1 /**
2  * \file ecjpake.h
3  *
4  * \brief Elliptic curve J-PAKE
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_ECJPAKE_H
23 #define MBEDTLS_ECJPAKE_H
24 #include "mbedtls/private_access.h"
25 
26 /*
27  * J-PAKE is a password-authenticated key exchange that allows deriving a
28  * strong shared secret from a (potentially low entropy) pre-shared
29  * passphrase, with forward secrecy and mutual authentication.
30  * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
31  *
32  * This file implements the Elliptic Curve variant of J-PAKE,
33  * as defined in Chapter 7.4 of the Thread v1.0 Specification,
34  * available to members of the Thread Group http://threadgroup.org/
35  *
36  * As the J-PAKE algorithm is inherently symmetric, so is our API.
37  * Each party needs to send its first round message, in any order, to the
38  * other party, then each sends its second round message, in any order.
39  * The payloads are serialized in a way suitable for use in TLS, but could
40  * also be use outside TLS.
41  */
42 #include "mbedtls/build_info.h"
43 
44 #include "mbedtls/ecp.h"
45 #include "mbedtls/md.h"
46 
47 #ifdef __cplusplus
48 extern "C" {
49 #endif
50 
51 /**
52  * Roles in the EC J-PAKE exchange
53  */
54 typedef enum {
55     MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
56     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
57 } mbedtls_ecjpake_role;
58 
59 #if !defined(MBEDTLS_ECJPAKE_ALT)
60 /**
61  * EC J-PAKE context structure.
62  *
63  * J-PAKE is a symmetric protocol, except for the identifiers used in
64  * Zero-Knowledge Proofs, and the serialization of the second message
65  * (KeyExchange) as defined by the Thread spec.
66  *
67  * In order to benefit from this symmetry, we choose a different naming
68  * convention from the Thread v1.0 spec. Correspondence is indicated in the
69  * description as a pair C: client name, S: server name
70  */
71 typedef struct mbedtls_ecjpake_context
72 {
73     mbedtls_md_type_t MBEDTLS_PRIVATE(md_type);          /**< Hash to use                    */
74     mbedtls_ecp_group MBEDTLS_PRIVATE(grp);              /**< Elliptic curve                 */
75     mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);          /**< Are we client or server?       */
76     int MBEDTLS_PRIVATE(point_format);                   /**< Format for point export        */
77 
78     mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1);              /**< My public key 1   C: X1, S: X3 */
79     mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2);              /**< My public key 2   C: X2, S: X4 */
80     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1);              /**< Peer public key 1 C: X3, S: X1 */
81     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2);              /**< Peer public key 2 C: X4, S: X2 */
82     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp);               /**< Peer public key   C: Xs, S: Xc */
83 
84     mbedtls_mpi MBEDTLS_PRIVATE(xm1);                    /**< My private key 1  C: x1, S: x3 */
85     mbedtls_mpi MBEDTLS_PRIVATE(xm2);                    /**< My private key 2  C: x2, S: x4 */
86 
87     mbedtls_mpi MBEDTLS_PRIVATE(s);                      /**< Pre-shared secret (passphrase) */
88 } mbedtls_ecjpake_context;
89 
90 #else  /* MBEDTLS_ECJPAKE_ALT */
91 #include "ecjpake_alt.h"
92 #endif /* MBEDTLS_ECJPAKE_ALT */
93 
94 /**
95  * \brief           Initialize an ECJPAKE context.
96  *
97  * \param ctx       The ECJPAKE context to initialize.
98  *                  This must not be \c NULL.
99  */
100 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
101 
102 /**
103  * \brief           Set up an ECJPAKE context for use.
104  *
105  * \note            Currently the only values for hash/curve allowed by the
106  *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
107  *
108  * \param ctx       The ECJPAKE context to set up. This must be initialized.
109  * \param role      The role of the caller. This must be either
110  *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
111  * \param hash      The identifier of the hash function to use,
112  *                  for example #MBEDTLS_MD_SHA256.
113  * \param curve     The identifier of the elliptic curve to use,
114  *                  for example #MBEDTLS_ECP_DP_SECP256R1.
115  * \param secret    The pre-shared secret (passphrase). This must be
116  *                  a readable not empty buffer of length \p len Bytes. It need
117  *                  only be valid for the duration of this call.
118  * \param len       The length of the pre-shared secret \p secret.
119  *
120  * \return          \c 0 if successful.
121  * \return          A negative error code on failure.
122  */
123 int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
124                            mbedtls_ecjpake_role role,
125                            mbedtls_md_type_t hash,
126                            mbedtls_ecp_group_id curve,
127                            const unsigned char *secret,
128                            size_t len );
129 
130 /**
131  * \brief               Set the point format for future reads and writes.
132  *
133  * \param ctx           The ECJPAKE context to configure.
134  * \param point_format  The point format to use:
135  *                      #MBEDTLS_ECP_PF_UNCOMPRESSED (default)
136  *                      or #MBEDTLS_ECP_PF_COMPRESSED.
137  *
138  * \return              \c 0 if successful.
139  * \return              #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format
140  *                      is invalid.
141  */
142 int mbedtls_ecjpake_set_point_format( mbedtls_ecjpake_context *ctx,
143                                       int point_format );
144 
145 /**
146  * \brief           Check if an ECJPAKE context is ready for use.
147  *
148  * \param ctx       The ECJPAKE context to check. This must be
149  *                  initialized.
150  *
151  * \return          \c 0 if the context is ready for use.
152  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
153  */
154 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
155 
156 /**
157  * \brief           Generate and write the first round message
158  *                  (TLS: contents of the Client/ServerHello extension,
159  *                  excluding extension type and length bytes).
