1 | /**
|
---|
2 | * \file ecdsa.h
|
---|
3 | *
|
---|
4 | * \brief This file contains ECDSA definitions and functions.
|
---|
5 | *
|
---|
6 | * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
|
---|
7 | * <em>Standards for Efficient Cryptography Group (SECG):
|
---|
8 | * SEC1 Elliptic Curve Cryptography</em>.
|
---|
9 | * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
|
---|
10 | * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
|
---|
11 | *
|
---|
12 | */
|
---|
13 | /*
|
---|
14 | * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
---|
15 | * SPDX-License-Identifier: Apache-2.0
|
---|
16 | *
|
---|
17 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
18 | * not use this file except in compliance with the License.
|
---|
19 | * You may obtain a copy of the License at
|
---|
20 | *
|
---|
21 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
22 | *
|
---|
23 | * Unless required by applicable law or agreed to in writing, software
|
---|
24 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
25 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
26 | * See the License for the specific language governing permissions and
|
---|
27 | * limitations under the License.
|
---|
28 | *
|
---|
29 | * This file is part of Mbed TLS (https://tls.mbed.org)
|
---|
30 | */
|
---|
31 |
|
---|
32 | #ifndef MBEDTLS_ECDSA_H
|
---|
33 | #define MBEDTLS_ECDSA_H
|
---|
34 |
|
---|
35 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
36 | #include "config.h"
|
---|
37 | #else
|
---|
38 | #include MBEDTLS_CONFIG_FILE
|
---|
39 | #endif
|
---|
40 |
|
---|
41 | #include "ecp.h"
|
---|
42 | #include "md.h"
|
---|
43 |
|
---|
44 | /*
|
---|
45 | * RFC-4492 page 20:
|
---|
46 | *
|
---|
47 | * Ecdsa-Sig-Value ::= SEQUENCE {
|
---|
48 | * r INTEGER,
|
---|
49 | * s INTEGER
|
---|
50 | * }
|
---|
51 | *
|
---|
52 | * Size is at most
|
---|
53 | * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
|
---|
54 | * twice that + 1 (tag) + 2 (len) for the sequence
|
---|
55 | * (assuming ECP_MAX_BYTES is less than 126 for r and s,
|
---|
56 | * and less than 124 (total len <= 255) for the sequence)
|
---|
57 | */
|
---|
58 | #if MBEDTLS_ECP_MAX_BYTES > 124
|
---|
59 | #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
|
---|
60 | #endif
|
---|
61 | /** The maximal size of an ECDSA signature in Bytes. */
|
---|
62 | #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
|
---|
63 |
|
---|
64 | #ifdef __cplusplus
|
---|
65 | extern "C" {
|
---|
66 | #endif
|
---|
67 |
|
---|
68 | /**
|
---|
69 | * \brief The ECDSA context structure.
|
---|
70 | *
|
---|
71 | * \warning Performing multiple operations concurrently on the same
|
---|
72 | * ECDSA context is not supported; objects of this type
|
---|
73 | * should not be shared between multiple threads.
|
---|
74 | */
|
---|
75 | typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
|
---|
76 |
|
---|
77 | #if defined(MBEDTLS_ECP_RESTARTABLE)
|
---|
78 |
|
---|
79 | /**
|
---|
80 | * \brief Internal restart context for ecdsa_verify()
|
---|
81 | *
|
---|
82 | * \note Opaque struct, defined in ecdsa.c
|
---|
83 | */
|
---|
84 | typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
|
---|
85 |
|
---|
86 | /**
|
---|
87 | * \brief Internal restart context for ecdsa_sign()
|
---|
88 | *
|
---|
89 | * \note Opaque struct, defined in ecdsa.c
|
---|
90 | */
|
---|
91 | typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
|
---|
92 |
|
---|
93 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
94 | /**
|
---|
95 | * \brief Internal restart context for ecdsa_sign_det()
|
---|
96 | *
|
---|
97 | * \note Opaque struct, defined in ecdsa.c
|
---|
98 | */
|
---|
99 | typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
|
---|
100 | #endif
|
---|
101 |
|
---|
102 | /**
|
---|
103 | * \brief General context for resuming ECDSA operations
|
---|
104 | */
|
---|
105 | typedef struct
|
---|
106 | {
|
---|
107 | mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and
|
---|
108 | shared administrative info */
|
---|
109 | mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */
|
---|
110 | mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */
|
---|
111 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
112 | mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */
|
---|
113 | #endif
|
---|
114 | } mbedtls_ecdsa_restart_ctx;
|
---|
115 |
|
---|
116 | #else /* MBEDTLS_ECP_RESTARTABLE */
|
---|
117 |
|
---|
118 | /* Now we can declare functions that take a pointer to that */
|
---|
119 | typedef void mbedtls_ecdsa_restart_ctx;
|
---|
120 |
|
---|
121 | #endif /* MBEDTLS_ECP_RESTARTABLE */
|
---|
122 |
|
---|
123 | /**
|
---|
124 | * \brief This function computes the ECDSA signature of a
|
---|
125 | * previously-hashed message.
