1 /**
2  * \file psa/crypto_extra.h
3  *
4  * \brief PSA cryptography module: Mbed TLS vendor extensions
5  *
6  * \note This file may not be included directly. Applications must
7  * include psa/crypto.h.
8  *
9  * This file is reserved for vendor-specific definitions.
10  */
11 /*
12  *  Copyright The Mbed TLS Contributors
13  *  SPDX-License-Identifier: Apache-2.0
14  *
15  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
16  *  not use this file except in compliance with the License.
17  *  You may obtain a copy of the License at
18  *
19  *  http://www.apache.org/licenses/LICENSE-2.0
20  *
21  *  Unless required by applicable law or agreed to in writing, software
22  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
23  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24  *  See the License for the specific language governing permissions and
25  *  limitations under the License.
26  */
27 
28 #ifndef PSA_CRYPTO_EXTRA_H
29 #define PSA_CRYPTO_EXTRA_H
30 #include "mbedtls/private_access.h"
31 
32 #include "mbedtls/platform_util.h"
33 
34 #include "crypto_types.h"
35 #include "crypto_compat.h"
36 
37 #ifdef __cplusplus
38 extern "C" {
39 #endif
40 
41 /* UID for secure storage seed */
42 #define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
43 
44 /* See mbedtls_config.h for definition */
45 #if !defined(MBEDTLS_PSA_KEY_SLOT_COUNT)
46 #define MBEDTLS_PSA_KEY_SLOT_COUNT 32
47 #endif
48 
49 /** \addtogroup attributes
50  * @{
51  */
52 
53 /** \brief Declare the enrollment algorithm for a key.
54  *
55  * An operation on a key may indifferently use the algorithm set with
56  * psa_set_key_algorithm() or with this function.
57  *
58  * \param[out] attributes       The attribute structure to write to.
59  * \param alg2                  A second algorithm that the key may be used
60  *                              for, in addition to the algorithm set with
61  *                              psa_set_key_algorithm().
62  *
63  * \warning Setting an enrollment algorithm is not recommended, because
64  *          using the same key with different algorithms can allow some
65  *          attacks based on arithmetic relations between different
66  *          computations made with the same key, or can escalate harmless
67  *          side channels into exploitable ones. Use this function only
68  *          if it is necessary to support a protocol for which it has been
69  *          verified that the usage of the key with multiple algorithms
70  *          is safe.
71  */
psa_set_key_enrollment_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg2)72 static inline void psa_set_key_enrollment_algorithm(
73     psa_key_attributes_t *attributes,
74     psa_algorithm_t alg2)
75 {
76     attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2;
77 }
78 
79 /** Retrieve the enrollment algorithm policy from key attributes.
80  *
81  * \param[in] attributes        The key attribute structure to query.
82  *
83  * \return The enrollment algorithm stored in the attribute structure.
84  */
psa_get_key_enrollment_algorithm(const psa_key_attributes_t * attributes)85 static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
86     const psa_key_attributes_t *attributes)
87 {
88     return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) );
89 }
90 
91 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
92 
93 /** Retrieve the slot number where a key is stored.
94  *
95  * A slot number is only defined for keys that are stored in a secure
96  * element.
97  *
98  * This information is only useful if the secure element is not entirely
99  * managed through the PSA Cryptography API. It is up to the secure
100  * element driver to decide how PSA slot numbers map to any other interface
101  * that the secure element may have.
102  *
103  * \param[in] attributes        The key attribute structure to query.
104  * \param[out] slot_number      On success, the slot number containing the key.
105  *
106  * \retval #PSA_SUCCESS
107  *         The key is located in a secure element, and \p *slot_number
108  *         indicates the slot number that contains it.
109  * \retval #PSA_ERROR_NOT_PERMITTED
110  *         The caller is not permitted to query the slot number.
111  *         Mbed Crypto currently does not return this error.
112  * \retval #PSA_ERROR_INVALID_ARGUMENT
113  *         The key is not located in a secure element.
114  */
115 psa_status_t psa_get_key_slot_number(
116     const psa_key_attributes_t *attributes,
117     psa_key_slot_number_t *slot_number );
118 
119 /** Choose the slot number where a key is stored.
120  *
121  * This function declares a slot number in the specified attribute
122  * structure.
123  *
124  * A slot number is only meaningful for keys that are stored in a secure
125  * element. It is up to the secure element driver to decide how PSA slot
126  * numbers map to any other interface that the secure element may have.
