Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +01001/**
2 * \file ecdsa.h
3 *
Rose Zadikbff87d92018-01-25 21:58:53 +00004 * \brief The Elliptic Curve Digital Signature Algorithm (ECDSA).
5 *
6 * ECDSA is defined in <em>Standards for Efficient Cryptography Group (SECG):
7 * SEC1 Elliptic Curve Cryptography</em>.
8 * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
9 * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
10 *
Darryl Greena40a1012018-01-05 15:33:17 +000011 */
12/*
Rose Zadikbff87d92018-01-25 21:58:53 +000013 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +020014 * SPDX-License-Identifier: Apache-2.0
15 *
16 * Licensed under the Apache License, Version 2.0 (the "License"); you may
17 * not use this file except in compliance with the License.
18 * You may obtain a copy of the License at
19 *
20 * http://www.apache.org/licenses/LICENSE-2.0
21 *
22 * Unless required by applicable law or agreed to in writing, software
23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25 * See the License for the specific language governing permissions and
26 * limitations under the License.
Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +010027 *
Rose Zadikbff87d92018-01-25 21:58:53 +000028 * This file is part of Mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +010029 */
Rose Zadikbff87d92018-01-25 21:58:53 +000030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020031#ifndef MBEDTLS_ECDSA_H
32#define MBEDTLS_ECDSA_H
Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +010033
Ron Eldor0559c662018-02-14 16:02:41 +020034#if !defined(MBEDTLS_CONFIG_FILE)
35#include "config.h"
36#else
37#include MBEDTLS_CONFIG_FILE
38#endif
39
Manuel Pégourié-Gonnardbdc96762013-10-03 11:50:39 +020040#include "ecp.h"
Manuel Pégourié-Gonnard887aa5b2014-04-04 13:57:20 +020041#include "md.h"
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +010042
Manuel Pégourié-Gonnard63e93192015-03-31 11:15:48 +020043/*
Rose Zadikbff87d92018-01-25 21:58:53 +000044 * RFC-4492 page 20:
Manuel Pégourié-Gonnard63e93192015-03-31 11:15:48 +020045 *
46 * Ecdsa-Sig-Value ::= SEQUENCE {
47 * r INTEGER,
48 * s INTEGER
49 * }
50 *
51 * Size is at most
52 * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
53 * twice that + 1 (tag) + 2 (len) for the sequence
54 * (assuming ECP_MAX_BYTES is less than 126 for r and s,
55 * and less than 124 (total len <= 255) for the sequence)
56 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020057#if MBEDTLS_ECP_MAX_BYTES > 124
58#error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
Manuel Pégourié-Gonnard63e93192015-03-31 11:15:48 +020059#endif
Rose Zadikbff87d92018-01-25 21:58:53 +000060/** The maximal size of an ECDSA signature in Bytes. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020061#define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
Manuel Pégourié-Gonnard63e93192015-03-31 11:15:48 +020062
Manuel Pégourié-Gonnardbec2f452013-06-27 10:17:07 +020063/**
Rose Zadikbff87d92018-01-25 21:58:53 +000064 * \brief The ECDSA context structure.
Manuel Pégourié-Gonnardbec2f452013-06-27 10:17:07 +020065 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020066typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
Manuel Pégourié-Gonnardbec2f452013-06-27 10:17:07 +020067
Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +010068#ifdef __cplusplus
69extern "C" {
70#endif
71
72/**
Rose Zadikbff87d92018-01-25 21:58:53 +000073 * \brief This function computes the ECDSA signature of a
74 * previously-hashed message.
Manuel Pégourié-Gonnardb309ab22013-01-26 17:24:59 +010075 *
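Rose Zadikbff87d92018-01-25 21:58:53 +000076 * \note The deterministic version is usually preferred. When #MBEDTLS_ECDSA_DETERMINISTIC is enabled, use mbedtls_ecdsa_sign_det_ext() rather than mbedtls_ecdsa_sign_det(); see the side-channel warning on mbedtls_ecdsa_sign_det().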
Manuel Pégourié-Gonnardb8cfe3f2015-03-31 11:04:45 +020077 *
Rose Zadikbff87d92018-01-25 21:58:53 +000078 * \param grp The ECP group.
79 * \param r The first output integer.
80 * \param s The second output integer.
81 * \param d The private signing key.
82 * \param buf The message hash.
83 * \param blen The length of \p buf.
84 * \param f_rng The RNG function.
85 * \param p_rng The RNG parameter.
Manuel Pégourié-Gonnardb309ab22013-01-26 17:24:59 +010086 *
Janos Follath0a5154b2017-03-10 11:31:41 +000087 * \note If the bitlength of the message hash is larger than the
Rose Zadikbff87d92018-01-25 21:58:53 +000088 * bitlength of the group order, then the hash is truncated
89 * as defined in <em>Standards for Efficient Cryptography Group
90 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
91 * 4.1.3, step 5.
Janos Follath0a5154b2017-03-10 11:31:41 +000092 *
Rose Zadikbff87d92018-01-25 21:58:53 +000093 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX
94 * or \c MBEDTLS_ERR_MPI_XXX error code on failure.
95 *
96 * \see ecp.h
Manuel Pégourié-Gonnardb309ab22013-01-26 17:24:59 +010097 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020098int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
99 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
Manuel Pégourié-Gonnardb309ab22013-01-26 17:24:59 +0100100 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200102#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +0100103/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000104 * \brief This function computes the ECDSA signature of a
105 * previously-hashed message, deterministic version.
106 * For more information, see <em>RFC-6979: Deterministic
107 * Usage of the Digital Signature Algorithm (DSA) and Elliptic
108 * Curve Digital Signature Algorithm (ECDSA)</em>.
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +0100109 *
Janos Follath2934c322019-01-04 14:32:30 +0000110 *
111 * \warning Since the output of the internal RNG is always the same for
112 * the same key and message, this limits the effectiveness of
113 * blinding and leaks information through side channels. For
114 * secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
115 *
116 * (Optimally the blinding is a random value that is different
117 * on every execution. In this case the blinding is still
118 * random from the attacker's perspective, but is the same on
119 * each execution. This means that this blinding does not
120 * prevent attackers from recovering secrets by combining
121 * several measurement traces, but may prevent some attacks
122 * that exploit relationships between secret data.)
123 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000124 * \param grp The ECP group.
125 * \param r The first output integer.
126 * \param s The second output integer.
127 * \param d The private signing key.
128 * \param buf The message hash.
129 * \param blen The length of \p buf.
130 * \param md_alg The MD algorithm used to hash the message.
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +0100131 *
Janos Follath0a5154b2017-03-10 11:31:41 +0000132 * \note If the bitlength of the message hash is larger than the
133 * bitlength of the group order, then the hash is truncated as
Rose Zadikbff87d92018-01-25 21:58:53 +0000134 * defined in <em>Standards for Efficient Cryptography Group
135 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
136 * 4.1.3, step 5.
Janos Follath0a5154b2017-03-10 11:31:41 +0000137 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000138 * \return \c 0 on success,
139 * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
140 * error code on failure.
141 *
142 * \see ecp.h
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +0100143 */
Janos Follath2934c322019-01-04 14:32:30 +0000144int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
145 mbedtls_mpi *s, const mbedtls_mpi *d,
146 const unsigned char *buf, size_t blen,
147 mbedtls_md_type_t md_alg );
148/**
149 * \brief This function computes the ECDSA signature of a
150 * previously-hashed message, deterministic version.
151 *
152 * For more information, see <em>RFC-6979: Deterministic
153 * Usage of the Digital Signature Algorithm (DSA) and Elliptic
154 * Curve Digital Signature Algorithm (ECDSA)</em>.
155 *
156 * \note If the bitlength of the message hash is larger than the
157 * bitlength of the group order, then the hash is truncated as
158 * defined in <em>Standards for Efficient Cryptography Group
159 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
160 * 4.1.3, step 5.
161 *
162 * \see ecp.h
163 *
164 * \param grp The context for the elliptic curve to use.
165 * This must be initialized and have group parameters
166 * set, for example through mbedtls_ecp_group_load().
167 * \param r The MPI context in which to store the first part
168 * of the signature. This must be initialized.
169 * \param s The MPI context in which to store the second part
170 * of the signature. This must be initialized.
171 * \param d The private signing key. This must be initialized
172 * and setup, for example through mbedtls_ecp_gen_privkey().
173 * \param buf The hashed content to be signed. This must be a readable
174 * buffer of length \p blen Bytes. It may be \c NULL if
175 * \p blen is zero.
176 * \param blen The length of \p buf in Bytes.
177 * \param md_alg The hash algorithm used to hash the original data.
178 * \param f_rng_blind The RNG function used for blinding. This must not be
179 * \c NULL.
180 * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be
181 * \c NULL if \p f_rng_blind doesn't need a context parameter.
182 *
183 * \return \c 0 on success.
184 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
185 * error code on failure.
186 */
187int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
188 mbedtls_mpi *s, const mbedtls_mpi *d,
189 const unsigned char *buf, size_t blen,
190 mbedtls_md_type_t md_alg,
191 int (*f_rng_blind)(void *, unsigned char *,
192 size_t),
193 void *p_rng_blind );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200194#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
Manuel Pégourié-Gonnard4daaef72014-01-06 14:25:56 +0100195
Manuel Pégourié-Gonnardb309ab22013-01-26 17:24:59 +0100196/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000197 * \brief This function verifies the ECDSA signature of a
198 * previously-hashed message.
Manuel Pégourié-Gonnard3aeb5a72013-01-26 18:05:50 +0100199 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000200 * \param grp The ECP group.
201 * \param buf The message hash.
202 * \param blen The length of \p buf.
203 * \param Q The public key to use for verification.
204 * \param r The first integer of the signature.
205 * \param s The second integer of the signature.
Manuel Pégourié-Gonnard3aeb5a72013-01-26 18:05:50 +0100206 *
Janos Follath0a5154b2017-03-10 11:31:41 +0000207 * \note If the bitlength of the message hash is larger than the
208 * bitlength of the group order, then the hash is truncated as
Rose Zadikbff87d92018-01-25 21:58:53 +0000209 * defined in <em>Standards for Efficient Cryptography Group
210 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
211 * 4.1.4, step 3.
Janos Follath0a5154b2017-03-10 11:31:41 +0000212 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000213 * \return \c 0 on success,
214 * #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
215 * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
216 * error code on failure for any other reason.
217 *
218 * \see ecp.h
Manuel Pégourié-Gonnard3aeb5a72013-01-26 18:05:50 +0100219 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200220int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
Manuel Pégourié-Gonnard3aeb5a72013-01-26 18:05:50 +0100221 const unsigned char *buf, size_t blen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200222 const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
Manuel Pégourié-Gonnard3aeb5a72013-01-26 18:05:50 +0100223
224/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000225 * \brief This function computes the ECDSA signature and writes it
226 * to a buffer, serialized as defined in <em>RFC-4492:
227 * Elliptic Curve Cryptography (ECC) Cipher Suites for
228 * Transport Layer Security (TLS)</em>.
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200229 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000230 * \warning It is not thread-safe to use the same context in
231 * multiple threads.
Manuel Pégourié-Gonnarddfdcac92015-03-31 11:41:42 +0200232 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000233 * \note The deterministic version is used if
234 * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
235 * information, see <em>RFC-6979: Deterministic Usage
236 * of the Digital Signature Algorithm (DSA) and Elliptic
237 * Curve Digital Signature Algorithm (ECDSA)</em>.
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200238 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000239 * \param ctx The ECDSA context.
240 * \param md_alg The message digest that was used to hash the message.
241 * \param hash The message hash.
242 * \param hlen The length of the hash.
243 * \param sig The buffer that holds the signature.
244 * \param slen The length of the signature written.
245 * \param f_rng The RNG function.
246 * \param p_rng The RNG parameter.
247 *
248 * \note The \p sig buffer must be at least twice as large as the
249 * size of the curve used, plus 9. For example, 73 Bytes if
250 * a 256-bit curve is used. A buffer length of
251 * #MBEDTLS_ECDSA_MAX_LEN is always safe.
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200252 *
Janos Follath0a5154b2017-03-10 11:31:41 +0000253 * \note If the bitlength of the message hash is larger than the
254 * bitlength of the group order, then the hash is truncated as
Rose Zadikbff87d92018-01-25 21:58:53 +0000255 * defined in <em>Standards for Efficient Cryptography Group
256 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
257 * 4.1.3, step 5.
Janos Follath0a5154b2017-03-10 11:31:41 +0000258 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000259 * \return \c 0 on success,
260 * or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
261 * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
262 *
263 * \see ecp.h
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200264 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200265int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200266 const unsigned char *hash, size_t hlen,
267 unsigned char *sig, size_t *slen,
268 int (*f_rng)(void *, unsigned char *, size_t),
269 void *p_rng );
270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200271#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
272#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
273#if defined(MBEDTLS_DEPRECATED_WARNING)
274#define MBEDTLS_DEPRECATED __attribute__((deprecated))
Manuel Pégourié-Gonnarddfdcac92015-03-31 11:41:42 +0200275#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200276#define MBEDTLS_DEPRECATED
Manuel Pégourié-Gonnarddfdcac92015-03-31 11:41:42 +0200277#endif
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100278/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000279 * \brief This function computes an ECDSA signature and writes it to a buffer,
280 * serialized as defined in <em>RFC-4492: Elliptic Curve Cryptography
281 * (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
282 *
283 * The deterministic version is defined in <em>RFC-6979:
284 * Deterministic Usage of the Digital Signature Algorithm (DSA) and
285 * Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
286 *
287 * \warning It is not thread-safe to use the same context in
288 * multiple threads.
289
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100290 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200291 * \deprecated Superseded by mbedtls_ecdsa_write_signature() in 2.0.0
Manuel Pégourié-Gonnarddfdcac92015-03-31 11:41:42 +0200292 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000293 * \param ctx The ECDSA context.
294 * \param hash The Message hash.
295 * \param hlen The length of the hash.
296 * \param sig The buffer that holds the signature.
297 * \param slen The length of the signature written.
298 * \param md_alg The MD algorithm used to hash the message.
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100299 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000300 * \note The \p sig buffer must be at least twice as large as the
301 * size of the curve used, plus 9. For example, 73 Bytes if a
302 * 256-bit curve is used. A buffer length of
303 * #MBEDTLS_ECDSA_MAX_LEN is always safe.
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100304 *
Janos Follath0a5154b2017-03-10 11:31:41 +0000305 * \note If the bitlength of the message hash is larger than the
306 * bitlength of the group order, then the hash is truncated as
Rose Zadikbff87d92018-01-25 21:58:53 +0000307 * defined in <em>Standards for Efficient Cryptography Group
308 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
309 * 4.1.3, step 5.
Janos Follath0a5154b2017-03-10 11:31:41 +0000310 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000311 * \return \c 0 on success,
312 * or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
313 * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
314 *
315 * \see ecp.h
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100316 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200317int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100318 const unsigned char *hash, size_t hlen,
319 unsigned char *sig, size_t *slen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200320 mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
321#undef MBEDTLS_DEPRECATED
322#endif /* MBEDTLS_DEPRECATED_REMOVED */
323#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
Manuel Pégourié-Gonnard937340b2014-01-06 10:27:16 +0100324
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200325/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000326 * \brief This function reads and verifies an ECDSA signature.
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200327 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000328 * \param ctx The ECDSA context.
329 * \param hash The message hash.
330 * \param hlen The size of the hash.
331 * \param sig The signature to read and verify.
332 * \param slen The size of \p sig.
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200333 *
Janos Follath0a5154b2017-03-10 11:31:41 +0000334 * \note If the bitlength of the message hash is larger than the
335 * bitlength of the group order, then the hash is truncated as
Rose Zadikbff87d92018-01-25 21:58:53 +0000336 * defined in <em>Standards for Efficient Cryptography Group
337 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
338 * 4.1.4, step 3.
Janos Follath0a5154b2017-03-10 11:31:41 +0000339 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000340 * \return \c 0 on success,
341 * #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
Gilles Peskine5114d3e2018-03-30 07:12:15 +0200342 * #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
343 * signature in \p sig but its length is less than \p slen (that is, extra bytes follow the signature),
Rose Zadikbff87d92018-01-25 21:58:53 +0000344 * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
345 * error code on failure for any other reason.
346 *
347 * \see ecp.h
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200348 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200349int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
Manuel Pégourié-Gonnardb694b482013-08-08 13:30:57 +0200350 const unsigned char *hash, size_t hlen,
351 const unsigned char *sig, size_t slen );
352
353/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000354 * \brief This function generates an ECDSA keypair on the given curve.
Manuel Pégourié-Gonnard8eebd012013-08-09 16:21:34 +0200355 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000356 * \param ctx The ECDSA context to store the keypair in.
357 * \param gid The elliptic curve to use. One of the various
358 * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
359 * \param f_rng The RNG function.
360 * \param p_rng The RNG parameter.
Manuel Pégourié-Gonnard8eebd012013-08-09 16:21:34 +0200361 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000362 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
363 * failure.
364 *
365 * \see ecp.h
Manuel Pégourié-Gonnard8eebd012013-08-09 16:21:34 +0200366 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200367int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
Manuel Pégourié-Gonnard8eebd012013-08-09 16:21:34 +0200368 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
369
370/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000371 * \brief This function sets an ECDSA context from an EC key pair.
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200372 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000373 * \param ctx The ECDSA context to set.
374 * \param key The EC key to use.
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200375 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000376 * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
377 * failure.
378 *
379 * \see ecp.h
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200380 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200381int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200382
383/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000384 * \brief This function initializes an ECDSA context.
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200385 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000386 * \param ctx The ECDSA context to initialize.
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200387 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200388void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200389
390/**
Rose Zadikbff87d92018-01-25 21:58:53 +0000391 * \brief This function frees an ECDSA context.
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200392 *
Rose Zadikbff87d92018-01-25 21:58:53 +0000393 * \param ctx The ECDSA context to free.
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200394 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200395void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
Manuel Pégourié-Gonnard7c8934e2013-06-27 12:54:02 +0200396
Manuel Pégourié-Gonnard2aea1412013-01-26 16:33:44 +0100397#ifdef __cplusplus
398}
399#endif
400
Paul Bakker9af723c2014-05-01 13:03:14 +0200401#endif /* ecdsa.h */