Add the Labs projects provided in the V10.2.1_191129 zip file.

[freertos] / FreeRTOS-Labs / Source / mbedtls / include / mbedtls / ecp.h

/**\r
 * \file ecp.h\r
 *\r
 * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).\r
 *\r
 * The use of ECP in cryptography and TLS is defined in\r
 * <em>Standards for Efficient Cryptography Group (SECG): SEC1\r
 * Elliptic Curve Cryptography</em> and\r
 * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites\r
 * for Transport Layer Security (TLS)</em>.\r
 *\r
 * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP\r
 * group types.\r
 *\r
 */\r
\r
/*\r
 *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved\r
 *  SPDX-License-Identifier: Apache-2.0\r
 *\r
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\r
 *  not use this file except in compliance with the License.\r
 *  You may obtain a copy of the License at\r
 *\r
 *  http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 *  Unless required by applicable law or agreed to in writing, software\r
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\r
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 *  See the License for the specific language governing permissions and\r
 *  limitations under the License.\r
 *\r
 *  This file is part of Mbed TLS (https://tls.mbed.org)\r
 */\r
\r
#ifndef MBEDTLS_ECP_H\r
#define MBEDTLS_ECP_H\r
\r
#if !defined(MBEDTLS_CONFIG_FILE)\r
#include "config.h"\r
#else\r
#include MBEDTLS_CONFIG_FILE\r
#endif\r
\r
#include "bignum.h"\r
\r
/*\r
 * ECP error codes\r
 */\r
#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA                    -0x4F80  /**< Bad input parameters to function. */\r
#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL                  -0x4F00  /**< The buffer is too small to write to. */\r
#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< The requested feature is not available, for example, the requested curve is not supported. */\r
#define MBEDTLS_ERR_ECP_VERIFY_FAILED                     -0x4E00  /**< The signature is not valid. */\r
#define MBEDTLS_ERR_ECP_ALLOC_FAILED                      -0x4D80  /**< Memory allocation failed. */\r
#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as ephemeral key, failed. */\r
#define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */\r
#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */\r
\r
/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */\r
#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< The ECP hardware accelerator failed. */\r
\r
#define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00  /**< Operation in progress, call again with the same parameters to continue. */\r
\r
#ifdef __cplusplus\r
extern "C" {\r
#endif\r
\r
/**\r
 * Domain-parameter identifiers: curve, subgroup, and generator.\r
 *\r
 * \note Only curves over prime fields are supported.\r
 *\r
 * \warning This library does not support validation of arbitrary domain\r
 * parameters. Therefore, only standardized domain parameters from trusted\r
 * sources should be used. See mbedtls_ecp_group_load().\r
 */\r
typedef enum\r
{\r
    MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */\r
    MBEDTLS_ECP_DP_SECP192R1,      /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */\r
    MBEDTLS_ECP_DP_SECP224R1,      /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */\r
    MBEDTLS_ECP_DP_SECP256R1,      /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */\r
    MBEDTLS_ECP_DP_SECP384R1,      /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */\r
    MBEDTLS_ECP_DP_SECP521R1,      /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */\r
    MBEDTLS_ECP_DP_BP256R1,        /*!< Domain parameters for 256-bit Brainpool curve. */\r
    MBEDTLS_ECP_DP_BP384R1,        /*!< Domain parameters for 384-bit Brainpool curve. */\r
    MBEDTLS_ECP_DP_BP512R1,        /*!< Domain parameters for 512-bit Brainpool curve. */\r
    MBEDTLS_ECP_DP_CURVE25519,     /*!< Domain parameters for Curve25519. */\r
    MBEDTLS_ECP_DP_SECP192K1,      /*!< Domain parameters for 192-bit "Koblitz" curve. */\r
    MBEDTLS_ECP_DP_SECP224K1,      /*!< Domain parameters for 224-bit "Koblitz" curve. */\r
    MBEDTLS_ECP_DP_SECP256K1,      /*!< Domain parameters for 256-bit "Koblitz" curve. */\r
    MBEDTLS_ECP_DP_CURVE448,       /*!< Domain parameters for Curve448. */\r
} mbedtls_ecp_group_id;\r
\r
/**\r
 * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.\r
 *\r
 * \note Montgomery curves are currently excluded.\r
 */\r
#define MBEDTLS_ECP_DP_MAX     12\r
\r
/*\r
 * Curve types\r
 */\r
typedef enum\r
{\r
    MBEDTLS_ECP_TYPE_NONE = 0,\r
    MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */\r
    MBEDTLS_ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */\r
} mbedtls_ecp_curve_type;\r
\r
/**\r
 * Curve information, for use by other modules.\r
 */\r
typedef struct mbedtls_ecp_curve_info\r
{\r
    mbedtls_ecp_group_id grp_id;    /*!< An internal identifier. */\r
    uint16_t tls_id;                /*!< The TLS NamedCurve identifier. */\r
    uint16_t bit_size;              /*!< The curve size in bits. */\r
    const char *name;               /*!< A human-friendly name. */\r
} mbedtls_ecp_curve_info;\r
\r
/**\r
 * \brief           The ECP point structure, in Jacobian coordinates.\r
 *\r
 * \note            All functions expect and return points satisfying\r
 *                  the following condition: <code>Z == 0</code> or\r
 *                  <code>Z == 1</code>. Other values of \p Z are\r
 *                  used only by internal functions.\r
 *                  The point is zero, or "at infinity", if <code>Z == 0</code>.\r
 *                  Otherwise, \p X and \p Y are its standard (affine)\r
 *                  coordinates.\r
 */\r
typedef struct mbedtls_ecp_point\r
{\r
    mbedtls_mpi X;          /*!< The X coordinate of the ECP point. */\r
    mbedtls_mpi Y;          /*!< The Y coordinate of the ECP point. */\r
    mbedtls_mpi Z;          /*!< The Z coordinate of the ECP point. */\r
}\r
mbedtls_ecp_point;\r
\r
#if !defined(MBEDTLS_ECP_ALT)\r
/*\r
