1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #ifndef BR_BEARSSL_EC_H__
26 #define BR_BEARSSL_EC_H__
27
28 #include <stddef.h>
29 #include <stdint.h>
30
31 /** \file bearssl_ec.h
32 *
33 * # Elliptic Curves
34 *
35 * This file documents the EC implementations provided with BearSSL, and
36 * ECDSA.
37 *
38 * ## Elliptic Curve API
39 *
40 * Only "named curves" are supported. Each EC implementation supports
41 * one or several named curves, identified by symbolic identifiers.
42 * These identifiers are small integers, that correspond to the values
43 * registered by the
44 * [IANA](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).
45 *
46 * Since all currently defined elliptic curve identifiers are in the 0..31
47 * range, it is convenient to encode support of some curves in a 32-bit
48 * word, such that bit x corresponds to curve of identifier x.
49 *
50 * An EC implementation is incarnated by a `br_ec_impl` instance, that
51 * offers the following fields:
52 *
53 * - `supported_curves`
54 *
55 * A 32-bit word that documents the identifiers of the curves supported
56 * by this implementation.
57 *
58 * - `generator()`
59 *
60 * Callback method that returns a pointer to the conventional generator
61 * point for that curve.
62 *
63 * - `order()`
64 *
65 * Callback method that returns a pointer to the subgroup order for
66 * that curve. That value uses unsigned big-endian encoding.
67 *
68 * - `xoff()`
69 *
70 * Callback method that returns the offset and length of the X
71 * coordinate in an encoded point.
72 *
73 * - `mul()`
74 *
75 * Multiply a curve point with an integer.
76 *
77 * - `mulgen()`
78 *
79 * Multiply the curve generator with an integer. This may be faster
80 * than the generic `mul()`.
81 *
82 * - `muladd()`
83 *
84 * Multiply two curve points by two integers, and return the sum of
85 * the two products.
86 *
87 * All curve points are represented in uncompressed format. The `mul()`
88 * and `muladd()` methods take care to validate that the provided points
89 * are really part of the relevant curve subgroup.
90 *
91 * For all point multiplication functions, the following holds:
92 *
93 * - Functions validate that the provided points are valid members
94 * of the relevant curve subgroup. An error is reported if that is
95 * not the case.
96 *
97 * - Processing is constant-time, even if the point operands are not
98 * valid. This holds for both the source and resulting points, and
99 * the multipliers (integers). Only the byte length of the provided
100 * multiplier arrays (not their actual value length in bits) may
101 * leak through timing-based side channels.
102 *
103 * - The multipliers (integers) MUST be lower than the subgroup order.
104 * If this property is not met, then the result is indeterminate,
105 * but an error value is not necessarily returned.
106 *
107 *
108 * ## ECDSA
109 *
110 * ECDSA signatures have two standard formats, called "raw" and "asn1".
111 * Internally, such a signature is a pair of modular integers `(r,s)`.
112 * The "raw" format is the concatenation of the unsigned big-endian
113 * encodings of these two integers, possibly left-padded with zeros so
114 * that they have the same encoded length. The "asn1" format is the
115 * DER encoding of an ASN.1 structure that contains the two integer
116 * values:
117 *
118 * ECDSASignature ::= SEQUENCE {
119 * r INTEGER,
120 * s INTEGER
121 * }
122 *
123 * In general, in all of X.509 and SSL/TLS, the "asn1" format is used.
124 * BearSSL offers ECDSA implementations for both formats; conversion
125 * functions between the two formats are also provided. Conversion of a
126 * "raw" format signature into "asn1" may enlarge a signature by no more
127 * than 9 bytes for all supported curves; conversely, conversion of an
128 * "asn1" signature to "raw" may expand the signature but the "raw"
129 * length will never be more than twice the length of the "asn1" length
130 * (and usually it will be shorter).
131 *
132 * Note that for a given signature, the "raw" format is not fully
133 * deterministic, in that it does not enforce a minimal common length.
134 */
135
136 /*
137 * Standard curve IDs. These IDs are equal to the numerical
138 * identifiers assigned to these curves for TLS:
139 * http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
140 */
141
142 /** \brief Identifier for named curve sect163k1. */
143 #define BR_EC_sect163k1 1
144
145 /** \brief Identifier for named curve sect163r1. */
146 #define BR_EC_sect163r1 2
147
148 /** \brief Identifier for named curve sect163r2. */
149 #define BR_EC_sect163r2 3
150
151 /** \brief Identifier for named curve sect193r1. */
152 #define BR_EC_sect193r1 4
153
154 /** \brief Identifier for named curve sect193r2. */
155 #define BR_EC_sect193r2 5
156
157 /** \brief Identifier for named curve sect233k1. */
158 #define BR_EC_sect233k1 6
159
160 /** \brief Identifier for named curve sect233r1. */
161 #define BR_EC_sect233r1 7
162
163 /** \brief Identifier for named curve sect239k1. */
164 #define BR_EC_sect239k1 8
165
166 /** \brief Identifier for named curve sect283k1. */
167 #define BR_EC_sect283k1 9
168
169 /** \brief Identifier for named curve sect283r1. */
170 #define BR_EC_sect283r1 10
171
172 /** \brief Identifier for named curve sect409k1. */
173 #define BR_EC_sect409k1 11
174
175 /** \brief Identifier for named curve sect409r1. */
176 #define BR_EC_sect409r1 12
177
178 /** \brief Identifier for named curve sect571k1. */
179 #define BR_EC_sect571k1 13
180
181 /** \brief Identifier for named curve sect571r1. */
182 #define BR_EC_sect571r1 14
183
184 /** \brief Identifier for named curve secp160k1. */
185 #define BR_EC_secp160k1 15
186
187 /** \brief Identifier for named curve secp160r1. */
188 #define BR_EC_secp160r1 16
189
190 /** \brief Identifier for named curve secp160r2. */
191 #define BR_EC_secp160r2 17
192
193 /** \brief Identifier for named curve secp192k1. */
194 #define BR_EC_secp192k1 18
195
196 /** \brief Identifier for named curve secp192r1. */
197 #define BR_EC_secp192r1 19
198
199 /** \brief Identifier for named curve secp224k1. */
200 #define BR_EC_secp224k1 20
201
202 /** \brief Identifier for named curve secp224r1. */
203 #define BR_EC_secp224r1 21
204
205 /** \brief Identifier for named curve secp256k1. */
206 #define BR_EC_secp256k1 22
207
208 /** \brief Identifier for named curve secp256r1. */
209 #define BR_EC_secp256r1 23
210
211 /** \brief Identifier for named curve secp384r1. */
212 #define BR_EC_secp384r1 24
213
214 /** \brief Identifier for named curve secp521r1. */
215 #define BR_EC_secp521r1 25
216
217 /** \brief Identifier for named curve brainpoolP256r1. */
218 #define BR_EC_brainpoolP256r1 26
219
220 /** \brief Identifier for named curve brainpoolP384r1. */
221 #define BR_EC_brainpoolP384r1 27
222
223 /** \brief Identifier for named curve brainpoolP512r1. */
224 #define BR_EC_brainpoolP512r1 28
225
226 /** \brief Identifier for named curve Curve25519. */
227 #define BR_EC_curve25519 29
228
229 /** \brief Identifier for named curve Curve448. */
230 #define BR_EC_curve448 30
231
232 /**
233 * \brief Structure for an EC public key.
234 */
235 typedef struct {
236 /** \brief Identifier for the curve used by this key. */
237 int curve;
238 /** \brief Public curve point (uncompressed format). */
239 unsigned char *q;
240 /** \brief Length of public curve point (in bytes). */
241 size_t qlen;
242 } br_ec_public_key;
243
244 /**
245 * \brief Structure for an EC private key.
246 *
247 * The private key is an integer modulo the curve subgroup order. The
248 * encoding below tolerates extra leading zeros. In general, it is
249 * recommended that the private key has the same length as the curve
250 * subgroup order.
251 */
252 typedef struct {
253 /** \brief Identifier for the curve used by this key. */
254 int curve;
255 /** \brief Private key (integer, unsigned big-endian encoding). */
256 unsigned char *x;
257 /** \brief Private key length (in bytes). */
258 size_t xlen;
259 } br_ec_private_key;
260
261 /**
262 * \brief Type for an EC implementation.
263 */
264 typedef struct {
265 /**
266 * \brief Supported curves.
267 *
268 * This word is a bitfield: bit `x` is set if the curve of ID `x`
269 * is supported. E.g. an implementation supporting both NIST P-256
270 * (secp256r1, ID 23) and NIST P-384 (secp384r1, ID 24) will have
271 * value `0x01800000` in this field.
272 */
273 uint32_t supported_curves;
274
275 /**
276 * \brief Get the conventional generator.
277 *
278 * This function returns the conventional generator (encoded
279 * curve point) for the specified curve. This function MUST NOT
280 * be called if the curve is not supported.
281 *
282 * \param curve curve identifier.
283 * \param len receiver for the encoded generator length (in bytes).
284 * \return the encoded generator.
285 */
286 const unsigned char *(*generator)(int curve, size_t *len);
287
288 /**
289 * \brief Get the subgroup order.
290 *
291 * This function returns the order of the subgroup generated by
292 * the conventional generator, for the specified curve. Unsigned
293 * big-endian encoding is used. This function MUST NOT be called
294 * if the curve is not supported.
295 *
296 * \param curve curve identifier.
297 * \param len receiver for the encoded order length (in bytes).
298 * \return the encoded order.
299 */
300 const unsigned char *(*order)(int curve, size_t *len);
301
302 /**
303 * \brief Get the offset and length for the X coordinate.
304 *
305 * This function returns the offset and length (in bytes) of
306 * the X coordinate in an encoded non-zero point.
307 *
308 * \param curve curve identifier.
309 * \param len receiver for the X coordinate length (in bytes).
310 * \return the offset for the X coordinate (in bytes).
311 */
312 size_t (*xoff)(int curve, size_t *len);
313
314 /**
315 * \brief Multiply a curve point by an integer.
316 *
317 * The source point is provided in array `G` (of size `Glen` bytes);
318 * the multiplication result is written over it. The multiplier
319 * `x` (of size `xlen` bytes) uses unsigned big-endian encoding.
320 *
321 * Rules:
322 *
323 * - The specified curve MUST be supported.
324 *
325 * - The source point must be a valid point on the relevant curve
326 * subgroup (and not the "point at infinity" either). If this is
327 * not the case, then this function returns an error (0).
328 *
329 * - The multiplier integer MUST be non-zero and less than the
330 * curve subgroup order. If this property does not hold, then
331 * the result is indeterminate and an error code is not
332 * guaranteed.
333 *
334 * Returned value is 1 on success, 0 on error. On error, the
335 * contents of `G` are indeterminate.
336 *
337 * \param G point to multiply.
338 * \param Glen length of the encoded point (in bytes).
339 * \param x multiplier (unsigned big-endian).
340 * \param xlen multiplier length (in bytes).
341 * \param curve curve identifier.
342 * \return 1 on success, 0 on error.
343 */
344 uint32_t (*mul)(unsigned char *G, size_t Glen,
345 const unsigned char *x, size_t xlen, int curve);
346
347 /**
348 * \brief Multiply the generator by an integer.
349 *
350 * The multiplier MUST be non-zero and less than the curve
351 * subgroup order. Results are indeterminate if this property
352 * does not hold.
353 *
354 * \param R output buffer for the point.
355 * \param x multiplier (unsigned big-endian).
356 * \param xlen multiplier length (in bytes).
357 * \param curve curve identifier.
358 * \return encoded result point length (in bytes).
359 */
360 size_t (*mulgen)(unsigned char *R,
361 const unsigned char *x, size_t xlen, int curve);
362
363 /**
364 * \brief Multiply two points by two integers and add the
365 * results.
366 *
367 * The point `x*A + y*B` is computed and written back in the `A`
368 * array.
369 *
370 * Rules:
371 *
372 * - The specified curve MUST be supported.
373 *
374 * - The source points (`A` and `B`) must be valid points on
375 * the relevant curve subgroup (and not the "point at
376 * infinity" either). If this is not the case, then this
377 * function returns an error (0).
378 *
379 * - If the `B` pointer is `NULL`, then the conventional
380 * subgroup generator is used. With some implementations,
381 * this may be faster than providing a pointer to the
382 * generator.
383 *
384 * - The multiplier integers (`x` and `y`) MUST be non-zero
385 * and less than the curve subgroup order. If either integer
386 * is zero, then an error is reported, but if one of them is
387 * not lower than the subgroup order, then the result is
388 * indeterminate and an error code is not guaranteed.
389 *
390 * - If the final result is the point at infinity, then an
391 * error is returned.
392 *
393 * Returned value is 1 on success, 0 on error. On error, the
394 * contents of `A` are indeterminate.
395 *
396 * \param A first point to multiply.
397 * \param B second point to multiply (`NULL` for the generator).
398 * \param len common length of the encoded points (in bytes).
399 * \param x multiplier for `A` (unsigned big-endian).
400 * \param xlen length of multiplier for `A` (in bytes).
401 * \param y multiplier for `B` (unsigned big-endian).
402 * \param ylen length of multiplier for `B` (in bytes).
403 * \param curve curve identifier.
404 * \return 1 on success, 0 on error.
405 */
406 uint32_t (*muladd)(unsigned char *A, const unsigned char *B, size_t len,
407 const unsigned char *x, size_t xlen,
408 const unsigned char *y, size_t ylen, int curve);
409 } br_ec_impl;
410
411 /**
412 * \brief EC implementation "i31".
413 *
414 * This implementation internally uses generic code for modular integers,
415 * with a representation as sequences of 31-bit words. It supports secp256r1,
416 * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
417 */
418 extern const br_ec_impl br_ec_prime_i31;
419
420 /**
421 * \brief EC implementation "i15".
422 *
423 * This implementation internally uses generic code for modular integers,
424 * with a representation as sequences of 15-bit words. It supports secp256r1,
425 * secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
426 */
427 extern const br_ec_impl br_ec_prime_i15;
428
429 /**
430 * \brief EC implementation "m15" for P-256.
431 *
432 * This implementation uses specialised code for curve secp256r1 (also
433 * known as NIST P-256), with optional Karatsuba decomposition, and fast
434 * modular reduction thanks to the field modulus special format. Only
435 * 32-bit multiplications are used (with 32-bit results, not 64-bit).
436 */
437 extern const br_ec_impl br_ec_p256_m15;
438
439 /**
440 * \brief EC implementation "m31" for P-256.
441 *
442 * This implementation uses specialised code for curve secp256r1 (also
443 * known as NIST P-256), relying on multiplications of 31-bit values
444 * (MUL31).
445 */
446 extern const br_ec_impl br_ec_p256_m31;
447
448 /**
449 * \brief EC implementation "i15" (generic code) for Curve25519.
450 *
451 * This implementation uses the generic code for modular integers (with
452 * 15-bit words) to support Curve25519. Due to the specificities of the
453 * curve definition, the following applies:
454 *
455 * - `muladd()` is not implemented (the function returns 0 systematically).
456 * - `order()` returns 2^255-1, since the point multiplication algorithm
457 * accepts any 32-bit integer as input (it clears the top bit and low
458 * three bits systematically).
459 */
460 extern const br_ec_impl br_ec_c25519_i15;
461
462 /**
463 * \brief EC implementation "i31" (generic code) for Curve25519.
464 *
465 * This implementation uses the generic code for modular integers (with
466 * 31-bit words) to support Curve25519. Due to the specificities of the
467 * curve definition, the following applies:
468 *
469 * - `muladd()` is not implemented (the function returns 0 systematically).
470 * - `order()` returns 2^255-1, since the point multiplication algorithm
471 * accepts any 32-bit integer as input (it clears the top bit and low
472 * three bits systematically).
473 */
474 extern const br_ec_impl br_ec_c25519_i31;
475
476 /**
477 * \brief EC implementation "m15" (specialised code) for Curve25519.
478 *
479 * This implementation uses custom code relying on multiplication of
480 * integers up to 15 bits. Due to the specificities of the curve
481 * definition, the following applies:
482 *
483 * - `muladd()` is not implemented (the function returns 0 systematically).
484 * - `order()` returns 2^255-1, since the point multiplication algorithm
485 * accepts any 32-bit integer as input (it clears the top bit and low
486 * three bits systematically).
487 */
488 extern const br_ec_impl br_ec_c25519_m15;
489
490 /**
491 * \brief EC implementation "m31" (specialised code) for Curve25519.
492 *
493 * This implementation uses custom code relying on multiplication of
494 * integers up to 31 bits. Due to the specificities of the curve
495 * definition, the following applies:
496 *
497 * - `muladd()` is not implemented (the function returns 0 systematically).
498 * - `order()` returns 2^255-1, since the point multiplication algorithm
499 * accepts any 32-bit integer as input (it clears the top bit and low
500 * three bits systematically).
501 */
502 extern const br_ec_impl br_ec_c25519_m31;
503
504 /**
505 * \brief Aggregate EC implementation "m15".
506 *
507 * This implementation is a wrapper for:
508 *
509 * - `br_ec_c25519_m15` for Curve25519
510 * - `br_ec_p256_m15` for NIST P-256
511 * - `br_ec_prime_i15` for other curves (NIST P-384 and NIST P-521)
512 */
513 extern const br_ec_impl br_ec_all_m15;
514
515 /**
516 * \brief Aggregate EC implementation "m31".
517 *
518 * This implementation is a wrapper for:
519 *
520 * - `br_ec_c25519_m31` for Curve25519
521 * - `br_ec_p256_m31` for NIST P-256
522 * - `br_ec_prime_i31` for other curves (NIST P-384 and NIST P-521)
523 */
524 extern const br_ec_impl br_ec_all_m31;
525
526 /**
527 * \brief Get the "default" EC implementation for the current system.
528 *
529 * This returns a pointer to the preferred implementation on the
530 * current system.
531 *
532 * \return the default EC implementation.
533 */
534 const br_ec_impl *br_ec_get_default(void);
535
536 /**
537 * \brief Convert a signature from "raw" to "asn1".
538 *
539 * Conversion is done "in place" and the new length is returned.
540 * Conversion may enlarge the signature, but by no more than 9 bytes.
541 * On error, 0 is returned (error conditions include an odd raw
542 * signature length, or an oversized integer).
543 *
544 * \param sig signature to convert (the buffer must have room for the enlarged result).
545 * \param sig_len signature length (in bytes).
546 * \return the new signature length, or 0 on error.
547 */
548 size_t br_ecdsa_raw_to_asn1(void *sig, size_t sig_len);
549
550 /**
551 * \brief Convert a signature from "asn1" to "raw".
552 *
553 * Conversion is done "in place" and the new length is returned.
554 * Conversion may enlarge the signature, but the new signature length
555 * will be no more than twice the source length. On error, 0 is
556 * returned (error conditions include an invalid ASN.1 structure or an
557 * oversized integer).
558 *
559 * \param sig signature to convert (the buffer must have room for the enlarged result).
560 * \param sig_len signature length (in bytes).
561 * \return the new signature length, or 0 on error.
562 */
563 size_t br_ecdsa_asn1_to_raw(void *sig, size_t sig_len);
564
565 /**
566 * \brief Type for an ECDSA signer function.
567 *
568 * A pointer to the EC implementation is provided. The hash value is
569 * assumed to have the length inferred from the designated hash function
570 * class.
571 *
572 * Signature is written in the buffer pointed to by `sig`, and the length
573 * (in bytes) is returned. On error, nothing is written in the buffer,
574 * and 0 is returned. This function returns 0 if the specified curve is
575 * not supported by the provided EC implementation.
576 *
577 * The signature format is either "raw" or "asn1", depending on the
578 * implementation; maximum length is predictable from the implemented
579 * curve:
580 *
581 * | curve | raw | asn1 |
582 * | :--------- | --: | ---: |
583 * | NIST P-256 | 64 | 72 |
584 * | NIST P-384 | 96 | 104 |
585 * | NIST P-521 | 132 | 139 |
586 *
587 * \param impl EC implementation to use.
588 * \param hf hash function used to process the data.
589 * \param hash_value signed data (hashed).
590 * \param sk EC private key.
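591 * \param sig destination buffer (no length is passed: it must be large enough for the maximum signature length of the curve and format used).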
592 * \return the signature length (in bytes), or 0 on error.
593 */
594 typedef size_t (*br_ecdsa_sign)(const br_ec_impl *impl,
595 const br_hash_class *hf, const void *hash_value,
596 const br_ec_private_key *sk, void *sig);
597
598 /**
599 * \brief Type for an ECDSA signature verification function.
600 *
601 * A pointer to the EC implementation is provided. The hashed value,
602 * computed over the purportedly signed data, is also provided with
603 * its length.
604 *
605 * The signature format is either "raw" or "asn1", depending on the
606 * implementation.
607 *
608 * Returned value is 1 on success (valid signature), 0 on error. This
609 * function returns 0 if the specified curve is not supported by the
610 * provided EC implementation.
611 *
612 * \param impl EC implementation to use.
613 * \param hash signed data (hashed).
614 * \param hash_len hash value length (in bytes).
615 * \param pk EC public key.
616 * \param sig signature.
617 * \param sig_len signature length (in bytes).
618 * \return 1 on success, 0 on error.
619 */
620 typedef uint32_t (*br_ecdsa_vrfy)(const br_ec_impl *impl,
621 const void *hash, size_t hash_len,
622 const br_ec_public_key *pk, const void *sig, size_t sig_len);
623
624 /**
625 * \brief ECDSA signature generator, "i31" implementation, "asn1" format.
626 *
627 * \see br_ecdsa_sign()
628 *
629 * \param impl EC implementation to use.
630 * \param hf hash function used to process the data.
631 * \param hash_value signed data (hashed).
632 * \param sk EC private key.
633 * \param sig destination buffer.
634 * \return the signature length (in bytes), or 0 on error.
635 */
636 size_t br_ecdsa_i31_sign_asn1(const br_ec_impl *impl,
637 const br_hash_class *hf, const void *hash_value,
638 const br_ec_private_key *sk, void *sig);
639
640 /**
641 * \brief ECDSA signature generator, "i31" implementation, "raw" format.
642 *
643 * \see br_ecdsa_sign()
644 *
645 * \param impl EC implementation to use.
646 * \param hf hash function used to process the data.
647 * \param hash_value signed data (hashed).
648 * \param sk EC private key.
649 * \param sig destination buffer.
650 * \return the signature length (in bytes), or 0 on error.
651 */
652 size_t br_ecdsa_i31_sign_raw(const br_ec_impl *impl,
653 const br_hash_class *hf, const void *hash_value,
654 const br_ec_private_key *sk, void *sig);
655
656 /**
657 * \brief ECDSA signature verifier, "i31" implementation, "asn1" format.
658 *
659 * \see br_ecdsa_vrfy()
660 *
661 * \param impl EC implementation to use.
662 * \param hash signed data (hashed).
663 * \param hash_len hash value length (in bytes).
664 * \param pk EC public key.
665 * \param sig signature.
666 * \param sig_len signature length (in bytes).
667 * \return 1 on success, 0 on error.
668 */
669 uint32_t br_ecdsa_i31_vrfy_asn1(const br_ec_impl *impl,
670 const void *hash, size_t hash_len,
671 const br_ec_public_key *pk, const void *sig, size_t sig_len);
672
673 /**
674 * \brief ECDSA signature verifier, "i31" implementation, "raw" format.
675 *
676 * \see br_ecdsa_vrfy()
677 *
678 * \param impl EC implementation to use.
679 * \param hash signed data (hashed).
680 * \param hash_len hash value length (in bytes).
681 * \param pk EC public key.
682 * \param sig signature.
683 * \param sig_len signature length (in bytes).
684 * \return 1 on success, 0 on error.
685 */
686 uint32_t br_ecdsa_i31_vrfy_raw(const br_ec_impl *impl,
687 const void *hash, size_t hash_len,
688 const br_ec_public_key *pk, const void *sig, size_t sig_len);
689
690 /**
691 * \brief ECDSA signature generator, "i15" implementation, "asn1" format.
692 *
693 * \see br_ecdsa_sign()
694 *
695 * \param impl EC implementation to use.
696 * \param hf hash function used to process the data.
697 * \param hash_value signed data (hashed).
698 * \param sk EC private key.
699 * \param sig destination buffer.
700 * \return the signature length (in bytes), or 0 on error.
701 */
702 size_t br_ecdsa_i15_sign_asn1(const br_ec_impl *impl,
703 const br_hash_class *hf, const void *hash_value,
704 const br_ec_private_key *sk, void *sig);
705
706 /**
707 * \brief ECDSA signature generator, "i15" implementation, "raw" format.
708 *
709 * \see br_ecdsa_sign()
710 *
711 * \param impl EC implementation to use.
712 * \param hf hash function used to process the data.
713 * \param hash_value signed data (hashed).
714 * \param sk EC private key.
715 * \param sig destination buffer.
716 * \return the signature length (in bytes), or 0 on error.
717 */
718 size_t br_ecdsa_i15_sign_raw(const br_ec_impl *impl,
719 const br_hash_class *hf, const void *hash_value,
720 const br_ec_private_key *sk, void *sig);
721
722 /**
723 * \brief ECDSA signature verifier, "i15" implementation, "asn1" format.
724 *
725 * \see br_ecdsa_vrfy()
726 *
727 * \param impl EC implementation to use.
728 * \param hash signed data (hashed).
729 * \param hash_len hash value length (in bytes).
730 * \param pk EC public key.
731 * \param sig signature.
732 * \param sig_len signature length (in bytes).
733 * \return 1 on success, 0 on error.
734 */
735 uint32_t br_ecdsa_i15_vrfy_asn1(const br_ec_impl *impl,
736 const void *hash, size_t hash_len,
737 const br_ec_public_key *pk, const void *sig, size_t sig_len);
738
739 /**
740 * \brief ECDSA signature verifier, "i15" implementation, "raw" format.
741 *
742 * \see br_ecdsa_vrfy()
743 *
744 * \param impl EC implementation to use.
745 * \param hash signed data (hashed).
746 * \param hash_len hash value length (in bytes).
747 * \param pk EC public key.
748 * \param sig signature.
749 * \param sig_len signature length (in bytes).
750 * \return 1 on success, 0 on error.
751 */
752 uint32_t br_ecdsa_i15_vrfy_raw(const br_ec_impl *impl,
753 const void *hash, size_t hash_len,
754 const br_ec_public_key *pk, const void *sig, size_t sig_len);
755
756 /**
757 * \brief Get "default" ECDSA implementation (signer, asn1 format).
758 *
759 * This returns the preferred implementation of ECDSA signature generation
760 * ("asn1" output format) on the current system.
761 *
762 * \return the default implementation.
763 */
764 br_ecdsa_sign br_ecdsa_sign_asn1_get_default(void);
765
766 /**
767 * \brief Get "default" ECDSA implementation (signer, raw format).
768 *
769 * This returns the preferred implementation of ECDSA signature generation
770 * ("raw" output format) on the current system.
771 *
772 * \return the default implementation.
773 */
774 br_ecdsa_sign br_ecdsa_sign_raw_get_default(void);
775
776 /**
777 * \brief Get "default" ECDSA implementation (verifier, asn1 format).
778 *
779 * This returns the preferred implementation of ECDSA signature verification
780 * ("asn1" signature format) on the current system.
781 *
782 * \return the default implementation.
783 */
784 br_ecdsa_vrfy br_ecdsa_vrfy_asn1_get_default(void);
785
786 /**
787 * \brief Get "default" ECDSA implementation (verifier, raw format).
788 *
789 * This returns the preferred implementation of ECDSA signature verification
790 * ("raw" signature format) on the current system.
791 *
792 * \return the default implementation.
793 */
794 br_ecdsa_vrfy br_ecdsa_vrfy_raw_get_default(void);
795
796 #endif