yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-04-28 16:06:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'development-proposed' into development-restricted-proposed

Browse source 
Resolve merge conflict in ecp.h, where `mbedtls_ecp_keypair` was moved.
This commit is contained in:
Jaeden Amero 2018-04-24 17:15:38 +01:00
parent 5450d1f597 1afdec1812
commit 8945343a51
7 changed files with 751 additions and 620 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
include/mbedtls/ccm.h
View file

@ -1,7 +1,10 @@
/** /**
* \file ccm.h * \file ccm.h
* *
* \brief CCM combines Counter mode encryption with CBC-MAC authentication * \brief This file provides an API for the CCM authenticated encryption
* mode for block ciphers.
*
* CCM combines Counter mode encryption with CBC-MAC authentication
* for 128-bit block ciphers. * for 128-bit block ciphers.
* *
* Input to CCM includes the following elements: * Input to CCM includes the following elements:
@ -80,7 +83,8 @@ void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
* \param key The encryption key. * \param key The encryption key.
* \param keybits The key size in bits. This must be acceptable by the cipher. * \param keybits The key size in bits. This must be acceptable by the cipher.
* *
* \return \c 0 on success, or a cipher-specific error code. * \return \c 0 on success.
* \return A CCM or cipher-specific error code on failure.
*/ */
int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
mbedtls_cipher_id_t cipher, mbedtls_cipher_id_t cipher,
@ -98,6 +102,13 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
/** /**
* \brief This function encrypts a buffer using CCM. * \brief This function encrypts a buffer using CCM.
* *
*
* \note The tag is written to a separate buffer. To concatenate
* the \p tag with the \p output, as done in <em>RFC-3610:
* Counter with CBC-MAC (CCM)</em>, use
* \p tag = \p output + \p length, and make sure that the
* output buffer is at least \p length + \p tag_len wide.
*
* \param ctx The CCM context to use for encryption. * \param ctx The CCM context to use for encryption.
* \param length The length of the input data in Bytes. * \param length The length of the input data in Bytes.
* \param iv Initialization vector (nonce). * \param iv Initialization vector (nonce).
@ -112,13 +123,8 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
* \param tag_len The length of the tag to generate in Bytes: * \param tag_len The length of the tag to generate in Bytes:
* 4, 6, 8, 10, 12, 14 or 16. * 4, 6, 8, 10, 12, 14 or 16.
* *
* \note The tag is written to a separate buffer. To concatenate
* the \p tag with the \p output, as done in <em>RFC-3610:
* Counter with CBC-MAC (CCM)</em>, use
* \p tag = \p output + \p length, and make sure that the
* output buffer is at least \p length + \p tag_len wide.
*
* \return \c 0 on success. * \return \c 0 on success.
* \return A CCM or cipher-specific error code on failure.
*/ */
int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
@ -144,8 +150,9 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
* \param tag_len The length of the tag in Bytes. * \param tag_len The length of the tag in Bytes.
* 4, 6, 8, 10, 12, 14 or 16. * 4, 6, 8, 10, 12, 14 or 16.
* *
* \return 0 if successful and authenticated, or * \return \c 0 on success. This indicates that the message is authentic.
* #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match. * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
* \return A cipher-specific error code on calculation failure.
*/ */
int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
@ -158,7 +165,8 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
/** /**
* \brief The CCM checkup routine. * \brief The CCM checkup routine.
* *
* \return \c 0 on success, or \c 1 on failure. * \return \c 0 on success.
* \return \c 1 on failure.
*/ */
int mbedtls_ccm_self_test( int verbose ); int mbedtls_ccm_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */

319
include/mbedtls/cipher.h
View file

@ -1,7 +1,9 @@
/** /**
* \file cipher.h * \file cipher.h
* *
* \brief The generic cipher wrapper. * \brief This file contains an abstraction interface for use with the cipher
* primitives provided by the library. It provides a common interface to all of
* the available cipher operations.
* *
* \author Adriaan de Jong <dejong@fox-it.com> * \author Adriaan de Jong <dejong@fox-it.com>
*/ */
@ -69,93 +71,93 @@ extern "C" {
#endif #endif
/** /**
* \brief An enumeration of supported ciphers. * \brief Supported cipher types.
* *
* \warning ARC4 and DES are considered weak ciphers and their use * \warning RC4 and DES are considered weak ciphers and their use
* constitutes a security risk. We recommend considering stronger * constitutes a security risk. Arm recommends considering stronger
* ciphers instead. * ciphers instead.
*/ */
typedef enum { typedef enum {
MBEDTLS_CIPHER_ID_NONE = 0, MBEDTLS_CIPHER_ID_NONE = 0, /**< Placeholder to mark the end of cipher ID lists. */
MBEDTLS_CIPHER_ID_NULL, MBEDTLS_CIPHER_ID_NULL, /**< The identity cipher, treated as a stream cipher. */
MBEDTLS_CIPHER_ID_AES, MBEDTLS_CIPHER_ID_AES, /**< The AES cipher. */
MBEDTLS_CIPHER_ID_DES, MBEDTLS_CIPHER_ID_DES, /**< The DES cipher. */
MBEDTLS_CIPHER_ID_3DES, MBEDTLS_CIPHER_ID_3DES, /**< The Triple DES cipher. */
MBEDTLS_CIPHER_ID_CAMELLIA, MBEDTLS_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
MBEDTLS_CIPHER_ID_BLOWFISH, MBEDTLS_CIPHER_ID_BLOWFISH, /**< The Blowfish cipher. */
MBEDTLS_CIPHER_ID_ARC4, MBEDTLS_CIPHER_ID_ARC4, /**< The RC4 cipher. */
} mbedtls_cipher_id_t; } mbedtls_cipher_id_t;
/** /**
* \brief An enumeration of supported (cipher, mode) pairs. * \brief Supported {cipher type, cipher mode} pairs.
* *
* \warning ARC4 and DES are considered weak ciphers and their use * \warning RC4 and DES are considered weak ciphers and their use
* constitutes a security risk. We recommend considering stronger * constitutes a security risk. Arm recommends considering stronger
* ciphers instead. * ciphers instead.
*/ */
typedef enum { typedef enum {
MBEDTLS_CIPHER_NONE = 0, MBEDTLS_CIPHER_NONE = 0, /**< Placeholder to mark the end of cipher-pair lists. */
MBEDTLS_CIPHER_NULL, MBEDTLS_CIPHER_NULL, /**< The identity stream cipher. */
MBEDTLS_CIPHER_AES_128_ECB, MBEDTLS_CIPHER_AES_128_ECB, /**< AES cipher with 128-bit ECB mode. */
MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_192_ECB, /**< AES cipher with 192-bit ECB mode. */
MBEDTLS_CIPHER_AES_256_ECB, MBEDTLS_CIPHER_AES_256_ECB, /**< AES cipher with 256-bit ECB mode. */
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_CIPHER_AES_128_CBC, /**< AES cipher with 128-bit CBC mode. */
MBEDTLS_CIPHER_AES_192_CBC, MBEDTLS_CIPHER_AES_192_CBC, /**< AES cipher with 192-bit CBC mode. */
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_CIPHER_AES_256_CBC, /**< AES cipher with 256-bit CBC mode. */
MBEDTLS_CIPHER_AES_128_CFB128, MBEDTLS_CIPHER_AES_128_CFB128, /**< AES cipher with 128-bit CFB128 mode. */
MBEDTLS_CIPHER_AES_192_CFB128, MBEDTLS_CIPHER_AES_192_CFB128, /**< AES cipher with 192-bit CFB128 mode. */
MBEDTLS_CIPHER_AES_256_CFB128, MBEDTLS_CIPHER_AES_256_CFB128, /**< AES cipher with 256-bit CFB128 mode. */
MBEDTLS_CIPHER_AES_128_CTR, MBEDTLS_CIPHER_AES_128_CTR, /**< AES cipher with 128-bit CTR mode. */
MBEDTLS_CIPHER_AES_192_CTR, MBEDTLS_CIPHER_AES_192_CTR, /**< AES cipher with 192-bit CTR mode. */
MBEDTLS_CIPHER_AES_256_CTR, MBEDTLS_CIPHER_AES_256_CTR, /**< AES cipher with 256-bit CTR mode. */
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_CIPHER_AES_128_GCM, /**< AES cipher with 128-bit GCM mode. */
MBEDTLS_CIPHER_AES_192_GCM, MBEDTLS_CIPHER_AES_192_GCM, /**< AES cipher with 192-bit GCM mode. */
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_CIPHER_AES_256_GCM, /**< AES cipher with 256-bit GCM mode. */
MBEDTLS_CIPHER_CAMELLIA_128_ECB, MBEDTLS_CIPHER_CAMELLIA_128_ECB, /**< Camellia cipher with 128-bit ECB mode. */
MBEDTLS_CIPHER_CAMELLIA_192_ECB, MBEDTLS_CIPHER_CAMELLIA_192_ECB, /**< Camellia cipher with 192-bit ECB mode. */
MBEDTLS_CIPHER_CAMELLIA_256_ECB, MBEDTLS_CIPHER_CAMELLIA_256_ECB, /**< Camellia cipher with 256-bit ECB mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_CIPHER_CAMELLIA_128_CBC, /**< Camellia cipher with 128-bit CBC mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CBC, MBEDTLS_CIPHER_CAMELLIA_192_CBC, /**< Camellia cipher with 192-bit CBC mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_CIPHER_CAMELLIA_256_CBC, /**< Camellia cipher with 256-bit CBC mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CFB128, MBEDTLS_CIPHER_CAMELLIA_128_CFB128, /**< Camellia cipher with 128-bit CFB128 mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CFB128, MBEDTLS_CIPHER_CAMELLIA_192_CFB128, /**< Camellia cipher with 192-bit CFB128 mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CFB128, MBEDTLS_CIPHER_CAMELLIA_256_CFB128, /**< Camellia cipher with 256-bit CFB128 mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CTR, MBEDTLS_CIPHER_CAMELLIA_128_CTR, /**< Camellia cipher with 128-bit CTR mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CTR, MBEDTLS_CIPHER_CAMELLIA_192_CTR, /**< Camellia cipher with 192-bit CTR mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CTR, MBEDTLS_CIPHER_CAMELLIA_256_CTR, /**< Camellia cipher with 256-bit CTR mode. */
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_CIPHER_CAMELLIA_128_GCM, /**< Camellia cipher with 128-bit GCM mode. */
MBEDTLS_CIPHER_CAMELLIA_192_GCM, MBEDTLS_CIPHER_CAMELLIA_192_GCM, /**< Camellia cipher with 192-bit GCM mode. */
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_CIPHER_CAMELLIA_256_GCM, /**< Camellia cipher with 256-bit GCM mode. */
MBEDTLS_CIPHER_DES_ECB, MBEDTLS_CIPHER_DES_ECB, /**< DES cipher with ECB mode. */
MBEDTLS_CIPHER_DES_CBC, MBEDTLS_CIPHER_DES_CBC, /**< DES cipher with CBC mode. */
MBEDTLS_CIPHER_DES_EDE_ECB, MBEDTLS_CIPHER_DES_EDE_ECB, /**< DES cipher with EDE ECB mode. */
MBEDTLS_CIPHER_DES_EDE_CBC, MBEDTLS_CIPHER_DES_EDE_CBC, /**< DES cipher with EDE CBC mode. */
MBEDTLS_CIPHER_DES_EDE3_ECB, MBEDTLS_CIPHER_DES_EDE3_ECB, /**< DES cipher with EDE3 ECB mode. */
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_CIPHER_DES_EDE3_CBC, /**< DES cipher with EDE3 CBC mode. */
MBEDTLS_CIPHER_BLOWFISH_ECB, MBEDTLS_CIPHER_BLOWFISH_ECB, /**< Blowfish cipher with ECB mode. */
MBEDTLS_CIPHER_BLOWFISH_CBC, MBEDTLS_CIPHER_BLOWFISH_CBC, /**< Blowfish cipher with CBC mode. */
MBEDTLS_CIPHER_BLOWFISH_CFB64, MBEDTLS_CIPHER_BLOWFISH_CFB64, /**< Blowfish cipher with CFB64 mode. */
MBEDTLS_CIPHER_BLOWFISH_CTR, MBEDTLS_CIPHER_BLOWFISH_CTR, /**< Blowfish cipher with CTR mode. */
MBEDTLS_CIPHER_ARC4_128, MBEDTLS_CIPHER_ARC4_128, /**< RC4 cipher with 128-bit mode. */
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_CIPHER_AES_128_CCM, /**< AES cipher with 128-bit CCM mode. */
