/* * PSA PAKE layer on top of Mbed TLS software crypto */ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "common.h" #if defined(MBEDTLS_PSA_CRYPTO_C) #include #include "psa_crypto_core.h" #include "psa_crypto_slot_management.h" #include #include #include #include #include /* * State sequence: * * psa_pake_setup() * | * |-- In any order: * | | psa_pake_set_password_key() * | | psa_pake_set_user() * | | psa_pake_set_peer() * | | psa_pake_set_role() * | * |--- In any order: (First round input before or after first round output) * | | * | |------ In Order * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) * | | * | |------ In Order: * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) * | * |--- In any order: (Second round input before or after second round output) * | | * | |------ In Order * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) * | | * | |------ In Order: * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) * | * psa_pake_get_implicit_key() * psa_pake_abort() */ enum psa_pake_step { PSA_PAKE_STEP_INVALID = 0, PSA_PAKE_STEP_X1_X2 = 1, PSA_PAKE_STEP_X2S = 2, PSA_PAKE_STEP_DERIVE = 3, }; enum psa_pake_state { PSA_PAKE_STATE_INVALID = 0, PSA_PAKE_STATE_SETUP = 1, PSA_PAKE_STATE_READY = 2, PSA_PAKE_OUTPUT_X1_X2 = 3, PSA_PAKE_OUTPUT_X2S = 4, PSA_PAKE_INPUT_X1_X2 = 5, PSA_PAKE_INPUT_X4S = 6, }; /* * The first PAKE step shares the same sequences of the second PAKE step * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs. * It's simpler to share the same sequences numbers of the first * set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs in both PAKE steps. * * State sequence with step, state & sequence enums: * => Input & Output Step = PSA_PAKE_STEP_INVALID * => state = PSA_PAKE_STATE_INVALID * psa_pake_setup() * => Input & Output Step = PSA_PAKE_STEP_X1_X2 * => state = PSA_PAKE_STATE_SETUP * => sequence = PSA_PAKE_SEQ_INVALID * | * |--- In any order: (First round input before or after first round output) * | | First call of psa_pake_output() or psa_pake_input() sets * | | state = PSA_PAKE_STATE_READY * | | * | |------ In Order: => state = PSA_PAKE_OUTPUT_X1_X2 * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF * | | | => state = PSA_PAKE_STATE_READY * | | | => sequence = PSA_PAKE_SEQ_INVALID * | | | => Output Step = PSA_PAKE_STEP_X2S * | | * | |------ In Order: => state = PSA_PAKE_INPUT_X1_X2 * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF * | | | => state = PSA_PAKE_STATE_READY * | | | => sequence = PSA_PAKE_SEQ_INVALID * | | | => Output Step = PSA_PAKE_INPUT_X4S * | * |--- In any order: (Second round input before or after second round output) * | | * | |------ In Order: => state = PSA_PAKE_OUTPUT_X2S * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF * | | | => state = PSA_PAKE_STATE_READY * | | | => sequence = PSA_PAKE_SEQ_INVALID * | | | => Output Step = PSA_PAKE_STEP_DERIVE * | | * | |------ In Order: => state = PSA_PAKE_INPUT_X4S * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF * | | | => state = PSA_PAKE_STATE_READY * | | | => sequence = PSA_PAKE_SEQ_INVALID * | | | => Output Step = PSA_PAKE_STEP_DERIVE * | * psa_pake_get_implicit_key() * => Input & Output Step = PSA_PAKE_STEP_INVALID */ enum psa_pake_sequence { PSA_PAKE_SEQ_INVALID = 0, PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ PSA_PAKE_X2_STEP_KEY_SHARE = 4, PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, PSA_PAKE_X2_STEP_ZK_PROOF = 6, PSA_PAKE_SEQ_END = 7, }; #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t mbedtls_ecjpake_to_psa_error( int ret ) { switch( ret ) { case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: case MBEDTLS_ERR_ECP_INVALID_KEY: case MBEDTLS_ERR_ECP_VERIFY_FAILED: return( PSA_ERROR_DATA_INVALID ); case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: return( PSA_ERROR_BUFFER_TOO_SMALL ); case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: return( PSA_ERROR_NOT_SUPPORTED ); case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: return( PSA_ERROR_CORRUPTION_DETECTED ); default: return( PSA_ERROR_GENERIC_ERROR ); } } #endif #if defined(MBEDTLS_PSA_BUILTIN_PAKE) psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { /* A context must be freshly initialized before it can be set up. */ if( operation->alg != PSA_ALG_NONE ) return( PSA_ERROR_BAD_STATE ); if( cipher_suite == NULL || PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 || ( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) || PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 ) { return( PSA_ERROR_INVALID_ARGUMENT ); } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if( cipher_suite->algorithm == PSA_ALG_JPAKE ) { if( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC || cipher_suite->family != PSA_ECC_FAMILY_SECP_R1 || cipher_suite->bits != 256 || cipher_suite->hash != PSA_ALG_SHA_256 ) { return( PSA_ERROR_NOT_SUPPORTED ); } operation->alg = cipher_suite->algorithm; mbedtls_ecjpake_init( &operation->ctx.ecjpake ); operation->state = PSA_PAKE_STATE_SETUP; operation->sequence = PSA_PAKE_SEQ_INVALID; operation->input_step = PSA_PAKE_STEP_X1_X2; operation->output_step = PSA_PAKE_STEP_X1_X2; mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; return( PSA_SUCCESS ); } else #endif return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, mbedtls_svc_key_id_t password ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = psa_key_attributes_init(); psa_key_type_t type; psa_key_usage_t usage; psa_key_slot_t *slot = NULL; if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { return( PSA_ERROR_BAD_STATE ); } status = psa_get_key_attributes( password, &attributes ); if( status != PSA_SUCCESS ) return( status ); type = psa_get_key_type( &attributes ); usage = psa_get_key_usage_flags( &attributes ); psa_reset_key_attributes( &attributes ); if( type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH ) { return( PSA_ERROR_INVALID_ARGUMENT ); } if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) return( PSA_ERROR_NOT_PERMITTED ); if( operation->password != NULL ) return( PSA_ERROR_BAD_STATE ); status = psa_get_and_lock_key_slot_with_policy( password, &slot, PSA_KEY_USAGE_DERIVE, PSA_ALG_JPAKE ); if( status != PSA_SUCCESS ) return( status ); operation->password = mbedtls_calloc( 1, slot->key.bytes ); if( operation->password == NULL ) { psa_unlock_key_slot( slot ); return( PSA_ERROR_INSUFFICIENT_MEMORY ); } memcpy( operation->password, slot->key.data, slot->key.bytes ); operation->password_len = slot->key.bytes; status = psa_unlock_key_slot( slot ); if( status != PSA_SUCCESS ) return( status ); return( PSA_SUCCESS ); } psa_status_t psa_pake_set_user( psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len ) { if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { return( PSA_ERROR_BAD_STATE ); } if( user_id_len == 0 || user_id == NULL ) return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len ) { if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { return( PSA_ERROR_BAD_STATE ); } if( peer_id_len == 0 || peer_id == NULL ) return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role ) { if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { return( PSA_ERROR_BAD_STATE ); } if( role != PSA_PAKE_ROLE_NONE && role != PSA_PAKE_ROLE_FIRST && role != PSA_PAKE_ROLE_SECOND && role != PSA_PAKE_ROLE_CLIENT && role != PSA_PAKE_ROLE_SERVER ) { return( PSA_ERROR_INVALID_ARGUMENT ); } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if( operation->alg == PSA_ALG_JPAKE ) { if( role != PSA_PAKE_ROLE_CLIENT && role != PSA_PAKE_ROLE_SERVER ) return( PSA_ERROR_NOT_SUPPORTED ); operation->role = role; return( PSA_SUCCESS ); } else #endif return( PSA_ERROR_NOT_SUPPORTED ); } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecjpake_role role; if( operation->role == PSA_PAKE_ROLE_CLIENT ) role = MBEDTLS_ECJPAKE_CLIENT; else