2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_EC_H__
26 #define BR_BEARSSL_EC_H__
31 /** \file bearssl_ec.h
35 * This file documents the EC implementations provided with BearSSL, and
38 * ## Elliptic Curve API
40 * Only "named curves" are supported. Each EC implementation supports
41 * one or several named curves, identified by symbolic identifiers.
42 * These identifiers are small integers, that correspond to the values
44 * [IANA](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).
46 * Since all currently defined elliptic curve identifiers are in the 0..31
47 * range, it is convenient to encode support of some curves in a 32-bit
48 * word, such that bit x corresponds to curve of identifier x.
50 * An EC implementation is incarnated by a `br_ec_impl` instance, that
51 * offers the following fields:
53 * - `supported_curves`
55 * A 32-bit word that documents the identifiers of the curves supported
56 * by this implementation.
60 * Callback method that returns a pointer to the conventional generator
61 * point for that curve.
65 * Callback method that returns a pointer to the subgroup order for
66 * that curve. That value uses unsigned big-endian encoding.
70 * Callback method that returns the offset and length of the X
71 * coordinate in an encoded point.
75 * Multiply a curve point with an integer.
79 * Multiply the curve generator with an integer. This may be faster
80 * than the generic `mul()`.
84 * Multiply two curve points by two integers, and return the sum of
87 * All curve points are represented in uncompressed format. The `mul()`
88 * and `muladd()` methods take care to validate that the provided points
89 * are really part of the relevant curve subgroup.
91 * For all point multiplication functions, the following holds:
93 * - Functions validate that the provided points are valid members
94 * of the relevant curve subgroup. An error is reported if that is
97 * - Processing is constant-time, even if the point operands are not
98 * valid. This holds for both the source and resulting points, and
99 * the multipliers (integers). Only the byte length of the provided
100 * multiplier arrays (not their actual value length in bits) may
101 * leak through timing-based side channels.
103 * - The multipliers (integers) MUST be lower than the subgroup order.
104 * If this property is not met, then the result is indeterminate,
105 * but an error value is not ncessearily returned.
110 * ECDSA signatures have two standard formats, called "raw" and "asn1".
111 * Internally, such a signature is a pair of modular integers `(r,s)`.
112 * The "raw" format is the concatenation of the unsigned big-endian
113 * encodings of these two integers, possibly left-padded with zeros so
114 * that they have the same encoded length. The "asn1" format is the
115 * DER encoding of an ASN.1 structure that contains the two integer
118 * ECDSASignature ::= SEQUENCE {
123 * In general, in all of X.509 and SSL/TLS, the "asn1" format is used.
124 * BearSSL offers ECDSA implementations for both formats; conversion
125 * functions between the two formats are also provided. Conversion of a
126 * "raw" format signature into "asn1" may enlarge a signature by no more
127 * than 9 bytes for all supported curves; conversely, conversion of an
128 * "asn1" signature to "raw" may expand the signature but the "raw"
129 * length will never be more than twice the length of the "asn1" length
130 * (and usually it will be shorter).
132 * Note that for a given signature, the "raw" format is not fully
133 * deterministic, in that it does not enforce a minimal common length.
