/* * Copyright (c) 2016 Thomas Pornin * * Permission is hereby granted, free of charge, to any person obtaining * a copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #ifndef BR_BEARSSL_EC_H__ #define BR_BEARSSL_EC_H__ #include #include #include "bearssl_rand.h" #ifdef __cplusplus extern "C" { #endif /** \file bearssl_ec.h * * # Elliptic Curves * * This file documents the EC implementations provided with BearSSL, and * ECDSA. * * ## Elliptic Curve API * * Only "named curves" are supported. Each EC implementation supports * one or several named curves, identified by symbolic identifiers. * These identifiers are small integers, that correspond to the values * registered by the * [IANA](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). * * Since all currently defined elliptic curve identifiers are in the 0..31 * range, it is convenient to encode support of some curves in a 32-bit * word, such that bit x corresponds to curve of identifier x. * * An EC implementation is incarnated by a `br_ec_impl` instance, that * offers the following fields: * * - `supported_curves` * * A 32-bit word that documents the identifiers of the curves supported * by this implementation. * * - `generator()` * * Callback method that returns a pointer to the conventional generator * point for that curve. * * - `order()` * * Callback method that returns a pointer to the subgroup order for * that curve. That value uses unsigned big-endian encoding. * * - `xoff()` * * Callback method that returns the offset and length of the X * coordinate in an encoded point. * * - `mul()` * * Multiply a curve point with an integer. * * - `mulgen()` * * Multiply the curve generator with an integer. This may be faster * than the generic `mul()`. * * - `muladd()` * * Multiply two curve points by two integers, and return the sum of * the two products. * * All curve points are represented in uncompressed format. The `mul()` * and `muladd()` methods take care to validate that the provided points * are really part of the relevant curve subgroup. * * For all point multiplication functions, the following holds: * * - Functions validate that the provided points are valid members * of the relevant curve subgroup. An error is reported if that is * not the case. * * - Processing is constant-time, even if the point operands are not * valid. This holds for both the source and resulting points, and * the multipliers (integers). Only the byte length of the provided * multiplier arrays (not their actual value length in bits) may * leak through timing-based side channels. * * - The multipliers (integers) MUST be lower than the subgroup order. * If this property is not met, then the result is indeterminate, * but an error value is not ncessearily returned. * * * ## ECDSA * * ECDSA signatures have two standard formats, called "raw" and "asn1". * Internally, such a signature is a pair of modular integers `(r,s)`. * The "raw" format is the concatenation of the unsigned big-endian * encodings of these two integers, possibly left-padded with zeros so * that they have the same encoded length. The "asn1" format is the * DER encoding of an ASN.1 structure that contains the two integer * values: * * ECDSASignature ::= SEQUENCE { * r INTEGER, * s INTEGER * } * * In general, in all of X.509 and SSL/TLS, the "asn1" format is used. * BearSSL offers ECDSA implementations for both formats; conversion * functions between the two formats are also provided. Conversion of a * "raw" format signature into "asn1" may enlarge a signature by no more * than 9 bytes for all supported curves; conversely, conversion of an * "asn1" signature to "raw" may expand the signature but the "raw" * length will never be more than twice the length of the "asn1" length * (and usually it will be shorter). * * Note that for a given signature, the "raw" format is not fully * deterministic, in that it does not enforce a minimal common length. */ /* * Standard curve ID. These ID are equal to the assigned numerical * identifiers assigned to these curves for TLS: * http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */ /** \brief Identifier for named curve sect163k1. */ #define BR_EC_sect163k1 1 /** \brief Identifier