 280 | * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
|
---|
| 281 | * it is unused and may be set to \c NULL.
|
---|
| 282 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
| 283 | * \c NULL if \p f_rng is \c NULL or doesn't use a context.
|
---|
| 284 | *
|
---|
| 285 | * \return \c 0 on success.
|
---|
| 286 | * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
| 287 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
| 288 | */
|
---|
| 289 | int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
|
---|
| 290 | mbedtls_md_type_t md_alg,
|
---|
| 291 | const unsigned char *hash, size_t hlen,
|
---|
| 292 | unsigned char *sig, size_t *slen,
|
---|
| 293 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
| 294 | void *p_rng );
|
---|
| 295 |
|
---|
| 296 | /**
|
---|
| 297 | * \brief This function computes the ECDSA signature and writes it
|
---|
| 298 | * to a buffer, in a restartable way.
|
---|
| 299 | *
|
---|
| 300 | * \see \c mbedtls_ecdsa_write_signature()
|
---|
| 301 | *
|
---|
| 302 | * \note This function is like \c mbedtls_ecdsa_write_signature()
|
---|
| 303 | * but it can return early and restart according to the limit
|
---|
| 304 | * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
---|
| 305 | *
|
---|
| 306 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
| 307 | * and have a group and private key bound to it, for example
|
---|
| 308 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
| 309 | * \param md_alg The message digest that was used to hash the message.
|
---|
| 310 | * \param hash The message hash to be signed. This must be a readable
|
---|
| 311 | * buffer of length \p blen Bytes.
|
---|
| 312 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
| 313 | * \param sig The buffer to which to write the signature. This must be a
|
---|
| 314 | * writable buffer of length at least twice as large as the
|
---|
| 315 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
| 316 | * a 256-bit curve is used. A buffer length of
|
---|
| 317 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
| 318 | * \param slen The address at which to store the actual length of
|
---|
| 319 | * the signature written. Must not be \c NULL.
|
---|
| 320 | * \param f_rng The RNG function. This must not be \c NULL if
|
---|
| 321 | * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
|
---|
| 322 | * it is unused and may be set to \c NULL.
|
---|
| 323 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
| 324 | * \c NULL if \p f_rng is \c NULL or doesn't use a context.
|
---|
| 325 | * \param rs_ctx The restart context to use. This may be \c NULL to disable
|
---|
| 326 | * restarting. If it is not \c NULL, it must point to an
|
---|
| 327 | * initialized restart context.
|
---|
| 328 | *
|
---|
| 329 | * \return \c 0 on success.
|
---|
| 330 | * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
---|
| 331 | * operations was reached: see \c mbedtls_ecp_set_max_ops().
|
---|
| 332 | * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
| 333 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
| 334 | */
|
---|
| 335 | int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
|
---|
| 336 | mbedtls_md_type_t md_alg,
|
---|
| 337 | const unsigned char *hash, size_t hlen,
|
---|
| 338 | unsigned char *sig, size_t *slen,
|
---|
| 339 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
| 340 | void *p_rng,
|
---|
| 341 | mbedtls_ecdsa_restart_ctx *rs_ctx );
|
---|
| 342 |
|
---|
| 343 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
| 344 | #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
|
---|
| 345 | #if defined(MBEDTLS_DEPRECATED_WARNING)
|
---|
| 346 | #define MBEDTLS_DEPRECATED __attribute__((deprecated))
|
---|
| 347 | #else
|
---|
| 348 | #define MBEDTLS_DEPRECATED
|
---|
| 349 | #endif
|
---|
| 350 | /**
|
---|
| 351 | * \brief This function computes an ECDSA signature and writes
|
---|
| 352 | * it to a buffer, serialized as defined in <em>RFC-4492:
|
---|
| 353 | * Elliptic Curve Cryptography (ECC) Cipher Suites for
|
---|
| 354 | * Transport Layer Security (TLS)</em>.
|
---|
| 355 | *
|
---|
| 356 | * The deterministic version is defined in <em>RFC-6979:
|
---|
| 357 | * Deterministic Usage of the Digital Signature Algorithm (DSA)
|
---|
| 358 | * and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
| 359 | *
|
---|
| 360 | * \warning It is not thread-safe to use the same context in
|
---|
| 361 | * multiple threads.
|
---|
| 362 | *
|
---|
| 363 | * \note If the bitlength of the message hash is larger than the
|
---|
| 364 | * bitlength of the group order, then the hash is truncated as
|
---|
| 365 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
| 366 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 367 | * 4.1.3, step 5.