MBEDTLS_CIPHER_AES_192_CCM, MBEDTLS_CIPHER_AES_192_CCM, /**< AES cipher with 192-bit CCM mode. */
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_CIPHER_AES_256_CCM, /**< AES cipher with 256-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CCM, MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CCM, MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CCM, MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */
} mbedtls_cipher_type_t; } mbedtls_cipher_type_t;
/** Supported cipher modes. */ /** Supported cipher modes. */
typedef enum { typedef enum {
MBEDTLS_MODE_NONE = 0, MBEDTLS_MODE_NONE = 0, /**< None. */
MBEDTLS_MODE_ECB, MBEDTLS_MODE_ECB, /**< The ECB cipher mode. */
MBEDTLS_MODE_CBC, MBEDTLS_MODE_CBC, /**< The CBC cipher mode. */
MBEDTLS_MODE_CFB, MBEDTLS_MODE_CFB, /**< The CFB cipher mode. */
MBEDTLS_MODE_OFB, /* Unused! */ MBEDTLS_MODE_OFB, /**< The OFB cipher mode - unsupported. */
MBEDTLS_MODE_CTR, MBEDTLS_MODE_CTR, /**< The CTR cipher mode. */
MBEDTLS_MODE_GCM, MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */
MBEDTLS_MODE_STREAM, MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */
MBEDTLS_MODE_CCM, MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
} mbedtls_cipher_mode_t; } mbedtls_cipher_mode_t;
/** Supported cipher padding types. */ /** Supported cipher padding types. */
@ -163,8 +165,8 @@ typedef enum {
MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default). */ MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default). */
MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding. */ MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding. */
MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding. */ MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding. */
MBEDTLS_PADDING_ZEROS, /**< zero padding (not reversible). */ MBEDTLS_PADDING_ZEROS, /**< Zero padding (not reversible). */
MBEDTLS_PADDING_NONE, /**< never pad (full blocks only). */ MBEDTLS_PADDING_NONE, /**< Never pad (full blocks only). */
} mbedtls_cipher_padding_t; } mbedtls_cipher_padding_t;
/** Type of operation. */ /** Type of operation. */
@ -228,7 +230,10 @@ typedef struct {
*/ */
unsigned int iv_size; unsigned int iv_size;
/** Flags to set. For example, if the cipher supports variable IV sizes or variable key sizes. */ /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
* MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
* cipher supports variable IV or variable key sizes, respectively.
*/
int flags; int flags;
/** The block size, in Bytes. */ /** The block size, in Bytes. */
@ -299,7 +304,8 @@ const int *mbedtls_cipher_list( void );
* \param cipher_name Name of the cipher to search for. * \param cipher_name Name of the cipher to search for.
* *
* \return The cipher information structure associated with the * \return The cipher information structure associated with the
* given \p cipher_name, or NULL if not found. * given \p cipher_name.
* \return NULL if the associated cipher information is not found.
*/ */
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name ); const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
@ -310,7 +316,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher
* \param cipher_type Type of the cipher to search for. * \param cipher_type Type of the cipher to search for.
* *
* \return The cipher information structure associated with the * \return The cipher information structure associated with the
* given \p cipher_type, or NULL if not found. * given \p cipher_type.
* \return NULL if the associated cipher information is not found.
*/ */
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type ); const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
@ -325,7 +332,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher
* \param mode The cipher mode. For example, #MBEDTLS_MODE_CBC. * \param mode The cipher mode. For example, #MBEDTLS_MODE_CBC.
* *
* \return The cipher information structure associated with the * \return The cipher information structure associated with the
* given \p cipher_id, or NULL if not found. * given \p cipher_id.
* \return NULL if the associated cipher information is not found.
*/ */
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id, const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
int key_bitlen, int key_bitlen,
@ -352,10 +360,11 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
* \param ctx The context to initialize. May not be NULL. * \param ctx The context to initialize. May not be NULL.
* \param cipher_info The cipher to use. * \param cipher_info The cipher to use.
* *
* \return \c 0 on success, * \return \c 0 on success.
* #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter failure, * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the * parameter-verification failure.
* cipher-specific context failed. * \return #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
* cipher-specific context fails.
* *
* \internal Currently, the function also clears the structure. * \internal Currently, the function also clears the structure.
* In future versions, the caller will be required to call * In future versions, the caller will be required to call
@ -368,8 +377,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_in
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The size of the blocks of the cipher, or zero if \p ctx * \return The size of the blocks of the cipher.
* has not been initialized. * \return 0 if \p ctx has not been initialized.
*/ */
static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx ) static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx )
{ {
@ -385,8 +394,8 @@ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_c
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The mode of operation, or #MBEDTLS_MODE_NONE if * \return The mode of operation.
* \p ctx has not been initialized. * \return #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
*/ */
static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx ) static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx )
{ {
@ -402,9 +411,9 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtl
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return <ul><li>If no IV has been set: the recommended IV size. * \return The recommended IV size if no IV has been set.
* 0 for ciphers not using IV or nonce.</li> * \return \c 0 for ciphers not using an IV or a nonce.
* <li>If IV has already been set: the actual size.</li></ul> * \return The actual size if an IV has been set.
*/ */
static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx ) static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx )
{ {
@ -422,8 +431,8 @@ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ct
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The type of the cipher, or #MBEDTLS_CIPHER_NONE if * \return The type of the cipher.
* \p ctx has not been initialized. * \return #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
*/ */
static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx ) static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx )
{ {
@ -439,8 +448,8 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_ciphe
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The name of the cipher, or NULL if \p ctx has not * \return The name of the cipher.
* been not initialized. * \return NULL if \p ctx has not been not initialized.
*/ */
static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx ) static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx )
{ {
@ -455,8 +464,8 @@ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The key length of the cipher in bits, or * \return The key length of the cipher in bits.
* #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been * \return #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
* initialized. * initialized.
*/ */
static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx ) static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx )
@ -472,9 +481,8 @@ static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t
* *
* \param ctx The context of the cipher. Must be initialized. * \param ctx The context of the cipher. Must be initialized.
* *
* \return The type of operation: #MBEDTLS_ENCRYPT or * \return The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
* #MBEDTLS_DECRYPT, or #MBEDTLS_OPERATION_NONE if \p ctx * \return #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
* has not been initialized.
*/ */
static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx ) static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx )
{ {
@ -495,9 +503,10 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_ci
* \param operation The operation that the key will be used for: * \param operation The operation that the key will be used for:
* #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT. * #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
* *
* \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if * \return \c 0 on success.
* parameter verification fails, or a cipher-specific * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* error code. * parameter-verification failure.
* \return A cipher-specific error code on failure.
*/ */
int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key, int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
int key_bitlen, const mbedtls_operation_t operation ); int key_bitlen, const mbedtls_operation_t operation );
@ -512,9 +521,10 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k
* \param ctx The generic cipher context. * \param ctx The generic cipher context.
* \param mode The padding mode. * \param mode The padding mode.
* *
* \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE * \return \c 0 on success.
* if the selected padding mode is not supported, or * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
* #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode * if the selected padding mode is not supported.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
* does not support padding. * does not support padding.
*/ */
int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ); int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode );
@ -524,15 +534,17 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_ciph
* \brief This function sets the initialization vector (IV) * \brief This function sets the initialization vector (IV)
* or nonce. * or nonce.
* *
* \note Some ciphers do not use IVs nor nonce. For these
* ciphers, this function has no effect.
*
* \param ctx The generic cipher context. * \param ctx The generic cipher context.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
* \param iv_len The IV length for ciphers with variable-size IV. * \param iv_len The IV length for ciphers with variable-size IV.