for named curve sect163r1. */ #define BR_EC_sect163r1 2 /** \brief Identifier for named curve sect163r2. */ #define BR_EC_sect163r2 3 /** \brief Identifier for named curve sect193r1. */ #define BR_EC_sect193r1 4 /** \brief Identifier for named curve sect193r2. */ #define BR_EC_sect193r2 5 /** \brief Identifier for named curve sect233k1. */ #define BR_EC_sect233k1 6 /** \brief Identifier for named curve sect233r1. */ #define BR_EC_sect233r1 7 /** \brief Identifier for named curve sect239k1. */ #define BR_EC_sect239k1 8 /** \brief Identifier for named curve sect283k1. */ #define BR_EC_sect283k1 9 /** \brief Identifier for named curve sect283r1. */ #define BR_EC_sect283r1 10 /** \brief Identifier for named curve sect409k1. */ #define BR_EC_sect409k1 11 /** \brief Identifier for named curve sect409r1. */ #define BR_EC_sect409r1 12 /** \brief Identifier for named curve sect571k1. */ #define BR_EC_sect571k1 13 /** \brief Identifier for named curve sect571r1. */ #define BR_EC_sect571r1 14 /** \brief Identifier for named curve secp160k1. */ #define BR_EC_secp160k1 15 /** \brief Identifier for named curve secp160r1. */ #define BR_EC_secp160r1 16 /** \brief Identifier for named curve secp160r2. */ #define BR_EC_secp160r2 17 /** \brief Identifier for named curve secp192k1. */ #define BR_EC_secp192k1 18 /** \brief Identifier for named curve secp192r1. */ #define BR_EC_secp192r1 19 /** \brief Identifier for named curve secp224k1. */ #define BR_EC_secp224k1 20 /** \brief Identifier for named curve secp224r1. */ #define BR_EC_secp224r1 21 /** \brief Identifier for named curve secp256k1. */ #define BR_EC_secp256k1 22 /** \brief Identifier for named curve secp256r1. */ #define BR_EC_secp256r1 23 /** \brief Identifier for named curve secp384r1. */ #define BR_EC_secp384r1 24 /** \brief Identifier for named curve secp521r1. */ #define BR_EC_secp521r1 25 /** \brief Identifier for named curve brainpoolP256r1. */ #define BR_EC_brainpoolP256r1 26 /** \brief Identifier for named curve brainpoolP384r1. */ #define BR_EC_brainpoolP384r1 27 /** \brief Identifier for named curve brainpoolP512r1. */ #define BR_EC_brainpoolP512r1 28 /** \brief Identifier for named curve Curve25519. */ #define BR_EC_curve25519 29 /** \brief Identifier for named curve Curve448. */ #define BR_EC_curve448 30 /** * \brief Structure for an EC public key. */ typedef struct { /** \brief Identifier for the curve used by this key. */ int curve; /** \brief Public curve point (uncompressed format). */ unsigned char *q; /** \brief Length of public curve point (in bytes). */ size_t qlen; } br_ec_public_key; /** * \brief Structure for an EC private key. * * The private key is an integer modulo the curve subgroup order. The * encoding below tolerates extra leading zeros. In general, it is * recommended that the private key has the same length as the curve * subgroup order. */ typedef struct { /** \brief Identifier for the curve used by this key. */ int curve; /** \brief Private key (integer, unsigned big-endian encoding). */ unsigned char *x; /** \brief Private key length (in bytes). */ size_t xlen; } br_ec_private_key; /** * \brief Type for an EC implementation. */ typedef struct { /** * \brief Supported curves. * * This word is a bitfield: bit `x` is set if the curve of ID `x` * is supported. E.g. an implementation supporting both NIST P-256 * (secp256r1, ID 23) and NIST P-384 (secp384r1, ID 24) will have * value `0x01800000` in this field. */ uint32_t supported_curves; /** * \brief Get the conventional generator. * * This function returns the conventional generator (encoded * curve point) for the specified curve. This function MUST NOT * be called if the curve is not supported. * * \param curve curve identifier. * \param len receiver for the encoded generator length (in bytes). * \return the encoded generator. */ const unsigned char *(*generator)(int curve, size_t *len); /** * \brief Get the subgroup order. * * This function returns the order of the subgroup generated by * the conventional generator, for the specified curve. Unsigned * big-endian encoding is used. This function MUST NOT be called * if the curve is not supported. * * \param curve curve identifier. * \param