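/* Copyright (c) 2015, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#ifndef OPENSSL_HEADER_CURVE25519_H
#define OPENSSL_HEADER_CURVE25519_H

#include <openssl/base.h>

#if defined(__cplusplus)
extern "C" {
#endif


// Curve25519.
//
// Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748.


// X25519.
//
// X25519 is the Diffie-Hellman primitive built from curve25519. It is
// sometimes referred to as “curve25519”, but “X25519” is a more precise name.
// See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748.

#define X25519_PRIVATE_KEY_LEN 32
#define X25519_PUBLIC_VALUE_LEN 32
#define X25519_SHARED_KEY_LEN 32

// X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
// generated, public–private key pair.
//
// |out_private_key| is secret key material: keep it out of logs and clear the
// buffer (e.g. with |OPENSSL_cleanse|) once it is no longer needed.
OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],
                                   uint8_t out_private_key[32]);

// X25519 writes a shared key to |out_shared_key| that is calculated from the
// given private key and the peer's public value. It returns one on success and
// zero on error.
//
// Callers must check the return value and must not use |out_shared_key| when
// it is zero.
// NOTE(review): this header does not say what counts as an error; presumably
// it covers a degenerate result from an invalid peer value. Confirm against
// the implementation.
//
// Don't use the shared key directly, rather use a KDF and also include the two
// public values as inputs.
OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],
                          const uint8_t private_key[32],
                          const uint8_t peer_public_value[32]);

// X25519_public_from_private calculates a Diffie-Hellman public value from the
// given private key and writes it to |out_public_value|.
OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],
                                               const uint8_t private_key[32]);


// Ed25519.
//
// Ed25519 is a signature scheme using a twisted-Edwards curve that is
// birationally equivalent to curve25519.
//
// Note that, unlike RFC 8032's formulation, our private key representation
// includes a public key suffix to make multiple key signing operations with the
// same key more efficient. The RFC 8032 private key is referred to in this
// implementation as the "seed" and is the first 32 bytes of our private key.

#define ED25519_PRIVATE_KEY_LEN 64
#define ED25519_PUBLIC_KEY_LEN 32
#define ED25519_SIGNATURE_LEN 64

// ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
// generated, public–private key pair.
//
// |out_private_key| is secret key material: keep it out of logs and clear the
// buffer (e.g. with |OPENSSL_cleanse|) once it is no longer needed.
OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],
                                    uint8_t out_private_key[64]);

// ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
// |message| using |private_key|. It returns one on success or zero on
// allocation failure.
//
// |private_key| is the 64-byte representation described above (seed followed
// by the public key). Obtain it from |ED25519_keypair| or
// |ED25519_keypair_from_seed| rather than assembling the two halves by hand,
// so that the public-key suffix always belongs to the seed.
OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
                                size_t message_len,
                                const uint8_t private_key[64]);

// ED25519_verify returns one iff |signature| is a valid signature, by
// |public_key| of |message_len| bytes from |message|. It returns zero
// otherwise.
//
// The result must be compared against one; any other value means the message
// must be treated as unauthenticated.
OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
                                  const uint8_t signature[64],
                                  const uint8_t public_key[32]);

// ED25519_keypair_from_seed calculates a public and private key from an
// Ed25519 “seed”. Seed values are not exposed by this API (although they
// happen to be the first 32 bytes of a private key) so this function is for
// interoperating with systems that may store just a seed instead of a full
// private key.
//
// The seed is the RFC 8032 private key, so it is exactly as sensitive as
// |out_private_key| and needs the same handling.
OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],
                                              uint8_t out_private_key[64],
                                              const uint8_t seed[32]);


// SPAKE2.
//
// SPAKE2 is a password-authenticated key-exchange. It allows two parties,
// who share a low-entropy secret (i.e. password), to agree on a shared key.
// An attacker can only make one guess of the password per execution of the
// protocol.
//
// See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02.
//
// NOTE(review): the reference above is revision -02 of the draft. Whether this
// implementation interoperates with later revisions is not stated in this
// header; confirm before relying on interoperability.

// spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
// requires that the symmetry of the two parties be broken so one participant
// must be “Alice” and the other be “Bob”.
enum spake2_role_t {
  spake2_role_alice,
  spake2_role_bob,
};

// SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
// single execution of the protocol). SPAKE2 requires the symmetry of the two
// parties to be broken which is indicated via |my_role| – each party must pass
// a different value for this argument.
//
// The |my_name| and |their_name| arguments allow optional, opaque names to be
// bound into the protocol. For example MAC addresses, hostnames, usernames
// etc. These values are not exposed and can avoid context-confusion attacks
// when a password is shared between several devices.
//
// NOTE(review): the failure return is not documented here; presumably NULL on
// allocation failure. Callers should check the result before use.
OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
    enum spake2_role_t my_role,
    const uint8_t *my_name, size_t my_name_len,
    const uint8_t *their_name, size_t their_name_len);

// SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated.
OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);

// SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message.
#define SPAKE2_MAX_MSG_SIZE 32

// SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes
// it to |out| and sets |*out_len| to the number of bytes written.
//
// At most |max_out_len| bytes are written to |out| and, in order to ensure
// success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.
//
// This function can only be called once for a given |SPAKE2_CTX|.
//
// It returns one on success and zero on error.
OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
                                       size_t *out_len, size_t max_out_len,
                                       const uint8_t *password,
                                       size_t password_len);

// SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
// produce.
#define SPAKE2_MAX_KEY_SIZE 64

// SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
// |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets
// |*out_key_len| to the number of bytes written.
//
// The resulting keying material is suitable for:
//   - Using directly in a key-confirmation step: i.e. each side could
//     transmit a hash of their role, a channel-binding value and the key
//     material to prove to the other side that they know the shared key.
//   - Using as input keying material to HKDF to generate a variety of subkeys
//     for encryption etc.
//
// A return of one does not by itself show that the peer knew the password;
// that is what the key-confirmation step described above establishes.
//
// If |max_out_key_len| is smaller than the amount of key material generated
// then the key is silently truncated. If you want to ensure that no truncation
// occurs then |max_out_key_len| should be at least |SPAKE2_MAX_KEY_SIZE|.
// Because truncation is not reported as an error, use |*out_key_len| (not the
// buffer size) as the length of the key material.
//
// You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling
// this function. On successful return, |ctx| is complete and calling
// |SPAKE2_CTX_free| is the only acceptable operation on it.
//
// Returns one on success or zero on error.
OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
                                      size_t *out_key_len,
                                      size_t max_out_key_len,
                                      const uint8_t *their_msg,
                                      size_t their_msg_len);


#if defined(__cplusplus)
}  // extern C

extern "C++" {

BSSL_NAMESPACE_BEGIN

BORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)

BSSL_NAMESPACE_END

}  // extern C++

#endif

#endif  // OPENSSL_HEADER_CURVE25519_H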