160  *
161  * \param ctx       The ECJPAKE context to use. This must be
162  *                  initialized and set up.
163  * \param buf       The buffer to write the contents to. This must be a
164  *                  writable buffer of length \p len Bytes.
165  * \param len       The length of \p buf in Bytes.
166  * \param olen      The address at which to store the total number
167  *                  of Bytes written to \p buf. This must not be \c NULL.
168  * \param f_rng     The RNG function to use. This must not be \c NULL.
169  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
170  *                  may be \c NULL if \p f_rng doesn't use a context.
171  *
172  * \return          \c 0 if successful.
173  * \return          A negative error code on failure.
174  */
175 int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
176                             unsigned char *buf, size_t len, size_t *olen,
177                             int (*f_rng)(void *, unsigned char *, size_t),
178                             void *p_rng );
179 
180 /**
181  * \brief           Read and process the first round message
182  *                  (TLS: contents of the Client/ServerHello extension,
183  *                  excluding extension type and length bytes).
184  *
185  * \param ctx       The ECJPAKE context to use. This must be initialized
186  *                  and set up.
187  * \param buf       The buffer holding the first round message. This must
188  *                  be a readable buffer of length \p len Bytes.
189  * \param len       The length in Bytes of \p buf.
190  *
191  * \return          \c 0 if successful.
192  * \return          A negative error code on failure.
193  */
194 int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
195                                     const unsigned char *buf,
196                                     size_t len );
197 
198 /**
199  * \brief           Generate and write the second round message
200  *                  (TLS: contents of the Client/ServerKeyExchange).
201  *
202  * \param ctx       The ECJPAKE context to use. This must be initialized,
203  *                  set up, and already have performed round one.
204  * \param buf       The buffer to write the round two contents to.
205  *                  This must be a writable buffer of length \p len Bytes.
206  * \param len       The size of \p buf in Bytes.
207  * \param olen      The address at which to store the total number of Bytes
208  *                  written to \p buf. This must not be \c NULL.
209  * \param f_rng     The RNG function to use. This must not be \c NULL.
210  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
211  *                  may be \c NULL if \p f_rng doesn't use a context.
212  *
213  * \return          \c 0 if successful.
214  * \return          A negative error code on failure.
215  */
216 int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
217                             unsigned char *buf, size_t len, size_t *olen,
218                             int (*f_rng)(void *, unsigned char *, size_t),
219                             void *p_rng );
220 
221 /**
222  * \brief           Read and process the second round message
223  *                  (TLS: contents of the Client/ServerKeyExchange).
224  *
225  * \param ctx       The ECJPAKE context to use. This must be initialized
226  *                  and set up and already have performed round one.
227  * \param buf       The buffer holding the second round message. This must
228  *                  be a readable buffer of length \p len Bytes.
229  * \param len       The length in Bytes of \p buf.
230  *
231  * \return          \c 0 if successful.
232  * \return          A negative error code on failure.
233  */
234 int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
235                                     const unsigned char *buf,
236                                     size_t len );
237 
238 /**
239  * \brief           Derive the shared secret
240  *                  (TLS: Pre-Master Secret).
241  *
242  * \param ctx       The ECJPAKE context to use. This must be initialized,
243  *                  set up and have performed both round one and two.
244  * \param buf       The buffer to write the derived secret to. This must
245  *                  be a writable buffer of length \p len Bytes.
246  * \param len       The length of \p buf in Bytes.
247  * \param olen      The address at which to store the total number of Bytes
248  *                  written to \p buf. This must not be \c NULL.
249  * \param f_rng     The RNG function to use. This must not be \c NULL.
250  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
251  *                  may be \c NULL if \p f_rng doesn't use a context.
252  *
253  * \return          \c 0 if successful.
254  * \return          A negative error code on failure.
255  */
256 int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
257                             unsigned char *buf, size_t len, size_t *olen,
258                             int (*f_rng)(void *, unsigned char *, size_t),
259                             void *p_rng );
260 
261 /**
262  * \brief           Write the shared key material to be passed to a Key
263  *                  Derivation Function as described in RFC8236.
264  *
265  * \param ctx       The ECJPAKE context to use. This must be initialized,
266  *                  set up and have performed both round one and two.
267  * \param buf       The buffer to write the derived secret to. This must
268  *                  be a writable buffer of length \p len Bytes.
269  * \param len       The length of \p buf in Bytes.
270  * \param olen      The address at which to store the total number of bytes
271  *                  written to \p buf. This must not be \c NULL.
272  * \param f_rng     The RNG function to use. This must not be \c NULL.
273  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
274  *                  may be \c NULL if \p f_rng doesn't use a context.
275  *
276  * \return          \c 0 if successful.
277  * \return          A negative error code on failure.
278  */
279 int mbedtls_ecjpake_write_shared_key( mbedtls_ecjpake_context *ctx,
280                             unsigned char *buf, size_t len, size_t *olen,
281                             int (*f_rng)(void *, unsigned char *, size_t),
282                             void *p_rng );
283 
284 /**
285  * \brief           This clears an ECJPAKE context and frees any
286  *                  embedded data structure.
287  *
288  * \param ctx       The ECJPAKE context to free. This may be \c NULL,
289  *                  in which case this function does nothing. If it is not
290  *                  \c NULL, it must point to an initialized ECJPAKE context.
291  */
292 void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
293 
294 #if defined(MBEDTLS_SELF_TEST)
295 
296 /**
297  * \brief          Checkup routine
298  *
299  * \return         0 if successful, or 1 if a test failed
300  */
301 int mbedtls_ecjpake_self_test( int verbose );
302 
303 #endif /* MBEDTLS_SELF_TEST */
304 
305 #ifdef __cplusplus
306 }
307 #endif
308 
309 
310 #endif /* ecjpake.h */
311