len receiver for the encoded order length (in bytes). * \return the encoded order. */ const unsigned char *(*order)(int curve, size_t *len); /** * \brief Get the offset and length for the X coordinate. * * This function returns the offset and length (in bytes) of * the X coordinate in an encoded non-zero point. * * \param curve curve identifier. * \param len receiver for the X coordinate length (in bytes). * \return the offset for the X coordinate (in bytes). */ size_t (*xoff)(int curve, size_t *len); /** * \brief Multiply a curve point by an integer. * * The source point is provided in array `G` (of size `Glen` bytes); * the multiplication result is written over it. The multiplier * `x` (of size `xlen` bytes) uses unsigned big-endian encoding. * * Rules: * * - The specified curve MUST be supported. * * - The source point must be a valid point on the relevant curve * subgroup (and not the "point at infinity" either). If this is * not the case, then this function returns an error (0). * * - The multiplier integer MUST be non-zero and less than the * curve subgroup order. If this property does not hold, then * the result is indeterminate and an error code is not * guaranteed. * * Returned value is 1 on success, 0 on error. On error, the * contents of `G` are indeterminate. * * \param G point to multiply. * \param Glen length of the encoded point (in bytes). * \param x multiplier (unsigned big-endian). * \param xlen multiplier length (in bytes). * \param curve curve identifier. * \return 1 on success, 0 on error. */ uint32_t (*mul)(unsigned char *G, size_t Glen, const unsigned char *x, size_t xlen, int curve); /** * \brief Multiply the generator by an integer. * * The multiplier MUST be non-zero and less than the curve * subgroup order. Results are indeterminate if this property * does not hold. * * \param R output buffer for the point. * \param x multiplier (unsigned big-endian). * \param xlen multiplier length (in bytes). * \param curve curve identifier. * \return encoded result point length (in bytes). */ size_t (*mulgen)(unsigned char *R, const unsigned char *x, size_t xlen, int curve); /** * \brief Multiply two points by two integers and add the * results. * * The point `x*A + y*B` is computed and written back in the `A` * array. * * Rules: * * - The specified curve MUST be supported. * * - The source points (`A` and `B`) must be valid points on * the relevant curve subgroup (and not the "point at * infinity" either). If this is not the case, then this * function returns an error (0). * * - If the `B` pointer is `NULL`, then the conventional * subgroup generator is used. With some implementations, * this may be faster than providing a pointer to the * generator. * * - The multiplier integers (`x` and `y`) MUST be non-zero * and less than the curve subgroup order. If either integer * is zero, then an error is reported, but if one of them is * not lower than the subgroup order, then the result is * indeterminate and an error code is not guaranteed. * * - If the final result is the point at infinity, then an * error is returned. * * Returned value is 1 on success, 0 on error. On error, the * contents of `A` are indeterminate. * * \param A first point to multiply. * \param B second point to multiply (`NULL` for the generator). * \param len common length of the encoded points (in bytes). * \param x multiplier for `A` (unsigned big-endian). * \param xlen length of multiplier for `A` (in bytes). * \param y multiplier for `A` (unsigned big-endian). * \param ylen length of multiplier for `A` (in bytes). * \param curve curve identifier. * \return 1 on success, 0 on error. */ uint32_t (*muladd)(unsigned char *A, const unsigned char *B, size_t len, const unsigned char *x, size_t xlen, const unsigned char *y, size_t ylen, int curve); } br_ec_impl; /** * \brief EC implementation "i31". * * This implementation internally uses generic code for modular integers, * with a representation as sequences of 31-bit words. It supports secp256r1, * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521). */ extern const br_ec_impl br_ec_prime_i31; /** * \brief EC implementation "i15". * * This implementation internally uses generic code