137 * Standard curve ID. These ID are equal to the assigned numerical
138 * identifiers assigned to these curves for TLS:
139 * http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
142 /** \brief Identifier for named curve sect163k1. */
143 #define BR_EC_sect163k1 1
145 /** \brief Identifier for named curve sect163r1. */
146 #define BR_EC_sect163r1 2
148 /** \brief Identifier for named curve sect163r2. */
149 #define BR_EC_sect163r2 3
151 /** \brief Identifier for named curve sect193r1. */
152 #define BR_EC_sect193r1 4
154 /** \brief Identifier for named curve sect193r2. */
155 #define BR_EC_sect193r2 5
157 /** \brief Identifier for named curve sect233k1. */
158 #define BR_EC_sect233k1 6
160 /** \brief Identifier for named curve sect233r1. */
161 #define BR_EC_sect233r1 7
163 /** \brief Identifier for named curve sect239k1. */
164 #define BR_EC_sect239k1 8
166 /** \brief Identifier for named curve sect283k1. */
167 #define BR_EC_sect283k1 9
169 /** \brief Identifier for named curve sect283r1. */
170 #define BR_EC_sect283r1 10
172 /** \brief Identifier for named curve sect409k1. */
173 #define BR_EC_sect409k1 11
175 /** \brief Identifier for named curve sect409r1. */
176 #define BR_EC_sect409r1 12
178 /** \brief Identifier for named curve sect571k1. */
179 #define BR_EC_sect571k1 13
181 /** \brief Identifier for named curve sect571r1. */
182 #define BR_EC_sect571r1 14
184 /** \brief Identifier for named curve secp160k1. */
185 #define BR_EC_secp160k1 15
187 /** \brief Identifier for named curve secp160r1. */
188 #define BR_EC_secp160r1 16
190 /** \brief Identifier for named curve secp160r2. */
191 #define BR_EC_secp160r2 17
193 /** \brief Identifier for named curve secp192k1. */
194 #define BR_EC_secp192k1 18
196 /** \brief Identifier for named curve secp192r1. */
197 #define BR_EC_secp192r1 19
199 /** \brief Identifier for named curve secp224k1. */
200 #define BR_EC_secp224k1 20
202 /** \brief Identifier for named curve secp224r1. */
203 #define BR_EC_secp224r1 21
205 /** \brief Identifier for named curve secp256k1. */
206 #define BR_EC_secp256k1 22
208 /** \brief Identifier for named curve secp256r1. */
209 #define BR_EC_secp256r1 23
211 /** \brief Identifier for named curve secp384r1. */
212 #define BR_EC_secp384r1 24
214 /** \brief Identifier for named curve secp521r1. */
215 #define BR_EC_secp521r1 25
217 /** \brief Identifier for named curve brainpoolP256r1. */
218 #define BR_EC_brainpoolP256r1 26
220 /** \brief Identifier for named curve brainpoolP384r1. */
221 #define BR_EC_brainpoolP384r1 27
223 /** \brief Identifier for named curve brainpoolP512r1. */
224 #define BR_EC_brainpoolP512r1 28
226 /** \brief Identifier for named curve Curve25519. */
227 #define BR_EC_curve25519 29
229 /** \brief Identifier for named curve Curve448. */
230 #define BR_EC_curve448 30
233 * \brief Structure for an EC public key.
236 /** \brief Identifier for the curve used by this key. */
238 /** \brief Public curve point (uncompressed format). */
240 /** \brief Length of public curve point (in bytes). */
245 * \brief Structure for an EC private key.
247 * The private key is an integer modulo the curve subgroup order. The
248 * encoding below tolerates extra leading zeros. In general, it is
249 * recommended that the private key has the same length as the curve
253 /** \brief Identifier for the curve used by this key. */
255 /** \brief Private key (integer, unsigned big-endian encoding). */
257 /** \brief Private key length (in bytes). */
262 * \brief Type for an EC implementation.
266 * \brief Supported curves.
268 * This word is a bitfield: bit `x` is set if the curve of ID `x`
269 * is supported. E.g. an implementation supporting both NIST P-256
270 * (secp256r1, ID 23) and NIST P-384 (secp384r1, ID 24) will have
271 * value `0x01800000` in this field.
273 uint32_t supported_curves
;
276 * \brief Get the conventional generator.
278 * This function returns the conventional generator (encoded
279 * curve point) for the specified curve. This function MUST NOT
280 * be called if the curve is not supported.
282 * \param curve curve identifier.
283 * \param len receiver for the encoded generator length (in bytes).
284 * \return the encoded generator.
286 const unsigned char *(*generator
)(int curve
, size_t *len
);
289 * \brief Get the subgroup order.
291 * This function returns the order of the subgroup generated by
292 * the conventional generator, for the specified curve. Unsigned
293 * big-endian encoding is used. This function MUST NOT be called
294 * if the curve is not supported.
296 * \param curve curve identifier.
297 * \param len receiver for the encoded order length (in bytes).
298 * \return the encoded order.
300 const unsigned char *(*order
)(int curve
, size_t *len
);
303 * \brief Get the offset and length for the X coordinate.
305 * This function returns the offset and length (in bytes) of
306 * the X coordinate in an encoded non-zero point.
308 * \param curve curve identifier.
309 * \param len receiver for the X coordinate length (in bytes).
