/*1* Copyright (c) 2016 Thomas Pornin <[email protected]>2*3* Permission is hereby granted, free of charge, to any person obtaining4* a copy of this software and associated documentation files (the5* "Software"), to deal in the Software without restriction, including6* without limitation the rights to use, copy, modify, merge, publish,7* distribute, sublicense, and/or sell copies of the Software, and to8* permit persons to whom the Software is furnished to do so, subject to9* the following conditions:10*11* The above copyright notice and this permission notice shall be12* included in all copies or substantial portions of the Software.13*14* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,15* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF16* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND17* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS18* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN19* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN20* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE21* SOFTWARE.22*/2324#ifndef BR_BEARSSL_EC_H__25#define BR_BEARSSL_EC_H__2627#include <stddef.h>28#include <stdint.h>2930#include "bearssl_rand.h"3132#ifdef __cplusplus33extern "C" {34#endif3536/** \file bearssl_ec.h37*38* # Elliptic Curves39*40* This file documents the EC implementations provided with BearSSL, and41* ECDSA.42*43* ## Elliptic Curve API44*45* Only "named curves" are supported. Each EC implementation supports46* one or several named curves, identified by symbolic identifiers.47* These identifiers are small integers, that correspond to the values48* registered by the49* [IANA](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).50*51* Since all currently defined elliptic curve identifiers are in the 0..3152* range, it is convenient to encode support of some curves in a 32-bit53* word, such that bit x corresponds to curve of identifier x.54*55* An EC implementation is incarnated by a `br_ec_impl` instance, that56* offers the following fields:57*58* - `supported_curves`59*60* A 32-bit word that documents the identifiers of the curves supported61* by this implementation.62*63* - `generator()`64*65* Callback method that returns a pointer to the conventional generator66* point for that curve.67*68* - `order()`69*70* Callback method that returns a pointer to the subgroup order for71* that curve. That value uses unsigned big-endian encoding.72*73* - `xoff()`74*75* Callback method that returns the offset and length of the X76* coordinate in an encoded point.77*78* - `mul()`79*80* Multiply a curve point with an integer.81*82* - `mulgen()`83*84* Multiply the curve generator with an integer. This may be faster85* than the generic `mul()`.86*87* - `muladd()`88*89* Multiply two curve points by two integers, and return the sum of90* the two products.91*92* All curve points are represented in uncompressed format. The `mul()`93* and `muladd()` methods take care to validate that the provided points94* are really part of the relevant curve subgroup.95*96* For all point multiplication functions, the following holds:97*98* - Functions validate that the provided points are valid members99* of the relevant curve subgroup. An error is reported if that is100* not the case.101*102* - Processing is constant-time, even if the point operands are not103* valid. This holds for both the source and resulting points, and104* the multipliers (integers). Only the byte length of the provided105* multiplier arrays (not their actual value length in bits) may106* leak through timing-based side channels.107*108* - The multipliers (integers) MUST be lower than the subgroup order.109* If this property is not met, then the result is indeterminate,110* but an error value is not necessarily returned.111*112*113* ## ECDSA114*115* ECDSA signatures have two standard formats, called "raw" and "asn1".116* Internally, such a signature is a pair of modular integers `(r,s)`.117* The "raw" format is the concatenation of the unsigned big-endian118* encodings of these two integers, possibly left-padded with zeros so119* that they have the same encoded length. The "asn1" format is the120* DER encoding of an ASN.1 structure