|
---|
| 368 | *
|
---|
| 369 | * \see ecp.h
|
---|
| 370 | *
|
---|
| 371 | * \deprecated Superseded by mbedtls_ecdsa_write_signature() in
|
---|
| 372 | * Mbed TLS version 2.0 and later.
|
---|
| 373 | *
|
---|
| 374 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
| 375 | * and have a group and private key bound to it, for example
|
---|
| 376 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
| 377 | * \param hash The message hash to be signed. This must be a readable
|
---|
| 378 | * buffer of length \p blen Bytes.
|
---|
| 379 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
| 380 | * \param sig The buffer to which to write the signature. This must be a
|
---|
| 381 | * writable buffer of length at least twice as large as the
|
---|
| 382 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
| 383 | * a 256-bit curve is used. A buffer length of
|
---|
| 384 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
| 385 | * \param slen The address at which to store the actual length of
|
---|
| 386 | * the signature written. Must not be \c NULL.
|
---|
| 387 | * \param md_alg The message digest that was used to hash the message.
|
---|
| 388 | *
|
---|
| 389 | * \return \c 0 on success.
|
---|
| 390 | * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
| 391 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
| 392 | */
|
---|
| 393 | int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
|
---|
| 394 | const unsigned char *hash, size_t hlen,
|
---|
| 395 | unsigned char *sig, size_t *slen,
|
---|
| 396 | mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
|
---|
| 397 | #undef MBEDTLS_DEPRECATED
|
---|
| 398 | #endif /* MBEDTLS_DEPRECATED_REMOVED */
|
---|
| 399 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
---|
| 400 |
|
---|
| 401 | /**
|
---|
| 402 | * \brief This function reads and verifies an ECDSA signature.
|
---|
| 403 | *
|
---|
| 404 | * \note If the bitlength of the message hash is larger than the
|
---|
| 405 | * bitlength of the group order, then the hash is truncated as
|
---|
| 406 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
| 407 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
| 408 | * 4.1.4, step 3.
|
---|
| 409 | *
|
---|
| 410 | * \see ecp.h
|
---|
| 411 | *
|
---|
| 412 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
| 413 | * and have a group and public key bound to it.
|
---|
| 414 | * \param hash The message hash that was signed. This must be a readable
|
---|
| 415 | * buffer of length \p size Bytes.
|
---|
| 416 | * \param hlen The size of the hash \p hash.
|
---|
| 417 | * \param sig The signature to read and verify. This must be a readable
|
---|
| 418 | * buffer of length \p slen Bytes.
|
---|
| 419 | * \param slen The size of \p sig in Bytes.
|
---|
| 420 | *
|
---|
| 421 | * \return \c 0 on success.
|
---|
| 422 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
|
---|
| 423 | * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
|
---|
| 424 | * signature in \p sig, but its length is less than \p siglen.
|
---|
| 425 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
|
---|
| 426 | * error code on failure for any other reason.
|
---|
| 427 | */
|
---|
| 428 | int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
|
---|
| 429 | const unsigned char *hash, size_t hlen,
|
---|
| 430 | const unsigned char *sig, size_t slen );
|
---|
| 431 |
|
---|
| 432 | /**
|
---|
| 433 | * \brief This function reads and verifies an ECDSA signature,
|
---|
| 434 | * in a restartable way.
|
---|
| 435 | *
|
---|
| 436 | * \see \c mbedtls_ecdsa_read_signature()
|
---|
| 437 | *
|
---|
| 438 | * \note This function is like \c mbedtls_ecdsa_read_signature()
|
---|
| 439 | * but it can return early and restart according to the limit
|
---|
| 440 | * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
---|
| 441 | *
|
---|
| 442 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
| 443 | * and have a group and public key bound to it.
|
---|
| 444 | * \param hash The message hash that was signed. This must be a readable
|
---|
| 445 | * buffer of length \p size Bytes.
|
---|
| 446 | * \param hlen The size of the hash \p hash.
|
---|
| 447 | * \param sig The signature to read and verify. This must be a readable
|
---|
| 448 | * buffer of length \p slen Bytes.
|
---|
| 449 | * \param slen The size of \p sig in Bytes.
|
---|
| 450 | * \param rs_ctx The restart context to use. This may be \c NULL to disable
|
---|
| 451 | * restarting. If it is not \c NULL, it must point to an
|
---|
| 452 | * initialized restart context.
|
---|
| 453 | *
|
---|
| 454 | * \return \c 0 on success.