310 * \return the offset for the X coordinate (in bytes).
312 size_t (*xoff
)(int curve
, size_t *len
);
315 * \brief Multiply a curve point by an integer.
317 * The source point is provided in array `G` (of size `Glen` bytes);
318 * the multiplication result is written over it. The multiplier
319 * `x` (of size `xlen` bytes) uses unsigned big-endian encoding.
323 * - The specified curve MUST be supported.
325 * - The source point must be a valid point on the relevant curve
326 * subgroup (and not the "point at infinity" either). If this is
327 * not the case, then this function returns an error (0).
329 * - The multiplier integer MUST be non-zero and less than the
330 * curve subgroup order. If this property does not hold, then
331 * the result is indeterminate and an error code is not
334 * Returned value is 1 on success, 0 on error. On error, the
335 * contents of `G` are indeterminate.
337 * \param G point to multiply.
338 * \param Glen length of the encoded point (in bytes).
339 * \param x multiplier (unsigned big-endian).
340 * \param xlen multiplier length (in bytes).
341 * \param curve curve identifier.
342 * \return 1 on success, 0 on error.
344 uint32_t (*mul
)(unsigned char *G
, size_t Glen
,
345 const unsigned char *x
, size_t xlen
, int curve
);
348 * \brief Multiply the generator by an integer.
350 * The multiplier MUST be non-zero and less than the curve
351 * subgroup order. Results are indeterminate if this property
354 * \param R output buffer for the point.
355 * \param x multiplier (unsigned big-endian).
356 * \param xlen multiplier length (in bytes).
357 * \param curve curve identifier.
358 * \return encoded result point length (in bytes).
360 size_t (*mulgen
)(unsigned char *R
,
361 const unsigned char *x
, size_t xlen
, int curve
);
364 * \brief Multiply two points by two integers and add the
367 * The point `x*A + y*B` is computed and written back in the `A`
372 * - The specified curve MUST be supported.
374 * - The source points (`A` and `B`) must be valid points on
375 * the relevant curve subgroup (and not the "point at
376 * infinity" either). If this is not the case, then this
377 * function returns an error (0).
379 * - If the `B` pointer is `NULL`, then the conventional
380 * subgroup generator is used. With some implementations,
381 * this may be faster than providing a pointer to the
384 * - The multiplier integers (`x` and `y`) MUST be non-zero
385 * and less than the curve subgroup order. If either integer
386 * is zero, then an error is reported, but if one of them is
387 * not lower than the subgroup order, then the result is
388 * indeterminate and an error code is not guaranteed.
390 * - If the final result is the point at infinity, then an
393 * Returned value is 1 on success, 0 on error. On error, the
394 * contents of `A` are indeterminate.
396 * \param A first point to multiply.
397 * \param B second point to multiply (`NULL` for the generator).
398 * \param len common length of the encoded points (in bytes).
399 * \param x multiplier for `A` (unsigned big-endian).
400 * \param xlen length of multiplier for `A` (in bytes).
401 * \param y multiplier for `A` (unsigned big-endian).
402 * \param ylen length of multiplier for `A` (in bytes).
403 * \param curve curve identifier.
404 * \return 1 on success, 0 on error.
406 uint32_t (*muladd
)(unsigned char *A
, const unsigned char *B
, size_t len
,
407 const unsigned char *x
, size_t xlen
,
408 const unsigned char *y
, size_t ylen
, int curve
);
412 * \brief EC implementation "i31".
414 * This implementation internally uses generic code for modular integers,
415 * with a representation as sequences of 31-bit words. It supports secp256r1,
416 * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
418 extern const br_ec_impl br_ec_prime_i31
;
421 * \brief EC implementation "i15".
423 * This implementation internally uses generic code for modular integers,
424 * with a representation as sequences of 15-bit words. It supports secp256r1,
425 * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
427 extern const br_ec_impl br_ec_prime_i15
;
430 * \brief EC implementation "m15" for P-256.
432 * This implementation uses specialised code for curve secp256r1 (also
433 * known as NIST P-256), with optional Karatsuba decomposition, and fast
434 * modular reduction thanks to the field modulus special format. Only
435 * 32-bit multiplications are used (with 32-bit results, not 64-bit).
