TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-2.28 / . / library / ecdh.c
blob: 29a732a08fddab0ff1aa452ea4f0176e15ac60ae [file] [log] [blame]
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]1/*
2 * Elliptic curve Diffie-Hellman
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman7ff79652023-11-03 12:04:52 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]6 */
7
8/*
9 * References:
10 *
Xiaokang Qian0e5a27b2023-04-21 09:58:07 +0000[diff] [blame]11 * SEC1 https://www.secg.org/sec1-v2.pdf
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]12 * RFC 4492
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]13 */
14
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]15#include "common.h"
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]16
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]17#if defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]18
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]19#include "mbedtls/ecdh.h"
Hanno Becker91796d72018-12-17 18:10:51 +0000[diff] [blame]20#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]21#include "mbedtls/error.h"
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]22
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]23#include <string.h>
24
Hanno Becker91796d72018-12-17 18:10:51 +0000[diff] [blame]25/* Parameter validation macros based on platform_util.h */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]26#define ECDH_VALIDATE_RET(cond) \
27 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
28#define ECDH_VALIDATE(cond) \
29 MBEDTLS_INTERNAL_VALIDATE(cond)
Hanno Becker91796d72018-12-17 18:10:51 +0000[diff] [blame]30
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]31#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
32typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
33#endif
34
Gilles Peskine30816292019-02-22 12:31:25 +0100[diff] [blame]35static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]36 const mbedtls_ecdh_context *ctx)
Gilles Peskine30816292019-02-22 12:31:25 +0100[diff] [blame]37{
38#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]39 return ctx->grp.id;
Gilles Peskine30816292019-02-22 12:31:25 +0100[diff] [blame]40#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]41 return ctx->grp_id;
Gilles Peskine30816292019-02-22 12:31:25 +0100[diff] [blame]42#endif
43}
44
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]45int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)
Gilles Peskine20b3ef32019-02-11 18:41:27 +0100[diff] [blame]46{
47 /* At this time, all groups support ECDH. */
48 (void) gid;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]49 return 1;
Gilles Peskine20b3ef32019-02-11 18:41:27 +0100[diff] [blame]50}
51
Ron Eldora84c1cb2017-10-10 19:04:27 +0300[diff] [blame]52#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]53/*
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]54 * Generate public key (restartable version)
Manuel Pégourié-Gonnardc0edc962018-10-16 10:38:19 +0200[diff] [blame]55 *
56 * Note: this internal function relies on its caller preserving the value of
Manuel Pégourié-Gonnardca29fdf2018-10-22 09:56:53 +0200[diff] [blame]57 * the output parameter 'd' across continuation calls. This would not be
Manuel Pégourié-Gonnardc0edc962018-10-16 10:38:19 +0200[diff] [blame]58 * acceptable for a public function but is OK here as we control call sites.
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]59 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]60static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
61 mbedtls_mpi *d, mbedtls_ecp_point *Q,
62 int (*f_rng)(void *, unsigned char *, size_t),
63 void *p_rng,
64 mbedtls_ecp_restart_ctx *rs_ctx)
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]65{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]66 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]67
David Horstmannd2091972022-10-06 19:11:28 +0100[diff] [blame]68 int restarting = 0;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]69#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]70 restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]71#endif
David Horstmannd2091972022-10-06 19:11:28 +0100[diff] [blame]72 /* If multiplication is in progress, we already generated a privkey */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]73 if (!restarting) {
74 MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
75 }
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]76
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]77 MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
78 f_rng, p_rng, rs_ctx));
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]79
80cleanup:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]81 return ret;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]82}
83
84/*
85 * Generate public key
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]86 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]87int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
88 int (*f_rng)(void *, unsigned char *, size_t),
89 void *p_rng)
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]90{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]91 ECDH_VALIDATE_RET(grp != NULL);
92 ECDH_VALIDATE_RET(d != NULL);
93 ECDH_VALIDATE_RET(Q != NULL);
94 ECDH_VALIDATE_RET(f_rng != NULL);
95 return ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL);
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]96}
Ron Eldor936d2842018-11-01 13:05:52 +0200[diff] [blame]97#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]98
Ron Eldora84c1cb2017-10-10 19:04:27 +0300[diff] [blame]99#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]100/*
101 * Compute shared secret (SEC1 3.3.1)
102 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]103static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
104 mbedtls_mpi *z,
105 const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
106 int (*f_rng)(void *, unsigned char *, size_t),
107 void *p_rng,
108 mbedtls_ecp_restart_ctx *rs_ctx)
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]109{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]110 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]111 mbedtls_ecp_point P;
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]112
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]113 mbedtls_ecp_point_init(&P);