* This parameter is discarded by ciphers with fixed-size IV. * This parameter is discarded by ciphers with fixed-size IV.
* *
* \returns \c 0 on success, or #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA * \return \c 0 on success.
* * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* \note Some ciphers do not use IVs nor nonce. For these * parameter-verification failure.
* ciphers, this function has no effect.
*/ */
int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len ); const unsigned char *iv, size_t iv_len );
@ -542,8 +554,9 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
* *
* \param ctx The generic cipher context. * \param ctx The generic cipher context.
* *
* \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA * \return \c 0 on success.
* if parameter verification fails. * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* parameter-verification failure.
*/ */
int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ); int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
@ -557,7 +570,8 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
* \param ad The additional data to use. * \param ad The additional data to use.
* \param ad_len the Length of \p ad. * \param ad_len the Length of \p ad.
* *
* \return \c 0 on success, or a specific error code on failure. * \return \c 0 on success.
* \return A specific error code on failure.
*/ */
int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len ); const unsigned char *ad, size_t ad_len );
@ -573,6 +587,11 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
* Exception: For MBEDTLS_MODE_ECB, expects a single block * Exception: For MBEDTLS_MODE_ECB, expects a single block
* in size. For example, 16 Bytes for AES. * in size. For example, 16 Bytes for AES.
* *
* \note If the underlying cipher is used in GCM mode, all calls
* to this function, except for the last one before
* mbedtls_cipher_finish(), must have \p ilen as a
* multiple of the block size of the cipher.
*
* \param ctx The generic cipher context. * \param ctx The generic cipher context.
* \param input The buffer holding the input data. * \param input The buffer holding the input data.
* \param ilen The length of the input data. * \param ilen The length of the input data.
@ -582,16 +601,12 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
* \param olen The length of the output data, to be updated with the * \param olen The length of the output data, to be updated with the
* actual number of Bytes written. * actual number of Bytes written.
* *
* \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if * \return \c 0 on success.
* parameter verification fails, * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an * parameter-verification failure.
* unsupported mode for a cipher, or a cipher-specific * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
* error code. * unsupported mode for a cipher.
* * \return A cipher-specific error code on failure.
* \note If the underlying cipher is GCM, all calls to this
* function, except the last one before
* mbedtls_cipher_finish(). Must have \p ilen as a
* multiple of the block_size.
*/ */
int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
size_t ilen, unsigned char *output, size_t *olen ); size_t ilen, unsigned char *output, size_t *olen );
@ -606,13 +621,14 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
* \param output The buffer to write data to. Needs block_size available. * \param output The buffer to write data to. Needs block_size available.
* \param olen The length of the data written to the \p output buffer. * \param olen The length of the data written to the \p output buffer.
* *
* \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if * \return \c 0 on success.
* parameter verification fails, * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption * parameter-verification failure.
* expected a full block but was not provided one, * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
* #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding * expecting a full block but not receiving one.
* while decrypting, or a cipher-specific error code * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
* on failure for any other reason. * while decrypting.
* \return A cipher-specific error code on failure.
*/ */
int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
unsigned char *output, size_t *olen ); unsigned char *output, size_t *olen );
@ -627,7 +643,8 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
* \param tag The buffer to write the tag to. * \param tag The buffer to write the tag to.
* \param tag_len The length of the tag to write. * \param tag_len The length of the tag to write.
* *
* \return \c 0 on success, or a specific error code on failure. * \return \c 0 on success.
* \return A specific error code on failure.
*/ */
int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
unsigned char *tag, size_t tag_len ); unsigned char *tag, size_t tag_len );
@ -641,7 +658,8 @@ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
* \param tag The buffer holding the tag. * \param tag The buffer holding the tag.
* \param tag_len The length of the tag to check. * \param tag_len The length of the tag to check.
* *
* \return \c 0 on success, or a specific error code on failure. * \return \c 0 on success.
* \return A specific error code on failure.
*/ */
int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
const unsigned char *tag, size_t tag_len ); const unsigned char *tag, size_t tag_len );
@ -667,13 +685,14 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
* \note Some ciphers do not use IVs nor nonce. For these * \note Some ciphers do not use IVs nor nonce. For these
* ciphers, use \p iv = NULL and \p iv_len = 0. * ciphers, use \p iv = NULL and \p iv_len = 0.
* *
* \returns \c 0 on success, or * \return \c 0 on success.
* #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption * parameter-verification failure.
* expected a full block but was not provided one, or * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
* #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding * expecting a full block but not receiving one.
* while decrypting, or a cipher-specific error code on * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
* failure for any other reason. * while decrypting.
* \return A cipher-specific error code on failure.
*/ */
int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
@ -699,9 +718,10 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
* \param tag The buffer for the authentication tag. * \param tag The buffer for the authentication tag.
* \param tag_len The desired length of the authentication tag. * \param tag_len The desired length of the authentication tag.
* *
* \returns \c 0 on success, or * \return \c 0 on success.
* #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* a cipher-specific error code. * parameter-verification failure.
* \return A cipher-specific error code on failure.
*/ */
int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
@ -713,6 +733,10 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
/** /**
* \brief The generic autenticated decryption (AEAD) function. * \brief The generic autenticated decryption (AEAD) function.
* *
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
* \param ctx The generic cipher context. * \param ctx The generic cipher context.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
* \param iv_len The IV length for ciphers with variable-size IV. * \param iv_len The IV length for ciphers with variable-size IV.
@ -728,14 +752,11 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
* \param tag The buffer holding the authentication tag. * \param tag The buffer holding the authentication tag.
* \param tag_len The length of the authentication tag. * \param tag_len The length of the authentication tag.
* *
* \returns \c 0 on success, or * \return \c 0 on success.
* #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic, * parameter-verification failure.
* or a cipher-specific error code on failure for any other reason. * \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
* * \return A cipher-specific error code on failure.
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*/ */
int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,

111
include/mbedtls/dhm.h
View file

@ -1,7 +1,13 @@
/** /**
* \file dhm.h * \file dhm.h
* *
* \brief Diffie-Hellman-Merkle key exchange. * \brief This file contains Diffie-Hellman-Merkle (DHM) key exchange
* definitions and functions.
*
* Diffie-Hellman-Merkle (DHM) key exchange is defined in
* <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
* <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
* Hellman Key Agreement Standard</em>.
* *
* <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
* Internet Key Exchange (IKE)</em> defines a number of standardized * Internet Key Exchange (IKE)</em> defines a number of standardized
@ -130,8 +136,8 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
* failures. * failures.
* \param end The end of the input buffer. * \param end The end of the input buffer.
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code * \return \c 0 on success.
* on failure. * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*/ */
int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
unsigned char **p, unsigned char **p,
@ -141,13 +147,6 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
* \brief This function sets up and writes the ServerKeyExchange * \brief This function sets up and writes the ServerKeyExchange
* parameters. * parameters.
* *
* \param ctx The DHM context.
* \param x_size The private value size in Bytes.
* \param olen The number of characters written.
* \param output The destination buffer.
* \param f_rng The RNG function.
* \param p_rng The RNG parameter.
*
* \note The destination buffer must be large enough to hold * \note The destination buffer must be large enough to hold
* the reduced binary presentation of the modulus, the generator * the reduced binary presentation of the modulus, the generator
* and the public key, each wrapped with a 2-byte length field. * and the public key, each wrapped with a 2-byte length field.
@ -160,8 +159,15 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
* mbedtls_dhm_set_group() below in conjunction with * mbedtls_dhm_set_group() below in conjunction with
* mbedtls_mpi_read_binary() and mbedtls_mpi_read_string(). * mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code * \param ctx The DHM context.
* on failure. * \param x_size The private key size in Bytes.
* \param olen The number of characters written.
* \param output The destination buffer.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*/ */
int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,
@ -169,54 +175,54 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
void *p_rng ); void *p_rng );
/** /**
* \brief Set prime modulus and generator * \brief This function sets the prime modulus and generator.
*
* \note This function can be used to set \p P, \p G
* in preparation for mbedtls_dhm_make_params().
* *
* \param ctx The DHM context. * \param ctx The DHM context.
* \param P The MPI holding DHM prime modulus. * \param P The MPI holding the DHM prime modulus.
* \param G The MPI holding DHM generator. * \param G The MPI holding the DHM generator.
* *
* \note This function can be used to set P, G * \return \c 0 if successful.
* in preparation for \c mbedtls_dhm_make_params. * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*
* \return \c 0 if successful, or an \c MBEDTLS_ERR_DHM_XXX error code
* on failure.
*/ */
int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
const mbedtls_mpi *P, const mbedtls_mpi *P,
const mbedtls_mpi *G ); const mbedtls_mpi *G );
/** /**
* \brief This function imports the public value G^Y of the peer. * \brief This function imports the public value of the peer, G^Y.
* *
* \param ctx The DHM context. * \param ctx The DHM context.
* \param input The input buffer. * \param input The input buffer containing the G^Y value of the peer.
* \param ilen The size of the input buffer. * \param ilen The size of the input buffer.
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code * \return \c 0 on success.
* on failure. * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*/ */
int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx, int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
const unsigned char *input, size_t ilen ); const unsigned char *input, size_t ilen );
/** /**
* \brief This function creates its own private value \c X and * \brief This function creates its own private key, \c X, and
* exports \c G^X. * exports \c G^X.
* *
* \note The destination buffer is always fully written
* so as to contain a big-endian representation of G^X mod P.
* If it is larger than ctx->len, it is padded accordingly
* with zero-bytes at the beginning.
*
* \param ctx The DHM context. * \param ctx The DHM context.
* \param x_size The private value size in Bytes. * \param x_size The private key size in Bytes.
* \param output The destination buffer. * \param output The destination buffer.
* \param olen The length of the destination buffer. Must be at least * \param olen The length of the destination buffer. Must be at least
equal to ctx->len (the size of \c P). * equal to ctx->len (the size of \c P).
* \param f_rng The RNG function. * \param f_rng The RNG function.
* \param p_rng The RNG parameter. * \param p_rng The RNG context.
* *
* \note The destination buffer will always be fully written * \return \c 0 on success.