|
---|
126 | *
|
---|
127 | * \note The deterministic version implemented in
|
---|
128 | * mbedtls_ecdsa_sign_det() is usually preferred.
|
---|
129 | *
|
---|
130 | * \note If the bitlength of the message hash is larger than the
|
---|
131 | * bitlength of the group order, then the hash is truncated
|
---|
132 | * as defined in <em>Standards for Efficient Cryptography Group
|
---|
133 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
134 | * 4.1.3, step 5.
|
---|
135 | *
|
---|
136 | * \see ecp.h
|
---|
137 | *
|
---|
138 | * \param grp The context for the elliptic curve to use.
|
---|
139 | * This must be initialized and have group parameters
|
---|
140 | * set, for example through mbedtls_ecp_group_load().
|
---|
141 | * \param r The MPI context in which to store the first part
|
---|
142 | * the signature. This must be initialized.
|
---|
143 | * \param s The MPI context in which to store the second part
|
---|
144 | * the signature. This must be initialized.
|
---|
145 | * \param d The private signing key. This must be initialized.
|
---|
146 | * \param buf The content to be signed. This is usually the hash of
|
---|
147 | * the original data to be signed. This must be a readable
|
---|
148 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
149 | * \p blen is zero.
|
---|
150 | * \param blen The length of \p buf in Bytes.
|
---|
151 | * \param f_rng The RNG function. This must not be \c NULL.
|
---|
152 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
153 | * \c NULL if \p f_rng doesn't need a context parameter.
|
---|
154 | *
|
---|
155 | * \return \c 0 on success.
|
---|
156 | * \return An \c MBEDTLS_ERR_ECP_XXX
|
---|
157 | * or \c MBEDTLS_MPI_XXX error code on failure.
|
---|
158 | */
|
---|
159 | int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
|
---|
160 | const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
---|
161 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
|
---|
162 |
|
---|
163 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
164 | /**
|
---|
165 | * \brief This function computes the ECDSA signature of a
|
---|
166 | * previously-hashed message, deterministic version.
|
---|
167 | *
|
---|
168 | * For more information, see <em>RFC-6979: Deterministic
|
---|
169 | * Usage of the Digital Signature Algorithm (DSA) and Elliptic
|
---|
170 | * Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
171 | *
|
---|
172 | * \note If the bitlength of the message hash is larger than the
|
---|
173 | * bitlength of the group order, then the hash is truncated as
|
---|
174 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
175 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
176 | * 4.1.3, step 5.
|
---|
177 | *
|
---|
178 | * \see ecp.h
|
---|
179 | *
|
---|
180 | * \param grp The context for the elliptic curve to use.
|
---|
181 | * This must be initialized and have group parameters
|
---|
182 | * set, for example through mbedtls_ecp_group_load().
|
---|
183 | * \param r The MPI context in which to store the first part
|
---|
184 | * the signature. This must be initialized.
|
---|
185 | * \param s The MPI context in which to store the second part
|
---|
186 | * the signature. This must be initialized.
|
---|
187 | * \param d The private signing key. This must be initialized
|
---|
188 | * and setup, for example through mbedtls_ecp_gen_privkey().
|
---|
189 | * \param buf The hashed content to be signed. This must be a readable
|
---|
190 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
191 | * \p blen is zero.