 * default mbed TLS elliptic curve arithmetic implementation\r
 *\r
 * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an\r
 * alternative implementation for the whole module and it will replace this\r
 * one.)\r
 */\r
\r
/**\r
 * \brief           The ECP group structure.\r
 *\r
 * We consider two types of curve equations:\r
 * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>\r
 * (SEC1 + RFC-4492)</li>\r
 * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,\r
 * Curve448)</li></ul>\r
 * In both cases, the generator (\p G) for a prime-order subgroup is fixed.\r
 *\r
 * For Short Weierstrass, this subgroup is the whole curve, and its\r
 * cardinality is denoted by \p N. Our code requires that \p N is an\r
 * odd prime as mbedtls_ecp_mul() requires an odd number, and\r
 * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.\r
 *\r
 * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,\r
 * which is the quantity used in the formulas. Additionally, \p nbits is\r
 * not the size of \p N but the required size for private keys.\r
 *\r
 * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.\r
 * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the\r
 * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer\r
 * which is congruent mod \p P to the given MPI, and is close enough to \p pbits\r
 * in size, so that it may be efficiently brought in the 0..P-1 range by a few\r
 * additions or subtractions. Therefore, it is only an approximative modular\r
 * reduction. It must return 0 on success and non-zero on failure.\r
 *\r
 * \note        Alternative implementations must keep the group IDs distinct. If\r
 *              two group structures have the same ID, then they must be\r
 *              identical.\r
 *\r
 */\r
typedef struct mbedtls_ecp_group\r
{\r
    mbedtls_ecp_group_id id;    /*!< An internal group identifier. */\r
    mbedtls_mpi P;              /*!< The prime modulus of the base field. */\r
    mbedtls_mpi A;              /*!< For Short Weierstrass: \p A in the equation. For\r
                                     Montgomery curves: <code>(A + 2) / 4</code>. */\r
    mbedtls_mpi B;              /*!< For Short Weierstrass: \p B in the equation.\r
                                     For Montgomery curves: unused. */\r
    mbedtls_ecp_point G;        /*!< The generator of the subgroup used. */\r
    mbedtls_mpi N;              /*!< The order of \p G. */\r
    size_t pbits;               /*!< The number of bits in \p P.*/\r
    size_t nbits;               /*!< For Short Weierstrass: The number of bits in \p P.\r
                                     For Montgomery curves: the number of bits in the\r
                                     private keys. */\r
    unsigned int h;             /*!< \internal 1 if the constants are static. */\r
    int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction\r
                                     mod \p P (see above).*/\r
    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< Unused. */\r
    int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */\r
    void *t_data;               /*!< Unused. */\r
    mbedtls_ecp_point *T;       /*!< Pre-computed points for ecp_mul_comb(). */\r
    size_t T_size;              /*!< The number of pre-computed points. */\r
}\r
mbedtls_ecp_group;\r
\r
/**\r
 * \name SECTION: Module settings\r
 *\r
 * The configuration options you can set for this module are in this section.\r
 * Either change them in config.h, or define them using the compiler command line.\r
 * \{\r
 */\r
\r
#if !defined(MBEDTLS_ECP_MAX_BITS)\r
/**\r
 * The maximum size of the groups, that is, of \c N and \c P.\r
 */\r
#define MBEDTLS_ECP_MAX_BITS     521   /**< The maximum size of groups, in bits. */\r
#endif\r
\r
#define MBEDTLS_ECP_MAX_BYTES    ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )\r
#define MBEDTLS_ECP_MAX_PT_LEN   ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 )\r
\r
#if !defined(MBEDTLS_ECP_WINDOW_SIZE)\r
/*\r
 * Maximum "window" size used for point multiplication.\r
 * Default: 6.\r
 * Minimum value: 2. Maximum value: 7.\r
 *\r
 * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )\r
 * points used for point multiplication. This value is directly tied to EC\r
 * peak memory usage, so decreasing it by one should roughly cut memory usage\r
 * by two (if large curves are in use).\r
 *\r
 * Reduction in size may reduce speed, but larger curves are impacted first.\r
 * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):\r
 *      w-size:     6       5       4       3       2\r
 *      521       145     141     135     120      97\r
 *      384       214     209     198     177     146\r
 *      256       320     320     303     262     226\r
 *      224       475     475     453     398     342\r
 *      192       640     640     633     587     476\r
 */\r
#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< The maximum window size used. */\r
#endif /* MBEDTLS_ECP_WINDOW_SIZE */\r
\r
#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)\r
/*\r
 * Trade memory for speed on fixed-point multiplication.\r
 *\r
 * This speeds up repeated multiplication of the generator (that is, the\r
 * multiplication in ECDSA signatures, and half of the multiplications in\r
 * ECDSA verification and ECDHE) by a factor roughly 3 to 4.\r
 *\r
 * The cost is increasing EC peak memory usage by a factor roughly 2.\r
 *\r
 * Change this value to 0 to reduce peak memory usage.\r
 */\r
#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up. */\r
#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */\r
\r
/* \} name SECTION: Module settings */\r
\r
#else  /* MBEDTLS_ECP_ALT */\r
#include "ecp_alt.h"\r
#endif /* MBEDTLS_ECP_ALT */\r
\r
#if defined(MBEDTLS_ECP_RESTARTABLE)\r
\r
/**\r
 * \brief           Internal restart context for multiplication\r
 *\r
 * \note            Opaque struct\r
 */\r
typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;\r
\r
/**\r
 * \brief           Internal restart context for ecp_muladd()\r
 *\r
 * \note            Opaque struct\r
 */\r
typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;\r
\r
/**\r
 * \brief           General context for resuming ECC operations\r
 */\r
typedef struct\r
{\r
    unsigned ops_done;                  /*!<  current ops count             */\r
    unsigned depth;                     /*!<  call depth (0 = top-level)    */\r
    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */\r
    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */\r
} mbedtls_ecp_restart_ctx;\r
\r
/*\r
 * Operation counts for restartable functions\r
 */\r
#define MBEDTLS_ECP_OPS_CHK   3 /*!< basic ops count for ecp_check_pubkey()  */\r
#define MBEDTLS_ECP_OPS_DBL   8 /*!< basic ops count for ecp_double_jac()    */\r
#define MBEDTLS_ECP_OPS_ADD  11 /*!< basic ops count for see ecp_add_mixed() */\r
#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv()  */\r
\r
/**\r
 * \brief           Internal; for restartable functions in other modules.\r
 *                  Check and update basic ops budget.\r
 *\r
 * \param grp       Group structure\r
 * \param rs_ctx    Restart context\r
 * \param ops       Number of basic ops to do\r
 *\r
 * \return          \c 0 if doing \p ops basic ops is still allowed,\r
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.\r
 */\r
int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,\r
                              mbedtls_ecp_restart_ctx *rs_ctx,\r
                              unsigned ops );\r
\r
/* Utility macro for checking and updating ops budget */\r
#define MBEDTLS_ECP_BUDGET( ops )   \\r
    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \\r
                                               (unsigned) (ops) ) );\r
\r
#else /* MBEDTLS_ECP_RESTARTABLE */\r
\r
#define MBEDTLS_ECP_BUDGET( ops )   /* no-op; for compatibility */\r
\r
/* We want to declare restartable versions of existing functions anyway */\r
typedef void mbedtls_ecp_restart_ctx;\r
\r
#endif /* MBEDTLS_ECP_RESTARTABLE */\r
\r
/**\r
 * \brief    The ECP key-pair structure.\r
 *\r
 * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.\r
 *\r
 * \note    Members are deliberately in the same order as in the\r
 *          ::mbedtls_ecdsa_context structure.\r
 */\r
typedef struct mbedtls_ecp_keypair\r
{\r
    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */\r
    mbedtls_mpi d;              /*!<  our secret value                  */\r
    mbedtls_ecp_point Q;        /*!<  our public value                  */\r
}\r
mbedtls_ecp_keypair;\r
\r
/*\r
 * Point formats, from RFC 4492's enum ECPointFormat\r
 */\r
#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format. */\r
#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format. */\r
\r
/*\r
 * Some other constants from RFC 4492\r
 */\r
#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< The named_curve of ECCurveType. */\r
\r
#if defined(MBEDTLS_ECP_RESTARTABLE)\r
/**\r
 * \brief           Set the maximum number of basic operations done in a row.\r
 *\r
 *                  If more operations are needed to complete a computation,\r
 *                  #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the\r
 *                  function performing the computation. It is then the\r
 *                  caller's responsibility to either call again with the same\r
 *                  parameters until it returns 0 or an error code; or to free\r
 *                  the restart context if the operation is to be aborted.\r
 *\r
 *                  It is strictly required that all input parameters and the\r
 *                  restart context be the same on successive calls for the\r
 *                  same operation, but output parameters need not be the\r
 *                  same; they must not be used until the function finally\r
 *                  returns 0.\r
 *\r
 *                  This only applies to functions whose documentation\r
 *                  mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or\r
 *                  #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the\r
 *                  SSL module). For functions that accept a "restart context"\r
 *                  argument, passing NULL disables restart and makes the\r
 *                  function equivalent to the function with the same name\r
 *                  with \c _restartable removed. For functions in the ECDH\r
 *                  module, restart is disabled unless the function accepts\r
 *                  an "ECDH context" argument and\r
 *                  mbedtls_ecdh_enable_restart() was previously called on\r
 *                  that context. For function in the SSL module, restart is\r
 *                  only enabled for specific sides and key exchanges\r
 *                  (currently only for clients and ECDHE-ECDSA).\r
 *\r
 * \param max_ops   Maximum number of basic operations done in a row.\r
 *                  Default: 0 (unlimited).\r
 *                  Lower (non-zero) values mean ECC functions will block for\r
 *                  a lesser maximum amount of time.\r
 *\r
 * \note            A "basic operation" is defined as a rough equivalent of a\r
 *                  multiplication in GF(p) for the NIST P-256 curve.\r
 *                  As an indication, with default settings, a scalar\r
 *                  multiplication (full run of \c mbedtls_ecp_mul()) is:\r
 *                  - about 3300 basic operations for P-256\r
 *                  - about 9400 basic operations for P-384\r
 *\r
 * \note            Very low values are not always respected: sometimes\r
 *                  functions need to block for a minimum number of\r
 *                  operations, and will do so even if max_ops is set to a\r
 *                  lower value.  That minimum depends on the curve size, and\r
 *                  can be made lower by decreasing the value of\r
 *                  \c MBEDTLS_ECP_WINDOW_SIZE.  As an indication, here is the\r
 *                  lowest effective value for various curves and values of\r
 *                  that parameter (w for short):\r
 *                          w=6     w=5     w=4     w=3     w=2\r
