kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3519 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 5fa2538162
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5fa2538162'
${ noResults }
boringssl/include/openssl/curve25519.h

196 lines
7.9 KiB
Raw Blame History 

  1. /* Copyright (c) 2015, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_CURVE25519_H

  16. #define OPENSSL_HEADER_CURVE25519_H

  17. 

  18. #include <openssl/base.h>

  19. 

  20. #if defined(__cplusplus)

  21. extern "C" {

  22. #endif

  23. 

  24. 

  25. /* Curve25519.

  26.  *

  27.  * Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748. */

  28. 

  29. 

  30. /* X25519.

  31.  *

  32.  * X25519 is the Diffie-Hellman primitive built from curve25519. It is

  33.  * sometimes referred to as “curve25519”, but “X25519” is a more precise name.

  34.  * See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748. */

  35. 

  36. #define X25519_PRIVATE_KEY_LEN 32

  37. #define X25519_PUBLIC_VALUE_LEN 32

  38. 

  39. /* X25519_keypair sets |out_public_value| and |out_private_key| to a freshly

  40.  * generated, public–private key pair. */

  41. OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],

  42.                                    uint8_t out_private_key[32]);

  43. 

  44. /* X25519 writes a shared key to |out_shared_key| that is calculated from the

  45.  * given private key and the peer's public value. It returns one on success and

  46.  * zero on error.

  47.  *

  48.  * Don't use the shared key directly, rather use a KDF and also include the two

  49.  * public values as inputs. */

  50. OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],

  51.                           const uint8_t private_key[32],

  52.                           const uint8_t peers_public_value[32]);

  53. 

  54. /* X25519_public_from_private calculates a Diffie-Hellman public value from the

  55.  * given private key and writes it to |out_public_value|. */

  56. OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],

  57.                                                const uint8_t private_key[32]);

  58. 

  59. 

  60. /* Ed25519.

  61.  *

  62.  * Ed25519 is a signature scheme using a twisted-Edwards curve that is

  63.  * birationally equivalent to curve25519. */

  64. 

  65. #define ED25519_PRIVATE_KEY_LEN 64

  66. #define ED25519_PUBLIC_KEY_LEN 32

  67. #define ED25519_SIGNATURE_LEN 64

  68. 

  69. /* ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly

  70.  * generated, public–private key pair. */

  71. OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],

  72.                                     uint8_t out_private_key[64]);

  73. 

  74. /* ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from

  75.  * |message| using |private_key|. It returns one on success or zero on

  76.  * error. */

  77. OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,

  78.                                 size_t message_len,

  79.                                 const uint8_t private_key[64]);

  80. 

  81. /* ED25519_verify returns one iff |signature| is a valid signature, by

  82.  * |public_key| of |message_len| bytes from |message|. It returns zero

  83.  * otherwise. */

  84. OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,

  85.                                   const uint8_t signature[64],

  86.                                   const uint8_t public_key[32]);

  87. 

  88. /* ED25519_keypair_from_seed calculates a public and private key from an

  89.  * Ed25519 “seed”. Seed values are not exposed by this API (although they

  90.  * happen to be the first 32 bytes of a private key) so this function is for

  91.  * interoperating with systems that may store just a seed instead of a full

  92.  * private key. */

  93. OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],

  94.                                               uint8_t out_private_key[64],

  95.                                               const uint8_t seed[32]);

  96. 

  97. 

  98. /* SPAKE2.

  99.  *

  100.  * SPAKE2 is a password-authenticated key-exchange. It allows two parties,

  101.  * who share a low-entropy secret (i.e. password), to agree on a shared key.

  102.  * An attacker can only make one guess of the password per execution of the

  103.  * protocol.

  104.  *

  105.  * See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02. */

  106. 

  107. /* spake2_role_t enumerates the different “roles” in SPAKE2. The protocol

  108.  * requires that the symmetry of the two parties be broken so one participant

  109.  * must be “Alice” and the other be “Bob”. */

  110. enum spake2_role_t {

  111.   spake2_role_alice,

  112.   spake2_role_bob,

  113. };

  114. 

  115. /* SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a

  116.  * single execution of the protocol). SPAKE2 requires the symmetry of the two

  117.  * parties to be broken which is indicated via |my_role| – each party must pass

  118.  * a different value for this argument.

  119.  *

  120.  * The |my_name| and |their_name| arguments allow optional, opaque names to be

  121.  * bound into the protocol. For example MAC addresses, hostnames, usernames

  122.  * etc. These values are not exposed and can avoid context-confusion attacks

  123.  * when a password is shared between several devices. */

  124. OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(

  125.     enum spake2_role_t my_role,

  126.     const uint8_t *my_name, size_t my_name_len,

  127.     const uint8_t *their_name, size_t their_name_len);

  128. 

  129. /* SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated. */

  130. OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);

  131. 

  132. /* SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message. */

  133. #define SPAKE2_MAX_MSG_SIZE 32

  134. 

  135. /* SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes

  136.  * it to |out| and sets |*out_len| to the number of bytes written.

  137.  *

  138.  * At most |max_out_len| bytes are written to |out| and, in order to ensure

  139.  * success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.

  140.  *

  141.  * This function can only be called once for a given |SPAKE2_CTX|.

  142.  *

  143.  * It returns one on success and zero on error. */

  144. OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,

  145.                                        size_t *out_len, size_t max_out_len,

  146.                                        const uint8_t *password,

  147.                                        size_t password_len);

  148. 

  149. /* SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will

  150.  * produce. */

  151. #define SPAKE2_MAX_KEY_SIZE 64

  152. 

  153. /* SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in

  154.  * |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets

  155.  * |*out_key_len| to the number of bytes written.

  156.  *

  157.  * The resulting keying material is suitable for:

  158.  *   a) Using directly in a key-confirmation step: i.e. each side could

  159.  *      transmit a hash of their role, a channel-binding value and the key

  160.  *      material to prove to the other side that they know the shared key.

  161.  *   b) Using as input keying material to HKDF to generate a variety of subkeys

  162.  *      for encryption etc.

  163.  *

  164.  * If |max_out_key_key| is smaller than the amount of key material generated

  165.  * then the key is silently truncated. If you want to ensure that no truncation

  166.  * occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.

  167.  *

  168.  * You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling

  169.  * this function. On successful return, |ctx| is complete and calling

  170.  * |SPAKE2_CTX_free| is the only acceptable operation on it.

  171.  *

  172.  * Returns one on success or zero on error. */

  173. OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,

  174.                                       size_t *out_key_len,

  175.                                       size_t max_out_key_len,

  176.                                       const uint8_t *their_msg,

  177.                                       size_t their_msg_len);

  178. 

  179. 

  180. #if defined(__cplusplus)

  181. }  /* extern C */

  182. 

  183. extern "C++" {

  184. 

  185. namespace bssl {

  186. 

  187. BORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)

  188. 

  189. }  // namespace bssl

  190. 

  191. }  /* extern C++ */

  192. 

  193. #endif

  194. 

  195. #endif  /* OPENSSL_HEADER_CURVE25519_H */