if( operation->role == PSA_PAKE_ROLE_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else return( PSA_ERROR_BAD_STATE ); if( operation->password_len == 0 ) return( PSA_ERROR_BAD_STATE ); ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake, role, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, operation->password, operation->password_len ); mbedtls_platform_zeroize( operation->password, operation->password_len ); mbedtls_free( operation->password ); operation->password = NULL; operation->password_len = 0; if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); operation->state = PSA_PAKE_STATE_READY; return( PSA_SUCCESS ); } #endif static psa_status_t psa_pake_output_internal( psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t length; if( operation->alg == PSA_ALG_NONE || operation->state == PSA_PAKE_STATE_INVALID ) return( PSA_ERROR_BAD_STATE ); if( output == NULL || output_size == 0 || output_length == NULL ) return( PSA_ERROR_INVALID_ARGUMENT ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different * handling of output sequencing. * * The MbedTLS JPAKE API outputs the whole X1+X2 and X2S steps data * at once, on the other side the PSA CRYPTO PAKE api requires * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be * retrieved in sequence. * * In order to achieve API compatibility, the whole X1+X2 or X2S steps * data is stored in an intermediate buffer at first step output call, * and data is sliced down by parsing the ECPoint records in order * to return the right parts on each step. */ if( operation->alg == PSA_ALG_JPAKE ) { if( step != PSA_PAKE_STEP_KEY_SHARE && step != PSA_PAKE_STEP_ZK_PUBLIC && step != PSA_PAKE_STEP_ZK_PROOF ) return( PSA_ERROR_INVALID_ARGUMENT ); if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) return( status ); } if( operation->state != PSA_PAKE_STATE_READY && operation->state != PSA_PAKE_OUTPUT_X1_X2 && operation->state != PSA_PAKE_OUTPUT_X2S ) { return( PSA_ERROR_BAD_STATE ); } if( operation->state == PSA_PAKE_STATE_READY ) { if( step != PSA_PAKE_STEP_KEY_SHARE ) return( PSA_ERROR_BAD_STATE ); switch( operation->output_step ) { case PSA_PAKE_STEP_X1_X2: operation->state = PSA_PAKE_OUTPUT_X1_X2; break; case PSA_PAKE_STEP_X2S: operation->state = PSA_PAKE_OUTPUT_X2S; break; default: return( PSA_ERROR_BAD_STATE ); } operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; } /* Check if step matches current sequence */ switch( operation->sequence ) { case PSA_PAKE_X1_STEP_KEY_SHARE: case PSA_PAKE_X2_STEP_KEY_SHARE: if( step != PSA_PAKE_STEP_KEY_SHARE ) return( PSA_ERROR_BAD_STATE ); break; case PSA_PAKE_X1_STEP_ZK_PUBLIC: case PSA_PAKE_X2_STEP_ZK_PUBLIC: if( step != PSA_PAKE_STEP_ZK_PUBLIC ) return( PSA_ERROR_BAD_STATE ); break; case PSA_PAKE_X1_STEP_ZK_PROOF: case PSA_PAKE_X2_STEP_ZK_PROOF: if( step != PSA_PAKE_STEP_ZK_PROOF ) return( PSA_ERROR_BAD_STATE ); break; default: return( PSA_ERROR_BAD_STATE ); } /* Initialize & write round on KEY_SHARE sequences */ if( operation->state == PSA_PAKE_OUTPUT_X1_X2 && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE ) { ret = mbedtls_ecjpake_write_round_one( &operation->ctx.ecjpake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); operation->buffer_offset = 0; } else if( operation->state == PSA_PAKE_OUTPUT_X2S && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE ) { ret = mbedtls_ecjpake_write_round_two( &operation->ctx.ecjpake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); operation->buffer_offset = 0; } /* * mbedtls_ecjpake_write_round_xxx() outputs thing in the format * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is * that the data for each step is prepended with a length byte, and * then they're concatenated. Additionally, the server's second round * output is prepended with a 3-bytes ECParameters structure. * * In PSA, we output each step separately, and don't prepend the * output with a length byte, even less a curve