API documentation

API reference for the mbed TLS glue layer.

mbed TLS glue layer

group mbedcrypto_glue

nrf_security mbedcrypto glue library containing glue functionality for mbedcrypto APIs when using multiple backends.

mbedcrypto AES glue

group mbedcrypto_glue_aes

Glue layer for mbedcrypto AES APIs, including typedefs for backend API abstraction.

mbedcrypto AES CCM glue

group mbedcrypto_glue_aes_ccm

Glue layer for mbedcrypto AES CCM APIs, including typedefs for backend API abstraction.

Defines

CC3XX_MBEDTLS_CCM_CONTEXT_WORDS

Context size of AES CCM in words in the mbed_cc3xx_mbedcrypto library.

OBERON_MBEDTLS_CCM_CONTEXT_WORDS
VANILLA_MBEDTLS_CCM_CONTEXT_WORDS

mbedcrypto DHM glue

group mbedcrypto_glue_dhm

This is a glue layer for mbedcrypto DHM APIs, including typedefs for backend API abstraction.

mbedcrypto ECDH glue

group mbedcrypto_glue_ecdh

Glue layer for mbedcrypto ECDH APIs, including typedefs for backend API abstraction.

Defines

MBEDTLS_ECDH_GEN_PUBLIC_FUNCTION

Macro definition to identify an ECDH generate public functionality.

MBEDTLS_ECDH_COMPUTE_SHARED_FUNCTION

Macro definition to identify an ECDH compute shared secret functionality.

Typedefs

typedef int (*mbedtls_ecdh_check_fn)(mbedtls_ecp_group *grp, int function)

Function pointer to check if the backend supports ECDH, depending on the given ECP group.

The value returned by the backend implementing this function pointer is dynamically checked. If the return value is 0, then the backend does not support the ECC curve. If the value is positive, then the backend with the highest value is selected (priority based).

Parameters
  • grp[in] ECP group.

  • function[in] Reserved type, currently not in use.

Returns

0 if the ECDH functionality is not supported, otherwise a priority where higher is better.

typedef int (*mbedtls_ecdh_gen_public_fn)(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

Function pointer to generate an ECDH key pair.

This function pointer has a signature equal to mbedtls_ecdh_gen_public.

Parameters
  • grp[in] Pointer to the MPI of the ECP group.

  • d[out] Pointer to the destination MPI for private key. Must be initialized.

  • Q[out] Pointer to the destination public key. Must be initialized.

  • f_rng[in] RNG function.

  • p_rng[inout] RNG context.

Returns

0 if operation was successful, otherwise a negative value corresponding to the error.

typedef int (*mbedtls_ecdh_compute_shared_fn)(mbedtls_ecp_group *grp, mbedtls_mpi *z, const mbedtls_ecp_point *Q, const mbedtls_mpi *d, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

Function pointer to generate an ECDH shared secret.

This function pointer has a signature equal to mbedtls_ecdh_compute_shared.

Note

Note that f_rng may be NULL if randomization of intermediate result is not needed.

Parameters
  • grp[in] Pointer to the MPI of the ECP group.

  • z[out] Pointer to the destination MPI for shared secret. Must be initialized.

  • Q[in] Pointer to a public key from another party. Must be initialized.

  • d[in] Pointer to a local private key. Must be initialized.

  • f_rng[in] RNG function.

  • p_rng[inout] RNG context.

Returns

0 if operation was successful, otherwise a negative value corresponding to the error.

struct mbedtls_ecdh_funcs
#include <backend_ecdh.h>

Structure type holding the ECDH calling interface for a backend.

The backend must provide an instance of this structure to enable mbedcrypto glue functionality.

Public Members

mbedtls_ecdh_check_fn check

Check for ECDH support in the backend.

mbedtls_ecdh_gen_public_fn gen_public

Generate ECDH key pair.

mbedtls_ecdh_compute_shared_fn compute_shared

Calculate ECDH shared secret.

mbedcrypto ECDSA glue

group mbedcrypto_glue_ecdsa

Glue layer for mbedcrypto ECDSA APIs, including typedefs for backend API abstraction.

Defines

MBEDTLS_ECDSA_SIGN_FUNCTION

Macro definition to identify an ECDSA sign function.

MBEDTLS_ECDSA_VERIFY_FUNCTION

Macro definition to identify an ECDSA verify function.

MBEDTLS_ECDSA_GENKEY_FUNCTION

Macro definition to identify an ECDSA generate key pair function.

Typedefs

typedef int (*mbedtls_ecdsa_check_fn)(mbedtls_ecp_group *grp, mbedtls_ecp_group_id gid, int function)

Function pointer to check if the backend supports ECDSA, depending on the given group and curve type.

The value returned by the backend implementing this function pointer is dynamically checked. If the return value is 0, then the backend does not support the ECC curve. If the value is positive, then the backend with the highest value is selected (priority based).

Parameters
  • grp[in] ECP group. If NULL, gid is used instead.

  • gid[in] Curve type, might be overridden by grp.

  • function[in] Reserved type, currently not in use.

Returns

0 if the ECDSA functionality is not supported, otherwise a priority where higher is better.

typedef int (*mbedtls_ecdsa_sign_fn)(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

Function pointer to sign a hash using ECDSA.

This function pointer has a signature equal to mbedtls_ecdsa_sign.

Parameters
  • grp[in] Pointer to an ECP group.

  • r[out] Pointer to the MPI context to store the first part of the signature. Must be initialized.

  • s[out] Pointer to the MPI context to store the second part of the signature. Must be initialized.

  • d[in] Pointer to the MPI holding the private signing key.

  • buf[in] Pointer to the buffer holding the hash to be signed.

  • blen[in] Length of the buffer to sign.

  • f_rng[in] RNG function.

  • p_rng[inout] RNG context.

Returns

0 if operation was successful, otherwise a negative value corresponding to the error.

typedef int (*mbedtls_ecdsa_verify_fn)(mbedtls_ecp_group *grp, const unsigned char *buf, size_t blen, const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)

Function pointer to verify a hash using ECDSA.

This function pointer has a signature equal to mbedtls_ecdsa_verify.

Parameters
  • grp[in] Pointer to an ECP group.

  • buf[in] Pointer to the buffer holding the hash to be verified.

  • blen[in] Length of the buffer to verify.

  • Q[in] Pointer to the ECP point used for verification (the public key).

  • r[in] Pointer to the MPI holding the first part of the signature. Must be initialized.

  • s[in] Pointer to the MPI holding the second part of the signature. Must be initialized.

Returns

0 if operation was successful, otherwise a negative value corresponding to the error.

typedef int (*mbedtls_ecdsa_genkey_fn)(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int (*f_rng)(void*, unsigned char*, size_t), void *p_rng)

Function pointer to generate an ECDSA key pair.

This function pointer has a signature equal to mbedtls_ecdsa_genkey.

Parameters
  • ctx[inout] Pointer to the ECDSA context to store the keypair in. Must be initialized.

  • gid[in] Curve type.

  • f_rng[in] RNG function.

  • p_rng[inout] RNG context.

Returns

0 if operation was successful, otherwise a negative value corresponding to the error.

struct mbedtls_ecdsa_funcs
#include <backend_ecdsa.h>

Structure type holding the ECDSA calling interface for a backend.

The backend must provide an instance of this structure to enable mbedcrypto glue functionality.

Public Members

mbedtls_ecdsa_check_fn check

Check for ECDSA support in the backend.

mbedtls_ecdsa_sign_fn sign

Create a signature using ECDSA.

mbedtls_ecdsa_verify_fn verify

Verify a signature using ECDSA.

mbedtls_ecdsa_genkey_fn genkey

Generate ECDSA key pair.
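
The priority rule described for the ECDSA and ECDH check function pointers, as an added example that is not nrf_security code. It uses the ECDSA form of the check (the ECDH check has the same contract without gid); the demo_ types and names are stand-in assumptions for the mbed TLS types, and the two backends and their priorities are constructed.

```c
#include <stddef.h>

/* Stand-ins for the mbed TLS types (assumptions); real code uses <mbedtls/ecp.h>. */
typedef enum { DEMO_NONE, DEMO_SECP256R1, DEMO_SECP521R1, DEMO_BP256R1 } demo_group_id;
typedef struct { demo_group_id id; } demo_ecp_group;

/* Same shape as mbedtls_ecdsa_check_fn: 0 = unsupported, >0 = priority. */
typedef int (*demo_check_fn)(demo_ecp_group *grp, demo_group_id gid, int function);
/* Reduced mbedtls_ecdsa_funcs: only the check member; name is hypothetical. */
typedef struct { const char *name; demo_check_fn check; } demo_ecdsa_funcs;

/* grp, when given, takes precedence over gid (see the parameter notes). */
static demo_group_id curve_of(const demo_ecp_group *grp, demo_group_id gid)
{
    return grp != NULL ? grp->id : gid;
}

/* Constructed backends: hardware limited to P-256, software covering more. */
static int hw_check(demo_ecp_group *grp, demo_group_id gid, int function)
{
    (void)function; /* reserved, currently not in use */
    return curve_of(grp, gid) == DEMO_SECP256R1 ? 3 : 0;
}

static int sw_check(demo_ecp_group *grp, demo_group_id gid, int function)
{
    demo_group_id id = curve_of(grp, gid);
    (void)function;
    return (id == DEMO_SECP256R1 || id == DEMO_SECP521R1) ? 1 : 0;
}

static const demo_ecdsa_funcs hw_backend = { "hw", hw_check };
static const demo_ecdsa_funcs sw_backend = { "sw", sw_check };
static const demo_ecdsa_funcs *const backends[] = { &sw_backend, &hw_backend };

/* Highest positive priority wins. NULL means no backend supports the curve;
 * in this example the caller treats that as an error, not as "use a default". */
const demo_ecdsa_funcs *demo_select_ecdsa(demo_ecp_group *grp, demo_group_id gid)
{
    const demo_ecdsa_funcs *best = NULL;
    int best_prio = 0;
    for (size_t i = 0; i < sizeof backends / sizeof backends[0]; i++) {
        int prio = backends[i]->check ? backends[i]->check(grp, gid, 0) : 0;
        if (prio > best_prio) { /* 0 and negative values never win */
            best_prio = prio;
            best = backends[i];
        }
    }
    return best;
}
```

Registration order does not affect the result here: the software backend is listed first, yet P-256 still resolves to the hardware backend because its check returns the higher value.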

mbedcrypto RSA glue

group mbedcrypto_glue_rsa

Glue layer for mbedcrypto RSA APIs, including typedefs for backend API abstraction.

Defines

CC3XX_MBEDTLS_RSA_CONTEXT_WORDS

Context size in words in the nrf_cc3xx_mbedcrypto library.

VANILLA_MBEDTLS_RSA_CONTEXT_WORDS

Context size in words in standard mbed TLS.