for modular integers, * with a representation as sequences of 15-bit words. It supports secp256r1, * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521). */ extern const br_ec_impl br_ec_prime_i15; /** * \brief EC implementation "m15" for P-256. * * This implementation uses specialised code for curve secp256r1 (also * known as NIST P-256), with optional Karatsuba decomposition, and fast * modular reduction thanks to the field modulus special format. Only * 32-bit multiplications are used (with 32-bit results, not 64-bit). */ extern const br_ec_impl br_ec_p256_m15; /** * \brief EC implementation "m31" for P-256. * * This implementation uses specialised code for curve secp256r1 (also * known as NIST P-256), relying on multiplications of 31-bit values * (MUL31). */ extern const br_ec_impl br_ec_p256_m31; /** * \brief EC implementation "m62" (specialised code) for P-256. * * This implementation uses custom code relying on multiplication of * integers up to 64 bits, with a 128-bit result. This implementation is * defined only on platforms that offer the 64x64->128 multiplication * support; use `br_ec_p256_m62_get()` to dynamically obtain a pointer * to that implementation. */ extern const br_ec_impl br_ec_p256_m62; /** * \brief Get the "m62" implementation of P-256, if available. * * \return the implementation, or 0. */ const br_ec_impl *br_ec_p256_m62_get(void); /** * \brief EC implementation "m64" (specialised code) for P-256. * * This implementation uses custom code relying on multiplication of * integers up to 64 bits, with a 128-bit result. This implementation is * defined only on platforms that offer the 64x64->128 multiplication * support; use `br_ec_p256_m64_get()` to dynamically obtain a pointer * to that implementation. */ extern const br_ec_impl br_ec_p256_m64; /** * \brief Get the "m64" implementation of P-256, if available. * * \return the implementation, or 0. */ const br_ec_impl *br_ec_p256_m64_get(void); /** * \brief EC implementation "i15" (generic code) for Curve25519. * * This implementation uses the generic code for modular integers (with * 15-bit words) to support Curve25519. Due to the specificities of the * curve definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_i15; /** * \brief EC implementation "i31" (generic code) for Curve25519. * * This implementation uses the generic code for modular integers (with * 31-bit words) to support Curve25519. Due to the specificities of the * curve definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_i31; /** * \brief EC implementation "m15" (specialised code) for Curve25519. * * This implementation uses custom code relying on multiplication of * integers up to 15 bits. Due to the specificities of the curve * definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_m15; /** * \brief EC implementation "m31" (specialised code) for Curve25519. * * This implementation uses custom code relying on multiplication of * integers up to 31 bits. Due to the specificities of the curve * definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_m31; /** * \brief EC implementation "m62" (specialised code) for Curve25519. * * This implementation uses custom code relying on multiplication of * integers up to 62 bits, with a 124-bit result. This implementation is * defined only on platforms that offer the 64x64->128 multiplication * support; use `br_ec_c25519_m62_get()` to dynamically obtain a pointer * to that implementation. Due to the specificities of the curve * definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_m62; /** * \brief Get the "m62" implementation of Curve25519, if available. * * \return the implementation, or 0. */ const br_ec_impl *br_ec_c25519_m62_get(void); /** * \brief EC implementation "m64" (specialised code) for Curve25519. * * This implementation uses custom code relying on multiplication of * integers up to 64 bits, with a 128-bit result. This implementation is * defined only on platforms that offer the 64x64->128 multiplication * support; use `br_ec_c25519_m64_get()` to dynamically obtain a pointer * to that implementation. Due to the specificities of the curve * definition, the following applies: * * - `muladd()` is not