* so as to contain a big-endian presentation of G^X mod P. * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
* If it is larger than ctx->len, it will accordingly be
* padded with zero-bytes in the beginning.
*
* \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
* on failure.
*/ */
int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
unsigned char *output, size_t olen, unsigned char *output, size_t olen,
@ -227,22 +233,22 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
* \brief This function derives and exports the shared secret * \brief This function derives and exports the shared secret
* \c (G^Y)^X mod \c P. * \c (G^Y)^X mod \c P.
* *
* \note If \p f_rng is not NULL, it is used to blind the input as
* a countermeasure against timing attacks. Blinding is used
* only if our private key \c X is re-used, and not used
* otherwise. We recommend always passing a non-NULL
* \p f_rng argument.
*
* \param ctx The DHM context. * \param ctx The DHM context.
* \param output The destination buffer. * \param output The destination buffer.
* \param output_size The size of the destination buffer. Must be at least * \param output_size The size of the destination buffer. Must be at least
* the size of ctx->len. * the size of ctx->len (the size of \c P).
* \param olen On exit, holds the actual number of Bytes written. * \param olen On exit, holds the actual number of Bytes written.
* \param f_rng The RNG function, for blinding purposes. * \param f_rng The RNG function, for blinding purposes.
* \param p_rng The RNG parameter. * \param p_rng The RNG context.
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code * \return \c 0 on success.
* on failure. * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*
* \note If non-NULL, \p f_rng is used to blind the input as
* a countermeasure against timing attacks. Blinding is used
* only if our secret value \p X is re-used and omitted
* otherwise. Therefore, we recommend always passing a
* non-NULL \p f_rng argument.
*/ */
int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx, int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
unsigned char *output, size_t output_size, size_t *olen, unsigned char *output, size_t output_size, size_t *olen,
@ -250,7 +256,7 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
void *p_rng ); void *p_rng );
/** /**
* \brief This function frees and clears the components of a DHM key. * \brief This function frees and clears the components of a DHM context.
* *
* \param ctx The DHM context to free and clear. * \param ctx The DHM context to free and clear.
*/ */
@ -266,8 +272,9 @@ void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
* \param dhminlen The size of the buffer, including the terminating null * \param dhminlen The size of the buffer, including the terminating null
* Byte for PEM data. * Byte for PEM data.
* *
* \return \c 0 on success, or a specific DHM or PEM error code * \return \c 0 on success.
* on failure. * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error code
* error code on failure.
*/ */
int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
size_t dhminlen ); size_t dhminlen );
@ -280,8 +287,9 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
* \param dhm The DHM context to load the parameters to. * \param dhm The DHM context to load the parameters to.
* \param path The filename to read the DHM parameters from. * \param path The filename to read the DHM parameters from.
* *
* \return \c 0 on success, or a specific DHM or PEM error code * \return \c 0 on success.
* on failure. * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error code
* error code on failure.
*/ */
int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
#endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_FS_IO */
@ -290,7 +298,8 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
/** /**
* \brief The DMH checkup routine. * \brief The DMH checkup routine.
* *
* \return \c 0 on success, or \c 1 on failure. * \return \c 0 on success.
* \return \c 1 on failure.
*/ */
int mbedtls_dhm_self_test( int verbose ); int mbedtls_dhm_self_test( int verbose );

179
include/mbedtls/ecdsa.h
View file

@ -1,9 +1,10 @@
/** /**
* \file ecdsa.h * \file ecdsa.h
* *
* \brief The Elliptic Curve Digital Signature Algorithm (ECDSA). * \brief This file contains ECDSA definitions and functions.
* *
* ECDSA is defined in <em>Standards for Efficient Cryptography Group (SECG): * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
* <em>Standards for Efficient Cryptography Group (SECG):
* SEC1 Elliptic Curve Cryptography</em>. * SEC1 Elliptic Curve Cryptography</em>.
* The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
* Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>. * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
@ -69,6 +70,14 @@ extern "C" {
* *
* \note The deterministic version is usually preferred. * \note The deterministic version is usually preferred.
* *
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated
* as defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \see ecp.h
*
* \param grp The ECP group. * \param grp The ECP group.
* \param r The first output integer. * \param r The first output integer.
* \param s The second output integer. * \param s The second output integer.
@ -76,18 +85,11 @@ extern "C" {
* \param buf The message hash. * \param buf The message hash.
* \param blen The length of \p buf. * \param blen The length of \p buf.
* \param f_rng The RNG function. * \param f_rng The RNG function.
* \param p_rng The RNG parameter. * \param p_rng The RNG context.
* *
* \note If the bitlength of the message hash is larger than the * \return \c 0 on success.
* bitlength of the group order, then the hash is truncated * \return An \c MBEDTLS_ERR_ECP_XXX
* as defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX
* or \c MBEDTLS_MPI_XXX error code on failure. * or \c MBEDTLS_MPI_XXX error code on failure.
*
* \see ecp.h
*/ */
int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen, const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
@ -97,10 +99,19 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
/** /**
* \brief This function computes the ECDSA signature of a * \brief This function computes the ECDSA signature of a
* previously-hashed message, deterministic version. * previously-hashed message, deterministic version.
*
* For more information, see <em>RFC-6979: Deterministic * For more information, see <em>RFC-6979: Deterministic
* Usage of the Digital Signature Algorithm (DSA) and Elliptic * Usage of the Digital Signature Algorithm (DSA) and Elliptic
* Curve Digital Signature Algorithm (ECDSA)</em>. * Curve Digital Signature Algorithm (ECDSA)</em>.
* *
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \see ecp.h
*
* \param grp The ECP group. * \param grp The ECP group.
* \param r The first output integer. * \param r The first output integer.
* \param s The second output integer. * \param s The second output integer.
@ -109,17 +120,9 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
* \param blen The length of \p buf. * \param blen The length of \p buf.
* \param md_alg The MD algorithm used to hash the message. * \param md_alg The MD algorithm used to hash the message.
* *
* \note If the bitlength of the message hash is larger than the * \return \c 0 on success.
* bitlength of the group order, then the hash is truncated as * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \return \c 0 on success,
* or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* error code on failure. * error code on failure.
*
* \see ecp.h
*/ */
int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen, const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
@ -130,6 +133,14 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
* \brief This function verifies the ECDSA signature of a * \brief This function verifies the ECDSA signature of a
* previously-hashed message. * previously-hashed message.
* *
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.4, step 3.
*
* \see ecp.h
*
* \param grp The ECP group. * \param grp The ECP group.
* \param buf The message hash. * \param buf The message hash.
* \param blen The length of \p buf. * \param blen The length of \p buf.
@ -137,18 +148,11 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
* \param r The first integer of the signature. * \param r The first integer of the signature.
* \param s The second integer of the signature. * \param s The second integer of the signature.
* *
* \note If the bitlength of the message hash is larger than the * \return \c 0 on success.
* bitlength of the group order, then the hash is truncated as * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
* defined in <em>Standards for Efficient Cryptography Group * is invalid.
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* 4.1.4, step 3.
*
* \return \c 0 on success,
* #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
* or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* error code on failure for any other reason. * error code on failure for any other reason.
*
* \see ecp.h
*/ */
int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
const unsigned char *buf, size_t blen, const unsigned char *buf, size_t blen,
@ -169,15 +173,6 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
* of the Digital Signature Algorithm (DSA) and Elliptic * of the Digital Signature Algorithm (DSA) and Elliptic
* Curve Digital Signature Algorithm (ECDSA)</em>. * Curve Digital Signature Algorithm (ECDSA)</em>.
* *
* \param ctx The ECDSA context.
* \param md_alg The message digest that was used to hash the message.
* \param hash The message hash.
* \param hlen The length of the hash.
* \param sig The buffer that holds the signature.
* \param slen The length of the signature written.
* \param f_rng The RNG function.
* \param p_rng The RNG parameter.
*
* \note The \p sig buffer must be at least twice as large as the * \note The \p sig buffer must be at least twice as large as the
* size of the curve used, plus 9. For example, 73 Bytes if * size of the curve used, plus 9. For example, 73 Bytes if
* a 256-bit curve is used. A buffer length of * a 256-bit curve is used. A buffer length of
@ -189,11 +184,20 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5. * 4.1.3, step 5.
* *
* \return \c 0 on success,
* or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*
* \see ecp.h * \see ecp.h
*
* \param ctx The ECDSA context.
* \param md_alg The message digest that was used to hash the message.
* \param hash The message hash.
* \param hlen The length of the hash.
* \param sig The buffer that holds the signature.
* \param slen The length of the signature written.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/ */
int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg, int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hlen, const unsigned char *hash, size_t hlen,
@ -209,26 +213,17 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
#define MBEDTLS_DEPRECATED #define MBEDTLS_DEPRECATED
#endif #endif
/** /**
* \brief This function computes an ECDSA signature and writes it to a buffer, * \brief This function computes an ECDSA signature and writes
* serialized as defined in <em>RFC-4492: Elliptic Curve Cryptography * it to a buffer, serialized as defined in <em>RFC-4492:
* (ECC) Cipher Suites for Transport Layer Security (TLS)</em>. * Elliptic Curve Cryptography (ECC) Cipher Suites for
* Transport Layer Security (TLS)</em>.
* *
* The deterministic version is defined in <em>RFC-6979: * The deterministic version is defined in <em>RFC-6979:
* Deterministic Usage of the Digital Signature Algorithm (DSA) and * Deterministic Usage of the Digital Signature Algorithm (DSA)
* Elliptic Curve Digital Signature Algorithm (ECDSA)</em>. * and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
* *
* \warning It is not thread-safe to use the same context in * \warning It is not thread-safe to use the same context in
* multiple threads. * multiple threads.
*
* \deprecated Superseded by mbedtls_ecdsa_write_signature() in 2.0.0
*
* \param ctx The ECDSA context.
* \param hash The Message hash.
* \param hlen The length of the hash.
* \param sig The buffer that holds the signature.
* \param slen The length of the signature written.
* \param md_alg The MD algorithm used to hash the message.
* *
* \note The \p sig buffer must be at least twice as large as the * \note The \p sig buffer must be at least twice as large as the
* size of the curve used, plus 9. For example, 73 Bytes if a * size of the curve used, plus 9. For example, 73 Bytes if a
@ -241,11 +236,21 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5. * 4.1.3, step 5.