 *                  P-256   208     208     160     136     124\r
 *                  P-384   682     416     320     272     248\r
 *                  P-521  1364     832     640     544     496\r
 *\r
 * \note            This setting is currently ignored by Curve25519.\r
 */\r
void mbedtls_ecp_set_max_ops( unsigned max_ops );\r
\r
/**\r
 * \brief           Check if restart is enabled (max_ops != 0)\r
 *\r
 * \return          \c 0 if \c max_ops == 0 (restart disabled)\r
 * \return          \c 1 otherwise (restart enabled)\r
 */\r
int mbedtls_ecp_restart_is_enabled( void );\r
#endif /* MBEDTLS_ECP_RESTARTABLE */\r
\r
/*\r
 * Get the type of a curve\r
 */\r
mbedtls_ecp_curve_type mbedtls_ecp_get_type( const mbedtls_ecp_group *grp );\r
\r
/**\r
 * \brief           This function retrieves the information defined in\r
 *                  mbedtls_ecp_curve_info() for all supported curves in order\r
 *                  of preference.\r
 *\r
 * \return          A statically allocated array. The last entry is 0.\r
 */\r
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );\r
\r
/**\r
 * \brief           This function retrieves the list of internal group\r
 *                  identifiers of all supported curves in the order of\r
 *                  preference.\r
 *\r
 * \return          A statically allocated array,\r
 *                  terminated with MBEDTLS_ECP_DP_NONE.\r
 */\r
const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );\r
\r
/**\r
 * \brief           This function retrieves curve information from an internal\r
 *                  group identifier.\r
 *\r
 * \param grp_id    An \c MBEDTLS_ECP_DP_XXX value.\r
 *\r
 * \return          The associated curve information on success.\r
 * \return          NULL on failure.\r
 */\r
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );\r
\r
/**\r
 * \brief           This function retrieves curve information from a TLS\r
 *                  NamedCurve value.\r
 *\r
 * \param tls_id    An \c MBEDTLS_ECP_DP_XXX value.\r
 *\r
 * \return          The associated curve information on success.\r
 * \return          NULL on failure.\r
 */\r
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );\r
\r
/**\r
 * \brief           This function retrieves curve information from a\r
 *                  human-readable name.\r
 *\r
 * \param name      The human-readable name.\r
 *\r
 * \return          The associated curve information on success.\r
 * \return          NULL on failure.\r
 */\r
const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );\r
\r
/**\r
 * \brief           This function initializes a point as zero.\r
 *\r
 * \param pt        The point to initialize.\r
 */\r
void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );\r
\r
/**\r
 * \brief           This function initializes an ECP group context\r
 *                  without loading any domain parameters.\r
 *\r
 * \note            After this function is called, domain parameters\r
 *                  for various ECP groups can be loaded through the\r
 *                  mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()\r
 *                  functions.\r
 */\r
void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );\r
\r
/**\r
 * \brief           This function initializes a key pair as an invalid one.\r
 *\r
 * \param key       The key pair to initialize.\r
 */\r
void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );\r
\r
/**\r
 * \brief           This function frees the components of a point.\r
 *\r
 * \param pt        The point to free.\r
 */\r
void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );\r
\r
/**\r
 * \brief           This function frees the components of an ECP group.\r
 *\r
 * \param grp       The group to free. This may be \c NULL, in which\r
 *                  case this function returns immediately. If it is not\r
 *                  \c NULL, it must point to an initialized ECP group.\r
 */\r
void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );\r
\r
/**\r
 * \brief           This function frees the components of a key pair.\r
 *\r
 * \param key       The key pair to free. This may be \c NULL, in which\r
 *                  case this function returns immediately. If it is not\r
 *                  \c NULL, it must point to an initialized ECP key pair.\r
 */\r
void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );\r
\r
#if defined(MBEDTLS_ECP_RESTARTABLE)\r
/**\r
 * \brief           Initialize a restart context.\r
 *\r
 * \param ctx       The restart context to initialize. This must\r
 *                  not be \c NULL.\r
 */\r
void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );\r
\r
/**\r
 * \brief           Free the components of a restart context.\r
 *\r
 * \param ctx       The restart context to free. This may be \c NULL, in which\r
 *                  case this function returns immediately. If it is not\r
 *                  \c NULL, it must point to an initialized restart context.\r
 */\r
void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );\r
#endif /* MBEDTLS_ECP_RESTARTABLE */\r
\r
/**\r
 * \brief           This function copies the contents of point \p Q into\r
 *                  point \p P.\r
 *\r
 * \param P         The destination point. This must be initialized.\r
 * \param Q         The source point. This must be initialized.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          Another negative error code for other kinds of failure.\r
 */\r
int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );\r
\r
/**\r
 * \brief           This function copies the contents of group \p src into\r
 *                  group \p dst.\r
 *\r
 * \param dst       The destination group. This must be initialized.\r
 * \param src       The source group. This must be initialized.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,\r
                            const mbedtls_ecp_group *src );\r
\r
/**\r
 * \brief           This function sets a point to the point at infinity.\r
 *\r
 * \param pt        The point to set. This must be initialized.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );\r
