Path: blob/master/thirdparty/mbedtls/library/ecp_invasive.h
9898 views
/**1* \file ecp_invasive.h2*3* \brief ECP module: interfaces for invasive testing only.4*5* The interfaces in this file are intended for testing purposes only.6* They SHOULD NOT be made available in library integrations except when7* building the library for testing.8*/9/*10* Copyright The Mbed TLS Contributors11* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later12*/13#ifndef MBEDTLS_ECP_INVASIVE_H14#define MBEDTLS_ECP_INVASIVE_H1516#include "common.h"17#include "mbedtls/bignum.h"18#include "bignum_mod.h"19#include "mbedtls/ecp.h"2021/*22* Curve modulus types23*/24typedef enum {25MBEDTLS_ECP_MOD_NONE = 0,26MBEDTLS_ECP_MOD_COORDINATE,27MBEDTLS_ECP_MOD_SCALAR28} mbedtls_ecp_modulus_type;2930typedef enum {31MBEDTLS_ECP_VARIANT_NONE = 0,32MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT,33MBEDTLS_ECP_VARIANT_WITH_MPI_UINT34} mbedtls_ecp_variant;3536#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_LIGHT)3738/** Queries the ecp variant.39*40* \return The id of the ecp variant.41*/42MBEDTLS_STATIC_TESTABLE43mbedtls_ecp_variant mbedtls_ecp_get_variant(void);4445#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)46/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).47*48* This function implements key generation for the set of secret keys49* specified in [Curve25519] p. 5 and in [Curve448]. The resulting value50* has the lower bits masked but is not necessarily canonical.51*52* \note - [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf53* - [RFC7748] https://tools.ietf.org/html/rfc774854*55* \p high_bit The position of the high-order bit of the key to generate.56* This is the bit-size of the key minus 1:57* 254 for Curve25519 or 447 for Curve448.58* \param d The randomly generated key. This is a number of size59* exactly \p high_bit + 1 bits, with the least significant bits60* masked as specified in [Curve25519] and in [RFC7748] ยง5.61* \param f_rng The RNG function.62* \param p_rng The RNG context to be passed to \p f_rng.63*64* \return \c 0 on success.65* \return \c MBEDTLS_ERR_ECP_xxx or MBEDTLS_ERR_MPI_xxx on failure.66*/67int mbedtls_ecp_gen_privkey_mx(size_t high_bit,68mbedtls_mpi *d,69int (*f_rng)(void *, unsigned char *, size_t),70void *p_rng);7172#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */7374#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)7576/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)77*78* This operation expects a 384 bit MPI and the result of the reduction79* is a 192 bit MPI.80*81* \param[in,out] Np The address of the MPI to be converted.82* Must have twice as many limbs as the modulus.83* Upon return this holds the reduced value. The bitlength84* of the reduced value is the same as that of the modulus85* (192 bits).86* \param[in] Nn The length of \p Np in limbs.87*/88MBEDTLS_STATIC_TESTABLE89int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);9091#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */9293#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)9495/** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)96*97* \param[in,out] X The address of the MPI to be converted.98* Must have exact limb size that stores a 448-bit MPI99* (double the bitlength of the modulus).100* Upon return holds the reduced value which is101* in range `0 <= X < 2 * N` (where N is the modulus).102* The bitlength of the reduced value is the same as103* that of the modulus (224 bits).104* \param[in] X_limbs The length of \p X in limbs.105*106* \return \c 0 on success.107* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the108* limb size that sores a 448-bit MPI.109*/110MBEDTLS_STATIC_TESTABLE111int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);112113#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */114115#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)116117/** Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)118*119* \param[in,out] X The address of the MPI to be converted.120* Must have exact limb size that stores a 512-bit MPI121* (double the bitlength of the modulus).122* Upon return holds the reduced value which is123* in range `0 <= X < 2 * N` (where N is the modulus).124* The bitlength of the reduced value is the same as125* that of the modulus (256 bits).126* \param[in] X_limbs The length of \p X in limbs.127*128* \return \c 0 on success.129* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the130* limb size that sores a 512-bit MPI.131*/132MBEDTLS_STATIC_TESTABLE133int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);134135#endif136137#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)138139/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)140*141* \param[in,out] X The address of the MPI to be converted.142* Must have twice as many limbs as the modulus143* (the modulus is 521 bits long). Upon return this144* holds the reduced value. The reduced value is145* in range `0 <= X < 2 * N` (where N is the modulus).146* and its the bitlength is one plus the bitlength147* of the modulus.148* \param[in] X_limbs The length of \p X in limbs.149*150* \return \c 0 on success.151* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have152* twice as many limbs as the modulus.153*/154MBEDTLS_STATIC_TESTABLE155int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);156157#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */158159#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)160161/** Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)162*163* \param[in,out] X The address of the MPI to be converted.164* Must have exact limb size that stores a 768-bit MPI165* (double the bitlength of the modulus).166* Upon return holds the reduced value which is167* in range `0 <= X < 2 * N` (where N is the modulus).168* The bitlength of the reduced value is the same as169* that of