Google Git
Sign in
boringssl / boringssl.git / 37e01b393cd4c4d2f8b2b48fe9b2a94907a495a9 / . / include / openssl / curve25519.h
blob: a9441cd4986c35bf940d25fee53760b03af26846 [file] [log] [blame]
Adam Langley4fb0dc42015-11-13 13:09:47 -0800[diff] [blame]1/* Copyright (c) 2015, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#ifndef OPENSSL_HEADER_CURVE25519_H
16#define OPENSSL_HEADER_CURVE25519_H
17
18#include <openssl/base.h>
19
20#if defined(__cplusplus)
21extern "C" {
22#endif
23
24
25/* Curve25519.
26 *
David Benjamin415564f2016-01-23 01:04:15 -0500[diff] [blame]27 * Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748. */
Adam Langley4fb0dc42015-11-13 13:09:47 -0800[diff] [blame]28
29
30/* X25519.
31 *
David Benjamina82e8dd2016-04-14 09:48:39 -0400[diff] [blame]32 * X25519 is the Diffie-Hellman primitive built from curve25519. It is
33 * sometimes referred to as “curve25519”, but “X25519” is a more precise name.
34 * See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748. */
Adam Langley4fb0dc42015-11-13 13:09:47 -0800[diff] [blame]35
36/* X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
37 * generated, public–private key pair. */
38OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],
39 uint8_t out_private_key[32]);
40
41/* X25519 writes a shared key to |out_shared_key| that is calculated from the
42 * given private key and the peer's public value. It returns one on success and
43 * zero on error.
44 *
45 * Don't use the shared key directly, rather use a KDF and also include the two
46 * public values as inputs. */
47OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],
48 const uint8_t private_key[32],
49 const uint8_t peers_public_value[32]);
50
51/* X25519_public_from_private calculates a Diffie-Hellman public value from the
52 * given private key and writes it to |out_public_value|. */
53OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],
54 const uint8_t private_key[32]);
55
56
57/* Ed25519.
58 *
59 * Ed25519 is a signature scheme using a twisted-Edwards curve that is
60 * birationally equivalent to curve25519. */
61
Matt Braithwaitec75c0ae2015-12-15 13:14:05 -0800[diff] [blame]62#define ED25519_PRIVATE_KEY_LEN 64
63#define ED25519_PUBLIC_KEY_LEN 32
64#define ED25519_SIGNATURE_LEN 64
65
Adam Langley4fb0dc42015-11-13 13:09:47 -0800[diff] [blame]66/* ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
67 * generated, public–private key pair. */
68OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],
69 uint8_t out_private_key[64]);
70
71/* ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
72 * |message| using |private_key|. It returns one on success or zero on
73 * error. */
74OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
75 size_t message_len,
76 const uint8_t private_key[64]);
77
78/* ED25519_verify returns one iff |signature| is a valid signature, by
79 * |public_key| of |message_len| bytes from |message|. It returns zero
80 * otherwise. */
81OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
82 const uint8_t signature[64],
83 const uint8_t public_key[32]);
84
85
Arnar Birgissonf27459e2016-02-09 18:09:00 -0800[diff] [blame]86/* SPAKE2.
87 *
88 * SPAKE2 is a password-authenticated key-exchange. It allows two parties,
89 * who share a low-entropy secret (i.e. password), to agree on a shared key.
90 * An attacker can only make one guess of the password per execution of the
91 * protocol.
92 *
93 * See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02. */
94
95/* spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
96 * requires that the symmetry of the two parties be broken so one participant
97 * must be “Alice” and the other be “Bob”. */
98enum spake2_role_t {
99 spake2_role_alice,
100 spake2_role_bob,
101};
102
103/* SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
104 * single execution of the protocol). SPAKE2 requires the symmetry of the two
105 * parties to be broken which is indicated via |my_role| – each party must pass
106 * a different value for this argument.
107 *
108 * The |my_name| and |their_name| arguments allow optional, opaque names to be
109 * bound into the protocol. For example MAC addresses, hostnames, usernames
110 * etc. These values are not exposed and can avoid context-confusion attacks
111 * when a password is shared between several devices. */
112OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
113 enum spake2_role_t my_role,
114 const uint8_t *my_name, size_t my_name_len,
115 const uint8_t *their_name, size_t their_name_len);
116
117/* SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated. */
118OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);
119
120/* SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message. */
121#define SPAKE2_MAX_MSG_SIZE 32
122
123/* SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes
124 * it to |out| and sets |*out_len| to the number of bytes written.
125 *
126 * At most |max_out_len| bytes are written to |out| and, in order to ensure
127 * success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.
128 *
129 * This function can only be called once for a given |SPAKE2_CTX|.
130 *
131 * It returns one on success and zero on error. */
132OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
133 size_t *out_len, size_t max_out_len,
134 const uint8_t *password,
135 size_t password_len);
136
137/* SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
138 * produce. */
139#define SPAKE2_MAX_KEY_SIZE 64
140
141/* SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
142 * |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets
143 * |*out_key_len| to the number of bytes written.
144 *
145 * The resulting keying material is suitable for:
146 * a) Using directly in a key-confirmation step: i.e. each side could
147 * transmit a hash of their role, a channel-binding value and the key
148 * material to prove to the other side that they know the shared key.
149 * b) Using as input keying material to HKDF to generate a variety of subkeys
150 * for encryption etc.
151 *
152 * If |max_out_key_key| is smaller than the amount of key material generated
153 * then the key is silently truncated. If you want to ensure that no truncation
154 * occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.
155 *
156 * You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling
157 * this function. On successful return, |ctx| is complete and calling
158 * |SPAKE2_CTX_free| is the only acceptable operation on it.
159 *
160 * Returns one on success or zero on error. */
161OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
162 size_t *out_key_len,
163 size_t max_out_key_len,
164 const uint8_t *their_msg,
165 size_t their_msg_len);
166
167
Adam Langley4fb0dc42015-11-13 13:09:47 -0800[diff] [blame]168#if defined(__cplusplus)
169} /* extern C */
170#endif
171
172#endif /* OPENSSL_HEADER_CURVE25519_H */