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]114
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]115 MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
116 f_rng, p_rng, rs_ctx));
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]117
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]118 if (mbedtls_ecp_is_zero(&P)) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119 ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Paul Bakkerb548d772013-07-26 14:21:34 +0200[diff] [blame]120 goto cleanup;
121 }
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]122
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]123 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]124
125cleanup:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]126 mbedtls_ecp_point_free(&P);
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]127
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]128 return ret;
Manuel Pégourié-Gonnard6545ca72013-01-26 16:05:22 +0100[diff] [blame]129}
130
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]131/*
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]132 * Compute shared secret (SEC1 3.3.1)
133 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]134int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
135 const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
136 int (*f_rng)(void *, unsigned char *, size_t),
137 void *p_rng)
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]138{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]139 ECDH_VALIDATE_RET(grp != NULL);
140 ECDH_VALIDATE_RET(Q != NULL);
141 ECDH_VALIDATE_RET(d != NULL);
142 ECDH_VALIDATE_RET(z != NULL);
143 return ecdh_compute_shared_restartable(grp, z, Q, d,
144 f_rng, p_rng, NULL);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]145}
Ron Eldor936d2842018-11-01 13:05:52 +0200[diff] [blame]146#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]147
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]148static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx)
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]149{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]150 mbedtls_ecp_group_init(&ctx->grp);
151 mbedtls_mpi_init(&ctx->d);
152 mbedtls_ecp_point_init(&ctx->Q);
153 mbedtls_ecp_point_init(&ctx->Qp);
154 mbedtls_mpi_init(&ctx->z);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]155
156#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]157 mbedtls_ecp_restart_init(&ctx->rs);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]158#endif
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]159}
160
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]161/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]162 * Initialize context
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]163 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]164void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]165{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]166 ECDH_VALIDATE(ctx != NULL);
Hanno Becker91796d72018-12-17 18:10:51 +0000[diff] [blame]167
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]168#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]169 ecdh_init_internal(ctx);
170 mbedtls_ecp_point_init(&ctx->Vi);
171 mbedtls_ecp_point_init(&ctx->Vf);
172 mbedtls_mpi_init(&ctx->_d);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]173#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]174 memset(ctx, 0, sizeof(mbedtls_ecdh_context));
Christoph M. Wintersteigerd8c45d52019-02-20 17:16:53 +0000[diff] [blame]175
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]176 ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
177#endif
178 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
179#if defined(MBEDTLS_ECP_RESTARTABLE)
180 ctx->restart_enabled = 0;
181#endif
182}
183
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]184static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
185 mbedtls_ecp_group_id grp_id)
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]186{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]188
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]189 ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
190 if (ret != 0) {
191 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]192 }
193
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]194 return 0;
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]195}
196
197/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]198 * Setup context
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]199 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]200int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]201{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]202 ECDH_VALIDATE_RET(ctx != NULL);
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]203
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]204#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]205 return ecdh_setup_internal(ctx, grp_id);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]206#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]207 switch (grp_id) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]208#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
Christoph M. Wintersteiger3ff60bc2019-02-15 12:59:59 +0000[diff] [blame]209 case MBEDTLS_ECP_DP_CURVE25519:
210 ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
211 ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
212 ctx->grp_id = grp_id;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]213 return mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id);
Christoph M. Wintersteiger78c9c462018-12-06 17:16:32 +0000[diff] [blame]214#endif
Christoph M. Wintersteiger3ff60bc2019-02-15 12:59:59 +0000[diff] [blame]215 default:
216 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
217 ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
218 ctx->grp_id = grp_id;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]219 ecdh_init_internal(&ctx->ctx.mbed_ecdh);
220 return ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]221 }
222#endif
223}
224
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]225static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]226{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]227 mbedtls_ecp_group_free(&ctx->grp);
228 mbedtls_mpi_free(&ctx->d);
229 mbedtls_ecp_point_free(&ctx->Q);
230 mbedtls_ecp_point_free(&ctx->Qp);