|
---|
192 | * \param blen The length of \p buf in Bytes.
|
---|
193 | * \param md_alg The hash algorithm used to hash the original data.
|
---|
194 | *
|
---|
195 | * \return \c 0 on success.
|
---|
196 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
|
---|
197 | * error code on failure.
|
---|
198 | */
|
---|
199 | int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
|
---|
200 | mbedtls_mpi *s, const mbedtls_mpi *d,
|
---|
201 | const unsigned char *buf, size_t blen,
|
---|
202 | mbedtls_md_type_t md_alg );
|
---|
203 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
---|
204 |
|
---|
205 | /**
|
---|
206 | * \brief This function verifies the ECDSA signature of a
|
---|
207 | * previously-hashed message.
|
---|
208 | *
|
---|
209 | * \note If the bitlength of the message hash is larger than the
|
---|
210 | * bitlength of the group order, then the hash is truncated as
|
---|
211 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
212 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
213 | * 4.1.4, step 3.
|
---|
214 | *
|
---|
215 | * \see ecp.h
|
---|
216 | *
|
---|
217 | * \param grp The ECP group to use.
|
---|
218 | * This must be initialized and have group parameters
|
---|
219 | * set, for example through mbedtls_ecp_group_load().
|
---|
220 | * \param buf The hashed content that was signed. This must be a readable
|
---|
221 | * buffer of length \p blen Bytes. It may be \c NULL if
|
---|
222 | * \p blen is zero.
|
---|
223 | * \param blen The length of \p buf in Bytes.
|
---|
224 | * \param Q The public key to use for verification. This must be
|
---|
225 | * initialized and setup.
|
---|
226 | * \param r The first integer of the signature.
|
---|
227 | * This must be initialized.
|
---|
228 | * \param s The second integer of the signature.
|
---|
229 | * This must be initialized.
|
---|
230 | *
|
---|
231 | * \return \c 0 on success.
|
---|
232 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
|
---|
233 | * is invalid.
|
---|
234 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
|
---|
235 | * error code on failure for any other reason.
|
---|
236 | */
|
---|
237 | int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
|
---|
238 | const unsigned char *buf, size_t blen,
|
---|
239 | const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
|
---|
240 | const mbedtls_mpi *s);
|
---|
241 |
|
---|
242 | /**
|
---|
243 | * \brief This function computes the ECDSA signature and writes it
|
---|
244 | * to a buffer, serialized as defined in <em>RFC-4492:
|
---|
245 | * Elliptic Curve Cryptography (ECC) Cipher Suites for
|
---|
246 | * Transport Layer Security (TLS)</em>.
|
---|
247 | *
|
---|
248 | * \warning It is not thread-safe to use the same context in
|
---|
249 | * multiple threads.
|
---|
250 | *
|
---|
251 | * \note The deterministic version is used if
|
---|
252 | * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
|
---|
253 | * information, see <em>RFC-6979: Deterministic Usage
|
---|
254 | * of the Digital Signature Algorithm (DSA) and Elliptic
|
---|
255 | * Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
256 | *
|
---|
257 | * \note If the bitlength of the message hash is larger than the
|
---|
258 | * bitlength of the group order, then the hash is truncated as
|
---|
259 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
260 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
261 | * 4.1.3, step 5.
|
---|
262 | *
|
---|
263 | * \see ecp.h
|
---|
264 | *
|
---|
265 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
266 | * and have a group and private key bound to it, for example
|
---|
267 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
268 | * \param md_alg The message digest that was used to hash the message.
|
---|
269 | * \param hash The message hash to be signed. This must be a readable
|
---|
270 | * buffer of length \p blen Bytes.
|
---|
271 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
272 | * \param sig The buffer to which to write the signature. This must be a
|
---|
273 | * writable buffer of length at least twice as large as the
|
---|
274 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
275 | * a 256-bit curve is used. A buffer length of
|
---|
276 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
277 | * \param slen The address at which to store the actual length of
|
---|
278 | * the signature written. Must not be \c NULL.
|
---|
279 | * \param f_rng The RNG function. This must not be \c NULL if
|
---|
280 | * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
|
---|
281 | * it is unused and may be set to \c NULL.