that contains the two integer121* values:122*123* ECDSASignature ::= SEQUENCE {124* r INTEGER,125* s INTEGER126* }127*128* In general, in all of X.509 and SSL/TLS, the "asn1" format is used.129* BearSSL offers ECDSA implementations for both formats; conversion130* functions between the two formats are also provided. Conversion of a131* "raw" format signature into "asn1" may enlarge a signature by no more132* than 9 bytes for all supported curves; conversely, conversion of an133* "asn1" signature to "raw" may expand the signature but the "raw"134* length will never be more than twice the length of the "asn1" length135* (and usually it will be shorter).136*137* Note that for a given signature, the "raw" format is not fully138* deterministic, in that it does not enforce a minimal common length.139*/140141/*142* Standard curve ID. These ID are equal to the assigned numerical143* identifiers assigned to these curves for TLS:144* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8145*/146147/** \brief Identifier for named curve sect163k1. */148#define BR_EC_sect163k1 1149150/** \brief Identifier for named curve sect163r1. */151#define BR_EC_sect163r1 2152153/** \brief Identifier for named curve sect163r2. */154#define BR_EC_sect163r2 3155156/** \brief Identifier for named curve sect193r1. */157#define BR_EC_sect193r1 4158159/** \brief Identifier for named curve sect193r2. */160#define BR_EC_sect193r2 5161162/** \brief Identifier for named curve sect233k1. */163#define BR_EC_sect233k1 6164165/** \brief Identifier for named curve sect233r1. */166#define BR_EC_sect233r1 7167168/** \brief Identifier for named curve sect239k1. */169#define BR_EC_sect239k1 8170171/** \brief Identifier for named curve sect283k1. */172#define BR_EC_sect283k1 9173174/** \brief Identifier for named curve sect283r1. */175#define BR_EC_sect283r1 10176177/** \brief Identifier for named curve sect409k1. */178#define BR_EC_sect409k1 11179180/** \brief Identifier for named curve sect409r1. */181#define BR_EC_sect409r1 12182183/** \brief Identifier for named curve sect571k1. */184#define BR_EC_sect571k1 13185186/** \brief Identifier for named curve sect571r1. */187#define BR_EC_sect571r1 14188189/** \brief Identifier for named curve secp160k1. */190#define BR_EC_secp160k1 15191192/** \brief Identifier for named curve secp160r1. */193#define BR_EC_secp160r1 16194195/** \brief Identifier for named curve secp160r2. */196#define BR_EC_secp160r2 17197198/** \brief Identifier for named curve secp192k1. */199#define BR_EC_secp192k1 18200201/** \brief Identifier for named curve secp192r1. */202#define BR_EC_secp192r1 19203204/** \brief Identifier for named curve secp224k1. */205#define BR_EC_secp224k1 20206207/** \brief Identifier for named curve secp224r1. */208#define BR_EC_secp224r1 21209210/** \brief Identifier for named curve secp256k1. */211#define BR_EC_secp256k1 22212213/** \brief Identifier for named curve secp256r1. */214#define BR_EC_secp256r1 23215216/** \brief Identifier for named curve secp384r1. */217#define BR_EC_secp384r1 24218219/** \brief Identifier for named curve secp521r1. */220#define BR_EC_secp521r1 25221222/** \brief Identifier for named curve brainpoolP256r1. */223#define BR_EC_brainpoolP256r1 26224225/** \brief Identifier for named curve brainpoolP384r1. */226#define BR_EC_brainpoolP384r1 27227228/** \brief Identifier for named curve brainpoolP512r1. */229#define BR_EC_brainpoolP512r1 28230231/** \brief Identifier for named curve Curve25519. */232#define BR_EC_curve25519 29233234/** \brief Identifier for named curve Curve448. */235#define BR_EC_curve448 30236237/**238* \brief Structure for an EC public key.239*/240typedef struct {241/** \brief Identifier for the curve used by this key. */242int curve;243/** \brief Public curve point (uncompressed format). */244unsigned char *q;245/** \brief Length of public curve point (in bytes). */246size_t qlen;247} br_ec_public_key;248249/**250* \brief Structure for an EC private key.251*252* The private key is an integer modulo the curve subgroup order. The253* encoding below tolerates extra leading zeros. In general, it is254* recommended that the private key has the same length as the