231 mbedtls_mpi_free(&ctx->z);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]232
233#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]234 mbedtls_ecp_restart_free(&ctx->rs);
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]235#endif
Manuel Pégourié-Gonnard63533e42013-02-10 14:21:04 +0100[diff] [blame]236}
237
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]238#if defined(MBEDTLS_ECP_RESTARTABLE)
239/*
240 * Enable restartable operations for context
241 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]242void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]243{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]244 ECDH_VALIDATE(ctx != NULL);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]245
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]246 ctx->restart_enabled = 1;
247}
248#endif
249
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]250/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]251 * Free context
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]252 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]253void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]254{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]255 if (ctx == NULL) {
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]256 return;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]257 }
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]258
259#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]260 mbedtls_ecp_point_free(&ctx->Vi);
261 mbedtls_ecp_point_free(&ctx->Vf);
262 mbedtls_mpi_free(&ctx->_d);
263 ecdh_free_internal(ctx);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]264#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]265 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]266#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
267 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]268 mbedtls_everest_free(&ctx->ctx.everest_ecdh);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]269 break;
270#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]271 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]272 ecdh_free_internal(&ctx->ctx.mbed_ecdh);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]273 break;
274 default:
275 break;
276 }
277
278 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
279 ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
280 ctx->grp_id = MBEDTLS_ECP_DP_NONE;
281#endif
282}
283
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]284static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
285 size_t *olen, int point_format,
286 unsigned char *buf, size_t blen,
287 int (*f_rng)(void *,
288 unsigned char *,
289 size_t),
290 void *p_rng,
291 int restart_enabled)
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]292{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]293 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]294 size_t grp_len, pt_len;
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]295#if defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]296 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
Ron Eldor936d2842018-11-01 13:05:52 +0200[diff] [blame]297#endif
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]298
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]299 if (ctx->grp.pbits == 0) {
300 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
301 }
Manuel Pégourié-Gonnardf35b7392013-02-11 22:12:39 +0100[diff] [blame]302
Ron Eldor19779c42018-11-05 16:58:13 +0200[diff] [blame]303#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]304 if (restart_enabled) {
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]305 rs_ctx = &ctx->rs;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]306 }
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]307#else
308 (void) restart_enabled;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]309#endif
310
Ron Eldor8493f802018-11-01 11:32:15 +0200[diff] [blame]311
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]312#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]313 if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
314 f_rng, p_rng, rs_ctx)) != 0) {
315 return ret;
316 }
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]317#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]318 if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
319 f_rng, p_rng)) != 0) {
320 return ret;
321 }
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]322#endif /* MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]323
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]324 if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
325 blen)) != 0) {
326 return ret;
327 }
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]328
329 buf += grp_len;
330 blen -= grp_len;
331
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]332 if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
333 &pt_len, buf, blen)) != 0) {
334 return ret;
335 }
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]336
337 *olen = grp_len + pt_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]338 return 0;
Manuel Pégourié-Gonnard13724762013-02-10 15:01:54 +0100[diff] [blame]339}
340
Manuel Pégourié-Gonnard854fbd72013-02-11 20:28:55 +0100[diff] [blame]341/*
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]342 * Setup and write the ServerKeyExchange parameters (RFC 4492)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]343 * struct {
344 * ECParameters curve_params;
345 * ECPoint public;
346 * } ServerECDHParams;
347 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]348int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
349 unsigned char *buf, size_t blen,
350 int (*f_rng)(void *, unsigned char *, size_t),
351 void *p_rng)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]352{
353 int restart_enabled = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]354 ECDH_VALIDATE_RET(ctx != NULL);
355 ECDH_VALIDATE_RET(olen != NULL);
356 ECDH_VALIDATE_RET(buf != NULL);
357 ECDH_VALIDATE_RET(f_rng != NULL);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]358
359#if defined(MBEDTLS_ECP_RESTARTABLE)
360 restart_enabled = ctx->restart_enabled;
361#else
362 (void) restart_enabled;
363#endif
364
365#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]366 return ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