\r
/**\r
 * \brief           This function checks if a point is the point at infinity.\r
 *\r
 * \param pt        The point to test. This must be initialized.\r
 *\r
 * \return          \c 1 if the point is zero.\r
 * \return          \c 0 if the point is non-zero.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );\r
\r
/**\r
 * \brief           This function compares two points.\r
 *\r
 * \note            This assumes that the points are normalized. Otherwise,\r
 *                  they may compare as "not equal" even if they are.\r
 *\r
 * \param P         The first point to compare. This must be initialized.\r
 * \param Q         The second point to compare. This must be initialized.\r
 *\r
 * \return          \c 0 if the points are equal.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.\r
 */\r
int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,\r
                           const mbedtls_ecp_point *Q );\r
\r
/**\r
 * \brief           This function imports a non-zero point from two ASCII\r
 *                  strings.\r
 *\r
 * \param P         The destination point. This must be initialized.\r
 * \param radix     The numeric base of the input.\r
 * \param x         The first affine coordinate, as a null-terminated string.\r
 * \param y         The second affine coordinate, as a null-terminated string.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_MPI_XXX error code on failure.\r
 */\r
int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,\r
                           const char *x, const char *y );\r
\r
/**\r
 * \brief           This function exports a point into unsigned binary data.\r
 *\r
 * \param grp       The group to which the point should belong.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param P         The point to export. This must be initialized.\r
 * \param format    The point format. This must be either\r
 *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.\r
 *                  (For groups without these formats, this parameter is\r
 *                  ignored. But it still has to be either of the above\r
 *                  values.)\r
 * \param olen      The address at which to store the length of\r
 *                  the output in Bytes. This must not be \c NULL.\r
 * \param buf       The output buffer. This must be a writable buffer\r
 *                  of length \p buflen Bytes.\r
 * \param buflen    The length of the output buffer \p buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer\r
 *                  is too small to hold the point.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format\r
 *                  or the export for the given group is not implemented.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,\r
                                    const mbedtls_ecp_point *P,\r
                                    int format, size_t *olen,\r
                                    unsigned char *buf, size_t buflen );\r
\r
/**\r
 * \brief           This function imports a point from unsigned binary data.\r
 *\r
 * \note            This function does not check that the point actually\r
 *                  belongs to the given group, see mbedtls_ecp_check_pubkey()\r
 *                  for that.\r
 *\r
 * \param grp       The group to which the point should belong.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param P         The destination context to import the point to.\r
 *                  This must be initialized.\r
 * \param buf       The input buffer. This must be a readable buffer\r
 *                  of length \p ilen Bytes.\r
 * \param ilen      The length of the input buffer \p buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the\r
 *                  given group is not implemented.\r
 */\r
int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,\r
                                   mbedtls_ecp_point *P,\r
                                   const unsigned char *buf, size_t ilen );\r
\r
/**\r
 * \brief           This function imports a point from a TLS ECPoint record.\r
 *\r
 * \note            On function return, \p *buf is updated to point immediately\r
 *                  after the ECPoint record.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param pt        The destination point.\r
 * \param buf       The address of the pointer to the start of the input buffer.\r
 * \param len       The length of the buffer.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization\r
 *                  failure.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.\r
 */\r
int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,\r
                                mbedtls_ecp_point *pt,\r
                                const unsigned char **buf, size_t len );\r
\r
/**\r
 * \brief           This function exports a point as a TLS ECPoint record\r
 *                  defined in RFC 4492, Section 5.4.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param pt        The point to be exported. This must be initialized.\r
 * \param format    The point format to use. This must be either\r
 *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.\r
 * \param olen      The address at which to store the length in Bytes\r
 *                  of the data written.\r
 * \param buf       The target buffer. This must be a writable buffer of\r
 *                  length \p blen Bytes.\r
 * \param blen      The length of the target buffer \p buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.\r
 * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer\r
 *                  is too small to hold the exported point.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,\r
                                 const mbedtls_ecp_point *pt,\r
                                 int format, size_t *olen,\r
                                 unsigned char *buf, size_t blen );\r
\r
/**\r
 * \brief           This function sets up an ECP group context\r
 *                  from a standardized set of domain parameters.\r
 *\r
 * \note            The index should be a value of the NamedCurve enum,\r