implemented (the function returns 0 systematically). * - `order()` returns 2^255-1, since the point multiplication algorithm * accepts any 32-bit integer as input (it clears the top bit and low * three bits systematically). */ extern const br_ec_impl br_ec_c25519_m64; /** * \brief Get the "m64" implementation of Curve25519, if available. * * \return the implementation, or 0. */ const br_ec_impl *br_ec_c25519_m64_get(void); /** * \brief Aggregate EC implementation "m15". * * This implementation is a wrapper for: * * - `br_ec_c25519_m15` for Curve25519 * - `br_ec_p256_m15` for NIST P-256 * - `br_ec_prime_i15` for other curves (NIST P-384 and NIST-P512) */ extern const br_ec_impl br_ec_all_m15; /** * \brief Aggregate EC implementation "m31". * * This implementation is a wrapper for: * * - `br_ec_c25519_m31` for Curve25519 * - `br_ec_p256_m31` for NIST P-256 * - `br_ec_prime_i31` for other curves (NIST P-384 and NIST-P512) */ extern const br_ec_impl br_ec_all_m31; /** * \brief Get the "default" EC implementation for the current system. * * This returns a pointer to the preferred implementation on the * current system. * * \return the default EC implementation. */ const br_ec_impl *br_ec_get_default(void); /** * \brief Convert a signature from "raw" to "asn1". * * Conversion is done "in place" and the new length is returned. * Conversion may enlarge the signature, but by no more than 9 bytes at * most. On error, 0 is returned (error conditions include an odd raw * signature length, or an oversized integer). * * \param sig signature to convert. * \param sig_len signature length (in bytes). * \return the new signature length, or 0 on error. */ size_t br_ecdsa_raw_to_asn1(void *sig, size_t sig_len); /** * \brief Convert a signature from "asn1" to "raw". * * Conversion is done "in place" and the new length is returned. * Conversion may enlarge the signature, but the new signature length * will be less than twice the source length at most. On error, 0 is * returned (error conditions include an invalid ASN.1 structure or an * oversized integer). * * \param sig signature to convert. * \param sig_len signature length (in bytes). * \return the new signature length, or 0 on error. */ size_t br_ecdsa_asn1_to_raw(void *sig, size_t sig_len); /** * \brief Type for an ECDSA signer function. * * A pointer to the EC implementation is provided. The hash value is * assumed to have the length inferred from the designated hash function * class. * * Signature is written in the buffer pointed to by `sig`, and the length * (in bytes) is returned. On error, nothing is written in the buffer, * and 0 is returned. This function returns 0 if the specified curve is * not supported by the provided EC implementation. * * The signature format is either "raw" or "asn1", depending on the * implementation; maximum length is predictable from the implemented * curve: * * | curve | raw | asn1 | * | :--------- | --: | ---: | * | NIST P-256 | 64 | 72 | * | NIST P-384 | 96 | 104 | * | NIST P-521 | 132 | 139 | * * \param impl EC implementation to use. * \param hf hash function used to process the data. * \param hash_value signed data (hashed). * \param sk EC private key. * \param sig destination buffer. * \return the signature length (in bytes), or 0 on error. */ typedef size_t (*br_ecdsa_sign)(const br_ec_impl *impl, const br_hash_class *hf, const void *hash_value, const br_ec_private_key *sk, void *sig); /** * \brief Type for an ECDSA signature verification function. * * A pointer to the EC implementation is provided. The hashed value, * computed over the purportedly signed data, is also provided with * its length. * * The signature format is either "raw" or "asn1", depending on the * implementation. * * Returned value is 1 on success (valid signature), 0 on error. This * function returns 0 if the specified curve is not supported by the * provided EC implementation. * * \param impl EC implementation to use. * \param hash signed data (hashed). * \param hash_len hash value length (in bytes). * \param pk EC public key. * \param sig signature. * \param sig_len signature length (in bytes). * \return 1 on success, 0 on error. */ typedef uint32_t (*br_ecdsa_vrfy)(const