the modulus (384 bits).170* \param[in] X_limbs The length of \p N in limbs.171*172* \return \c 0 on success.173* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p N_n does not have174* twice as many limbs as the modulus.175*/176MBEDTLS_STATIC_TESTABLE177int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);178179#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */180181#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)182183/** Fast quasi-reduction modulo p192k1 = 2^192 - R,184* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9185*186* \param[in,out] X The address of the MPI to be converted.187* Must have exact limb size that stores a 384-bit MPI188* (double the bitlength of the modulus).189* Upon return holds the reduced value which is190* in range `0 <= X < 2 * N` (where N is the modulus).191* The bitlength of the reduced value is the same as192* that of the modulus (192 bits).193* \param[in] X_limbs The length of \p X in limbs.194*195* \return \c 0 on success.196* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have197* twice as many limbs as the modulus.198* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.199*/200MBEDTLS_STATIC_TESTABLE201int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);202203#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */204205#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)206207/** Fast quasi-reduction modulo p224k1 = 2^224 - R,208* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93209*210* \param[in,out] X The address of the MPI to be converted.211* Must have exact limb size that stores a 448-bit MPI212* (double the bitlength of the modulus).213* Upon return holds the reduced value which is214* in range `0 <= X < 2 * N` (where N is the modulus).215* The bitlength of the reduced value is the same as216* that of the modulus (224 bits).217* \param[in] X_limbs The length of \p X in limbs.218*219* \return \c 0 on success.220* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have221* twice as many limbs as the modulus.222* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.223*/224MBEDTLS_STATIC_TESTABLE225int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);226227#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */228229#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)230231/** Fast quasi-reduction modulo p256k1 = 2^256 - R,232* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1233*234* \param[in,out] X The address of the MPI to be converted.235* Must have exact limb size that stores a 512-bit MPI236* (double the bitlength of the modulus).237* Upon return holds the reduced value which is238* in range `0 <= X < 2 * N` (where N is the modulus).239* The bitlength of the reduced value is the same as240* that of the modulus (256 bits).241* \param[in] X_limbs The length of \p X in limbs.242*243* \return \c 0 on success.244* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have245* twice as many limbs as the modulus.246* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.247*/248MBEDTLS_STATIC_TESTABLE249int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);250251#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */252253#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)254255/** Fast quasi-reduction modulo p255 = 2^255 - 19256*257* \param[in,out] X The address of the MPI to be converted.258* Must have exact limb size that stores a 510-bit MPI259* (double the bitlength of the modulus).260* Upon return holds the reduced value which is261* in range `0 <= X < 2 * N` (where N is the modulus).262* \param[in] X_limbs The length of \p X in limbs.263*264* \return \c 0 on success.265* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have266* twice as many limbs as the modulus.267* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.268*/269MBEDTLS_STATIC_TESTABLE270int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);271272#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */273274#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)275276/** Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1277* Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +278* (B0 + B1) * 2^224.279*280* \param[in,out] X The address of the MPI to be converted.281* Must have exact limb size that stores a 896-bit MPI282* (double the bitlength of the modulus). Upon return283* holds the reduced value which is in range `0 <= X <284* N` (where N is the modulus). The bitlength of the285* reduced value is the same as that of the modulus286* (448 bits).287* \param[in] X_limbs The length of \p X in limbs.288*289* \return \c 0 on Success.290* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have291* twice as many limbs as the modulus.292* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation293* failed.294*/295MBEDTLS_STATIC_TESTABLE296int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs);297298#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */299300/** Initialise a modulus with hard-coded const curve data.301*302* \note The caller is responsible for the \p N modulus' memory.303* mbedtls_mpi_mod_modulus_free(&N) should be invoked at the304* end of its lifecycle.305*306* \param[in,out] N The address of the modulus structure to populate.307* Must be initialized.308* \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.309* \param[in] ctype The mbedtls_ecp_modulus_type identifier for a coordinate modulus (P)310* or a scalar modulus (N).311*312* \return \c 0 if successful.313* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not314* have the correct number of limbs.315*316*/317MBEDTLS_STATIC_TESTABLE318int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,319const mbedtls_ecp_group_id id,320const mbedtls_ecp_modulus_type ctype);321322#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */323324#endif /* MBEDTLS_ECP_INVASIVE_H */325326327