367 f_rng, p_rng, restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]368#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]369 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]370#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
371 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]372 return mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
373 buf, blen, f_rng, p_rng);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]374#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]375 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]376 return ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
377 ctx->point_format, buf, blen,
378 f_rng, p_rng,
379 restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]380 default:
381 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
382 }
383#endif
384}
385
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]386static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
387 const unsigned char **buf,
388 const unsigned char *end)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]389{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]390 return mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
391 end - *buf);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]392}
393
394/*
bootstrap-prime7ef96ea2022-05-18 14:08:33 -0400[diff] [blame]395 * Read the ServerKeyExchange parameters (RFC 4492)
Manuel Pégourié-Gonnard854fbd72013-02-11 20:28:55 +0100[diff] [blame]396 * struct {
397 * ECParameters curve_params;
398 * ECPoint public;
399 * } ServerECDHParams;
400 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]401int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
402 const unsigned char **buf,
403 const unsigned char *end)
Manuel Pégourié-Gonnard854fbd72013-02-11 20:28:55 +0100[diff] [blame]404{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]405 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]406 mbedtls_ecp_group_id grp_id;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]407 ECDH_VALIDATE_RET(ctx != NULL);
408 ECDH_VALIDATE_RET(buf != NULL);
409 ECDH_VALIDATE_RET(*buf != NULL);
410 ECDH_VALIDATE_RET(end != NULL);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]411
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]412 if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, end - *buf))
413 != 0) {
414 return ret;
415 }
Manuel Pégourié-Gonnard854fbd72013-02-11 20:28:55 +0100[diff] [blame]416
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]417 if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0) {
418 return ret;
419 }
Janos Follathf61e4862018-10-30 11:53:25 +0000[diff] [blame]420
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]421#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]422 return ecdh_read_params_internal(ctx, buf, end);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]423#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]424 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]425#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
426 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]427 return mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
428 buf, end);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]429#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]430 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]431 return ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
432 buf, end);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]433 default:
434 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
435 }
436#endif
Manuel Pégourié-Gonnard854fbd72013-02-11 20:28:55 +0100[diff] [blame]437}
Manuel Pégourié-Gonnard0bad5c22013-01-26 15:30:46 +0100[diff] [blame]438
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]439static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
440 const mbedtls_ecp_keypair *key,
441 mbedtls_ecdh_side side)
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]442{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]443 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]444
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]445 /* If it's not our key, just import the public part as Qp */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]446 if (side == MBEDTLS_ECDH_THEIRS) {
447 return mbedtls_ecp_copy(&ctx->Qp, &key->Q);
448 }
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]449
450 /* Our key: import public (as Q) and private parts */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]451 if (side != MBEDTLS_ECDH_OURS) {
452 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
453 }
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]454
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]455 if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
456 (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0) {
457 return ret;
458 }
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]459
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]460 return 0;
Manuel Pégourié-Gonnardcdff3cf2013-12-12 09:55:52 +0100[diff] [blame]461}
462
463/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]464 * Get parameters from a keypair
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]465 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]466int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
467 const mbedtls_ecp_keypair *key,
468 mbedtls_ecdh_side side)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]469{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]471 ECDH_VALIDATE_RET(ctx != NULL);
472 ECDH_VALIDATE_RET(key != NULL);
473 ECDH_VALIDATE_RET(side == MBEDTLS_ECDH_OURS ||
474 side == MBEDTLS_ECDH_THEIRS);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]475
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]476 if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine0b1b71d2018-11-07 22:10:59 +0100[diff] [blame]477 /* This is the first call to get_params(). Set up the context
478 * for use with the group. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]479 if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0) {
480 return ret;
481 }
482 } else {
Gilles Peskine0b1b71d2018-11-07 22:10:59 +0100[diff] [blame]483 /* This is not the first call to get_params(). Check that the
484 * current key's group is the same as the context's, which was set
485 * from the first key's group. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]486 if (mbedtls_ecdh_grp_id(ctx) != key->grp.id) {