curve255* subgroup order.256*/257typedef struct {258/** \brief Identifier for the curve used by this key. */259int curve;260/** \brief Private key (integer, unsigned big-endian encoding). */261unsigned char *x;262/** \brief Private key length (in bytes). */263size_t xlen;264} br_ec_private_key;265266/**267* \brief Type for an EC implementation.268*/269typedef struct {270/**271* \brief Supported curves.272*273* This word is a bitfield: bit `x` is set if the curve of ID `x`274* is supported. E.g. an implementation supporting both NIST P-256275* (secp256r1, ID 23) and NIST P-384 (secp384r1, ID 24) will have276* value `0x01800000` in this field.277*/278uint32_t supported_curves;279280/**281* \brief Get the conventional generator.282*283* This function returns the conventional generator (encoded284* curve point) for the specified curve. This function MUST NOT285* be called if the curve is not supported.286*287* \param curve curve identifier.288* \param len receiver for the encoded generator length (in bytes).289* \return the encoded generator.290*/291const unsigned char *(*generator)(int curve, size_t *len);292293/**294* \brief Get the subgroup order.295*296* This function returns the order of the subgroup generated by297* the conventional generator, for the specified curve. Unsigned298* big-endian encoding is used. This function MUST NOT be called299* if the curve is not supported.300*301* \param curve curve identifier.302* \param len receiver for the encoded order length (in bytes).303* \return the encoded order.304*/305const unsigned char *(*order)(int curve, size_t *len);306307/**308* \brief Get the offset and length for the X coordinate.309*310* This function returns the offset and length (in bytes) of311* the X coordinate in an encoded non-zero point.312*313* \param curve curve identifier.314* \param len receiver for the X coordinate length (in bytes).315* \return the offset for the X coordinate (in bytes).316*/317size_t (*xoff)(int curve, size_t *len);318319/**320* \brief Multiply a curve point by an integer.321*322* The source point is provided in array `G` (of size `Glen` bytes);323* the multiplication result is written over it. The multiplier324* `x` (of size `xlen` bytes) uses unsigned big-endian encoding.325*326* Rules:327*328* - The specified curve MUST be supported.329*330* - The source point must be a valid point on the relevant curve331* subgroup (and not the "point at infinity" either). If this is332* not the case, then this function returns an error (0).333*334* - The multiplier integer MUST be non-zero and less than the335* curve subgroup order. If this property does not hold, then336* the result is indeterminate and an error code is not337* guaranteed.338*339* Returned value is 1 on success, 0 on error. On error, the340* contents of `G` are indeterminate.341*342* \param G point to multiply.343* \param Glen length of the encoded point (in bytes).344* \param x multiplier (unsigned big-endian).345* \param xlen multiplier length (in bytes).346* \param curve curve identifier.347* \return 1 on success, 0 on error.348*/349uint32_t (*mul)(unsigned char *G, size_t Glen,350const unsigned char *x, size_t xlen, int curve);351352/**353* \brief Multiply the generator by an integer.354*355* The multiplier MUST be non-zero and less than the curve356* subgroup order. Results are indeterminate if this property357* does not hold.358*359* \param R output buffer for the point.360* \param x multiplier (unsigned big-endian).361* \param xlen multiplier length (in bytes).362* \param curve curve identifier.363* \return encoded result point length (in bytes).364*/365size_t (*mulgen)(unsigned char *R,366const unsigned char *x, size_t xlen, int curve);367368/**369* \brief Multiply two points by two integers and add the370* results.371*372* The point `x*A + y*B` is computed and written back in the `A`373* array.374*375* Rules:376*377* - The specified curve MUST be supported.378*379* - The source points (`A` and `B`) must be valid points on380* the relevant curve subgroup (and not the "point at381* infinity" either). If this is not the case, then this382* function returns an error (0).383*384* - If the `B` pointer is `NULL`, then