TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / aa584f9edec2b342cbc8354ae8251034dec9e49c / . / lib / libmbedtls / mbedtls / library / ecdh.c
blob: b276c6adadf4c4845950b540c831b2c8e0620f03 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Elliptic curve Diffie-Hellman
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 */
7
8/*
9 * References:
10 *
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]11 * SEC1 https://www.secg.org/sec1-v2.pdf
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]12 * RFC 4492
13 */
14
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]15#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]16
17#if defined(MBEDTLS_ECDH_C)
18
19#include "mbedtls/ecdh.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]20#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]21#include "mbedtls/error.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]22
23#include <string.h>
24
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]25#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
26typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
27#endif
28
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]29static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]30 const mbedtls_ecdh_context *ctx)
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]31{
32#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]33 return ctx->grp.id;
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]34#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]35 return ctx->grp_id;
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]36#endif
37}
38
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]39int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]40{
41 /* At this time, all groups support ECDH. */
42 (void) gid;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]43 return 1;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]44}
45
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]46#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]47/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]48 * Generate public key (restartable version)
49 *
50 * Note: this internal function relies on its caller preserving the value of
51 * the output parameter 'd' across continuation calls. This would not be
52 * acceptable for a public function but is OK here as we control call sites.
53 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]54static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
55 mbedtls_mpi *d, mbedtls_ecp_point *Q,
56 int (*f_rng)(void *, unsigned char *, size_t),
57 void *p_rng,
58 mbedtls_ecp_restart_ctx *rs_ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]59{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]60 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]61
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]62 int restarting = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]63#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]64 restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]65#endif
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]66 /* If multiplication is in progress, we already generated a privkey */
67 if (!restarting) {
68 MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
69 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]70
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]71 MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
72 f_rng, p_rng, rs_ctx));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]73
74cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]75 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]76}
77
78/*
79 * Generate public key
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]80 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]81int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
82 int (*f_rng)(void *, unsigned char *, size_t),
83 void *p_rng)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]84{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]85 return ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]86}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]87#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]88
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]89#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]90/*
91 * Compute shared secret (SEC1 3.3.1)
92 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]93static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
94 mbedtls_mpi *z,
95 const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
96 int (*f_rng)(void *, unsigned char *, size_t),
97 void *p_rng,
98 mbedtls_ecp_restart_ctx *rs_ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]99{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]101 mbedtls_ecp_point P;
102
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]103 mbedtls_ecp_point_init(&P);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]104
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]105 MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
106 f_rng, p_rng, rs_ctx));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]107
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]108 if (mbedtls_ecp_is_zero(&P)) {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]109 ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
110 goto cleanup;
111 }
112
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]113 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]114
115cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]116 mbedtls_ecp_point_free(&P);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]117
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]118 return ret;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]119}
120
121/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]122 * Compute shared secret (SEC1 3.3.1)
123 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]124int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
125 const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
126 int (*f_rng)(void *, unsigned char *, size_t),
127 void *p_rng)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]128{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]129 return ecdh_compute_shared_restartable(grp, z, Q, d,
130 f_rng, p_rng, NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]131}
132#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
133
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]134static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]135{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]136 mbedtls_ecp_group_init(&ctx->grp);
137 mbedtls_mpi_init(&ctx->d);
138 mbedtls_ecp_point_init(&ctx->Q);
139 mbedtls_ecp_point_init(&ctx->Qp);
140 mbedtls_mpi_init(&ctx->z);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]141
142#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]143 mbedtls_ecp_restart_init(&ctx->rs);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]144#endif
145}
146
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]147mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx)
148{
149#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
150 return ctx->MBEDTLS_PRIVATE(grp).id;
151#else
152 return ctx->MBEDTLS_PRIVATE(grp_id);
153#endif
154}
155
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]156/*
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]157 * Initialize context
158 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]159void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]160{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]161#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]162 ecdh_init_internal(ctx);
163 mbedtls_ecp_point_init(&ctx->Vi);
164 mbedtls_ecp_point_init(&ctx->Vf);
165 mbedtls_mpi_init(&ctx->_d);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]166#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]167 memset(ctx, 0, sizeof(mbedtls_ecdh_context));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]168
169 ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
170#endif
171 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
172#if defined(MBEDTLS_ECP_RESTARTABLE)
173 ctx->restart_enabled = 0;
174#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]175}
176