 *                  as defined in <em>RFC-4492: Elliptic Curve Cryptography\r
 *                  (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,\r
 *                  usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.\r
 *\r
 * \param grp       The group context to setup. This must be initialized.\r
 * \param id        The identifier of the domain parameter set to load.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't\r
 *                  correspond to a known group.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );\r
\r
/**\r
 * \brief           This function sets up an ECP group context from a TLS\r
 *                  ECParameters record as defined in RFC 4492, Section 5.4.\r
 *\r
 * \note            The read pointer \p buf is updated to point right after\r
 *                  the ECParameters record on exit.\r
 *\r
 * \param grp       The group context to setup. This must be initialized.\r
 * \param buf       The address of the pointer to the start of the input buffer.\r
 * \param len       The length of the input buffer \c *buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not\r
 *                  recognized.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,\r
                                const unsigned char **buf, size_t len );\r
\r
/**\r
 * \brief           This function extracts an elliptic curve group ID from a\r
 *                  TLS ECParameters record as defined in RFC 4492, Section 5.4.\r
 *\r
 * \note            The read pointer \p buf is updated to point right after\r
 *                  the ECParameters record on exit.\r
 *\r
 * \param grp       The address at which to store the group id.\r
 *                  This must not be \c NULL.\r
 * \param buf       The address of the pointer to the start of the input buffer.\r
 * \param len       The length of the input buffer \c *buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not\r
 *                  recognized.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,\r
                                   const unsigned char **buf,\r
                                   size_t len );\r
/**\r
 * \brief           This function exports an elliptic curve as a TLS\r
 *                  ECParameters record as defined in RFC 4492, Section 5.4.\r
 *\r
 * \param grp       The ECP group to be exported.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param olen      The address at which to store the number of Bytes written.\r
 *                  This must not be \c NULL.\r
 * \param buf       The buffer to write to. This must be a writable buffer\r
 *                  of length \p blen Bytes.\r
 * \param blen      The length of the output buffer \p buf in Bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output\r
 *                  buffer is too small to hold the exported group.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,\r
                                 size_t *olen,\r
                                 unsigned char *buf, size_t blen );\r
\r
/**\r
 * \brief           This function performs a scalar multiplication of a point\r
 *                  by an integer: \p R = \p m * \p P.\r
 *\r
 *                  It is not thread-safe to use same group in multiple threads.\r
 *\r
 * \note            To prevent timing attacks, this function\r
 *                  executes the exact same sequence of base-field\r
 *                  operations for any valid \p m. It avoids any if-branch or\r
 *                  array index depending on the value of \p m.\r
 *\r
 * \note            If \p f_rng is not NULL, it is used to randomize\r
 *                  intermediate results to prevent potential timing attacks\r
 *                  targeting these results. We recommend always providing\r
 *                  a non-NULL \p f_rng. The overhead is negligible.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param R         The point in which to store the result of the calculation.\r
 *                  This must be initialized.\r
 * \param m         The integer by which to multiply. This must be initialized.\r
 * \param P         The point to multiply. This must be initialized.\r
 * \param f_rng     The RNG function. This may be \c NULL if randomization\r
 *                  of intermediate results isn't desired (discouraged).\r
 * \param p_rng     The RNG context to be passed to \p p_rng.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private\r
 *                  key, or \p P is not a valid public key.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,\r
             const mbedtls_mpi *m, const mbedtls_ecp_point *P,\r
             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );\r
\r
/**\r
 * \brief           This function performs multiplication of a point by\r
 *                  an integer: \p R = \p m * \p P in a restartable way.\r
 *\r
 * \see             mbedtls_ecp_mul()\r
 *\r
 * \note            This function does the same as \c mbedtls_ecp_mul(), but\r
 *                  it can return early and restart according to the limit set\r
 *                  with \c mbedtls_ecp_set_max_ops() to reduce blocking.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param R         The point in which to store the result of the calculation.\r
 *                  This must be initialized.\r
 * \param m         The integer by which to multiply. This must be initialized.\r
 * \param P         The point to multiply. This must be initialized.\r
 * \param f_rng     The RNG function. This may be \c NULL if randomization\r
 *                  of intermediate results isn't desired (discouraged).\r
 * \param p_rng     The RNG context to be passed to \p p_rng.\r
 * \param rs_ctx    The restart context (NULL disables restart).\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private\r
 *                  key, or \p P is not a valid public key.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of\r
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,\r
             const mbedtls_mpi *m, const mbedtls_ecp_point *P,\r