the conventional385* subgroup generator is used. With some implementations,386* this may be faster than providing a pointer to the387* generator.388*389* - The multiplier integers (`x` and `y`) MUST be non-zero390* and less than the curve subgroup order. If either integer391* is zero, then an error is reported, but if one of them is392* not lower than the subgroup order, then the result is393* indeterminate and an error code is not guaranteed.394*395* - If the final result is the point at infinity, then an396* error is returned.397*398* Returned value is 1 on success, 0 on error. On error, the399* contents of `A` are indeterminate.400*401* \param A first point to multiply.402* \param B second point to multiply (`NULL` for the generator).403* \param len common length of the encoded points (in bytes).404* \param x multiplier for `A` (unsigned big-endian).405* \param xlen length of multiplier for `A` (in bytes).406* \param y multiplier for `A` (unsigned big-endian).407* \param ylen length of multiplier for `A` (in bytes).408* \param curve curve identifier.409* \return 1 on success, 0 on error.410*/411uint32_t (*muladd)(unsigned char *A, const unsigned char *B, size_t len,412const unsigned char *x, size_t xlen,413const unsigned char *y, size_t ylen, int curve);414} br_ec_impl;415416/**417* \brief EC implementation "i31".418*419* This implementation internally uses generic code for modular integers,420* with a representation as sequences of 31-bit words. It supports secp256r1,421* secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).422*/423extern const br_ec_impl br_ec_prime_i31;424425/**426* \brief EC implementation "i15".427*428* This implementation internally uses generic code for modular integers,429* with a representation as sequences of 15-bit words. It supports secp256r1,430* secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).431*/432extern const br_ec_impl br_ec_prime_i15;433434/**435* \brief EC implementation "m15" for P-256.436*437* This implementation uses specialised code for curve secp256r1 (also438* known as NIST P-256), with optional Karatsuba decomposition, and fast439* modular reduction thanks to the field modulus special format. Only440* 32-bit multiplications are used (with 32-bit results, not 64-bit).441*/442extern const br_ec_impl br_ec_p256_m15;443444/**445* \brief EC implementation "m31" for P-256.446*447* This implementation uses specialised code for curve secp256r1 (also448* known as NIST P-256), relying on multiplications of 31-bit values449* (MUL31).450*/451extern const br_ec_impl br_ec_p256_m31;452453/**454* \brief EC implementation "m62" (specialised code) for P-256.455*456* This implementation uses custom code relying on multiplication of457* integers up to 64 bits, with a 128-bit result. This implementation is458* defined only on platforms that offer the 64x64->128 multiplication459* support; use `br_ec_p256_m62_get()` to dynamically obtain a pointer460* to that implementation.461*/462extern const br_ec_impl br_ec_p256_m62;463464/**465* \brief Get the "m62" implementation of P-256, if available.466*467* \return the implementation, or 0.468*/469const br_ec_impl *br_ec_p256_m62_get(void);470471/**472* \brief EC implementation "m64" (specialised code) for P-256.473*474* This implementation uses custom code relying on multiplication of475* integers up to 64 bits, with a 128-bit result. This implementation is476* defined only on platforms that offer the 64x64->128 multiplication477* support; use `br_ec_p256_m64_get()` to dynamically obtain a pointer478* to that implementation.479*/480extern const br_ec_impl br_ec_p256_m64;481482/**483* \brief Get the "m64" implementation of P-256, if available.484*485* \return the implementation, or 0.486*/487const br_ec_impl *br_ec_p256_m64_get(void);488489/**490* \brief EC implementation "i15" (generic code) for Curve25519.491*492* This implementation uses the generic code for modular integers (with493* 15-bit words) to support Curve25519. Due to the specificities of the494* curve definition, the following applies:495*496* - `muladd()` is not implemented (the function returns 0 systematically).497* - `order()` returns 2^255-1, since the