identifier, as that * information is already available. */ if( operation->state == PSA_PAKE_OUTPUT_X2S && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_SERVER ) { /* Skip ECParameters, with is 3 bytes (RFC 8422) */ operation->buffer_offset += 3; } /* Read the length byte then move past it to the data */ length = operation->buffer[operation->buffer_offset]; operation->buffer_offset += 1; if( operation->buffer_offset + length > operation->buffer_length ) return( PSA_ERROR_DATA_CORRUPT ); if( output_size < length ) return( PSA_ERROR_BUFFER_TOO_SMALL ); memcpy( output, operation->buffer + operation->buffer_offset, length ); *output_length = length; operation->buffer_offset += length; /* Reset buffer after ZK_PROOF sequence */ if( ( operation->state == PSA_PAKE_OUTPUT_X1_X2 && operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) || ( operation->state == PSA_PAKE_OUTPUT_X2S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) ) { mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; operation->state = PSA_PAKE_STATE_READY; operation->output_step++; operation->sequence = PSA_PAKE_SEQ_INVALID; } else operation->sequence++; return( PSA_SUCCESS ); } else #endif return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length ) { psa_status_t status = psa_pake_output_internal( operation, step, output, output_size, output_length ); if( status != PSA_SUCCESS ) psa_pake_abort( operation ); return( status ); } static psa_status_t psa_pake_input_internal( psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if( operation->alg == PSA_ALG_NONE || operation->state == PSA_PAKE_STATE_INVALID ) return( PSA_ERROR_BAD_STATE ); if( input == NULL || input_length == 0 ) return( PSA_ERROR_INVALID_ARGUMENT ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different * handling of input sequencing. * * The MbedTLS JPAKE API takes the whole X1+X2 or X4S steps data * at once as input, on the other side the PSA CRYPTO PAKE api requires * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be * given in sequence. * * In order to achieve API compatibility, each X1+X2 or X4S step data * is stored sequentially in an intermediate buffer and given to the * MbedTLS JPAKE API on the last step. * * This causes any input error to be only detected on the last step. */ if( operation->alg == PSA_ALG_JPAKE ) { if( step != PSA_PAKE_STEP_KEY_SHARE && step != PSA_PAKE_STEP_ZK_PUBLIC && step != PSA_PAKE_STEP_ZK_PROOF ) return( PSA_ERROR_INVALID_ARGUMENT ); const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256 ); if( input_length > (size_t) PSA_PAKE_INPUT_SIZE( PSA_ALG_JPAKE, prim, step ) ) return( PSA_ERROR_INVALID_ARGUMENT ); if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) return( status ); } if( operation->state != PSA_PAKE_STATE_READY && operation->state != PSA_PAKE_INPUT_X1_X2 && operation->state != PSA_PAKE_INPUT_X4S ) { return( PSA_ERROR_BAD_STATE ); } if( operation->state == PSA_PAKE_STATE_READY ) { if( step != PSA_PAKE_STEP_KEY_SHARE ) return( PSA_ERROR_BAD_STATE ); switch( operation->input_step ) { case PSA_PAKE_STEP_X1_X2: operation->state = PSA_PAKE_INPUT_X1_X2; break; case PSA_PAKE_STEP_X2S: operation->state = PSA_PAKE_INPUT_X4S; break; default: return( PSA_ERROR_BAD_STATE ); } operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; } /* Check if step matches current sequence */ switch( operation->sequence ) { case PSA_PAKE_X1_STEP_KEY_SHARE: case PSA_PAKE_X2_STEP_KEY_SHARE: if( step != PSA_PAKE_STEP_KEY_SHARE ) return( PSA_ERROR_BAD_STATE ); break; case PSA_PAKE_X1_STEP_ZK_PUBLIC: case PSA_PAKE_X2_STEP_ZK_PUBLIC: if( step != PSA_PAKE_STEP_ZK_PUBLIC ) return( PSA_ERROR_BAD_STATE ); break; case PSA_PAKE_X1_STEP_ZK_PROOF: case PSA_PAKE_X2_STEP_ZK_PROOF: if( step != PSA_PAKE_STEP_ZK_PROOF ) return( PSA_ERROR_BAD_STATE ); break; default: return( PSA_ERROR_BAD_STATE ); } /* * Copy input to local buffer and format it as the Mbed TLS API * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. * The summary is that the data for each step is prepended with a * length byte, and then they're concatenated. Additionally, the * server's second round output is prepended with a 3-bytes * ECParameters structure - which means we have to prepend that when * we're a client. */ if( operation->state == PSA_PAKE_INPUT_X4S && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_CLIENT ) { /* We only support secp256r1. */ /* This is the ECParameters structure defined by RFC 8422. */ unsigned char ecparameters[3] = { 3, /* named_curve */ 0, 23 /* secp256r1 */ }; memcpy( operation->buffer + operation->buffer_length, ecparameters, sizeof( ecparameters ) ); operation->buffer_length += sizeof( ecparameters ); } /* Write the length byte */ operation->buffer[operation->buffer_length] = (uint8_t) input_length; operation->buffer_length += 1; /* Finally copy the data */ memcpy( operation->buffer + operation->buffer_length, input, input_length ); operation->buffer_length += input_length; /* Load buffer at each last round ZK_PROOF */ if( operation->state == PSA_PAKE_INPUT_X1_X2 && operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) { ret = mbedtls_ecjpake_read_round_one( &operation->ctx.ecjpake, operation->buffer, operation->buffer_length ); mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); } else if( operation->state == PSA_PAKE_INPUT_X4S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) { ret = mbedtls_ecjpake_read_round_two( &operation->ctx.ecjpake, operation->buffer, operation->buffer_length ); mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); } if( ( operation->state == PSA_PAKE_INPUT_X1_X2 && operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) || ( operation->state == PSA_PAKE_INPUT_X4S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) ) { operation->state = PSA_PAKE_STATE_READY; operation->input_step++; operation->sequence = PSA_PAKE_SEQ_INVALID; } else operation->sequence++; return( PSA_SUCCESS ); } else #endif return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length ) { psa_status_t status = psa_pake_input_internal( operation, step, input, input_length ); if( status != PSA_SUCCESS ) psa_pake_abort( operation ); return( status ); } psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_READY || operation->input_step != PSA_PAKE_STEP_DERIVE || operation->output_step != PSA_PAKE_STEP_DERIVE ) return( PSA_ERROR_BAD_STATE ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if( operation->alg == PSA_ALG_JPAKE ) { ret = mbedtls_ecjpake_write_shared_key( &operation->ctx.ecjpake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); if( ret != 0) { psa_pake_abort( operation ); return( mbedtls_ecjpake_to_psa_error( ret ) ); } status = psa_key_derivation_input_bytes( output, PSA_KEY_DERIVATION_INPUT_SECRET, operation->buffer, operation->buffer_length ); mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); psa_pake_abort( operation ); return( status ); } else #endif return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_pake_abort(psa_pake_operation_t * operation) { if( operation->alg == PSA_ALG_NONE ) { return( PSA_SUCCESS ); } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if( operation->alg == PSA_ALG_JPAKE ) { operation->input_step = PSA_PAKE_STEP_INVALID; operation->output_step = PSA_PAKE_STEP_INVALID; if( operation->password_len > 0 ) mbedtls_platform_zeroize( operation->password, operation->password_len ); mbedtls_free( operation->password ); operation->password = NULL; operation->password_len = 0; operation->role = PSA_PAKE_ROLE_NONE; mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; mbedtls_ecjpake_free( &operation->ctx.ecjpake ); } #endif operation->alg = PSA_ALG_NONE; operation->state = PSA_PAKE_STATE_INVALID; operation->sequence = PSA_PAKE_SEQ_INVALID; return( PSA_SUCCESS ); } #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #endif /* MBEDTLS_PSA_CRYPTO_C */