487 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
488 }
Gilles Peskine0b1b71d2018-11-07 22:10:59 +0100[diff] [blame]489 }
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]490
491#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]492 return ecdh_get_params_internal(ctx, key, side);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]493#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]494 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]495#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
496 case MBEDTLS_ECDH_VARIANT_EVEREST:
Christoph M. Wintersteiger4936beb2018-12-12 17:26:41 +0000[diff] [blame]497 {
Christoph M. Wintersteiger2e724a12019-01-07 14:19:41 +0000[diff] [blame]498 mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]499 MBEDTLS_EVEREST_ECDH_OURS :
500 MBEDTLS_EVEREST_ECDH_THEIRS;
501 return mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
502 key, s);
Christoph M. Wintersteiger4936beb2018-12-12 17:26:41 +0000[diff] [blame]503 }
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]504#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]505 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]506 return ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
507 key, side);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]508 default:
509 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
510 }
511#endif
512}
513
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]514static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
515 size_t *olen, int point_format,
516 unsigned char *buf, size_t blen,
517 int (*f_rng)(void *,
518 unsigned char *,
519 size_t),
520 void *p_rng,
521 int restart_enabled)
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]522{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]523 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]524#if defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]525 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
Ron Eldor936d2842018-11-01 13:05:52 +0200[diff] [blame]526#endif
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]527
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]528 if (ctx->grp.pbits == 0) {
529 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
530 }
Manuel Pégourié-Gonnardf35b7392013-02-11 22:12:39 +0100[diff] [blame]531
Ron Eldorb430d9f2018-11-05 17:18:29 +0200[diff] [blame]532#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]533 if (restart_enabled) {
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]534 rs_ctx = &ctx->rs;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]535 }
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]536#else
537 (void) restart_enabled;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]538#endif
539
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]540#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]541 if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
542 f_rng, p_rng, rs_ctx)) != 0) {
543 return ret;
544 }
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]545#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]546 if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
547 f_rng, p_rng)) != 0) {
548 return ret;
549 }
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]550#endif /* MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]551
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]552 return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
553 buf, blen);
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]554}
555
556/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]557 * Setup and export the client public value
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]558 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]559int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
560 unsigned char *buf, size_t blen,
561 int (*f_rng)(void *, unsigned char *, size_t),
562 void *p_rng)
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]563{
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]564 int restart_enabled = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]565 ECDH_VALIDATE_RET(ctx != NULL);
566 ECDH_VALIDATE_RET(olen != NULL);
567 ECDH_VALIDATE_RET(buf != NULL);
568 ECDH_VALIDATE_RET(f_rng != NULL);
Manuel Pégourié-Gonnardf35b7392013-02-11 22:12:39 +0100[diff] [blame]569
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]570#if defined(MBEDTLS_ECP_RESTARTABLE)
571 restart_enabled = ctx->restart_enabled;
572#endif
573
574#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]575 return ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
576 f_rng, p_rng, restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]577#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]578 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]579#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
580 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]581 return mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
582 buf, blen, f_rng, p_rng);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]583#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]584 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]585 return ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
586 ctx->point_format, buf, blen,
587 f_rng, p_rng,
588 restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]589 default:
590 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
591 }
592#endif
593}
594
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]595static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
596 const unsigned char *buf, size_t blen)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]597{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]598 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]599 const unsigned char *p = buf;
600
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]601 if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
602 blen)) != 0) {
603 return ret;
604 }
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]605
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]606 if ((size_t) (p - buf) != blen) {
607 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
608 }
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]609
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]610 return 0;
Manuel Pégourié-Gonnard5cceb412013-02-11 21:51:45 +0100[diff] [blame]611}