br_ec_impl *impl, const void *hash, size_t hash_len, const br_ec_public_key *pk, const void *sig, size_t sig_len); /** * \brief ECDSA signature generator, "i31" implementation, "asn1" format. * * \see br_ecdsa_sign() * * \param impl EC implementation to use. * \param hf hash function used to process the data. * \param hash_value signed data (hashed). * \param sk EC private key. * \param sig destination buffer. * \return the signature length (in bytes), or 0 on error. */ size_t br_ecdsa_i31_sign_asn1(const br_ec_impl *impl, const br_hash_class *hf, const void *hash_value, const br_ec_private_key *sk, void *sig); /** * \brief ECDSA signature generator, "i31" implementation, "raw" format. * * \see br_ecdsa_sign() * * \param impl EC implementation to use. * \param hf hash function used to process the data. * \param hash_value signed data (hashed). * \param sk EC private key. * \param sig destination buffer. * \return the signature length (in bytes), or 0 on error. */ size_t br_ecdsa_i31_sign_raw(const br_ec_impl *impl, const br_hash_class *hf, const void *hash_value, const br_ec_private_key *sk, void *sig); /** * \brief ECDSA signature verifier, "i31" implementation, "asn1" format. * * \see br_ecdsa_vrfy() * * \param impl EC implementation to use. * \param hash signed data (hashed). * \param hash_len hash value length (in bytes). * \param pk EC public key. * \param sig signature. * \param sig_len signature length (in bytes). * \return 1 on success, 0 on error. */ uint32_t br_ecdsa_i31_vrfy_asn1(const br_ec_impl *impl, const void *hash, size_t hash_len, const br_ec_public_key *pk, const void *sig, size_t sig_len); /** * \brief ECDSA signature verifier, "i31" implementation, "raw" format. * * \see br_ecdsa_vrfy() * * \param impl EC implementation to use. * \param hash signed data (hashed). * \param hash_len hash value length (in bytes). * \param pk EC public key. * \param sig signature. * \param sig_len signature length (in bytes). * \return 1 on success, 0 on error. */ uint32_t br_ecdsa_i31_vrfy_raw(const br_ec_impl *impl, const void *hash, size_t hash_len, const br_ec_public_key *pk, const void *sig, size_t sig_len); /** * \brief ECDSA signature generator, "i15" implementation, "asn1" format. * * \see br_ecdsa_sign() * * \param impl EC implementation to use. * \param hf hash function used to process the data. * \param hash_value signed data (hashed). * \param sk EC private key. * \param sig destination buffer. * \return the signature length (in bytes), or 0 on error. */ size_t br_ecdsa_i15_sign_asn1(const br_ec_impl *impl, const br_hash_class *hf, const void *hash_value, const br_ec_private_key *sk, void *sig); /** * \brief ECDSA signature generator, "i15" implementation, "raw" format. * * \see br_ecdsa_sign() * * \param impl EC implementation to use. * \param hf hash function used to process the data. * \param hash_value signed data (hashed). * \param sk EC private key. * \param sig destination buffer. * \return the signature length (in bytes), or 0 on error. */ size_t br_ecdsa_i15_sign_raw(const br_ec_impl *impl, const br_hash_class *hf, const void *hash_value, const br_ec_private_key *sk, void *sig); /** * \brief ECDSA signature verifier, "i15" implementation, "asn1" format. * * \see br_ecdsa_vrfy() * * \param impl EC implementation to use. * \param hash signed data (hashed). * \param hash_len hash value length (in bytes). * \param pk EC public key. * \param sig signature. * \param sig_len signature length (in bytes). * \return 1 on success, 0 on error. */ uint32_t br_ecdsa_i15_vrfy_asn1(const br_ec_impl *impl, const void *hash, size_t hash_len, const br_ec_public_key *pk, const void *sig, size_t sig_len); /** * \brief ECDSA signature verifier, "i15" implementation, "raw" format. * * \see br_ecdsa_vrfy() * * \param impl EC implementation to use. * \param hash signed data (hashed). * \param hash_len hash value length (in bytes). * \param pk EC public key. * \param sig signature. * \param sig_len signature length (in bytes). * \return 1 on success, 0 on error. */ uint32_t br_ecdsa_i15_vrfy_raw(const br_ec_impl *impl, const void *hash, size_t hash_len, const br_ec_public_key *pk, const void *sig, size_t sig_len); /** * \brief