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]177static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
178 mbedtls_ecp_group_id grp_id)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]179{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]180 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]181
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]182 ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
183 if (ret != 0) {
184 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]185 }
186
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]187 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]188}
189
190/*
191 * Setup context
192 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]193int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]194{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]195#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]196 return ecdh_setup_internal(ctx, grp_id);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]197#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]198 switch (grp_id) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]199#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
200 case MBEDTLS_ECP_DP_CURVE25519:
201 ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
202 ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
203 ctx->grp_id = grp_id;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]204 return mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]205#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]206 default:
207 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
208 ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
209 ctx->grp_id = grp_id;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]210 ecdh_init_internal(&ctx->ctx.mbed_ecdh);
211 return ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]212 }
213#endif
214}
215
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]216static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]217{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]218 mbedtls_ecp_group_free(&ctx->grp);
219 mbedtls_mpi_free(&ctx->d);
220 mbedtls_ecp_point_free(&ctx->Q);
221 mbedtls_ecp_point_free(&ctx->Qp);
222 mbedtls_mpi_free(&ctx->z);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]223
224#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]225 mbedtls_ecp_restart_free(&ctx->rs);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]226#endif
227}
228
229#if defined(MBEDTLS_ECP_RESTARTABLE)
230/*
231 * Enable restartable operations for context
232 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]233void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]234{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]235 ctx->restart_enabled = 1;
236}
237#endif
238
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]239/*
240 * Free context
241 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]242void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]243{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]244 if (ctx == NULL) {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]245 return;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]246 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]247
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]248#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]249 mbedtls_ecp_point_free(&ctx->Vi);
250 mbedtls_ecp_point_free(&ctx->Vf);
251 mbedtls_mpi_free(&ctx->_d);
252 ecdh_free_internal(ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]253#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]254 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]255#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
256 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]257 mbedtls_everest_free(&ctx->ctx.everest_ecdh);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]258 break;
259#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]260 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]261 ecdh_free_internal(&ctx->ctx.mbed_ecdh);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]262 break;
263 default:
264 break;
265 }
266
267 ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
268 ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
269 ctx->grp_id = MBEDTLS_ECP_DP_NONE;
270#endif
271}
272
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]273static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
274 size_t *olen, int point_format,
275 unsigned char *buf, size_t blen,
276 int (*f_rng)(void *,
277 unsigned char *,
278 size_t),
279 void *p_rng,
280 int restart_enabled)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]281{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]282 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]283 size_t grp_len, pt_len;
284#if defined(MBEDTLS_ECP_RESTARTABLE)
285 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
286#endif
287
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]288 if (ctx->grp.pbits == 0) {
289 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
290 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]291
292#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]293 if (restart_enabled) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]294 rs_ctx = &ctx->rs;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]295 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]296#else
297 (void) restart_enabled;
298#endif
299
300
301#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]302 if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
303 f_rng, p_rng, rs_ctx)) != 0) {
304 return ret;
305 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]306#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]307 if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
308 f_rng, p_rng)) != 0) {
309 return ret;
310 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]311#endif /* MBEDTLS_ECP_RESTARTABLE */
312
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]313 if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
314 blen)) != 0) {
315 return ret;
316 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]317
318 buf += grp_len;
319 blen -= grp_len;
320
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]321 if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
322 &pt_len, buf, blen)) != 0) {
323 return ret;
324 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]325
326 *olen = grp_len + pt_len;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]327 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]328}
329
330/*
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]331 * Setup and write the ServerKeyExchange parameters (RFC 4492)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]332 * struct {
333 * ECParameters curve_params;
334 * ECPoint public;
335 * } ServerECDHParams;
336 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]337int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
338 unsigned char *buf, size_t blen,
339 int (*f_rng)(void *, unsigned char *, size_t),
340 void *p_rng)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]341{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]342 int restart_enabled = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]343#if defined(MBEDTLS_ECP_RESTARTABLE)
344 restart_enabled = ctx->restart_enabled;
345#else
346 (void) restart_enabled;
347#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]348
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]349#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]350 return ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
351 f_rng, p_rng, restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]352#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]353 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]354#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
355 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]356 return mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
357 buf, blen, f_rng, p_rng);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]358#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]359 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]360 return ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
