Google Git
Sign in
boringssl/boringssl/d671f42fa565a7f2dd2d01dc47376f182687b1d2/./include/openssl/curve25519.h
blob: 83d7d97e45d1334ef7dd362134ece49431ee07ab [file]
// Copyright 2015 The BoringSSL Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef OPENSSL_HEADER_CURVE25519_H
#define OPENSSL_HEADER_CURVE25519_H
#include <openssl/base.h> // IWYU pragma: export
#if defined(__cplusplus)
extern "C" {
#endif
// Curve25519.
//
// Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748.
// X25519.
//
// X25519 is the Diffie-Hellman primitive built from curve25519. It is
// sometimes referred to as “curve25519”, but “X25519” is a more precise name.
// See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748.
#define X25519_PRIVATE_KEY_LEN 32
#define X25519_PUBLIC_VALUE_LEN 32
#define X25519_SHARED_KEY_LEN 32
// X25519_keypair sets `out_public_value` and `out_private_key` to a freshly
// generated, public–private key pair.
OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],
uint8_t out_private_key[32]);
// X25519 writes a shared key to `out_shared_key` that is calculated from the
// given private key and the peer's public value. It returns one on success and
// zero on error.
//
// Don't use the shared key directly, rather use a KDF and also include the two
// public values as inputs.
OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],
const uint8_t private_key[32],
const uint8_t peer_public_value[32]);
// X25519_public_from_private calculates a Diffie-Hellman public value from the
// given private key and writes it to `out_public_value`.
OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]);
// Ed25519.
//
// Ed25519 is a signature scheme using a twisted-Edwards curve that is
// birationally equivalent to curve25519.
//
// Note that, unlike RFC 8032's formulation, our private key representation
// includes a public key suffix to make multiple key signing operations with the
// same key more efficient. The RFC 8032 private key is referred to in this
// implementation as the "seed" and is the first 32 bytes of our private key.
#define ED25519_PRIVATE_KEY_LEN 64
#define ED25519_PUBLIC_KEY_LEN 32
#define ED25519_SIGNATURE_LEN 64
// ED25519_keypair sets `out_public_key` and `out_private_key` to a freshly
// generated, public–private key pair.
OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],
uint8_t out_private_key[64]);
// ED25519_sign sets `out_sig` to be a signature of `message_len` bytes from
// `message` using `private_key`. It returns one on success or zero on
// allocation failure.
OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
size_t message_len,
const uint8_t private_key[64]);
// ED25519_verify returns one iff `signature` is a valid signature, by
// `public_key` of `message_len` bytes from `message`. It returns zero
// otherwise.
OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[64],
const uint8_t public_key[32]);
// ED25519_keypair_from_seed calculates a public and private key from an
// Ed25519 “seed”. Seed values are not exposed by this API (although they
// happen to be the first 32 bytes of a private key) so this function is for
// interoperating with systems that may store just a seed instead of a full
// private key.
OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],
uint8_t out_private_key[64],
const uint8_t seed[32]);
// SPAKE2.
//
// SPAKE2 is a password-authenticated key-exchange. It allows two parties,
// who share a low-entropy secret (i.e. password), to agree on a shared key.
// An attacker can only make one guess of the password per execution of the
// protocol.
//
// See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02.
// spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
// requires that the symmetry of the two parties be broken so one participant
// must be “Alice” and the other be “Bob”.
enum spake2_role_t {
spake2_role_alice,
spake2_role_bob,
};
// SPAKE2_CTX_new creates a new `SPAKE2_CTX` (which can only be used for a
// single execution of the protocol). SPAKE2 requires the symmetry of the two
// parties to be broken which is indicated via `my_role` – each party must pass
// a different value for this argument.
//
// The `my_name` and `their_name` arguments allow optional, opaque names to be
// bound into the protocol. For example MAC addresses, hostnames, usernames
// etc. These values are not exposed and can avoid context-confusion attacks
// when a password is shared between several devices.
OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
enum spake2_role_t my_role,
const uint8_t *my_name, size_t my_name_len,
const uint8_t *their_name, size_t their_name_len);
// SPAKE2_CTX_free frees `ctx` and all the resources that it has allocated.
OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);
// SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message.
#define SPAKE2_MAX_MSG_SIZE 32
// SPAKE2_generate_msg generates a SPAKE2 message given `password`, writes
// it to `out` and sets `*out_len` to the number of bytes written.
//
// At most `max_out_len` bytes are written to `out` and, in order to ensure
// success, `max_out_len` should be at least `SPAKE2_MAX_MSG_SIZE` bytes.
//
// This function can only be called once for a given `SPAKE2_CTX`.
//
// It returns one on success and zero on error.
OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *password,
size_t password_len);
// SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
// produce.
#define SPAKE2_MAX_KEY_SIZE 64
// SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
// `their_msg`, writes at most `max_out_key_len` bytes to `out_key` and sets
// `*out_key_len` to the number of bytes written.
//
// The resulting keying material is suitable for:
// - Using directly in a key-confirmation step: i.e. each side could
// transmit a hash of their role, a channel-binding value and the key
// material to prove to the other side that they know the shared key.
// - Using as input keying material to HKDF to generate a variety of subkeys
// for encryption etc.
//
// If `max_out_key_key` is smaller than the amount of key material generated
// then the key is silently truncated. If you want to ensure that no truncation
// occurs then `max_out_key` should be at least `SPAKE2_MAX_KEY_SIZE`.
//
// You must call `SPAKE2_generate_msg` on a given `SPAKE2_CTX` before calling
// this function. On successful return, `ctx` is complete and calling
// `SPAKE2_CTX_free` is the only acceptable operation on it.
//
// Returns one on success or zero on error.
OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
size_t *out_key_len,
size_t max_out_key_len,
const uint8_t *their_msg,
size_t their_msg_len);
#if defined(__cplusplus)
} // extern C
extern "C++" {
BSSL_NAMESPACE_BEGIN
BORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)
BSSL_NAMESPACE_END
} // extern C++
#endif
#endif // OPENSSL_HEADER_CURVE25519_H