Home | History | Annotate | Download | only in openssl 
      1 /* Copyright (c) 2015, Google Inc.
      2  *
      3  * Permission to use, copy, modify, and/or distribute this software for any
      4  * purpose with or without fee is hereby granted, provided that the above
      5  * copyright notice and this permission notice appear in all copies.
      6  *
      7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
     10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
     12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
     13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
     14 
     15 #ifndef OPENSSL_HEADER_CURVE25519_H
     16 #define OPENSSL_HEADER_CURVE25519_H
     17 
     18 #include <openssl/base.h>
     19 
     20 #if defined(__cplusplus)
     21 extern "C" {
     22 #endif
     23 
     24 
     25 // Curve25519.
     26 //
     27 // Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748.
     28 
     29 
     30 // X25519.
     31 //
     32 // X25519 is the Diffie-Hellman primitive built from curve25519. It is
     33 // sometimes referred to as curve25519, but X25519 is a more precise name.
     34 // See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748.
     35 
     36 #define X25519_PRIVATE_KEY_LEN 32
     37 #define X25519_PUBLIC_VALUE_LEN 32
     38 #define X25519_SHARED_KEY_LEN 32
     39 
     40 // X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
     41 // generated, publicprivate key pair.
     42 OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],
     43                                    uint8_t out_private_key[32]);
     44 
     45 // X25519 writes a shared key to |out_shared_key| that is calculated from the
     46 // given private key and the peer's public value. It returns one on success and
     47 // zero on error.
     48 //
     49 // Don't use the shared key directly, rather use a KDF and also include the two
     50 // public values as inputs.
     51 OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],
     52                           const uint8_t private_key[32],
     53                           const uint8_t peer_public_value[32]);
     54 
     55 // X25519_public_from_private calculates a Diffie-Hellman public value from the
     56 // given private key and writes it to |out_public_value|.
     57 OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],
     58                                                const uint8_t private_key[32]);
     59 
     60 
     61 // Ed25519.
     62 //
     63 // Ed25519 is a signature scheme using a twisted-Edwards curve that is
     64 // birationally equivalent to curve25519.
     65 //
     66 // Note that, unlike RFC 8032's formulation, our private key representation
     67 // includes a public key suffix to make multiple key signing operations with the
     68 // same key more efficient. The RFC 8032 key private key is referred to in this
     69 // implementation as the "seed" and is the first 32 bytes of our private key.
     70 
     71 #define ED25519_PRIVATE_KEY_LEN 64
     72 #define ED25519_PUBLIC_KEY_LEN 32
     73 #define ED25519_SIGNATURE_LEN 64
     74 
     75 // ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
     76 // generated, publicprivate key pair.
     77 OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],
     78                                     uint8_t out_private_key[64]);
     79 
     80 // ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
     81 // |message| using |private_key|. It returns one on success or zero on
     82 // error.
     83 OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
     84                                 size_t message_len,
     85                                 const uint8_t private_key[64]);
     86 
     87 // ED25519_verify returns one iff |signature| is a valid signature, by
     88 // |public_key| of |message_len| bytes from |message|. It returns zero
     89 // otherwise.
     90 OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
     91                                   const uint8_t signature[64],
     92                                   const uint8_t public_key[32]);
     93 
     94 // ED25519_keypair_from_seed calculates a public and private key from an
     95 // Ed25519 seed. Seed values are not exposed by this API (although they
     96 // happen to be the first 32 bytes of a private key) so this function is for
     97 // interoperating with systems that may store just a seed instead of a full
     98 // private key.
     99 OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],
    100                                               uint8_t out_private_key[64],
    101                                               const uint8_t seed[32]);
    102 
    103 
    104 // SPAKE2.
    105 //
    106 // SPAKE2 is a password-authenticated key-exchange. It allows two parties,
    107 // who share a low-entropy secret (i.e. password), to agree on a shared key.
    108 // An attacker can only make one guess of the password per execution of the
    109 // protocol.
    110 //
    111 // See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02.
    112 
    113 // spake2_role_t enumerates the different roles in SPAKE2. The protocol
    114 // requires that the symmetry of the two parties be broken so one participant
    115 // must be Alice and the other be Bob.
    116 enum spake2_role_t {
    117   spake2_role_alice,
    118   spake2_role_bob,
    119 };
    120 
    121 // SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
    122 // single execution of the protocol). SPAKE2 requires the symmetry of the two
    123 // parties to be broken which is indicated via |my_role|  each party must pass
    124 // a different value for this argument.
    125 //
    126 // The |my_name| and |their_name| arguments allow optional, opaque names to be
    127 // bound into the protocol. For example MAC addresses, hostnames, usernames
    128 // etc. These values are not exposed and can avoid context-confusion attacks
    129 // when a password is shared between several devices.
    130 OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
    131     enum spake2_role_t my_role,
    132     const uint8_t *my_name, size_t my_name_len,
    133     const uint8_t *their_name, size_t their_name_len);
    134 
    135 // SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated.
    136 OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);
    137 
    138 // SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message.
    139 #define SPAKE2_MAX_MSG_SIZE 32
    140 
    141 // SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes
    142 // it to |out| and sets |*out_len| to the number of bytes written.
    143 //
    144 // At most |max_out_len| bytes are written to |out| and, in order to ensure
    145 // success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.
    146 //
    147 // This function can only be called once for a given |SPAKE2_CTX|.
    148 //
    149 // It returns one on success and zero on error.
    150 OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
    151                                        size_t *out_len, size_t max_out_len,
    152                                        const uint8_t *password,
    153                                        size_t password_len);
    154 
    155 // SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
    156 // produce.
    157 #define SPAKE2_MAX_KEY_SIZE 64
    158 
    159 // SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
    160 // |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets
    161 // |*out_key_len| to the number of bytes written.
    162 //
    163 // The resulting keying material is suitable for:
    164 //   a) Using directly in a key-confirmation step: i.e. each side could
    165 //      transmit a hash of their role, a channel-binding value and the key
    166 //      material to prove to the other side that they know the shared key.
    167 //   b) Using as input keying material to HKDF to generate a variety of subkeys
    168 //      for encryption etc.
    169 //
    170 // If |max_out_key_key| is smaller than the amount of key material generated
    171 // then the key is silently truncated. If you want to ensure that no truncation
    172 // occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.
    173 //
    174 // You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling
    175 // this function. On successful return, |ctx| is complete and calling
    176 // |SPAKE2_CTX_free| is the only acceptable operation on it.
    177 //
    178 // Returns one on success or zero on error.
    179 OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
    180                                       size_t *out_key_len,
    181                                       size_t max_out_key_len,
    182                                       const uint8_t *their_msg,
    183                                       size_t their_msg_len);
    184 
    185 
    186 #if defined(__cplusplus)
    187 }  // extern C
    188 
    189 extern "C++" {
    190 
    191 namespace bssl {
    192 
    193 BORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)
    194 
    195 }  // namespace bssl
    196 
    197 }  // extern C++
    198 
    199 #endif
    200 
    201 #endif  // OPENSSL_HEADER_CURVE25519_H
    202