* *
* \return \c 0 on success,
* or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*
* \see ecp.h * \see ecp.h
*
* \deprecated Superseded by mbedtls_ecdsa_write_signature() in
* Mbed TLS version 2.0 and later.
*
* \param ctx The ECDSA context.
* \param hash The message hash.
* \param hlen The length of the hash.
* \param sig The buffer that holds the signature.
* \param slen The length of the signature written.
* \param md_alg The MD algorithm used to hash the message.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/ */
int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
const unsigned char *hash, size_t hlen, const unsigned char *hash, size_t hlen,
@ -258,26 +263,26 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
/** /**
* \brief This function reads and verifies an ECDSA signature. * \brief This function reads and verifies an ECDSA signature.
* *
* \param ctx The ECDSA context.
* \param hash The message hash.
* \param hlen The size of the hash.
* \param sig The signature to read and verify.
* \param slen The size of \p sig.
*
* \note If the bitlength of the message hash is larger than the * \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as * bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group * defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.4, step 3. * 4.1.4, step 3.
* *
* \return \c 0 on success,
* #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
* #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
* signature in sig but its length is less than \p siglen,
* or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
* error code on failure for any other reason.
*
* \see ecp.h * \see ecp.h
*
* \param ctx The ECDSA context.
* \param hash The message hash.
* \param hlen The size of the hash.
* \param sig The signature to read and verify.
* \param slen The size of \p sig.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
* \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
* signature in \p sig, but its length is less than \p siglen.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
* error code on failure for any other reason.
*/ */
int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
const unsigned char *hash, size_t hlen, const unsigned char *hash, size_t hlen,
@ -286,16 +291,16 @@ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
/** /**
* \brief This function generates an ECDSA keypair on the given curve. * \brief This function generates an ECDSA keypair on the given curve.
* *
* \see ecp.h
*
* \param ctx The ECDSA context to store the keypair in. * \param ctx The ECDSA context to store the keypair in.
* \param gid The elliptic curve to use. One of the various * \param gid The elliptic curve to use. One of the various
* \c MBEDTLS_ECP_DP_XXX macros depending on configuration. * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
* \param f_rng The RNG function. * \param f_rng The RNG function.
* \param p_rng The RNG parameter. * \param p_rng The RNG context.
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on * \return \c 0 on success.
* failure. * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
*
* \see ecp.h
*/ */
int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
@ -303,13 +308,13 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
/** /**
* \brief This function sets an ECDSA context from an EC key pair. * \brief This function sets an ECDSA context from an EC key pair.
* *
* \see ecp.h
*
* \param ctx The ECDSA context to set. * \param ctx The ECDSA context to set.
* \param key The EC key to use. * \param key The EC key to use.
* *
* \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on * \return \c 0 on success.
* failure. * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
*
* \see ecp.h
*/ */
int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ); int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );

661
include/mbedtls/ecp.h
View file

@ -1,10 +1,21 @@
/** /**
* \file ecp.h * \file ecp.h
* *
* \brief Elliptic curves over GF(p) * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
*
* The use of ECP in cryptography and TLS is defined in
* <em>Standards for Efficient Cryptography Group (SECG): SEC1
* Elliptic Curve Cryptography</em> and
* <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
* for Transport Layer Security (TLS)</em>.
*
* <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
* group types.
*
*/ */
/* /*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
* Licensed under the Apache License, Version 2.0 (the "License"); you may * Licensed under the Apache License, Version 2.0 (the "License"); you may
@ -19,8 +30,9 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
* *
* This file is part of mbed TLS (https://tls.mbed.org) * This file is part of Mbed TLS (https://tls.mbed.org)
*/ */
#ifndef MBEDTLS_ECP_H #ifndef MBEDTLS_ECP_H
#define MBEDTLS_ECP_H #define MBEDTLS_ECP_H
@ -31,77 +43,79 @@
*/ */
#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */ #define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */
#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */ #define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */
#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80 /**< Requested curve not available. */ #define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80 /**< The requested feature is not available, for example, the requested curve is not supported. */
#define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */ #define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */
#define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80 /**< Memory allocation failed. */ #define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80 /**< Memory allocation failed. */
#define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as (ephemeral) key, failed. */ #define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as ephemeral key, failed. */
#define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */ #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */
#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< The buffer contains a valid signature followed by more data. */ #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< The buffer contains a valid signature followed by more data. */
#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< ECP hardware accelerator failed. */ #define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< The ECP hardware accelerator failed. */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif
/** /**
* Domain parameters (curve, subgroup and generator) identifiers. * Domain-parameter identifiers: curve, subgroup, and generator.
* *
* Only curves over prime fields are supported. * \note Only curves over prime fields are supported.
* *
* \warning This library does not support validation of arbitrary domain * \warning This library does not support validation of arbitrary domain
* parameters. Therefore, only well-known domain parameters from trusted * parameters. Therefore, only standardized domain parameters from trusted
* sources should be used. See mbedtls_ecp_group_load(). * sources should be used. See mbedtls_ecp_group_load().
*/ */
typedef enum typedef enum
{ {
MBEDTLS_ECP_DP_NONE = 0, MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
MBEDTLS_ECP_DP_SECP192R1, /*!< 192-bits NIST curve */ MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP224R1, /*!< 224-bits NIST curve */ MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP256R1, /*!< 256-bits NIST curve */ MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP384R1, /*!< 384-bits NIST curve */ MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_SECP521R1, /*!< 521-bits NIST curve */ MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
MBEDTLS_ECP_DP_BP256R1, /*!< 256-bits Brainpool curve */ MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */
MBEDTLS_ECP_DP_BP384R1, /*!< 384-bits Brainpool curve */ MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */
MBEDTLS_ECP_DP_BP512R1, /*!< 512-bits Brainpool curve */ MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */
MBEDTLS_ECP_DP_CURVE25519, /*!< Curve25519 */ MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */
MBEDTLS_ECP_DP_CURVE448, /*!< Curve448 */ MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
MBEDTLS_ECP_DP_SECP192K1, /*!< 192-bits "Koblitz" curve */ MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_SECP224K1, /*!< 224-bits "Koblitz" curve */ MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_SECP256K1, /*!< 256-bits "Koblitz" curve */ MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
} mbedtls_ecp_group_id; } mbedtls_ecp_group_id;
/** /**
* Number of supported curves (plus one for NONE). * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
* *
* (Montgomery curves excluded for now.) * \note Montgomery curves are currently excluded.
*/ */
#define MBEDTLS_ECP_DP_MAX 12 #define MBEDTLS_ECP_DP_MAX 12
/** /**
* Curve information for use by other modules * Curve information, for use by other modules.
*/ */
typedef struct typedef struct
{ {
mbedtls_ecp_group_id grp_id; /*!< Internal identifier */ mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
uint16_t tls_id; /*!< TLS NamedCurve identifier */ uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
uint16_t bit_size; /*!< Curve size in bits */ uint16_t bit_size; /*!< The curve size in bits. */
const char *name; /*!< Human-friendly name */ const char *name; /*!< A human-friendly name. */
} mbedtls_ecp_curve_info; } mbedtls_ecp_curve_info;
/** /**
* \brief ECP point structure (jacobian coordinates) * \brief The ECP point structure, in Jacobian coordinates.
* *
* \note All functions expect and return points satisfying * \note All functions expect and return points satisfying
* the following condition: Z == 0 or Z == 1. (Other * the following condition: <code>Z == 0</code> or
* values of Z are used by internal functions only.) * <code>Z == 1</code>. Other values of \p Z are
* The point is zero, or "at infinity", if Z == 0. * used only by internal functions.
* Otherwise, X and Y are its standard (affine) coordinates. * The point is zero, or "at infinity", if <code>Z == 0</code>.
* Otherwise, \p X and \p Y are its standard (affine)
* coordinates.
*/ */
typedef struct typedef struct
{ {
mbedtls_mpi X; /*!< the point's X coordinate */ mbedtls_mpi X; /*!< The X coordinate of the ECP point. */
mbedtls_mpi Y; /*!< the point's Y coordinate */ mbedtls_mpi Y; /*!< The Y coordinate of the ECP point. */
mbedtls_mpi Z; /*!< the point's Z coordinate */ mbedtls_mpi Z; /*!< The Z coordinate of the ECP point. */
} }
mbedtls_ecp_point; mbedtls_ecp_point;
@ -115,46 +129,55 @@ mbedtls_ecp_point;
*/ */
/** /**
* \brief ECP group structure * \brief The ECP group structure.
* *
* We consider two types of curves equations: * We consider two types of curve equations:
* 1. Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492) * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
* 2. Montgomery, y^2 = x^3 + A x^2 + x mod P (Curve25519 + draft) * (SEC1 + RFC-4492)</li>
* In both cases, a generator G for a prime-order subgroup is fixed. In the * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
* short weierstrass, this subgroup is actually the whole curve, and its * Curve448)</li></ul>
* cardinal is denoted by N. * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
* *
* In the case of Short Weierstrass curves, our code requires that N is an odd * For Short Weierstrass, this subgroup is the whole curve, and its
* prime. (Use odd in mbedtls_ecp_mul() and prime in mbedtls_ecdsa_sign() for blinding.) * cardinality is denoted by \p N. Our code requires that \p N is an
* odd prime as mbedtls_ecp_mul() requires an odd number, and
* mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
* *
* In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
* the quantity actually used in the formulas. Also, nbits is not the size of N * which is the quantity used in the formulas. Additionally, \p nbits is
* but the required size for private keys. * not the size of \p N but the required size for private keys.
*
* If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
* Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
* range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
* which is congruent mod \p P to the given MPI, and is close enough to \p pbits
* in size, so that it may be efficiently brought in the 0..P-1 range by a few
* additions or subtractions. Therefore, it is only an approximative modular
* reduction. It must return 0 on success and non-zero on failure.
* *
* If modp is NULL, reduction modulo P is done using a generic algorithm.