361 ctx->point_format, buf, blen,
362 f_rng, p_rng,
363 restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]364 default:
365 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
366 }
367#endif
368}
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]369
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]370static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
371 const unsigned char **buf,
372 const unsigned char *end)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]373{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]374 return mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]375 (size_t) (end - *buf));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]376}
377
378/*
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]379 * Read the ServerKeyExchange parameters (RFC 4492)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]380 * struct {
381 * ECParameters curve_params;
382 * ECPoint public;
383 * } ServerECDHParams;
384 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]385int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
386 const unsigned char **buf,
387 const unsigned char *end)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]388{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]389 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]390 mbedtls_ecp_group_id grp_id;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]391 if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, (size_t) (end - *buf)))
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]392 != 0) {
393 return ret;
394 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]395
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]396 if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0) {
397 return ret;
398 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]399
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]400#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]401 return ecdh_read_params_internal(ctx, buf, end);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]402#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]403 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]404#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
405 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]406 return mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
407 buf, end);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]408#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]409 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]410 return ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
411 buf, end);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]412 default:
413 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
414 }
415#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]416}
417
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]418static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
419 const mbedtls_ecp_keypair *key,
420 mbedtls_ecdh_side side)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]421{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]422 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]423
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]424 /* If it's not our key, just import the public part as Qp */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]425 if (side == MBEDTLS_ECDH_THEIRS) {
426 return mbedtls_ecp_copy(&ctx->Qp, &key->Q);
427 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]428
429 /* Our key: import public (as Q) and private parts */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]430 if (side != MBEDTLS_ECDH_OURS) {
431 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
432 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]433
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]434 if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
435 (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0) {
436 return ret;
437 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]438
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]439 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]440}
441
442/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]443 * Get parameters from a keypair
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]444 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]445int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
446 const mbedtls_ecp_keypair *key,
447 mbedtls_ecdh_side side)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]448{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]449 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]450 if (side != MBEDTLS_ECDH_OURS && side != MBEDTLS_ECDH_THEIRS) {
451 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
452 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]453
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]454 if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]455 /* This is the first call to get_params(). Set up the context
456 * for use with the group. */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]457 if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0) {
458 return ret;
459 }
460 } else {
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]461 /* This is not the first call to get_params(). Check that the
462 * current key's group is the same as the context's, which was set
463 * from the first key's group. */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]464 if (mbedtls_ecdh_grp_id(ctx) != key->grp.id) {
465 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
466 }
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]467 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]468
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]469#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]470 return ecdh_get_params_internal(ctx, key, side);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]471#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]472 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]473#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
474 case MBEDTLS_ECDH_VARIANT_EVEREST:
475 {
476 mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]477 MBEDTLS_EVEREST_ECDH_OURS :
478 MBEDTLS_EVEREST_ECDH_THEIRS;
479 return mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
480 key, s);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]481 }
482#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]483 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]484 return ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
485 key, side);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]486 default:
487 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
488 }
489#endif
490}
491
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]492static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
493 size_t *olen, int point_format,
494 unsigned char *buf, size_t blen,
495 int (*f_rng)(void *,
496 unsigned char *,
497 size_t),
498 void *p_rng,
499 int restart_enabled)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]500{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]501 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]502#if defined(MBEDTLS_ECP_RESTARTABLE)
503 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
504#endif
505
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]506 if (ctx->grp.pbits == 0) {
507 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
508 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]509
510#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]511 if (restart_enabled) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]512 rs_ctx = &ctx->rs;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]513 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]514#else
515 (void) restart_enabled;
516#endif
517
518#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]519 if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
520 f_rng, p_rng, rs_ctx)) != 0) {
521 return ret;
522 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]523#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]524 if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
525 f_rng, p_rng)) != 0) {
526 return ret;
527 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]528#endif /* MBEDTLS_ECP_RESTARTABLE */