437 extern const br_ec_impl br_ec_p256_m15
;
440 * \brief EC implementation "m31" for P-256.
442 * This implementation uses specialised code for curve secp256r1 (also
443 * known as NIST P-256), relying on multiplications of 31-bit values
446 extern const br_ec_impl br_ec_p256_m31
;
449 * \brief EC implementation "i15" (generic code) for Curve25519.
451 * This implementation uses the generic code for modular integers (with
452 * 15-bit words) to support Curve25519. Due to the specificities of the
453 * curve definition, the following applies:
455 * - `muladd()` is not implemented (the function returns 0 systematically).
456 * - `order()` returns 2^255-1, since the point multiplication algorithm
457 * accepts any 32-bit integer as input (it clears the top bit and low
458 * three bits systematically).
460 extern const br_ec_impl br_ec_c25519_i15
;
463 * \brief EC implementation "i31" (generic code) for Curve25519.
465 * This implementation uses the generic code for modular integers (with
466 * 31-bit words) to support Curve25519. Due to the specificities of the
467 * curve definition, the following applies:
469 * - `muladd()` is not implemented (the function returns 0 systematically).
470 * - `order()` returns 2^255-1, since the point multiplication algorithm
471 * accepts any 32-bit integer as input (it clears the top bit and low
472 * three bits systematically).
474 extern const br_ec_impl br_ec_c25519_i31
;
477 * \brief EC implementation "m15" (specialised code) for Curve25519.
479 * This implementation uses custom code relying on multiplication of
480 * integers up to 15 bits. Due to the specificities of the curve
481 * definition, the following applies:
483 * - `muladd()` is not implemented (the function returns 0 systematically).
484 * - `order()` returns 2^255-1, since the point multiplication algorithm
485 * accepts any 32-bit integer as input (it clears the top bit and low
486 * three bits systematically).
488 extern const br_ec_impl br_ec_c25519_m15
;
491 * \brief EC implementation "m31" (specialised code) for Curve25519.
493 * This implementation uses custom code relying on multiplication of
494 * integers up to 31 bits. Due to the specificities of the curve
495 * definition, the following applies:
497 * - `muladd()` is not implemented (the function returns 0 systematically).
498 * - `order()` returns 2^255-1, since the point multiplication algorithm
499 * accepts any 32-bit integer as input (it clears the top bit and low
500 * three bits systematically).
502 extern const br_ec_impl br_ec_c25519_m31
;
505 * \brief Aggregate EC implementation "m15".
507 * This implementation is a wrapper for:
509 * - `br_ec_c25519_m15` for Curve25519
510 * - `br_ec_p256_m15` for NIST P-256
511 * - `br_ec_prime_i15` for other curves (NIST P-384 and NIST-P512)
513 extern const br_ec_impl br_ec_all_m15
;
516 * \brief Aggregate EC implementation "m31".
518 * This implementation is a wrapper for:
520 * - `br_ec_c25519_m31` for Curve25519
521 * - `br_ec_p256_m31` for NIST P-256
522 * - `br_ec_prime_i31` for other curves (NIST P-384 and NIST-P512)
524 extern const br_ec_impl br_ec_all_m31
;
527 * \brief Get the "default" EC implementation for the current system.
529 * This returns a pointer to the preferred implementation on the
532 * \return the default EC implementation.
534 const br_ec_impl
*br_ec_get_default(void);
537 * \brief Convert a signature from "raw" to "asn1".
539 * Conversion is done "in place" and the new length is returned.
540 * Conversion may enlarge the signature, but by no more than 9 bytes at
541 * most. On error, 0 is returned (error conditions include an odd raw
542 * signature length, or an oversized integer).
544 * \param sig signature to convert.
545 * \param sig_len signature length (in bytes).
546 * \return the new signature length, or 0 on error.
548 size_t br_ecdsa_raw_to_asn1(void *sig
, size_t sig_len
);
551 * \brief Convert a signature from "asn1" to "raw".
553 * Conversion is done "in place" and the new length is returned.
554 * Conversion may enlarge the signature, but the new signature length
555 * will be less than twice the source length at most. On error, 0 is
556 * returned (error conditions include an invalid ASN.1 structure or an
557 * oversized integer).
559 * \param sig signature to convert.
560 * \param sig_len signature length (in bytes).