* Otherwise, it must point to a function that takes an mbedtls_mpi in the range
* 0..2^(2*pbits)-1 and transforms it in-place in an integer of little more
* than pbits, so that the integer may be efficiently brought in the 0..P-1
* range by a few additions or substractions. It must return 0 on success and
* non-zero on failure.
*/ */
typedef struct typedef struct
{ {
mbedtls_ecp_group_id id; /*!< internal group identifier */ mbedtls_ecp_group_id id; /*!< An internal group identifier. */
mbedtls_mpi P; /*!< prime modulus of the base field */ mbedtls_mpi P; /*!< The prime modulus of the base field. */
mbedtls_mpi A; /*!< 1. A in the equation, or 2. (A + 2) / 4 */ mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For
mbedtls_mpi B; /*!< 1. B in the equation, or 2. unused */ Montgomery curves: <code>(A + 2) / 4</code>. */
mbedtls_ecp_point G; /*!< generator of the (sub)group used */ mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
mbedtls_mpi N; /*!< the order of G */ For Montgomery curves: unused. */
size_t pbits; /*!< number of bits in P */ mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
size_t nbits; /*!< number of bits in 1. P, or 2. private keys */ mbedtls_mpi N; /*!< The order of \p G. */
unsigned int h; /*!< internal: 1 if the constants are static */ size_t pbits; /*!< The number of bits in \p P.*/
int (*modp)(mbedtls_mpi *); /*!< function for fast reduction mod P */ size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P.
int (*t_pre)(mbedtls_ecp_point *, void *); /*!< unused */ For Montgomery curves: the number of bits in the
int (*t_post)(mbedtls_ecp_point *, void *); /*!< unused */ private keys. */
void *t_data; /*!< unused */ unsigned int h; /*!< \internal 1 if the constants are static. */
mbedtls_ecp_point *T; /*!< pre-computed points for ecp_mul_comb() */ int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
size_t T_size; /*!< number for pre-computed points */ mod \p P (see above).*/
int (*t_pre)(mbedtls_ecp_point *, void *); /*!< Unused. */
int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
void *t_data; /*!< Unused. */
mbedtls_ecp_point *T; /*!< Pre-computed points for ecp_mul_comb(). */
size_t T_size; /*!< The number of pre-computed points. */
} }
mbedtls_ecp_group; mbedtls_ecp_group;
@ -162,15 +185,15 @@ mbedtls_ecp_group;
* \name SECTION: Module settings * \name SECTION: Module settings
* *
* The configuration options you can set for this module are in this section. * The configuration options you can set for this module are in this section.
* Either change them in config.h or define them on the compiler command line. * Either change them in config.h, or define them using the compiler command line.
* \{ * \{
*/ */
#if !defined(MBEDTLS_ECP_MAX_BITS) #if !defined(MBEDTLS_ECP_MAX_BITS)
/** /**
* Maximum size of the groups (that is, of N and P) * The maximum size of the groups, that is, of \c N and \c P.
*/ */
#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ #define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */
#endif #endif
#define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) #define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
@ -193,11 +216,10 @@ mbedtls_ecp_group;
* 521 145 141 135 120 97 * 521 145 141 135 120 97
* 384 214 209 198 177 146 * 384 214 209 198 177 146
* 256 320 320 303 262 226 * 256 320 320 303 262 226
* 224 475 475 453 398 342 * 224 475 475 453 398 342
* 192 640 640 633 587 476 * 192 640 640 633 587 476
*/ */
#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ #define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */
#endif /* MBEDTLS_ECP_WINDOW_SIZE */ #endif /* MBEDTLS_ECP_WINDOW_SIZE */
#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
@ -212,7 +234,7 @@ mbedtls_ecp_group;
* *
* Change this value to 0 to reduce peak memory usage. * Change this value to 0 to reduce peak memory usage.
*/ */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */
#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
/* \} name SECTION: Module settings */ /* \} name SECTION: Module settings */
@ -222,11 +244,12 @@ mbedtls_ecp_group;
#endif /* MBEDTLS_ECP_ALT */ #endif /* MBEDTLS_ECP_ALT */
/** /**
* \brief ECP key pair structure * \brief The ECP key-pair structure.
* *
* A generic key pair that could be used for ECDSA, fixed ECDH, etc. * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
* *
* \note Members purposefully in the same order as struc mbedtls_ecdsa_context. * \note Members are deliberately in the same order as in the
* ::mbedtls_ecdsa_context structure.
*/ */
typedef struct typedef struct
{ {
@ -239,25 +262,27 @@ mbedtls_ecp_keypair;
/* /*
* Point formats, from RFC 4492's enum ECPointFormat * Point formats, from RFC 4492's enum ECPointFormat
*/ */
#define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format */ #define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format. */
#define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format */ #define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format. */
/* /*
* Some other constants from RFC 4492 * Some other constants from RFC 4492
*/ */
#define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< ECCurveType's named_curve */ #define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
/** /**
* \brief Get the list of supported curves in order of preferrence * \brief This function retrieves the information defined in
* (full information) * mbedtls_ecp_curve_info() for all supported curves in order
* of preference.
* *
* \return A statically allocated array, the last entry is 0. * \return A statically allocated array. The last entry is 0.
*/ */
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void ); const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
/** /**
* \brief Get the list of supported curves in order of preferrence * \brief This function retrieves the list of internal group
* (grp_id only) * identifiers of all supported curves in the order of
* preference.
* *
* \return A statically allocated array, * \return A statically allocated array,
* terminated with MBEDTLS_ECP_DP_NONE. * terminated with MBEDTLS_ECP_DP_NONE.
@ -265,357 +290,400 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void ); const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
/** /**
* \brief Get curve information from an internal group identifier * \brief This function retrieves curve information from an internal
* group identifier.
* *
* \param grp_id A MBEDTLS_ECP_DP_XXX value * \param grp_id An \c MBEDTLS_ECP_DP_XXX value.
* *
* \return The associated curve information or NULL * \return The associated curve information on success.
* \return NULL on failure.
*/ */
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id ); const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
/** /**
* \brief Get curve information from a TLS NamedCurve value * \brief This function retrieves curve information from a TLS
* NamedCurve value.
* *
* \param tls_id A MBEDTLS_ECP_DP_XXX value * \param tls_id An \c MBEDTLS_ECP_DP_XXX value.
* *
* \return The associated curve information or NULL * \return The associated curve information on success.
* \return NULL on failure.
*/ */
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id ); const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
/** /**
* \brief Get curve information from a human-readable name * \brief This function retrieves curve information from a
* human-readable name.
* *
* \param name The name * \param name The human-readable name.
* *
* \return The associated curve information or NULL * \return The associated curve information on success.
* \return NULL on failure.
*/ */
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name ); const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
/** /**
* \brief Initialize a point (as zero) * \brief This function initializes a point as zero.
*
* \param pt The point to initialize.
*/ */
void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ); void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
/** /**
* \brief Initialize a group (to something meaningless) * \brief This function initializes an ECP group context
* without loading any domain parameters.
*
* \note After this function is called, domain parameters
* for various ECP groups can be loaded through the
* mbedtls_ecp_load() or mbedtls_ecp_tls_read_group()
* functions.
*/ */
void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ); void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
/** /**
* \brief Initialize a key pair (as an invalid one) * \brief This function initializes a key pair as an invalid one.
*
* \param key The key pair to initialize.
*/ */
void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key ); void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
/** /**
* \brief Free the components of a point * \brief This function frees the components of a point.
*
* \param pt The point to free.
*/ */
void mbedtls_ecp_point_free( mbedtls_ecp_point *pt ); void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
/** /**
* \brief Free the components of an ECP group * \brief This function frees the components of an ECP group.
* \param grp The group to free.
*/ */
void mbedtls_ecp_group_free( mbedtls_ecp_group *grp ); void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
/** /**
* \brief Free the components of a key pair * \brief This function frees the components of a key pair.
* \param key The key pair to free.
*/ */
void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key ); void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
/** /**
* \brief Copy the contents of point Q into P * \brief This function copies the contents of point \p Q into
* point \p P.
* *
* \param P Destination point * \param P The destination point.
* \param Q Source point * \param Q The source point.
* *
* \return 0 if successful, * \return \c 0 on success.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
*/ */
int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ); int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
/** /**
* \brief Copy the contents of a group object * \brief This function copies the contents of group \p src into
* group \p dst.
* *
* \param dst Destination group * \param dst The destination group.
* \param src Source group * \param src The source group.
* *
* \return 0 if successful, * \return \c 0 on success.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
*/ */
int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src ); int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src );
/** /**
* \brief Set a point to zero * \brief This function sets a point to zero.
* *
* \param pt Destination point * \param pt The point to set.
* *
* \return 0 if successful, * \return \c 0 on success.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
*/ */
int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ); int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
/** /**
* \brief Tell if a point is zero * \brief This function checks if a point is zero.
* *
* \param pt Point to test * \param pt The point to test.
* *
* \return 1 if point is zero, 0 otherwise * \return \c 1 if the point is zero.
* \return \c 0 if the point is non-zero.
*/ */
int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ); int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
/** /**
* \brief Compare two points * \brief This function compares two points.
* *
* \note This assumes the points are normalized. Otherwise, * \note This assumes that the points are normalized. Otherwise,
* they may compare as "not equal" even if they are. * they may compare as "not equal" even if they are.
* *
* \param P First point to compare * \param P The first point to compare.
* \param Q Second point to compare * \param Q The second point to compare.
* *
* \return 0 if the points are equal, * \return \c 0 if the points are equal.
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
*/ */
int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
const mbedtls_ecp_point *Q ); const mbedtls_ecp_point *Q );
/** /**
* \brief Import a non-zero point from two ASCII strings * \brief This function imports a non-zero point from two ASCII
* strings.
* *
* \param P Destination point * \param P The destination point.
* \param radix Input numeric base * \param radix The numeric base of the input.
* \param x First affine coordinate as a null-terminated string * \param x The first affine coordinate, as a null-terminated string.
* \param y Second affine coordinate as a null-terminated string * \param y The second affine coordinate, as a null-terminated string.
* *
* \return 0 if successful, or a MBEDTLS_ERR_MPI_XXX error code * \return \c 0 on success.