             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,\r
             mbedtls_ecp_restart_ctx *rs_ctx );\r
\r
/**\r
 * \brief           This function performs multiplication and addition of two\r
 *                  points by integers: \p R = \p m * \p P + \p n * \p Q\r
 *\r
 *                  It is not thread-safe to use same group in multiple threads.\r
 *\r
 * \note            In contrast to mbedtls_ecp_mul(), this function does not\r
 *                  guarantee a constant execution flow and timing.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param R         The point in which to store the result of the calculation.\r
 *                  This must be initialized.\r
 * \param m         The integer by which to multiply \p P.\r
 *                  This must be initialized.\r
 * \param P         The point to multiply by \p m. This must be initialized.\r
 * \param n         The integer by which to multiply \p Q.\r
 *                  This must be initialized.\r
 * \param Q         The point to be multiplied by \p n.\r
 *                  This must be initialized.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not\r
 *                  valid private keys, or \p P or \p Q are not valid public\r
 *                  keys.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,\r
             const mbedtls_mpi *m, const mbedtls_ecp_point *P,\r
             const mbedtls_mpi *n, const mbedtls_ecp_point *Q );\r
\r
/**\r
 * \brief           This function performs multiplication and addition of two\r
 *                  points by integers: \p R = \p m * \p P + \p n * \p Q in a\r
 *                  restartable way.\r
 *\r
 * \see             \c mbedtls_ecp_muladd()\r
 *\r
 * \note            This function works the same as \c mbedtls_ecp_muladd(),\r
 *                  but it can return early and restart according to the limit\r
 *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.\r
 *\r
 * \param grp       The ECP group to use.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param R         The point in which to store the result of the calculation.\r
 *                  This must be initialized.\r
 * \param m         The integer by which to multiply \p P.\r
 *                  This must be initialized.\r
 * \param P         The point to multiply by \p m. This must be initialized.\r
 * \param n         The integer by which to multiply \p Q.\r
 *                  This must be initialized.\r
 * \param Q         The point to be multiplied by \p n.\r
 *                  This must be initialized.\r
 * \param rs_ctx    The restart context (NULL disables restart).\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not\r
 *                  valid private keys, or \p P or \p Q are not valid public\r
 *                  keys.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.\r
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of\r
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_muladd_restartable(\r
             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,\r
             const mbedtls_mpi *m, const mbedtls_ecp_point *P,\r
             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,\r
             mbedtls_ecp_restart_ctx *rs_ctx );\r
\r
/**\r
 * \brief           This function checks that a point is a valid public key\r
 *                  on this curve.\r
 *\r
 *                  It only checks that the point is non-zero, has\r
 *                  valid coordinates and lies on the curve. It does not verify\r
 *                  that it is indeed a multiple of \p G. This additional\r
 *                  check is computationally more expensive, is not required\r
 *                  by standards, and should not be necessary if the group\r
 *                  used has a small cofactor. In particular, it is useless for\r
 *                  the NIST groups which all have a cofactor of 1.\r
 *\r
 * \note            This function uses bare components rather than an\r
 *                  ::mbedtls_ecp_keypair structure, to ease use with other\r
 *                  structures, such as ::mbedtls_ecdh_context or\r
 *                  ::mbedtls_ecdsa_context.\r
 *\r
 * \param grp       The ECP group the point should belong to.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param pt        The point to check. This must be initialized.\r
 *\r
 * \return          \c 0 if the point is a valid public key.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not\r
 *                  a valid public key for the given curve.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,\r
                              const mbedtls_ecp_point *pt );\r
\r
/**\r
 * \brief           This function checks that an \p mbedtls_mpi is a\r
 *                  valid private key for this curve.\r
 *\r
 * \note            This function uses bare components rather than an\r
 *                  ::mbedtls_ecp_keypair structure to ease use with other\r
 *                  structures, such as ::mbedtls_ecdh_context or\r
 *                  ::mbedtls_ecdsa_context.\r
 *\r
 * \param grp       The ECP group the private key should belong to.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param d         The integer to check. This must be initialized.\r
 *\r
 * \return          \c 0 if the point is a valid private key.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid\r
 *                  private key for the given curve.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,\r
                               const mbedtls_mpi *d );\r
\r
/**\r
 * \brief           This function generates a private key.\r
 *\r
 * \param grp       The ECP group to generate a private key for.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param d         The destination MPI (secret part). This must be initialized.\r
 * \param f_rng     The RNG function. This must not be \c NULL.\r
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This may be\r
 *                  \c NULL if \p f_rng doesn't need a context argument.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code\r