point multiplication algorithm498* accepts any 32-bit integer as input (it clears the top bit and low499* three bits systematically).500*/501extern const br_ec_impl br_ec_c25519_i15;502503/**504* \brief EC implementation "i31" (generic code) for Curve25519.505*506* This implementation uses the generic code for modular integers (with507* 31-bit words) to support Curve25519. Due to the specificities of the508* curve definition, the following applies:509*510* - `muladd()` is not implemented (the function returns 0 systematically).511* - `order()` returns 2^255-1, since the point multiplication algorithm512* accepts any 32-bit integer as input (it clears the top bit and low513* three bits systematically).514*/515extern const br_ec_impl br_ec_c25519_i31;516517/**518* \brief EC implementation "m15" (specialised code) for Curve25519.519*520* This implementation uses custom code relying on multiplication of521* integers up to 15 bits. Due to the specificities of the curve522* definition, the following applies:523*524* - `muladd()` is not implemented (the function returns 0 systematically).525* - `order()` returns 2^255-1, since the point multiplication algorithm526* accepts any 32-bit integer as input (it clears the top bit and low527* three bits systematically).528*/529extern const br_ec_impl br_ec_c25519_m15;530531/**532* \brief EC implementation "m31" (specialised code) for Curve25519.533*534* This implementation uses custom code relying on multiplication of535* integers up to 31 bits. Due to the specificities of the curve536* definition, the following applies:537*538* - `muladd()` is not implemented (the function returns 0 systematically).539* - `order()` returns 2^255-1, since the point multiplication algorithm540* accepts any 32-bit integer as input (it clears the top bit and low541* three bits systematically).542*/543extern const br_ec_impl br_ec_c25519_m31;544545/**546* \brief EC implementation "m62" (specialised code) for Curve25519.547*548* This implementation uses custom code relying on multiplication of549* integers up to 62 bits, with a 124-bit result. This implementation is550* defined only on platforms that offer the 64x64->128 multiplication551* support; use `br_ec_c25519_m62_get()` to dynamically obtain a pointer552* to that implementation. Due to the specificities of the curve553* definition, the following applies:554*555* - `muladd()` is not implemented (the function returns 0 systematically).556* - `order()` returns 2^255-1, since the point multiplication algorithm557* accepts any 32-bit integer as input (it clears the top bit and low558* three bits systematically).559*/560extern const br_ec_impl br_ec_c25519_m62;561562/**563* \brief Get the "m62" implementation of Curve25519, if available.564*565* \return the implementation, or 0.566*/567const br_ec_impl *br_ec_c25519_m62_get(void);568569/**570* \brief EC implementation "m64" (specialised code) for Curve25519.571*572* This implementation uses custom code relying on multiplication of573* integers up to 64 bits, with a 128-bit result. This implementation is574* defined only on platforms that offer the 64x64->128 multiplication575* support; use `br_ec_c25519_m64_get()` to dynamically obtain a pointer576* to that implementation. Due to the specificities of the curve577* definition, the following applies:578*579* - `muladd()` is not implemented (the function returns 0 systematically).580* - `order()` returns 2^255-1, since the point multiplication algorithm581* accepts any 32-bit integer as input (it clears the top bit and low582* three bits systematically).583*/584extern const br_ec_impl br_ec_c25519_m64;585586/**587* \brief Get the "m64" implementation of Curve25519, if available.588*589* \return the implementation, or 0.590*/591const br_ec_impl *br_ec_c25519_m64_get(void);592593/**594* \brief Aggregate EC implementation "m15".595*596* This implementation is a wrapper for:597*598* - `br_ec_c25519_m15` for Curve25519599* - `br_ec_p256_m15` for NIST P-256600* - `br_ec_prime_i15` for other curves (NIST P-384 and NIST-P512)601*/602extern const br_ec_impl br_ec_all_m15;603604/**605* \brief Aggregate EC implementation "m31".606*607* This implementation is