33 #define ID_MINE     (ecjpake_id[ctx->role])
34 #define ID_PEER     (ecjpake_id[1 - ctx->role])
50 void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)  in mbedtls_ecjpake_init()  argument
52     ctx->md_type = MBEDTLS_MD_NONE;  in mbedtls_ecjpake_init()
53     mbedtls_ecp_group_init(&ctx->grp);  in mbedtls_ecjpake_init()
54     ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;  in mbedtls_ecjpake_init()
56     mbedtls_ecp_point_init(&ctx->Xm1);  in mbedtls_ecjpake_init()
57     mbedtls_ecp_point_init(&ctx->Xm2);  in mbedtls_ecjpake_init()
58     mbedtls_ecp_point_init(&ctx->Xp1);  in mbedtls_ecjpake_init()
59     mbedtls_ecp_point_init(&ctx->Xp2);  in mbedtls_ecjpake_init()
60     mbedtls_ecp_point_init(&ctx->Xp);  in mbedtls_ecjpake_init()
62     mbedtls_mpi_init(&ctx->xm1);  in mbedtls_ecjpake_init()
63     mbedtls_mpi_init(&ctx->xm2);  in mbedtls_ecjpake_init()
64     mbedtls_mpi_init(&ctx->s);  in mbedtls_ecjpake_init()
70 void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)  in mbedtls_ecjpake_free()  argument
72     if (ctx == NULL) {  in mbedtls_ecjpake_free()
76     ctx->md_type = MBEDTLS_MD_NONE;  in mbedtls_ecjpake_free()
77     mbedtls_ecp_group_free(&ctx->grp);  in mbedtls_ecjpake_free()
79     mbedtls_ecp_point_free(&ctx->Xm1);  in mbedtls_ecjpake_free()
80     mbedtls_ecp_point_free(&ctx->Xm2);  in mbedtls_ecjpake_free()
81     mbedtls_ecp_point_free(&ctx->Xp1);  in mbedtls_ecjpake_free()
82     mbedtls_ecp_point_free(&ctx->Xp2);  in mbedtls_ecjpake_free()
83     mbedtls_ecp_point_free(&ctx->Xp);  in mbedtls_ecjpake_free()
85     mbedtls_mpi_free(&ctx->xm1);  in mbedtls_ecjpake_free()
86     mbedtls_mpi_free(&ctx->xm2);  in mbedtls_ecjpake_free()
87     mbedtls_mpi_free(&ctx->s);  in mbedtls_ecjpake_free()
93 int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_setup()  argument
106     ctx->role = role;  in mbedtls_ecjpake_setup()
112     ctx->md_type = hash;  in mbedtls_ecjpake_setup()
114     MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));  in mbedtls_ecjpake_setup()
116     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));  in mbedtls_ecjpake_setup()
120         mbedtls_ecjpake_free(ctx);  in mbedtls_ecjpake_setup()
126 int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_set_point_format()  argument
132             ctx->point_format = point_format;  in mbedtls_ecjpake_set_point_format()
142 int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)  in mbedtls_ecjpake_check()  argument
144     if (ctx->md_type == MBEDTLS_MD_NONE ||  in mbedtls_ecjpake_check()
145         ctx->grp.id == MBEDTLS_ECP_DP_NONE ||  in mbedtls_ecjpake_check()
146         ctx->s.p == NULL) {  in mbedtls_ecjpake_check()
516 int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_read_round_one()  argument
520     return ecjpake_kkpp_read(ctx->md_type, &ctx->grp, ctx->point_format,  in mbedtls_ecjpake_read_round_one()
521                              &ctx->grp.G,  in mbedtls_ecjpake_read_round_one()
522                              &ctx->Xp1, &ctx->Xp2, ID_PEER,  in mbedtls_ecjpake_read_round_one()
529 int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_write_round_one()  argument
534     return ecjpake_kkpp_write(ctx->md_type, &ctx->grp, ctx->point_format,  in mbedtls_ecjpake_write_round_one()
535                               &ctx->grp.G,  in mbedtls_ecjpake_write_round_one()
536                               &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,  in mbedtls_ecjpake_write_round_one()
566 int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_read_round_two()  argument
585     MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,  in mbedtls_ecjpake_read_round_two()
586                                      &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));  in mbedtls_ecjpake_read_round_two()
594     if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {  in mbedtls_ecjpake_read_round_two()
596         if (grp.id != ctx->grp.id) {  in mbedtls_ecjpake_read_round_two()
602     MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_type, &ctx->grp,  in mbedtls_ecjpake_read_round_two()
603                                      ctx->point_format,  in mbedtls_ecjpake_read_round_two()
604                                      &G, &ctx->Xp, ID_PEER, &p, end));  in mbedtls_ecjpake_read_round_two()
652 int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_write_round_two()  argument
676     MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,  in mbedtls_ecjpake_write_round_two()
677                                      &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));  in mbedtls_ecjpake_write_round_two()
678     MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,  in mbedtls_ecjpake_write_round_two()
679                                        &ctx->grp.N, f_rng, p_rng));  in mbedtls_ecjpake_write_round_two()
680     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));  in mbedtls_ecjpake_write_round_two()
690     if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {  in mbedtls_ecjpake_write_round_two()
695         MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,  in mbedtls_ecjpake_write_round_two()
704     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,  in mbedtls_ecjpake_write_round_two()
705                                                 ctx->point_format, &ec_len, p, (size_t) (end - p)));  in mbedtls_ecjpake_write_round_two()
708     MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_type, &ctx->grp,  in mbedtls_ecjpake_write_round_two()
709                                       ctx->point_format,  in mbedtls_ecjpake_write_round_two()
726 static int mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_derive_k()  argument
744     MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,  in mbedtls_ecjpake_derive_k()
745                                        &ctx->grp.N, f_rng, p_rng));  in mbedtls_ecjpake_derive_k()
746     MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, K,  in mbedtls_ecjpake_derive_k()
747                                        &one, &ctx->Xp,  in mbedtls_ecjpake_derive_k()
748                                        &m_xm2_s, &ctx->Xp2));  in mbedtls_ecjpake_derive_k()
749     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, K, &ctx->xm2, K,  in mbedtls_ecjpake_derive_k()
759 int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_derive_secret()  argument
769     *olen = mbedtls_md_get_size_from_type(ctx->md_type);  in mbedtls_ecjpake_derive_secret()
776     ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);  in mbedtls_ecjpake_derive_secret()
782     x_bytes = (ctx->grp.pbits + 7) / 8;  in mbedtls_ecjpake_derive_secret()
784     MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(ctx->md_type,  in mbedtls_ecjpake_derive_secret()
793 int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,  in mbedtls_ecjpake_write_shared_key()  argument
803     ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);  in mbedtls_ecjpake_write_shared_key()
808     ret = mbedtls_ecp_point_write_binary(&ctx->grp, &K, ctx->point_format,  in mbedtls_ecjpake_write_shared_key()
987 static int self_test_rng(void *ctx, unsigned char *out, size_t len)  in self_test_rng()  argument
991     (void) ctx;  in self_test_rng()
1002 static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,  in ecjpake_test_load()  argument
1008     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));  in ecjpake_test_load()
1009     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));  in ecjpake_test_load()
1010     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,  in ecjpake_test_load()
1011                                     &ctx->grp.G, self_test_rng, NULL));  in ecjpake_test_load()
1012     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,  in ecjpake_test_load()
1013                                     &ctx->grp.G, self_test_rng, NULL));  in ecjpake_test_load()