* \return An \c MBEDTLS_ERR_MPI_XXX error code on failure.
*/ */
int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix, int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
const char *x, const char *y ); const char *x, const char *y );
/** /**
* \brief Export a point into unsigned binary data * \brief This function exports a point into unsigned binary data.
* *
* \param grp Group to which the point should belong * \param grp The group to which the point should belong.
* \param P Point to export * \param P The point to export.
* \param format Point format, should be a MBEDTLS_ECP_PF_XXX macro * \param format The point format. Should be an \c MBEDTLS_ECP_PF_XXX macro.
* \param olen Length of the actual output * \param olen The length of the output.
* \param buf Output buffer * \param buf The output buffer.
* \param buflen Length of the output buffer * \param buflen The length of the output buffer.
* *
* \return 0 if successful, * \return \c 0 on success.
* or MBEDTLS_ERR_ECP_BAD_INPUT_DATA * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA
* or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL * or #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
*/ */
int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P, int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
int format, size_t *olen, int format, size_t *olen,
unsigned char *buf, size_t buflen ); unsigned char *buf, size_t buflen );
/** /**
* \brief Import a point from unsigned binary data * \brief This function imports a point from unsigned binary data.
* *
* \param grp Group to which the point should belong * \note This function does not check that the point actually
* \param P Point to import * belongs to the given group, see mbedtls_ecp_check_pubkey()
* \param buf Input buffer * for that.
* \param ilen Actual length of input
* *
* \return 0 if successful, * \param grp The group to which the point should belong.
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid, * \param P The point to import.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed, * \param buf The input buffer.
* MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format * \param ilen The length of the input.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
* is not implemented. * is not implemented.
* *
* \note This function does NOT check that the point actually
* belongs to the given group, see mbedtls_ecp_check_pubkey() for
* that.
*/ */
int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P, int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
const unsigned char *buf, size_t ilen ); const unsigned char *buf, size_t ilen );
/** /**
* \brief Import a point from a TLS ECPoint record * \brief This function imports a point from a TLS ECPoint record.
* *
* \param grp ECP group used * \note On function return, \p buf is updated to point to immediately
* \param pt Destination point * after the ECPoint record.
* \param buf $(Start of input buffer)
* \param len Buffer length
* *
* \note buf is updated to point right after the ECPoint on exit * \param grp The ECP group used.
* \param pt The destination point.
* \param buf The address of the pointer to the start of the input buffer.
* \param len The length of the buffer.
* *
* \return 0 if successful, * \return \c 0 on success.
* MBEDTLS_ERR_MPI_XXX if initialization failed * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
*/ */
int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt, int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
const unsigned char **buf, size_t len ); const unsigned char **buf, size_t len );
/** /**
* \brief Export a point as a TLS ECPoint record * \brief This function exports a point as a TLS ECPoint record.
* *
* \param grp ECP group used * \param grp The ECP group used.
* \param pt Point to export * \param pt The point format to export to. The point format is an
* \param format Export format * \c MBEDTLS_ECP_PF_XXX constant.
* \param olen length of data written * \param format The export format.
* \param buf Buffer to write to * \param olen The length of the data written.
* \param blen Buffer length * \param buf The buffer to write to.
* \param blen The length of the buffer.
* *
* \return 0 if successful, * \return \c 0 on success.
* or MBEDTLS_ERR_ECP_BAD_INPUT_DATA * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA or
* or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL * #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
*/ */
int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt, int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
int format, size_t *olen, int format, size_t *olen,
unsigned char *buf, size_t blen ); unsigned char *buf, size_t blen );
/** /**
* \brief Set a group using well-known domain parameters * \brief This function sets a group using standardized domain parameters.
* *
* \param grp Destination group * \note The index should be a value of the NamedCurve enum,
* \param id Index in the list of well-known domain parameters * as defined in <em>RFC-4492: Elliptic Curve Cryptography
* (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
* usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
* *
* \return 0 if successful, * \param grp The destination group.
* MBEDTLS_ERR_MPI_XXX if initialization failed * \param id The identifier of the domain parameter set to load.
* MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups
* *
* \note Index should be a value of RFC 4492's enum NamedCurve, * \return \c 0 on success,
* usually in the form of a MBEDTLS_ECP_DP_XXX macro. * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups.
*/ */
int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ); int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
/** /**
* \brief Set a group from a TLS ECParameters record * \brief This function sets a group from a TLS ECParameters record.
* *
* \param grp Destination group * \note \p buf is updated to point right after the ECParameters record
* \param buf &(Start of input buffer) * on exit.
* \param len Buffer length
* *
* \note buf is updated to point right after ECParameters on exit * \param grp The destination group.
* \param buf The address of the pointer to the start of the input buffer.
* \param len The length of the buffer.
* *
* \return 0 if successful, * \return \c 0 on success.
* MBEDTLS_ERR_MPI_XXX if initialization failed * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
*/ */
int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len ); int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len );
/** /**
* \brief Write the TLS ECParameters record for a group * \brief This function writes the TLS ECParameters record for a group.
* *
* \param grp ECP group used * \param grp The ECP group used.
* \param olen Number of bytes actually written * \param olen The number of Bytes written.
* \param buf Buffer to write to * \param buf The buffer to write to.
* \param blen Buffer length * \param blen The length of the buffer.
* *
* \return 0 if successful, * \return \c 0 on success.
* or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
*/ */
int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen, int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
unsigned char *buf, size_t blen ); unsigned char *buf, size_t blen );
/** /**
* \brief Multiplication by an integer: R = m * P * \brief This function performs multiplication of a point by
* (Not thread-safe to use same group in multiple threads) * an integer: \p R = \p m * \p P.
* *
* \note In order to prevent timing attacks, this function * It is not thread-safe to use same group in multiple threads.
* executes the exact same sequence of (base field)
* operations for any valid m. It avoids any if-branch or
* array index depending on the value of m.
* *
* \note If f_rng is not NULL, it is used to randomize intermediate * \note To prevent timing attacks, this function
* results in order to prevent potential timing attacks * executes the exact same sequence of base-field
* targeting these results. It is recommended to always * operations for any valid \p m. It avoids any if-branch or
* provide a non-NULL f_rng (the overhead is negligible). * array index depending on the value of \p m.
* *
* \param grp ECP group * \note If \p f_rng is not NULL, it is used to randomize
* \param R Destination point * intermediate results to prevent potential timing attacks
* \param m Integer by which to multiply * targeting these results. We recommend always providing
* \param P Point to multiply * a non-NULL \p f_rng. The overhead is negligible.
* \param f_rng RNG function (see notes)
* \param p_rng RNG parameter
* *
* \return 0 if successful, * \param grp The ECP group.
* MBEDTLS_ERR_ECP_INVALID_KEY if m is not a valid privkey * \param R The destination point.
* or P is not a valid pubkey, * \param m The integer by which to multiply.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed * \param P The point to multiply.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
* key, or \p P is not a valid public key.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
*/ */
int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P, const mbedtls_mpi *m, const mbedtls_ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/** /**
* \brief Multiplication and addition of two points by integers: * \brief This function performs multiplication and addition of two
* R = m * P + n * Q * points by integers: \p R = \p m * \p P + \p n * \p Q
* (Not thread-safe to use same group in multiple threads)
* *
* \note In contrast to mbedtls_ecp_mul(), this function does not guarantee * It is not thread-safe to use same group in multiple threads.
* a constant execution flow and timing.
* *
* \param grp ECP group * \note In contrast to mbedtls_ecp_mul(), this function does not
* \param R Destination point * guarantee a constant execution flow and timing.
* \param m Integer by which to multiply P
* \param P Point to multiply by m
* \param n Integer by which to multiply Q
* \param Q Point to be multiplied by n
* *
* \return 0 if successful, * \param grp The ECP group.
* MBEDTLS_ERR_ECP_INVALID_KEY if m or n is not a valid privkey * \param R The destination point.
* or P or Q is not a valid pubkey, * \param m The integer by which to multiply \p P.
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed * \param P The point to multiply by \p m.
* \param n The integer by which to multiply \p Q.
* \param Q The point to be multiplied by \p n.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
* valid private keys, or \p P or \p Q are not valid public
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
*/ */
int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P, const mbedtls_mpi *m, const mbedtls_ecp_point *P,
const mbedtls_mpi *n, const mbedtls_ecp_point *Q ); const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
/** /**
* \brief Check that a point is a valid public key on this curve * \brief This function checks that a point is a valid public key
* on this curve.
* *
* \param grp Curve/group the point should belong to * It only checks that the point is non-zero, has
* \param pt Point to check * valid coordinates and lies on the curve. It does not verify
* that it is indeed a multiple of \p G. This additional
* check is computationally more expensive, is not required
* by standards, and should not be necessary if the group
* used has a small cofactor. In particular, it is useless for
* the NIST groups which all have a cofactor of 1.
* *
* \return 0 if point is a valid public key, * \note This function uses bare components rather than an
* MBEDTLS_ERR_ECP_INVALID_KEY otherwise. * ::mbedtls_ecp_keypair structure, to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
* *
* \note This function only checks the point is non-zero, has valid * \param grp The curve the point should lie on.
* coordinates and lies on the curve, but not that it is * \param pt The point to check.
* indeed a multiple of G. This is additional check is more
* expensive, isn't required by standards, and shouldn't be
* necessary if the group used has a small cofactor. In
* particular, it is useless for the NIST groups which all
* have a cofactor of 1.
* *
* \note Uses bare components rather than an mbedtls_ecp_keypair structure * \return \c 0 if the point is a valid public key.
* in order to ease use with other structures such as * \return #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
* mbedtls_ecdh_context of mbedtls_ecdsa_context.
*/ */
int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt ); int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt );
/** /**
* \brief Check that an mbedtls_mpi is a valid private key for this curve * \brief This function checks that an \p mbedtls_mpi is a valid private
* key for this curve.
* *
* \param grp Group used * \note This function uses bare components rather than an
* \param d Integer to check * ::mbedtls_ecp_keypair structure to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
* *
* \return 0 if point is a valid private key, * \param grp The group used.
* MBEDTLS_ERR_ECP_INVALID_KEY otherwise. * \param d The integer to check.