a wrapper for:608*609* - `br_ec_c25519_m31` for Curve25519610* - `br_ec_p256_m31` for NIST P-256611* - `br_ec_prime_i31` for other curves (NIST P-384 and NIST-P512)612*/613extern const br_ec_impl br_ec_all_m31;614615/**616* \brief Get the "default" EC implementation for the current system.617*618* This returns a pointer to the preferred implementation on the619* current system.620*621* \return the default EC implementation.622*/623const br_ec_impl *br_ec_get_default(void);624625/**626* \brief Convert a signature from "raw" to "asn1".627*628* Conversion is done "in place" and the new length is returned.629* Conversion may enlarge the signature, but by no more than 9 bytes at630* most. On error, 0 is returned (error conditions include an odd raw631* signature length, or an oversized integer).632*633* \param sig signature to convert.634* \param sig_len signature length (in bytes).635* \return the new signature length, or 0 on error.636*/637size_t br_ecdsa_raw_to_asn1(void *sig, size_t sig_len);638639/**640* \brief Convert a signature from "asn1" to "raw".641*642* Conversion is done "in place" and the new length is returned.643* Conversion may enlarge the signature, but the new signature length644* will be less than twice the source length at most. On error, 0 is645* returned (error conditions include an invalid ASN.1 structure or an646* oversized integer).647*648* \param sig signature to convert.649* \param sig_len signature length (in bytes).650* \return the new signature length, or 0 on error.651*/652size_t br_ecdsa_asn1_to_raw(void *sig, size_t sig_len);653654/**655* \brief Type for an ECDSA signer function.656*657* A pointer to the EC implementation is provided. The hash value is658* assumed to have the length inferred from the designated hash function659* class.660*661* Signature is written in the buffer pointed to by `sig`, and the length662* (in bytes) is returned. On error, nothing is written in the buffer,663* and 0 is returned. This function returns 0 if the specified curve is664* not supported by the provided EC implementation.665*666* The signature format is either "raw" or "asn1", depending on the667* implementation; maximum length is predictable from the implemented668* curve:669*670* | curve | raw | asn1 |671* | :--------- | --: | ---: |672* | NIST P-256 | 64 | 72 |673* | NIST P-384 | 96 | 104 |674* | NIST P-521 | 132 | 139 |675*676* \param impl EC implementation to use.677* \param hf hash function used to process the data.678* \param hash_value signed data (hashed).679* \param sk EC private key.680* \param sig destination buffer.681* \return the signature length (in bytes), or 0 on error.682*/683typedef size_t (*br_ecdsa_sign)(const br_ec_impl *impl,684const br_hash_class *hf, const void *hash_value,685const br_ec_private_key *sk, void *sig);686687/**688* \brief Type for an ECDSA signature verification function.689*690* A pointer to the EC implementation is provided. The hashed value,691* computed over the purportedly signed data, is also provided with692* its length.693*694* The signature format is either "raw" or "asn1", depending on the695* implementation.696*697* Returned value is 1 on success (valid signature), 0 on error. This698* function returns 0 if the specified curve is not supported by the699* provided EC implementation.700*701* \param impl EC implementation to use.702* \param hash signed data (hashed).703* \param hash_len hash value length (in bytes).704* \param pk EC public key.705* \param sig signature.706* \param sig_len signature length (in bytes).707* \return 1 on success, 0 on error.708*/709typedef uint32_t (*br_ecdsa_vrfy)(const br_ec_impl *impl,710const void *hash, size_t hash_len,711const br_ec_public_key *pk, const void *sig, size_t sig_len);712713/**714* \brief ECDSA signature generator, "i31" implementation, "asn1" format.715*716* \see br_ecdsa_sign()717*718* \param impl EC implementation to use.719* \param hf hash function used to process the data.720* \param hash_value signed data (hashed).721* \param sk EC private key.722* \param sig destination buffer.723* \return the signature length (in bytes), or 0 on error.724*/725size_t br_ecdsa_i31_sign_asn1(const br_ec_impl *impl,726const br_hash_class *hf, const void *hash_value,727const br_ec_private_key *sk, void *sig);728729/**730* \brief ECDSA signature generator, "i31" implementation, "raw" format.731*732* \see br_ecdsa_sign()733*734* \param impl EC implementation to use.735* \param hf hash function used to process the data.736* \param hash_value signed data (hashed).737* \param sk EC private key.738* \param sig destination buffer.739* \return the signature length (in bytes), or 0 on error.740*/741size_t br_ecdsa_i31_sign_raw(const br_ec_impl *impl,742const br_hash_class *hf, const void *hash_value,743const br_ec_private_key *sk, void *sig);744745/**746* \brief ECDSA signature verifier, "i31" implementation, "asn1" format.747*748* \see br_ecdsa_vrfy()749*750* \param impl EC implementation to use.751* \param hash signed data (hashed).752* \param hash_len hash value length (in bytes).753* \param pk EC public key.754* \param sig signature.755* \param sig_len signature length (in bytes).756* \return 1 on success, 0 on error.757*/758uint32_t br_ecdsa_i31_vrfy_asn1(const br_ec_impl *impl,759const void *hash, size_t hash_len,760const br_ec_public_key *pk, const void *sig, size_t sig_len);761762/**763* \brief ECDSA signature verifier, "i31" implementation, "raw" format.764*765* \see br_ecdsa_vrfy()766*767* \param impl EC implementation to use.768* \param hash signed data (hashed).769* \param hash_len hash value length (in bytes).770* \param pk EC public key.771* \param sig signature.772* \param sig_len signature length (in bytes).773* \return 1 on success, 0 on error.774*/775uint32_t br_ecdsa_i31_vrfy_raw(const br_ec_impl *impl,776const void *hash, size_t hash_len,777const br_ec_public_key *pk, const void *sig, size_t sig_len);778779/**780* \brief ECDSA signature generator, "i15" implementation, "asn1" format.781*782* \see br_ecdsa_sign()783*784* \param impl EC implementation to use.785* \param hf hash function used to process the data.786* \param hash_value signed data (hashed).787* \param sk EC private key.788* \param sig destination buffer.789* \return the signature length (in bytes), or 0 on error.790*/791size_t br_ecdsa_i15_sign_asn1(const br_ec_impl *impl,792const br_hash_class *hf, const void *hash_value,793const br_ec_private_key *sk, void *sig);794795/**796* \brief ECDSA signature generator, "i15" implementation, "raw" format.797*798* \see br_ecdsa_sign()799*800* \param impl EC implementation to use.801* \param hf hash function used to process the data.802* \param hash_value signed data (hashed).803* \param sk EC private key.804* \param sig destination buffer.805* \return the signature length (in bytes), or 0 on error.806*/807size_t br_ecdsa_i15_sign_raw(const br_ec_impl *impl,808const br_hash_class *hf, const void *hash_value,809const br_ec_private_key *sk, void *sig);810811/**812* \brief ECDSA signature verifier, "i15" implementation, "asn1" format.813*814* \see br_ecdsa_vrfy()815*816* \param impl EC implementation to use.817* \param hash signed data (hashed).818* \param hash_len hash value length (in bytes).819* \param pk EC public key.820* \param sig signature.821* \param sig_len signature length (in bytes).822* \return 1 on success, 0 on error.823*/824uint32_t br_ecdsa_i15_vrfy_asn1(const br_ec_impl *impl,825const void *hash, size_t hash_len,826const br_ec_public_key *pk, const void *sig, size_t sig_len);827828/**829* \brief ECDSA signature verifier, "i15" implementation, "raw" format.830*831* \see br_ecdsa_vrfy()832*833* \param impl EC implementation to use.834* \param hash signed data (hashed).835* \param hash_len hash value length (in bytes).836* \param pk EC public key.837* \param sig signature.838* \param sig_len signature length (in bytes).839* \return 1 on success, 0 on error.840*/841uint32_t br_ecdsa_i15_vrfy_raw(const br_ec_impl *impl,842const void *hash, size_t hash_len,843const br_ec_public_key *pk, const void *sig, size_t sig_len);844845/**846* \brief Get "default" ECDSA implementation (signer, asn1 format).847*848* This returns the preferred implementation of ECDSA signature generation849* ("asn1" output format) on the current system.850*851* \return the default implementation.852*/853br_ecdsa_sign