File ecdh.h

This file contains ECDH definitions and functions.

The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous key agreement protocol allowing two parties to establish a shared secret over an insecure channel. Each party must have an elliptic-curve public–private key pair.

For more information, see NIST SP 800-56A Rev. 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography.

Defines

MBEDTLS_ECDH_LEGACY_CONTEXT

Typedefs

typedef struct mbedtls_ecdh_context_mbed mbedtls_ecdh_context_mbed

The context used by the default ECDH implementation.

Later versions might change the structure of this context, therefore users should not make any assumptions about the structure of mbedtls_ecdh_context_mbed.

typedef struct mbedtls_ecdh_context mbedtls_ecdh_context

The ECDH context structure.

Warning

Performing multiple operations concurrently on the same ECDSA context is not supported; objects of this type should not be shared between multiple threads.

Enums

enum mbedtls_ecdh_side

Defines the source of the imported EC key.

Values:

enumerator MBEDTLS_ECDH_OURS

Our key.

enumerator MBEDTLS_ECDH_THEIRS

The key of the peer.

enum mbedtls_ecdh_variant

Defines the ECDH implementation used.

Later versions of the library may add new variants, therefore users should not make any assumptions about them.

Values:

enumerator MBEDTLS_ECDH_VARIANT_NONE

Implementation not defined.

enumerator MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0

The default Mbed TLS implementation

enumerator MBEDTLS_ECDH_VARIANT_EVEREST

Everest implementation

Functions

mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx)

Return the ECP group for provided context.

Note

To access group specific fields, users should use mbedtls_ecp_curve_info_from_grp_id or mbedtls_ecp_group_load on the extracted group_id.

Parameters:

ctx – The ECDH context to parse. This must not be NULL.

Returns:

The mbedtls_ecp_group_id of the context.

int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)

Check whether a given group can be used for ECDH.

Parameters:

gid – The ECP group ID to check.

Returns:

1 if the group can be used, 0 otherwise

int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

This function generates an ECDH keypair on an elliptic curve.

This function performs the first of two core computations implemented during the ECDH key exchange. The second core computation is performed by mbedtls_ecdh_compute_shared().

See also

ecp.h

Parameters:
  • grp – The ECP group to use. This must be initialized and have domain parameters loaded, for example through mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().

  • d – The destination MPI (private key). This must be initialized.

  • Q – The destination point (public key). This must be initialized.

  • f_rng – The RNG function to use. This must not be NULL.

  • p_rng – The RNG context to be passed to f_rng. This may be NULL in case f_rng doesn’t need a context argument.

Returns:

0 on success.

Returns:

Another MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure.

int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z, const mbedtls_ecp_point *Q, const mbedtls_mpi *d, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

This function computes the shared secret.

             This function performs the second of two core computations
             implemented during the ECDH key exchange. The first core
             computation is performed by mbedtls_ecdh_gen_public().

See also

ecp.h

Note

If f_rng is not NULL, it is used to implement countermeasures against side-channel attacks. For more information, see mbedtls_ecp_mul().

Parameters:
  • grp – The ECP group to use. This must be initialized and have domain parameters loaded, for example through mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().

  • z – The destination MPI (shared secret). This must be initialized.

  • Q – The public key from another party. This must be initialized.

  • d – Our secret exponent (private key). This must be initialized.

  • f_rng – The RNG function to use. This must not be NULL.

  • p_rng – The RNG context to be passed to f_rng. This may be NULL if f_rng is NULL or doesn’t need a context argument.

Returns:

0 on success.

Returns:

Another MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code on failure.

void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)

This function initializes an ECDH context.

Parameters:

ctx – The ECDH context to initialize. This must not be NULL.

int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)

This function sets up the ECDH context with the information given.

This function should be called after mbedtls_ecdh_init() but before mbedtls_ecdh_make_params(). There is no need to call this function before mbedtls_ecdh_read_params().

This is the first function used by a TLS server for ECDHE ciphersuites.

Parameters:
  • ctx – The ECDH context to set up. This must be initialized.

  • grp_id – The group id of the group to set up the context for.

Returns:

0 on success.

void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)

This function frees a context.

Parameters:

ctx – The context to free. This may be NULL, in which case this function does nothing. If it is not NULL, it must point to an initialized ECDH context.

int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

This function generates an EC key pair and exports its in the format used in a TLS ServerKeyExchange handshake message.

This is the second function used by a TLS server for ECDHE ciphersuites. (It is called after mbedtls_ecdh_setup().)

See also

ecp.h

Parameters:
  • ctx – The ECDH context to use. This must be initialized and bound to a group, for example via mbedtls_ecdh_setup().

  • olen – The address at which to store the number of Bytes written.

  • buf – The destination buffer. This must be a writable buffer of length blen Bytes.

  • blen – The length of the destination buffer buf in Bytes.

  • f_rng – The RNG function to use. This must not be NULL.

  • p_rng – The RNG context to be passed to f_rng. This may be NULL in case f_rng doesn’t need a context argument.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().

Returns:

Another MBEDTLS_ERR_ECP_XXX error code on failure.

int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)

This function parses the ECDHE parameters in a TLS ServerKeyExchange handshake message.