561 * \return the new signature length, or 0 on error.
563 size_t br_ecdsa_asn1_to_raw(void *sig
, size_t sig_len
);
566 * \brief Type for an ECDSA signer function.
568 * A pointer to the EC implementation is provided. The hash value is
569 * assumed to have the length inferred from the designated hash function
572 * Signature is written in the buffer pointed to by `sig`, and the length
573 * (in bytes) is returned. On error, nothing is written in the buffer,
574 * and 0 is returned. This function returns 0 if the specified curve is
575 * not supported by the provided EC implementation.
577 * The signature format is either "raw" or "asn1", depending on the
578 * implementation; maximum length is predictable from the implemented
581 * | curve | raw | asn1 |
582 * | :--------- | --: | ---: |
583 * | NIST P-256 | 64 | 72 |
584 * | NIST P-384 | 96 | 104 |
585 * | NIST P-521 | 132 | 139 |
587 * \param impl EC implementation to use.
588 * \param hf hash function used to process the data.
589 * \param hash_value signed data (hashed).
590 * \param sk EC private key.
591 * \param sig destination buffer.
592 * \return the signature length (in bytes), or 0 on error.
594 typedef size_t (*br_ecdsa_sign
)(const br_ec_impl
*impl
,
595 const br_hash_class
*hf
, const void *hash_value
,
596 const br_ec_private_key
*sk
, void *sig
);
599 * \brief Type for an ECDSA signature verification function.
601 * A pointer to the EC implementation is provided. The hashed value,
602 * computed over the purportedly signed data, is also provided with
605 * The signature format is either "raw" or "asn1", depending on the
608 * Returned value is 1 on success (valid signature), 0 on error. This
609 * function returns 0 if the specified curve is not supported by the
610 * provided EC implementation.
612 * \param impl EC implementation to use.
613 * \param hash signed data (hashed).
614 * \param hash_len hash value length (in bytes).
615 * \param pk EC public key.
616 * \param sig signature.
617 * \param sig_len signature length (in bytes).
618 * \return 1 on success, 0 on error.
620 typedef uint32_t (*br_ecdsa_vrfy
)(const br_ec_impl
*impl
,
621 const void *hash
, size_t hash_len
,
622 const br_ec_public_key
*pk
, const void *sig
, size_t sig_len
);
625 * \brief ECDSA signature generator, "i31" implementation, "asn1" format.
627 * \see br_ecdsa_sign()
629 * \param impl EC implementation to use.
630 * \param hf hash function used to process the data.
631 * \param hash_value signed data (hashed).
632 * \param sk EC private key.
633 * \param sig destination buffer.
634 * \return the signature length (in bytes), or 0 on error.
636 size_t br_ecdsa_i31_sign_asn1(const br_ec_impl
*impl
,
637 const br_hash_class
*hf
, const void *hash_value
,
638 const br_ec_private_key
*sk
, void *sig
);
641 * \brief ECDSA signature generator, "i31" implementation, "raw" format.
643 * \see br_ecdsa_sign()
645 * \param impl EC implementation to use.
646 * \param hf hash function used to process the data.
647 * \param hash_value signed data (hashed).
648 * \param sk EC private key.
649 * \param sig destination buffer.
650 * \return the signature length (in bytes), or 0 on error.
652 size_t br_ecdsa_i31_sign_raw(const br_ec_impl
*impl
,
653 const br_hash_class
*hf
, const void *hash_value
,
654 const br_ec_private_key
*sk
, void *sig
);
657 * \brief ECDSA signature verifier, "i31" implementation, "asn1" format.
659 * \see br_ecdsa_vrfy()
661 * \param impl EC implementation to use.
662 * \param hash signed data (hashed).
663 * \param hash_len hash value length (in bytes).
664 * \param pk EC public key.
665 * \param sig signature.
666 * \param sig_len signature length (in bytes).
667 * \return 1 on success, 0 on error.
669 uint32_t br_ecdsa_i31_vrfy_asn1(const br_ec_impl
*impl
,
670 const void *hash
, size_t hash_len
,
671 const br_ec_public_key
*pk
, const void *sig
, size_t sig_len
);
674 * \brief ECDSA signature verifier, "i31" implementation, "raw" format.