 *                  on failure.\r
 */\r
int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,\r
                     mbedtls_mpi *d,\r
                     int (*f_rng)(void *, unsigned char *, size_t),\r
                     void *p_rng );\r
\r
/**\r
 * \brief           This function generates a keypair with a configurable base\r
 *                  point.\r
 *\r
 * \note            This function uses bare components rather than an\r
 *                  ::mbedtls_ecp_keypair structure to ease use with other\r
 *                  structures, such as ::mbedtls_ecdh_context or\r
 *                  ::mbedtls_ecdsa_context.\r
 *\r
 * \param grp       The ECP group to generate a key pair for.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param G         The base point to use. This must be initialized\r
 *                  and belong to \p grp. It replaces the default base\r
 *                  point \c grp->G used by mbedtls_ecp_gen_keypair().\r
 * \param d         The destination MPI (secret part).\r
 *                  This must be initialized.\r
 * \param Q         The destination point (public part).\r
 *                  This must be initialized.\r
 * \param f_rng     The RNG function. This must not be \c NULL.\r
 * \param p_rng     The RNG context to be passed to \p f_rng. This may\r
 *                  be \c NULL if \p f_rng doesn't need a context argument.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code\r
 *                  on failure.\r
 */\r
int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,\r
                                  const mbedtls_ecp_point *G,\r
                                  mbedtls_mpi *d, mbedtls_ecp_point *Q,\r
                                  int (*f_rng)(void *, unsigned char *, size_t),\r
                                  void *p_rng );\r
\r
/**\r
 * \brief           This function generates an ECP keypair.\r
 *\r
 * \note            This function uses bare components rather than an\r
 *                  ::mbedtls_ecp_keypair structure to ease use with other\r
 *                  structures, such as ::mbedtls_ecdh_context or\r
 *                  ::mbedtls_ecdsa_context.\r
 *\r
 * \param grp       The ECP group to generate a key pair for.\r
 *                  This must be initialized and have group parameters\r
 *                  set, for example through mbedtls_ecp_group_load().\r
 * \param d         The destination MPI (secret part).\r
 *                  This must be initialized.\r
 * \param Q         The destination point (public part).\r
 *                  This must be initialized.\r
 * \param f_rng     The RNG function. This must not be \c NULL.\r
 * \param p_rng     The RNG context to be passed to \p f_rng. This may\r
 *                  be \c NULL if \p f_rng doesn't need a context argument.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code\r
 *                  on failure.\r
 */\r
int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,\r
                             mbedtls_ecp_point *Q,\r
                             int (*f_rng)(void *, unsigned char *, size_t),\r
                             void *p_rng );\r
\r
/**\r
 * \brief           This function generates an ECP key.\r
 *\r
 * \param grp_id    The ECP group identifier.\r
 * \param key       The destination key. This must be initialized.\r
 * \param f_rng     The RNG function to use. This must not be \c NULL.\r
 * \param p_rng     The RNG context to be passed to \p f_rng. This may\r
 *                  be \c NULL if \p f_rng doesn't need a context argument.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code\r
 *                  on failure.\r
 */\r
int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,\r
                         int (*f_rng)(void *, unsigned char *, size_t),\r
                         void *p_rng );\r
\r
/**\r
 * \brief           This function reads an elliptic curve private key.\r
 *\r
 * \param grp_id    The ECP group identifier.\r
 * \param key       The destination key.\r
 * \param buf       The the buffer containing the binary representation of the\r
 *                  key. (Big endian integer for Weierstrass curves, byte\r
 *                  string for Montgomery curves.)\r
 * \param buflen    The length of the buffer in bytes.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is\r
 *                  invalid.\r
 * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.\r
 * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for\r
 *                  the group is not implemented.\r
 * \return          Another negative error code on different kinds of failure.\r
 */\r
int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,\r
                          const unsigned char *buf, size_t buflen );\r
/**\r
 * \brief           This function checks that the keypair objects\r
 *                  \p pub and \p prv have the same group and the\r
 *                  same public point, and that the private key in\r
 *                  \p prv is consistent with the public key.\r
 *\r
 * \param pub       The keypair structure holding the public key. This\r
 *                  must be initialized. If it contains a private key, that\r
 *                  part is ignored.\r
 * \param prv       The keypair structure holding the full keypair.\r
 *                  This must be initialized.\r
 *\r
 * \return          \c 0 on success, meaning that the keys are valid and match.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.\r
 * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX\r
 *                  error code on calculation failure.\r
 */\r
int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,\r
                                const mbedtls_ecp_keypair *prv );\r
\r
#if defined(MBEDTLS_SELF_TEST)\r
\r
/**\r
 * \brief          The ECP checkup routine.\r
 *\r
 * \return         \c 0 on success.\r
 * \return         \c 1 on failure.\r
 */\r
int mbedtls_ecp_self_test( int verbose );\r
\r
#endif /* MBEDTLS_SELF_TEST */\r
\r
#ifdef __cplusplus\r
}\r
#endif\r
\r
#endif /* ecp.h */\r