127  *
128  * \note Setting a slot number in key attributes for a key creation can
129  *       cause the following errors when creating the key:
130  *       - #PSA_ERROR_NOT_SUPPORTED if the selected secure element does
131  *         not support choosing a specific slot number.
132  *       - #PSA_ERROR_NOT_PERMITTED if the caller is not permitted to
133  *         choose slot numbers in general or to choose this specific slot.
134  *       - #PSA_ERROR_INVALID_ARGUMENT if the chosen slot number is not
135  *         valid in general or not valid for this specific key.
136  *       - #PSA_ERROR_ALREADY_EXISTS if there is already a key in the
137  *         selected slot.
138  *
139  * \param[out] attributes       The attribute structure to write to.
140  * \param slot_number           The slot number to set.
141  */
psa_set_key_slot_number(psa_key_attributes_t * attributes,psa_key_slot_number_t slot_number)142 static inline void psa_set_key_slot_number(
143     psa_key_attributes_t *attributes,
144     psa_key_slot_number_t slot_number )
145 {
146     attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
147     attributes->MBEDTLS_PRIVATE(slot_number) = slot_number;
148 }
149 
150 /** Remove the slot number attribute from a key attribute structure.
151  *
152  * This function undoes the action of psa_set_key_slot_number().
153  *
154  * \param[out] attributes       The attribute structure to write to.
155  */
psa_clear_key_slot_number(psa_key_attributes_t * attributes)156 static inline void psa_clear_key_slot_number(
157     psa_key_attributes_t *attributes )
158 {
159     attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) &= ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
160 }
161 
162 /** Register a key that is already present in a secure element.
163  *
164  * The key must be located in a secure element designated by the
165  * lifetime field in \p attributes, in the slot set with
166  * psa_set_key_slot_number() in the attribute structure.
167  * This function makes the key available through the key identifier
168  * specified in \p attributes.
169  *
170  * \param[in] attributes        The attributes of the existing key.
171  *
172  * \retval #PSA_SUCCESS
173  *         The key was successfully registered.
174  *         Note that depending on the design of the driver, this may or may
175  *         not guarantee that a key actually exists in the designated slot
176  *         and is compatible with the specified attributes.
177  * \retval #PSA_ERROR_ALREADY_EXISTS
178  *         There is already a key with the identifier specified in
179  *         \p attributes.
180  * \retval #PSA_ERROR_NOT_SUPPORTED
181  *         The secure element driver for the specified lifetime does not
182  *         support registering a key.
183  * \retval #PSA_ERROR_INVALID_ARGUMENT
184  *         The identifier in \p attributes is invalid, namely the identifier is
185  *         not in the user range, or
186  *         \p attributes specifies a lifetime which is not located
187  *         in a secure element, or no slot number is specified in \p attributes,
188  *         or the specified slot number is not valid.
189  * \retval #PSA_ERROR_NOT_PERMITTED
190  *         The caller is not authorized to register the specified key slot.
191  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
192  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
193  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
194  * \retval #PSA_ERROR_DATA_INVALID
195  * \retval #PSA_ERROR_DATA_CORRUPT
196  * \retval #PSA_ERROR_CORRUPTION_DETECTED
197  * \retval #PSA_ERROR_BAD_STATE
198  *         The library has not been previously initialized by psa_crypto_init().
199  *         It is implementation-dependent whether a failure to initialize
200  *         results in this error code.
201  */
202 psa_status_t mbedtls_psa_register_se_key(
203     const psa_key_attributes_t *attributes);
204 
205 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
206 
207 /**@}*/
208 
209 /**
210  * \brief Library deinitialization.
211  *
212  * This function clears all data associated with the PSA layer,
213  * including the whole key store.
214  *
215  * This is an Mbed TLS extension.
216  */
217 void mbedtls_psa_crypto_free( void );
218 
219 /** \brief Statistics about
220  * resource consumption related to the PSA keystore.
221  *
222  * \note The content of this structure is not part of the stable API and ABI
223  *       of Mbed Crypto and may change arbitrarily from version to version.