See also

ecp.h

Note

In a TLS handshake, this is the how the client sets up its ECDHE context from the server’s public ECDHE key material.

Parameters:
  • ctx – The ECDHE context to use. This must be initialized.

  • buf – On input, *buf must be the start of the input buffer. On output, *buf is updated to point to the end of the data that has been read. On success, this is the first byte past the end of the ServerKeyExchange parameters. On error, this is the point at which an error has been detected, which is usually not useful except to debug failures.

  • end – The end of the input buffer.

Returns:

0 on success.

Returns:

An MBEDTLS_ERR_ECP_XXX error code on failure.

int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key, mbedtls_ecdh_side side)

This function sets up an ECDH context from an EC key.

             It is used by clients and servers in place of the
             ServerKeyExchange for static ECDH, and imports ECDH
             parameters from the EC key information of a certificate.

See also

ecp.h

Parameters:
  • ctx – The ECDH context to set up. This must be initialized.

  • key – The EC key to use. This must be initialized.

  • side – Defines the source of the key. Possible values are:

Returns:

0 on success.

Returns:

Another MBEDTLS_ERR_ECP_XXX error code on failure.

int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

This function generates a public key and exports it as a TLS ClientKeyExchange payload.

This is the second function used by a TLS client for ECDH(E) ciphersuites.

See also

ecp.h

Parameters:
  • ctx – The ECDH context to use. This must be initialized and bound to a group, the latter usually by mbedtls_ecdh_read_params().

  • olen – The address at which to store the number of Bytes written. This must not be NULL.

  • buf – The destination buffer. This must be a writable buffer of length blen Bytes.

  • blen – The size of the destination buffer buf in Bytes.

  • f_rng – The RNG function to use. This must not be NULL.

  • p_rng – The RNG context to be passed to f_rng. This may be NULL in case f_rng doesn’t need a context argument.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().

Returns:

Another MBEDTLS_ERR_ECP_XXX error code on failure.

int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen)

This function parses and processes the ECDHE payload of a TLS ClientKeyExchange message.

This is the third function used by a TLS server for ECDH(E) ciphersuites. (It is called after mbedtls_ecdh_setup() and mbedtls_ecdh_make_params().)

See also

ecp.h

Parameters:
  • ctx – The ECDH context to use. This must be initialized and bound to a group, for example via mbedtls_ecdh_setup().

  • buf – The pointer to the ClientKeyExchange payload. This must be a readable buffer of length blen Bytes.

  • blen – The length of the input buffer buf in Bytes.

Returns:

0 on success.

Returns:

An MBEDTLS_ERR_ECP_XXX error code on failure.

int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

This function derives and exports the shared secret.

             This is the last function used by both TLS client
             and servers.

See also

ecp.h

Note

If f_rng is not NULL, it is used to implement countermeasures against side-channel attacks. For more information, see mbedtls_ecp_mul().

Parameters:
  • ctx – The ECDH context to use. This must be initialized and have its own private key generated and the peer’s public key imported.

  • olen – The address at which to store the total number of Bytes written on success. This must not be NULL.

  • buf – The buffer to write the generated shared key to. This must be a writable buffer of size blen Bytes.

  • blen – The length of the destination buffer buf in Bytes.

  • f_rng – The RNG function to use. This must not be NULL.

  • p_rng – The RNG context. This may be NULL if f_rng doesn’t need a context argument.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().

Returns:

Another MBEDTLS_ERR_ECP_XXX error code on failure.

void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)

This function enables restartable EC computations for this context. (Default: disabled.)

Note

It is not possible to safely disable restartable computations once enabled, except by free-ing the context, which cancels possible in-progress operations.

Parameters:

ctx – The ECDH context to use. This must be initialized.

struct mbedtls_ecdh_context_mbed
#include <ecdh.h>

The context used by the default ECDH implementation.

Later versions might change the structure of this context, therefore users should not make any assumptions about the structure of mbedtls_ecdh_context_mbed.

Public Members

mbedtls_ecp_group private_grp

The elliptic curve used.

mbedtls_mpi private_d

The private key.

mbedtls_ecp_point private_Q

The public key.

mbedtls_ecp_point private_Qp

The value of the public key of the peer.

mbedtls_mpi private_z

The shared secret.

mbedtls_ecp_restart_ctx private_rs

The restart context for EC computations.

struct mbedtls_ecdh_context
#include <ecdh.h>

The ECDH context structure.

Warning

Performing multiple operations concurrently on the same ECDSA context is not supported; objects of this type should not be shared between multiple threads.

Public Members

uint8_t private_point_format

The format of point export in TLS messages as defined in RFC 4492.

mbedtls_ecp_group_id private_grp_id

The elliptic curve used.

mbedtls_ecdh_variant private_var

The ECDH implementation/structure used.

mbedtls_ecdh_context_mbed private_mbed_ecdh
mbedtls_ecdh_context_everest private_everest_ecdh
union mbedtls_ecdh_context::[anonymous] private_ctx

Implementation-specific context. The context in use is specified by the var field.

uint8_t private_restart_enabled

The flag for restartable mode. Functions of an alternative implementation not supporting restartable mode must return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error if this flag is set.