|
---|
| 455 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
|
---|
| 456 | * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
|
---|
| 457 | * signature in \p sig, but its length is less than \p siglen.
|
---|
| 458 | * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
---|
| 459 | * operations was reached: see \c mbedtls_ecp_set_max_ops().
|
---|
| 460 | * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
|
---|
| 461 | * error code on failure for any other reason.
|
---|
| 462 | */
|
---|
| 463 | int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
|
---|
| 464 | const unsigned char *hash, size_t hlen,
|
---|
| 465 | const unsigned char *sig, size_t slen,
|
---|
| 466 | mbedtls_ecdsa_restart_ctx *rs_ctx );
|
---|
| 467 |
|
---|
| 468 | /**
|
---|
| 469 | * \brief This function generates an ECDSA keypair on the given curve.
|
---|
| 470 | *
|
---|
| 471 | * \see ecp.h
|
---|
| 472 | *
|
---|
| 473 | * \param ctx The ECDSA context to store the keypair in.
|
---|
| 474 | * This must be initialized.
|
---|
| 475 | * \param gid The elliptic curve to use. One of the various
|
---|
| 476 | * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
|
---|
| 477 | * \param f_rng The RNG function to use. This must not be \c NULL.
|
---|
| 478 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
| 479 | * \c NULL if \p f_rng doesn't need a context argument.
|
---|
| 480 | *
|
---|
| 481 | * \return \c 0 on success.
|
---|
| 482 | * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
|
---|
| 483 | */
|
---|
| 484 | int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
|
---|
| 485 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
|
---|
| 486 |
|
---|
| 487 | /**
|
---|
| 488 | * \brief This function sets up an ECDSA context from an EC key pair.
|
---|
| 489 | *
|
---|
| 490 | * \see ecp.h
|
---|
| 491 | *
|
---|
| 492 | * \param ctx The ECDSA context to setup. This must be initialized.
|
---|
| 493 | * \param key The EC key to use. This must be initialized and hold
|
---|
| 494 | * a private-public key pair or a public key. In the former
|
---|
| 495 | * case, the ECDSA context may be used for signature creation
|
---|
| 496 | * and verification after this call. In the latter case, it
|
---|
| 497 | * may be used for signature verification.
|
---|
| 498 | *
|
---|
| 499 | * \return \c 0 on success.
|
---|
| 500 | * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
|
---|
| 501 | */
|
---|
| 502 | int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
|
---|
| 503 | const mbedtls_ecp_keypair *key );
|
---|
| 504 |
|
---|
| 505 | /**
|
---|
| 506 | * \brief This function initializes an ECDSA context.
|
---|
| 507 | *
|
---|
| 508 | * \param ctx The ECDSA context to initialize.
|
---|
| 509 | * This must not be \c NULL.
|
---|
| 510 | */
|
---|
| 511 | void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
|
---|
| 512 |
|
---|
| 513 | /**
|
---|
| 514 | * \brief This function frees an ECDSA context.
|
---|
| 515 | *
|
---|
| 516 | * \param ctx The ECDSA context to free. This may be \c NULL,
|
---|
| 517 | * in which case this function does nothing. If it
|
---|
| 518 | * is not \c NULL, it must be initialized.
|
---|
| 519 | */
|
---|
| 520 | void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
|
---|
| 521 |
|
---|
| 522 | #if defined(MBEDTLS_ECP_RESTARTABLE)
|
---|
| 523 | /**
|
---|
| 524 | * \brief Initialize a restart context.
|
---|
| 525 | *
|
---|
| 526 | * \param ctx The restart context to initialize.
|
---|
| 527 | * This must not be \c NULL.
|
---|
| 528 | */
|
---|
| 529 | void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
|
---|
| 530 |
|
---|
| 531 | /**
|
---|
| 532 | * \brief Free the components of a restart context.
|
---|
| 533 | *
|
---|
| 534 | * \param ctx The restart context to free. This may be \c NULL,
|
---|
| 535 | * in which case this function does nothing. If it
|
---|
| 536 | * is not \c NULL, it must be initialized.
|
---|
| 537 | */
|
---|
| 538 | void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
|
---|
| 539 | #endif /* MBEDTLS_ECP_RESTARTABLE */
|
---|
| 540 |
|
---|
| 541 | #ifdef __cplusplus
|
---|
| 542 | }
|
---|
| 543 | #endif
|
---|
| 544 |
|
---|
| 545 | #endif /* ecdsa.h */
|
---|