612
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]613/*
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]614 * Parse and import the client's public value
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]615 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]616int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
617 const unsigned char *buf, size_t blen)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]618{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]619 ECDH_VALIDATE_RET(ctx != NULL);
620 ECDH_VALIDATE_RET(buf != NULL);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]621
622#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]623 return ecdh_read_public_internal(ctx, buf, blen);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]624#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]625 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]626#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
627 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]628 return mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
629 buf, blen);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]630#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]631 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]632 return ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
633 buf, blen);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]634 default:
635 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
636 }
637#endif
638}
639
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]640static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
641 size_t *olen, unsigned char *buf,
642 size_t blen,
643 int (*f_rng)(void *,
644 unsigned char *,
645 size_t),
646 void *p_rng,
647 int restart_enabled)
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]648{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]649 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]650#if defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]651 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
Ron Eldor936d2842018-11-01 13:05:52 +0200[diff] [blame]652#endif
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]653
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]654 if (ctx == NULL || ctx->grp.pbits == 0) {
655 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
656 }
Manuel Pégourié-Gonnardf35b7392013-02-11 22:12:39 +0100[diff] [blame]657
Ron Eldorb430d9f2018-11-05 17:18:29 +0200[diff] [blame]658#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]659 if (restart_enabled) {
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]660 rs_ctx = &ctx->rs;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]661 }
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]662#else
663 (void) restart_enabled;
Manuel Pégourié-Gonnard66ba48a2017-04-27 11:38:26 +0200[diff] [blame]664#endif
665
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]666#if defined(MBEDTLS_ECP_RESTARTABLE)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]667 if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
668 &ctx->d, f_rng, p_rng,
669 rs_ctx)) != 0) {
670 return ret;
Manuel Pégourié-Gonnarde09d2f82013-09-02 14:29:09 +0200[diff] [blame]671 }
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]672#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]673 if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
674 &ctx->d, f_rng, p_rng)) != 0) {
675 return ret;
Ron Eldor2981d8f2018-11-05 18:07:10 +0200[diff] [blame]676 }
677#endif /* MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]678
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]679 if (mbedtls_mpi_size(&ctx->z) > blen) {
680 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
681 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]682
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]683 *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
Janos Follathab0f71a2019-02-20 10:48:49 +0000[diff] [blame]684
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]685 if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
686 return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
687 }
Janos Follathab0f71a2019-02-20 10:48:49 +0000[diff] [blame]688
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]689 return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
Manuel Pégourié-Gonnard424fda52013-02-11 22:05:42 +0100[diff] [blame]690}
691
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]692/*
693 * Derive and export the shared secret
694 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]695int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
696 unsigned char *buf, size_t blen,
697 int (*f_rng)(void *, unsigned char *, size_t),
698 void *p_rng)
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]699{
700 int restart_enabled = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]701 ECDH_VALIDATE_RET(ctx != NULL);
702 ECDH_VALIDATE_RET(olen != NULL);
703 ECDH_VALIDATE_RET(buf != NULL);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]704
705#if defined(MBEDTLS_ECP_RESTARTABLE)
706 restart_enabled = ctx->restart_enabled;
707#endif
708
709#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]710 return ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
711 restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]712#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]713 switch (ctx->var) {
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]714#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
715 case MBEDTLS_ECDH_VARIANT_EVEREST:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]716 return mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
717 buf, blen, f_rng, p_rng);
Christoph M. Wintersteigerc9f737b2018-10-25 13:03:05 +0100[diff] [blame]718#endif
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]719 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]720 return ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
721 blen, f_rng, p_rng,
722 restart_enabled);
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]723 default:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]724 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Janos Follath5a3e1bf2018-08-13 15:54:22 +0100[diff] [blame]725 }
726#endif
727}
728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729#endif /* MBEDTLS_ECDH_C */