|
---|
282 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
283 | * \c NULL if \p f_rng is \c NULL or doesn't use a context.
|
---|
284 | *
|
---|
285 | * \return \c 0 on success.
|
---|
286 | * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
287 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
288 | */
|
---|
289 | int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
|
---|
290 | mbedtls_md_type_t md_alg,
|
---|
291 | const unsigned char *hash, size_t hlen,
|
---|
292 | unsigned char *sig, size_t *slen,
|
---|
293 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
294 | void *p_rng );
|
---|
295 |
|
---|
296 | /**
|
---|
297 | * \brief This function computes the ECDSA signature and writes it
|
---|
298 | * to a buffer, in a restartable way.
|
---|
299 | *
|
---|
300 | * \see \c mbedtls_ecdsa_write_signature()
|
---|
301 | *
|
---|
302 | * \note This function is like \c mbedtls_ecdsa_write_signature()
|
---|
303 | * but it can return early and restart according to the limit
|
---|
304 | * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
---|
305 | *
|
---|
306 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
307 | * and have a group and private key bound to it, for example
|
---|
308 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
309 | * \param md_alg The message digest that was used to hash the message.
|
---|
310 | * \param hash The message hash to be signed. This must be a readable
|
---|
311 | * buffer of length \p blen Bytes.
|
---|
312 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
313 | * \param sig The buffer to which to write the signature. This must be a
|
---|
314 | * writable buffer of length at least twice as large as the
|
---|
315 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
316 | * a 256-bit curve is used. A buffer length of
|
---|
317 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
318 | * \param slen The address at which to store the actual length of
|
---|
319 | * the signature written. Must not be \c NULL.
|
---|
320 | * \param f_rng The RNG function. This must not be \c NULL if
|
---|
321 | * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
|
---|
322 | * it is unused and may be set to \c NULL.
|
---|
323 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
324 | * \c NULL if \p f_rng is \c NULL or doesn't use a context.
|
---|
325 | * \param rs_ctx The restart context to use. This may be \c NULL to disable
|
---|
326 | * restarting. If it is not \c NULL, it must point to an
|
---|
327 | * initialized restart context.
|
---|
328 | *
|
---|
329 | * \return \c 0 on success.
|
---|
330 | * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
---|
331 | * operations was reached: see \c mbedtls_ecp_set_max_ops().
|
---|
332 | * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
333 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
334 | */
|
---|
335 | int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
|
---|
336 | mbedtls_md_type_t md_alg,
|
---|
337 | const unsigned char *hash, size_t hlen,
|
---|
338 | unsigned char *sig, size_t *slen,
|
---|
339 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
340 | void *p_rng,
|
---|
341 | mbedtls_ecdsa_restart_ctx *rs_ctx );
|
---|
342 |
|
---|
343 | #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
---|
344 | #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
|
---|
345 | #if defined(MBEDTLS_DEPRECATED_WARNING)
|
---|
346 | #define MBEDTLS_DEPRECATED __attribute__((deprecated))
|
---|
347 | #else
|
---|
348 | #define MBEDTLS_DEPRECATED
|
---|
349 | #endif
|
---|
350 | /**
|
---|
351 | * \brief This function computes an ECDSA signature and writes
|
---|
352 | * it to a buffer, serialized as defined in <em>RFC-4492:
|
---|
353 | * Elliptic Curve Cryptography (ECC) Cipher Suites for
|
---|
354 | * Transport Layer Security (TLS)</em>.
|
---|
355 | *
|
---|
356 | * The deterministic version is defined in <em>RFC-6979:
|
---|
357 | * Deterministic Usage of the Digital Signature Algorithm (DSA)
|
---|
358 | * and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
|
---|
359 | *
|
---|
360 | * \warning It is not thread-safe to use the same context in
|
---|
361 | * multiple threads.
|
---|
362 | *
|
---|
363 | * \note If the bitlength of the message hash is larger than the
|
---|
364 | * bitlength of the group order, then the hash is truncated as
|
---|
365 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
366 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
367 | * 4.1.3, step 5.