676 * \see br_ecdsa_vrfy()
678 * \param impl EC implementation to use.
679 * \param hash signed data (hashed).
680 * \param hash_len hash value length (in bytes).
681 * \param pk EC public key.
682 * \param sig signature.
683 * \param sig_len signature length (in bytes).
684 * \return 1 on success, 0 on error.
686 uint32_t br_ecdsa_i31_vrfy_raw(const br_ec_impl
*impl
,
687 const void *hash
, size_t hash_len
,
688 const br_ec_public_key
*pk
, const void *sig
, size_t sig_len
);
691 * \brief ECDSA signature generator, "i15" implementation, "asn1" format.
693 * \see br_ecdsa_sign()
695 * \param impl EC implementation to use.
696 * \param hf hash function used to process the data.
697 * \param hash_value signed data (hashed).
698 * \param sk EC private key.
699 * \param sig destination buffer.
700 * \return the signature length (in bytes), or 0 on error.
702 size_t br_ecdsa_i15_sign_asn1(const br_ec_impl
*impl
,
703 const br_hash_class
*hf
, const void *hash_value
,
704 const br_ec_private_key
*sk
, void *sig
);
707 * \brief ECDSA signature generator, "i15" implementation, "raw" format.
709 * \see br_ecdsa_sign()
711 * \param impl EC implementation to use.
712 * \param hf hash function used to process the data.
713 * \param hash_value signed data (hashed).
714 * \param sk EC private key.
715 * \param sig destination buffer.
716 * \return the signature length (in bytes), or 0 on error.
718 size_t br_ecdsa_i15_sign_raw(const br_ec_impl
*impl
,
719 const br_hash_class
*hf
, const void *hash_value
,
720 const br_ec_private_key
*sk
, void *sig
);
723 * \brief ECDSA signature verifier, "i15" implementation, "asn1" format.
725 * \see br_ecdsa_vrfy()
727 * \param impl EC implementation to use.
728 * \param hash signed data (hashed).
729 * \param hash_len hash value length (in bytes).
730 * \param pk EC public key.
731 * \param sig signature.
732 * \param sig_len signature length (in bytes).
733 * \return 1 on success, 0 on error.
735 uint32_t br_ecdsa_i15_vrfy_asn1(const br_ec_impl
*impl
,
736 const void *hash
, size_t hash_len
,
737 const br_ec_public_key
*pk
, const void *sig
, size_t sig_len
);
740 * \brief ECDSA signature verifier, "i15" implementation, "raw" format.
742 * \see br_ecdsa_vrfy()
744 * \param impl EC implementation to use.
745 * \param hash signed data (hashed).
746 * \param hash_len hash value length (in bytes).
747 * \param pk EC public key.
748 * \param sig signature.
749 * \param sig_len signature length (in bytes).
750 * \return 1 on success, 0 on error.
752 uint32_t br_ecdsa_i15_vrfy_raw(const br_ec_impl
*impl
,
753 const void *hash
, size_t hash_len
,
754 const br_ec_public_key
*pk
, const void *sig
, size_t sig_len
);
757 * \brief Get "default" ECDSA implementation (signer, asn1 format).
759 * This returns the preferred implementation of ECDSA signature generation
760 * ("asn1" output format) on the current system.
762 * \return the default implementation.
764 br_ecdsa_sign
br_ecdsa_sign_asn1_get_default(void);
767 * \brief Get "default" ECDSA implementation (signer, raw format).
769 * This returns the preferred implementation of ECDSA signature generation
770 * ("raw" output format) on the current system.
772 * \return the default implementation.
774 br_ecdsa_sign
br_ecdsa_sign_raw_get_default(void);
777 * \brief Get "default" ECDSA implementation (verifier, asn1 format).
779 * This returns the preferred implementation of ECDSA signature verification
780 * ("asn1" output format) on the current system.
782 * \return the default implementation.
784 br_ecdsa_vrfy
br_ecdsa_vrfy_asn1_get_default(void);
787 * \brief Get "default" ECDSA implementation (verifier, raw format).
789 * This returns the preferred implementation of ECDSA signature verification
790 * ("raw" output format) on the current system.
792 * \return the default implementation.
794 br_ecdsa_vrfy
br_ecdsa_vrfy_raw_get_default(void);