@@ -125,6 +125,16 @@ typedef void mbedtls_ecdsa_restart_ctx;
125125
126126#endif /* MBEDTLS_ECP_RESTARTABLE */
127127
128+ /**
129+ * \brief This function checks whether a given group can be used
130+ * for ECDSA.
131+ *
132+ * \param gid The ECP group ID to check.
133+ *
134+ * \return \c 1 if the group can be used, \c 0 otherwise
135+ */
136+ int mbedtls_ecdsa_can_do ( mbedtls_ecp_group_id gid );
137+
128138/**
129139 * \brief This function computes the ECDSA signature of a
130140 * previously-hashed message.
@@ -166,6 +176,12 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
166176 int (* f_rng )(void * , unsigned char * , size_t ), void * p_rng );
167177
168178#if defined(MBEDTLS_ECDSA_DETERMINISTIC )
179+ #if ! defined(MBEDTLS_DEPRECATED_REMOVED )
180+ #if defined(MBEDTLS_DEPRECATED_WARNING )
181+ #define MBEDTLS_DEPRECATED __attribute__((deprecated))
182+ #else
183+ #define MBEDTLS_DEPRECATED
184+ #endif
169185/**
170186 * \brief This function computes the ECDSA signature of a
171187 * previously-hashed message, deterministic version.
@@ -180,6 +196,19 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
180196 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
181197 * 4.1.3, step 5.
182198 *
199+ * \warning Since the output of the internal RNG is always the same for
200+ * the same key and message, this limits the efficiency of
201+ * blinding and leaks information through side channels. For
202+ * secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
203+ *
204+ * (Optimally the blinding is a random value that is different
205+ * on every execution. In this case the blinding is still
206+ * random from the attackers perspective, but is the same on
207+ * each execution. This means that this blinding does not
208+ * prevent attackers from recovering secrets by combining
209+ * several measurement traces, but may prevent some attacks
210+ * that exploit relationships between secret data.)
211+ *
183212 * \see ecp.h
184213 *
185214 * \param grp The context for the elliptic curve to use.
@@ -204,7 +233,55 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
204233int mbedtls_ecdsa_sign_det ( mbedtls_ecp_group * grp , mbedtls_mpi * r ,
205234 mbedtls_mpi * s , const mbedtls_mpi * d ,
206235 const unsigned char * buf , size_t blen ,
207- mbedtls_md_type_t md_alg );
236+ mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED ;
237+ #undef MBEDTLS_DEPRECATED
238+ #endif /* MBEDTLS_DEPRECATED_REMOVED */
239+
240+ /**
241+ * \brief This function computes the ECDSA signature of a
242+ * previously-hashed message, deterministic version.
243+ *
244+ * For more information, see <em>RFC-6979: Deterministic
245+ * Usage of the Digital Signature Algorithm (DSA) and Elliptic
246+ * Curve Digital Signature Algorithm (ECDSA)</em>.
247+ *
248+ * \note If the bitlength of the message hash is larger than the
249+ * bitlength of the group order, then the hash is truncated as
250+ * defined in <em>Standards for Efficient Cryptography Group
251+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
252+ * 4.1.3, step 5.
253+ *
254+ * \see ecp.h
255+ *
256+ * \param grp The context for the elliptic curve to use.
257+ * This must be initialized and have group parameters
258+ * set, for example through mbedtls_ecp_group_load().
259+ * \param r The MPI context in which to store the first part
260+ * the signature. This must be initialized.
261+ * \param s The MPI context in which to store the second part
262+ * the signature. This must be initialized.
263+ * \param d The private signing key. This must be initialized
264+ * and setup, for example through mbedtls_ecp_gen_privkey().
265+ * \param buf The hashed content to be signed. This must be a readable
266+ * buffer of length \p blen Bytes. It may be \c NULL if
267+ * \p blen is zero.
268+ * \param blen The length of \p buf in Bytes.
269+ * \param md_alg The hash algorithm used to hash the original data.
270+ * \param f_rng_blind The RNG function used for blinding. This must not be
271+ * \c NULL.
272+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
273+ * \c NULL if \p f_rng doesn't need a context parameter.
274+ *
275+ * \return \c 0 on success.
276+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
277+ * error code on failure.
278+ */
279+ int mbedtls_ecdsa_sign_det_ext ( mbedtls_ecp_group * grp , mbedtls_mpi * r ,
280+ mbedtls_mpi * s , const mbedtls_mpi * d ,
281+ const unsigned char * buf , size_t blen ,
282+ mbedtls_md_type_t md_alg ,
283+ int (* f_rng_blind )(void * , unsigned char * , size_t ),
284+ void * p_rng_blind );
208285#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
209286
210287/**
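Review bot: In the new mbedtls_ecdsa_sign_det_ext() documentation the `\param p_rng_blind` description refers to `\p f_rng` twice, but the RNG parameter of this prototype is `f_rng_blind`, so the cross-reference names a parameter that does not exist in this declaration. I would change the two lines to ` * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be` and ` *                   \c NULL if \p f_rng_blind doesn't need a context parameter.` The `\param r` and `\param s` descriptions also read "first part the signature" / "second part the signature", missing "of" (probably inherited from the older declaration, so both copies would want the fix). Since the `\warning` added on the deprecated variant explains that blinding only helps while the RNG output is unpredictable, a short `\note` on `f_rng_blind` stating that the side-channel protection depends on it returning fresh, unpredictable output on every call would make that expectation explicit for callers of the new function.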
@@ -283,7 +360,8 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
283360 * the signature written. Must not be \c NULL.
284361 * \param f_rng The RNG function. This must not be \c NULL if
285362 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
286- * it is unused and may be set to \c NULL.
363+ * it is used only for blinding and may be set to \c NULL, but
364+ * doing so is DEPRECATED.
287365 * \param p_rng The RNG context to be passed to \p f_rng. This may be
288366 * \c NULL if \p f_rng is \c NULL or doesn't use a context.
289367 *