br_ecdsa_sign_asn1_get_default(void);854855/**856* \brief Get "default" ECDSA implementation (signer, raw format).857*858* This returns the preferred implementation of ECDSA signature generation859* ("raw" output format) on the current system.860*861* \return the default implementation.862*/863br_ecdsa_sign br_ecdsa_sign_raw_get_default(void);864865/**866* \brief Get "default" ECDSA implementation (verifier, asn1 format).867*868* This returns the preferred implementation of ECDSA signature verification869* ("asn1" output format) on the current system.870*871* \return the default implementation.872*/873br_ecdsa_vrfy br_ecdsa_vrfy_asn1_get_default(void);874875/**876* \brief Get "default" ECDSA implementation (verifier, raw format).877*878* This returns the preferred implementation of ECDSA signature verification879* ("raw" output format) on the current system.880*881* \return the default implementation.882*/883br_ecdsa_vrfy br_ecdsa_vrfy_raw_get_default(void);884885/**886* \brief Maximum size for EC private key element buffer.887*888* This is the largest number of bytes that `br_ec_keygen()` may need or889* ever return.890*/891#define BR_EC_KBUF_PRIV_MAX_SIZE 72892893/**894* \brief Maximum size for EC public key element buffer.895*896* This is the largest number of bytes that `br_ec_compute_public()` may897* need or ever return.898*/899#define BR_EC_KBUF_PUB_MAX_SIZE 145900901/**902* \brief Generate a new EC private key.903*904* If the specified `curve` is not supported by the elliptic curve905* implementation (`impl`), then this function returns zero.906*907* The `sk` structure fields are set to the new private key data. In908* particular, `sk.x` is made to point to the provided key buffer (`kbuf`),909* in which the actual private key data is written. That buffer is assumed910* to be large enough. The `BR_EC_KBUF_PRIV_MAX_SIZE` defines the maximum911* size for all supported curves.912*913* The number of bytes used in `kbuf` is returned. If `kbuf` is `NULL`, then914* the private key is not actually generated, and `sk` may also be `NULL`;915* the minimum length for `kbuf` is still computed and returned.916*917* If `sk` is `NULL` but `kbuf` is not `NULL`, then the private key is918* still generated and stored in `kbuf`.919*920* \param rng_ctx source PRNG context (already initialized).921* \param impl the elliptic curve implementation.922* \param sk the private key structure to fill, or `NULL`.923* \param kbuf the key element buffer, or `NULL`.924* \param curve the curve identifier.925* \return the key data length (in bytes), or zero.926*/927size_t br_ec_keygen(const br_prng_class **rng_ctx,928const br_ec_impl *impl, br_ec_private_key *sk,929void *kbuf, int curve);930931/**932* \brief Compute EC public key from EC private key.933*934* This function uses the provided elliptic curve implementation (`impl`)935* to compute the public key corresponding to the private key held in `sk`.936* The public key point is written into `kbuf`, which is then linked from937* the `*pk` structure. The size of the public key point, i.e. the number938* of bytes used in `kbuf`, is returned.939*940* If `kbuf` is `NULL`, then the public key point is NOT computed, and941* the public key structure `*pk` is unmodified (`pk` may be `NULL` in942* that case). The size of the public key point is still returned.943*944* If `pk` is `NULL` but `kbuf` is not `NULL`, then the public key945* point is computed and stored in `kbuf`, and its size is returned.946*947* If the curve used by the private key is not supported by the curve948* implementation, then this function returns zero.949*950* The private key MUST be valid. An off-range private key value is not951* necessarily detected, and leads to unpredictable results.952*953* \param impl the elliptic curve implementation.954* \param pk the public key structure to fill (or `NULL`).955* \param kbuf the public key point buffer (or `NULL`).956* \param sk the source private key.957* \return the public key point length (in bytes), or zero.958*/959size_t br_ec_compute_pub(const br_ec_impl *impl, br_ec_public_key *pk,960void *kbuf, const br_ec_private_key *sk);961962#ifdef __cplusplus963}964#endif965966#endif967968969