|
---|
368 | *
|
---|
369 | * \see ecp.h
|
---|
370 | *
|
---|
371 | * \deprecated Superseded by mbedtls_ecdsa_write_signature() in
|
---|
372 | * Mbed TLS version 2.0 and later.
|
---|
373 | *
|
---|
374 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
375 | * and have a group and private key bound to it, for example
|
---|
376 | * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
|
---|
377 | * \param hash The message hash to be signed. This must be a readable
|
---|
378 | * buffer of length \p blen Bytes.
|
---|
379 | * \param hlen The length of the hash \p hash in Bytes.
|
---|
380 | * \param sig The buffer to which to write the signature. This must be a
|
---|
381 | * writable buffer of length at least twice as large as the
|
---|
382 | * size of the curve used, plus 9. For example, 73 Bytes if
|
---|
383 | * a 256-bit curve is used. A buffer length of
|
---|
384 | * #MBEDTLS_ECDSA_MAX_LEN is always safe.
|
---|
385 | * \param slen The address at which to store the actual length of
|
---|
386 | * the signature written. Must not be \c NULL.
|
---|
387 | * \param md_alg The message digest that was used to hash the message.
|
---|
388 | *
|
---|
389 | * \return \c 0 on success.
|
---|
390 | * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
|
---|
391 | * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
|
---|
392 | */
|
---|
393 | int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
|
---|
394 | const unsigned char *hash, size_t hlen,
|
---|
395 | unsigned char *sig, size_t *slen,
|
---|
396 | mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
|
---|
397 | #undef MBEDTLS_DEPRECATED
|
---|
398 | #endif /* MBEDTLS_DEPRECATED_REMOVED */
|
---|
399 | #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
---|
400 |
|
---|
401 | /**
|
---|
402 | * \brief This function reads and verifies an ECDSA signature.
|
---|
403 | *
|
---|
404 | * \note If the bitlength of the message hash is larger than the
|
---|
405 | * bitlength of the group order, then the hash is truncated as
|
---|
406 | * defined in <em>Standards for Efficient Cryptography Group
|
---|
407 | * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
|
---|
408 | * 4.1.4, step 3.
|
---|
409 | *
|
---|
410 | * \see ecp.h
|
---|
411 | *
|
---|
412 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
413 | * and have a group and public key bound to it.
|
---|
414 | * \param hash The message hash that was signed. This must be a readable
|
---|
415 | * buffer of length \p size Bytes.
|
---|
416 | * \param hlen The size of the hash \p hash.
|
---|
417 | * \param sig The signature to read and verify. This must be a readable
|
---|
418 | * buffer of length \p slen Bytes.
|
---|
419 | * \param slen The size of \p sig in Bytes.
|
---|
420 | *
|
---|
421 | * \return \c 0 on success.
|
---|
422 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
|
---|
423 | * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
|
---|
424 | * signature in \p sig, but its length is less than \p siglen.
|
---|
425 | * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
|
---|
426 | * error code on failure for any other reason.
|
---|
427 | */
|
---|
428 | int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
|
---|
429 | const unsigned char *hash, size_t hlen,
|
---|
430 | const unsigned char *sig, size_t slen );
|
---|
431 |
|
---|
432 | /**
|
---|
433 | * \brief This function reads and verifies an ECDSA signature,
|
---|
434 | * in a restartable way.
|
---|
435 | *
|
---|
436 | * \see \c mbedtls_ecdsa_read_signature()
|
---|
437 | *
|
---|
438 | * \note This function is like \c mbedtls_ecdsa_read_signature()
|
---|
439 | * but it can return early and restart according to the limit
|
---|
440 | * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
---|
441 | *
|
---|
442 | * \param ctx The ECDSA context to use. This must be initialized
|
---|
443 | * and have a group and public key bound to it.
|
---|
444 | * \param hash The message hash that was signed. This must be a readable
|
---|
445 | * buffer of length \p size Bytes.
|
---|
446 | * \param hlen The size of the hash \p hash.
|
---|
447 | * \param sig The signature to read and verify. This must be a readable
|
---|
448 | * buffer of length \p slen Bytes.
|
---|
449 | * \param slen The size of \p sig in Bytes.
|
---|
450 | * \param rs_ctx The restart context to use. This may be \c NULL to disable
|
---|
451 | * restarting. If it is not \c NULL, it must point to an
|
---|
452 | * initialized restart context.