Get "default" ECDSA implementation (signer, asn1 format). * * This returns the preferred implementation of ECDSA signature generation * ("asn1" output format) on the current system. * * \return the default implementation. */ br_ecdsa_sign br_ecdsa_sign_asn1_get_default(void); /** * \brief Get "default" ECDSA implementation (signer, raw format). * * This returns the preferred implementation of ECDSA signature generation * ("raw" output format) on the current system. * * \return the default implementation. */ br_ecdsa_sign br_ecdsa_sign_raw_get_default(void); /** * \brief Get "default" ECDSA implementation (verifier, asn1 format). * * This returns the preferred implementation of ECDSA signature verification * ("asn1" output format) on the current system. * * \return the default implementation. */ br_ecdsa_vrfy br_ecdsa_vrfy_asn1_get_default(void); /** * \brief Get "default" ECDSA implementation (verifier, raw format). * * This returns the preferred implementation of ECDSA signature verification * ("raw" output format) on the current system. * * \return the default implementation. */ br_ecdsa_vrfy br_ecdsa_vrfy_raw_get_default(void); /** * \brief Maximum size for EC private key element buffer. * * This is the largest number of bytes that `br_ec_keygen()` may need or * ever return. */ #define BR_EC_KBUF_PRIV_MAX_SIZE 72 /** * \brief Maximum size for EC public key element buffer. * * This is the largest number of bytes that `br_ec_compute_public()` may * need or ever return. */ #define BR_EC_KBUF_PUB_MAX_SIZE 145 /** * \brief Generate a new EC private key. * * If the specified `curve` is not supported by the elliptic curve * implementation (`impl`), then this function returns zero. * * The `sk` structure fields are set to the new private key data. In * particular, `sk.x` is made to point to the provided key buffer (`kbuf`), * in which the actual private key data is written. That buffer is assumed * to be large enough. The `BR_EC_KBUF_PRIV_MAX_SIZE` defines the maximum * size for all supported curves. * * The number of bytes used in `kbuf` is returned. If `kbuf` is `NULL`, then * the private key is not actually generated, and `sk` may also be `NULL`; * the minimum length for `kbuf` is still computed and returned. * * If `sk` is `NULL` but `kbuf` is not `NULL`, then the private key is * still generated and stored in `kbuf`. * * \param rng_ctx source PRNG context (already initialized). * \param impl the elliptic curve implementation. * \param sk the private key structure to fill, or `NULL`. * \param kbuf the key element buffer, or `NULL`. * \param curve the curve identifier. * \return the key data length (in bytes), or zero. */ size_t br_ec_keygen(const br_prng_class **rng_ctx, const br_ec_impl *impl, br_ec_private_key *sk, void *kbuf, int curve); /** * \brief Compute EC public key from EC private key. * * This function uses the provided elliptic curve implementation (`impl`) * to compute the public key corresponding to the private key held in `sk`. * The public key point is written into `kbuf`, which is then linked from * the `*pk` structure. The size of the public key point, i.e. the number * of bytes used in `kbuf`, is returned. * * If `kbuf` is `NULL`, then the public key point is NOT computed, and * the public key structure `*pk` is unmodified (`pk` may be `NULL` in * that case). The size of the public key point is still returned. * * If `pk` is `NULL` but `kbuf` is not `NULL`, then the public key * point is computed and stored in `kbuf`, and its size is returned. * * If the curve used by the private key is not supported by the curve * implementation, then this function returns zero. * * The private key MUST be valid. An off-range private key value is not * necessarily detected, and leads to unpredictable results. * * \param impl the elliptic curve implementation. * \param pk the public key structure to fill (or `NULL`). * \param kbuf the public key point buffer (or `NULL`). * \param sk the source private key. * \return the public key point length (in bytes), or zero. */ size_t br_ec_compute_pub(const br_ec_impl *impl, br_ec_public_key *pk, void *kbuf, const br_ec_private_key *sk); #ifdef __cplusplus } #endif #endif