529
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]530 return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
531 buf, blen);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]532}
533
534/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]535 * Setup and export the client public value
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]536 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]537int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
538 unsigned char *buf, size_t blen,
539 int (*f_rng)(void *, unsigned char *, size_t),
540 void *p_rng)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]541{
542 int restart_enabled = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]543#if defined(MBEDTLS_ECP_RESTARTABLE)
544 restart_enabled = ctx->restart_enabled;
545#endif
546
547#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]548 return ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
549 f_rng, p_rng, restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]550#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]551 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]552#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
553 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]554 return mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
555 buf, blen, f_rng, p_rng);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]556#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]557 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]558 return ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
559 ctx->point_format, buf, blen,
560 f_rng, p_rng,
561 restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]562 default:
563 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
564 }
565#endif
566}
567
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]568static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
569 const unsigned char *buf, size_t blen)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]570{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]571 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]572 const unsigned char *p = buf;
573
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]574 if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
575 blen)) != 0) {
576 return ret;
577 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]578
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]579 if ((size_t) (p - buf) != blen) {
580 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
581 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]582
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]583 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]584}
585
586/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]587 * Parse and import the client's public value
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]588 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]589int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
590 const unsigned char *buf, size_t blen)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]591{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]592#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]593 return ecdh_read_public_internal(ctx, buf, blen);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]594#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]595 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]596#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
597 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]598 return mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
599 buf, blen);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]600#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]601 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]602 return ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
603 buf, blen);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]604 default:
605 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
606 }
607#endif
608}
609
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]610static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
611 size_t *olen, unsigned char *buf,
612 size_t blen,
613 int (*f_rng)(void *,
614 unsigned char *,
615 size_t),
616 void *p_rng,
617 int restart_enabled)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]618{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]619 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]620#if defined(MBEDTLS_ECP_RESTARTABLE)
621 mbedtls_ecp_restart_ctx *rs_ctx = NULL;
622#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]623
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]624 if (ctx == NULL || ctx->grp.pbits == 0) {
625 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
626 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]627
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]628#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]629 if (restart_enabled) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]630 rs_ctx = &ctx->rs;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]631 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]632#else
633 (void) restart_enabled;
634#endif
635
636#if defined(MBEDTLS_ECP_RESTARTABLE)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]637 if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
638 &ctx->d, f_rng, p_rng,
639 rs_ctx)) != 0) {
640 return ret;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]641 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]642#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]643 if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
644 &ctx->d, f_rng, p_rng)) != 0) {
645 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]646 }
647#endif /* MBEDTLS_ECP_RESTARTABLE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]648
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]649 if (mbedtls_mpi_size(&ctx->z) > blen) {
650 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
651 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]652
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]653 *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]654
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]655 if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
656 return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
657 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]658
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]659 return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]660}
661
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]662/*
663 * Derive and export the shared secret
664 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]665int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
666 unsigned char *buf, size_t blen,
667 int (*f_rng)(void *, unsigned char *, size_t),
668 void *p_rng)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]669{
670 int restart_enabled = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]671#if defined(MBEDTLS_ECP_RESTARTABLE)
672 restart_enabled = ctx->restart_enabled;
673#endif
674
675#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]676 return ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
677 restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]678#else
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]679 switch (ctx->var) {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]680#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
681 case MBEDTLS_ECDH_VARIANT_EVEREST:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]682 return mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
683 buf, blen, f_rng, p_rng);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]684#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]685 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]686 return ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
687 blen, f_rng, p_rng,
688 restart_enabled);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]689 default:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]690 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]691 }
692#endif
693}
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]694#endif /* MBEDTLS_ECDH_C */