|
---|
453 | *
|
---|
454 | * \return \c 0 on success.
|
---|
455 | * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
|
---|
456 | * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
|
---|
457 | * signature in \p sig, but its length is less than \p siglen.
|
---|
458 | * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
---|
459 | * operations was reached: see \c mbedtls_ecp_set_max_ops().
|
---|
460 | * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
|
---|
461 | * error code on failure for any other reason.
|
---|
462 | */
|
---|
463 | int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
|
---|
464 | const unsigned char *hash, size_t hlen,
|
---|
465 | const unsigned char *sig, size_t slen,
|
---|
466 | mbedtls_ecdsa_restart_ctx *rs_ctx );
|
---|
467 |
|
---|
468 | /**
|
---|
469 | * \brief This function generates an ECDSA keypair on the given curve.
|
---|
470 | *
|
---|
471 | * \see ecp.h
|
---|
472 | *
|
---|
473 | * \param ctx The ECDSA context to store the keypair in.
|
---|
474 | * This must be initialized.
|
---|
475 | * \param gid The elliptic curve to use. One of the various
|
---|
476 | * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
|
---|
477 | * \param f_rng The RNG function to use. This must not be \c NULL.
|
---|
478 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
479 | * \c NULL if \p f_rng doesn't need a context argument.
|
---|
480 | *
|
---|
481 | * \return \c 0 on success.
|
---|
482 | * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
|
---|
483 | */
|
---|
484 | int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
|
---|
485 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
|
---|
486 |
|
---|
487 | /**
|
---|
488 | * \brief This function sets up an ECDSA context from an EC key pair.
|
---|
489 | *
|
---|
490 | * \see ecp.h
|
---|
491 | *
|
---|
492 | * \param ctx The ECDSA context to setup. This must be initialized.
|
---|
493 | * \param key The EC key to use. This must be initialized and hold
|
---|
494 | * a private-public key pair or a public key. In the former
|
---|
495 | * case, the ECDSA context may be used for signature creation
|
---|
496 | * and verification after this call. In the latter case, it
|
---|
497 | * may be used for signature verification.
|
---|
498 | *
|
---|
499 | * \return \c 0 on success.
|
---|
500 | * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
|
---|
501 | */
|
---|
502 | int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
|
---|
503 | const mbedtls_ecp_keypair *key );
|
---|
504 |
|
---|
505 | /**
|
---|
506 | * \brief This function initializes an ECDSA context.
|
---|
507 | *
|
---|
508 | * \param ctx The ECDSA context to initialize.
|
---|
509 | * This must not be \c NULL.
|
---|
510 | */
|
---|
511 | void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
|
---|
512 |
|
---|
513 | /**
|
---|
514 | * \brief This function frees an ECDSA context.
|
---|
515 | *
|
---|
516 | * \param ctx The ECDSA context to free. This may be \c NULL,
|
---|
517 | * in which case this function does nothing. If it
|
---|
518 | * is not \c NULL, it must be initialized.
|
---|
519 | */
|
---|
520 | void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
|
---|
521 |
|
---|
522 | #if defined(MBEDTLS_ECP_RESTARTABLE)
|
---|
523 | /**
|
---|
524 | * \brief Initialize a restart context.
|
---|
525 | *
|
---|
526 | * \param ctx The restart context to initialize.
|
---|
527 | * This must not be \c NULL.
|
---|
528 | */
|
---|
529 | void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
|
---|
530 |
|
---|
531 | /**
|
---|
532 | * \brief Free the components of a restart context.
|
---|
533 | *
|
---|
534 | * \param ctx The restart context to free. This may be \c NULL,
|
---|
535 | * in which case this function does nothing. If it
|
---|
536 | * is not \c NULL, it must be initialized.
|
---|
537 | */
|
---|
538 | void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
|
---|
539 | #endif /* MBEDTLS_ECP_RESTARTABLE */
|
---|
540 |
|
---|
541 | #ifdef __cplusplus
|
---|
542 | }
|
---|
543 | #endif
|
---|
544 |
|
---|
545 | #endif /* ecdsa.h */
|
---|