* *
* \note Uses bare components rather than an mbedtls_ecp_keypair structure * \return \c 0 if the point is a valid private key.
* in order to ease use with other structures such as * \return #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
* mbedtls_ecdh_context of mbedtls_ecdsa_context.
*/ */
int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d ); int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d );
/** /**
* \brief Generate a keypair with configurable base point * \brief This function generates a keypair with a configurable base
* point.
* *
* \param grp ECP group * \note This function uses bare components rather than an
* \param G Chosen base point * ::mbedtls_ecp_keypair structure to ease use with other
* \param d Destination MPI (secret part) * structures, such as ::mbedtls_ecdh_context or
* \param Q Destination point (public part) * ::mbedtls_ecdsa_context.
* \param f_rng RNG function
* \param p_rng RNG parameter
* *
* \return 0 if successful, * \param grp The ECP group.
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code * \param G The chosen base point.
* \param d The destination MPI (secret part).
* \param Q The destination point (public part).
* \param f_rng The RNG function.
* \param p_rng The RNG context.
* *
* \note Uses bare components rather than an mbedtls_ecp_keypair structure * \return \c 0 on success.
* in order to ease use with other structures such as * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* mbedtls_ecdh_context of mbedtls_ecdsa_context. * on failure.
*/ */
int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
const mbedtls_ecp_point *G, const mbedtls_ecp_point *G,
@ -624,57 +692,66 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
void *p_rng ); void *p_rng );
/** /**
* \brief Generate a keypair * \brief This function generates an ECP keypair.
* *
* \param grp ECP group * \note This function uses bare components rather than an
* \param d Destination MPI (secret part) * ::mbedtls_ecp_keypair structure to ease use with other
* \param Q Destination point (public part) * structures, such as ::mbedtls_ecdh_context or
* \param f_rng RNG function * ::mbedtls_ecdsa_context.
* \param p_rng RNG parameter
* *
* \return 0 if successful, * \param grp The ECP group.
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code * \param d The destination MPI (secret part).
* \param Q The destination point (public part).
* \param f_rng The RNG function.
* \param p_rng The RNG context.
* *
* \note Uses bare components rather than an mbedtls_ecp_keypair structure * \return \c 0 on success.
* in order to ease use with other structures such as * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* mbedtls_ecdh_context of mbedtls_ecdsa_context. * on failure.
*/ */
int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng ); void *p_rng );
/** /**
* \brief Generate a keypair * \brief This function generates an ECP key.
* *
* \param grp_id ECP group identifier * \param grp_id The ECP group identifier.
* \param key Destination keypair * \param key The destination key.
* \param f_rng RNG function * \param f_rng The RNG function.
* \param p_rng RNG parameter * \param p_rng The RNG context.
* *
* \return 0 if successful, * \return \c 0 on success.
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
*/ */
int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/** /**
* \brief Check a public-private key pair * \brief This function checks that the keypair objects
* \p pub and \p prv have the same group and the
* same public point, and that the private key in
* \p prv is consistent with the public key.
* *
* \param pub Keypair structure holding a public key * \param pub The keypair structure holding the public key.
* \param prv Keypair structure holding a private (plus public) key * If it contains a private key, that part is ignored.
* \param prv The keypair structure holding the full keypair.
* *
* \return 0 if successful (keys are valid and match), or * \return \c 0 on success, meaning that the keys are valid and match.
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA, or * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
* a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX code. * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
* error code on calculation failure.
*/ */
int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv ); int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv );
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
/** /**
* \brief Checkup routine * \brief The ECP checkup routine.
* *
* \return 0 if successful, or 1 if a test failed * \return \c 0 on success.
* \return \c 1 on failure.
*/ */
int mbedtls_ecp_self_test( int verbose ); int mbedtls_ecp_self_test( int verbose );

55
include/mbedtls/gcm.h
View file

@ -1,7 +1,9 @@
/** /**
* \file gcm.h * \file gcm.h
* *
* \brief Galois/Counter Mode (GCM) for 128-bit block ciphers, as defined * \brief This file contains GCM definitions and functions.
*
* The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
* in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
* (GCM), Natl. Inst. Stand. Technol.</em> * (GCM), Natl. Inst. Stand. Technol.</em>
* *
@ -95,7 +97,8 @@ void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
* <li>192 bits</li> * <li>192 bits</li>
* <li>256 bits</li></ul> * <li>256 bits</li></ul>
* *
* \return \c 0 on success, or a cipher specific error code. * \return \c 0 on success.
* \return A cipher-specific error code on failure.
*/ */
int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
mbedtls_cipher_id_t cipher, mbedtls_cipher_id_t cipher,
@ -105,15 +108,16 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
/** /**
* \brief This function performs GCM encryption or decryption of a buffer. * \brief This function performs GCM encryption or decryption of a buffer.
* *
* \note For encryption, the output buffer can be the same as the input buffer. * \note For encryption, the output buffer can be the same as the
* For decryption, the output buffer cannot be the same as input buffer. * input buffer. For decryption, the output buffer cannot be
* If the buffers overlap, the output buffer must trail at least 8 Bytes * the same as input buffer. If the buffers overlap, the output
* behind the input buffer. * buffer must trail at least 8 Bytes behind the input buffer.
* *
* \param ctx The GCM context to use for encryption or decryption. * \param ctx The GCM context to use for encryption or decryption.
* \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
* #MBEDTLS_GCM_DECRYPT. * #MBEDTLS_GCM_DECRYPT.
* \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). * \param length The length of the input data. This must be a multiple of
* 16 except in the last call before mbedtls_gcm_finish().
* \param iv The initialization vector. * \param iv The initialization vector.
* \param iv_len The length of the IV. * \param iv_len The length of the IV.
* \param add The buffer holding the additional data. * \param add The buffer holding the additional data.
@ -141,12 +145,13 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
* \brief This function performs a GCM authenticated decryption of a * \brief This function performs a GCM authenticated decryption of a
* buffer. * buffer.
* *
* \note For decryption, the output buffer cannot be the same as input buffer. * \note For decryption, the output buffer cannot be the same as
* If the buffers overlap, the output buffer must trail at least 8 Bytes * input buffer. If the buffers overlap, the output buffer
* behind the input buffer. * must trail at least 8 Bytes behind the input buffer.
* *
* \param ctx The GCM context. * \param ctx The GCM context.
* \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). * \param length The length of the input data. This must be a multiple
* of 16 except in the last call before mbedtls_gcm_finish().
* \param iv The initialization vector. * \param iv The initialization vector.
* \param iv_len The length of the IV. * \param iv_len The length of the IV.
* \param add The buffer holding the additional data. * \param add The buffer holding the additional data.
@ -156,8 +161,8 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
* \param input The buffer holding the input data. * \param input The buffer holding the input data.
* \param output The buffer for holding the output data. * \param output The buffer for holding the output data.
* *
* \return 0 if successful and authenticated, or * \return 0 if successful and authenticated.
* #MBEDTLS_ERR_GCM_AUTH_FAILED if tag does not match. * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
*/ */
int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx, int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
size_t length, size_t length,
@ -179,8 +184,10 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
* #MBEDTLS_GCM_DECRYPT. * #MBEDTLS_GCM_DECRYPT.
* \param iv The initialization vector. * \param iv The initialization vector.
* \param iv_len The length of the IV. * \param iv_len The length of the IV.
* \param add The buffer holding the additional data, or NULL if \p add_len is 0. * \param add The buffer holding the additional data, or NULL
* \param add_len The length of the additional data. If 0, \p add is NULL. * if \p add_len is 0.
* \param add_len The length of the additional data. If 0,
* \p add is NULL.
* *
* \return \c 0 on success. * \return \c 0 on success.
*/ */
@ -199,16 +206,18 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
* Bytes. Only the last call before calling * Bytes. Only the last call before calling
* mbedtls_gcm_finish() can be less than 16 Bytes. * mbedtls_gcm_finish() can be less than 16 Bytes.
* *
* \note For decryption, the output buffer cannot be the same as input buffer. * \note For decryption, the output buffer cannot be the same as
* If the buffers overlap, the output buffer must trail at least 8 Bytes * input buffer. If the buffers overlap, the output buffer
* behind the input buffer. * must trail at least 8 Bytes behind the input buffer.
* *
* \param ctx The GCM context. * \param ctx The GCM context.
* \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). * \param length The length of the input data. This must be a multiple of
* 16 except in the last call before mbedtls_gcm_finish().
* \param input The buffer holding the input data. * \param input The buffer holding the input data.
* \param output The buffer for holding the output data. * \param output The buffer for holding the output data.
* *
* \return \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure. * \return \c 0 on success.
* \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
*/ */
int mbedtls_gcm_update( mbedtls_gcm_context *ctx, int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
size_t length, size_t length,
@ -226,7 +235,8 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
* \param tag The buffer for holding the tag. * \param tag The buffer for holding the tag.
* \param tag_len The length of the tag to generate. Must be at least four. * \param tag_len The length of the tag to generate. Must be at least four.
* *
* \return \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure. * \return \c 0 on success.
* \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
*/ */
int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
unsigned char *tag, unsigned char *tag,
@ -243,7 +253,8 @@ void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
/** /**
* \brief The GCM checkup routine. * \brief The GCM checkup routine.
* *
* \return \c 0 on success, or \c 1 on failure. * \return \c 0 on success.
* \return \c 1 on failure.
*/ */
int mbedtls_gcm_self_test( int verbose ); int mbedtls_gcm_self_test( int verbose );

6
library/error.c
View file

@ -256,19 +256,19 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) ) if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" ); mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) ) if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
mbedtls_snprintf( buf, buflen, "ECP - Requested curve not available" ); mbedtls_snprintf( buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported" );
if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) ) if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" ); mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) ) if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" ); mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) ) if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as (ephemeral) key, failed" ); mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed" );
if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) ) if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" ); mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) ) if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" ); mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) ) if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
mbedtls_snprintf( buf, buflen, "ECP - ECP hardware accelerator failed" ); mbedtls_snprintf( buf, buflen, "ECP - The ECP hardware accelerator failed" );
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)