224  */
225 typedef struct mbedtls_psa_stats_s
226 {
227     /** Number of slots containing key material for a volatile key. */
228     size_t MBEDTLS_PRIVATE(volatile_slots);
229     /** Number of slots containing key material for a key which is in
230      * internal persistent storage. */
231     size_t MBEDTLS_PRIVATE(persistent_slots);
232     /** Number of slots containing a reference to a key in a
233      * secure element. */
234     size_t MBEDTLS_PRIVATE(external_slots);
235     /** Number of slots which are occupied, but do not contain
236      * key material yet. */
237     size_t MBEDTLS_PRIVATE(half_filled_slots);
238     /** Number of slots that contain cache data. */
239     size_t MBEDTLS_PRIVATE(cache_slots);
240     /** Number of slots that are not used for anything. */
241     size_t MBEDTLS_PRIVATE(empty_slots);
242     /** Number of slots that are locked. */
243     size_t MBEDTLS_PRIVATE(locked_slots);
244     /** Largest key id value among open keys in internal persistent storage. */
245     psa_key_id_t MBEDTLS_PRIVATE(max_open_internal_key_id);
246     /** Largest key id value among open keys in secure elements. */
247     psa_key_id_t MBEDTLS_PRIVATE(max_open_external_key_id);
248 } mbedtls_psa_stats_t;
249 
250 /** \brief Get statistics about
251  * resource consumption related to the PSA keystore.
252  *
253  * \note When Mbed Crypto is built as part of a service, with isolation
254  *       between the application and the keystore, the service may or
255  *       may not expose this function.
256  */
257 void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats );
258 
259 /**
260  * \brief Inject an initial entropy seed for the random generator into
261  *        secure storage.
262  *
263  * This function injects data to be used as a seed for the random generator
264  * used by the PSA Crypto implementation. On devices that lack a trusted
265  * entropy source (preferably a hardware random number generator),
266  * the Mbed PSA Crypto implementation uses this value to seed its
267  * random generator.
268  *
269  * On devices without a trusted entropy source, this function must be
270  * called exactly once in the lifetime of the device. On devices with
271  * a trusted entropy source, calling this function is optional.
272  * In all cases, this function may only be called before calling any
273  * other function in the PSA Crypto API, including psa_crypto_init().
274  *
275  * When this function returns successfully, it populates a file in
276  * persistent storage. Once the file has been created, this function
277  * can no longer succeed.
278  *
279  * If any error occurs, this function does not change the system state.
280  * You can call this function again after correcting the reason for the
281  * error if possible.
282  *
283  * \warning This function **can** fail! Callers MUST check the return status.
284  *
285  * \warning If you use this function, you should use it as part of a
286  *          factory provisioning process. The value of the injected seed
287  *          is critical to the security of the device. It must be
288  *          *secret*, *unpredictable* and (statistically) *unique per device*.
289  *          You should be generate it randomly using a cryptographically
290  *          secure random generator seeded from trusted entropy sources.
291  *          You should transmit it securely to the device and ensure
292  *          that its value is not leaked or stored anywhere beyond the
293  *          needs of transmitting it from the point of generation to
294  *          the call of this function, and erase all copies of the value
295  *          once this function returns.
296  *
297  * This is an Mbed TLS extension.
298  *
299  * \note This function is only available on the following platforms:
300  * * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled.
301  *   Note that you must provide compatible implementations of
302  *   mbedtls_nv_seed_read and mbedtls_nv_seed_write.
303  * * In a client-server integration of PSA Cryptography, on the client side,
304  *   if the server supports this feature.
305  * \param[in] seed          Buffer containing the seed value to inject.
306  * \param[in] seed_size     Size of the \p seed buffer.
307  *                          The size of the seed in bytes must be greater
308  *                          or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE
309  *                          and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM
310  *                          in `library/entropy_poll.h` in the Mbed TLS source
311  *                          code.
312  *                          It must be less or equal to
313  *                          #MBEDTLS_ENTROPY_MAX_SEED_SIZE.
314  *
315  * \retval #PSA_SUCCESS
316  *         The seed value was injected successfully. The random generator
317  *         of the PSA Crypto implementation is now ready for use.
318  *         You may now call psa_crypto_init() and use the PSA Crypto
319  *         implementation.
320  * \retval #PSA_ERROR_INVALID_ARGUMENT
321  *         \p seed_size is out of range.
322  * \retval #PSA_ERROR_STORAGE_FAILURE
323  *         There was a failure reading or writing from storage.
324  * \retval #PSA_ERROR_NOT_PERMITTED
325  *         The library has already been initialized. It is no longer
326  *         possible to call this function.
327  */
328 psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
329                                         size_t seed_size);
330 
331 /** \addtogroup crypto_types
332  * @{
333  */
334 
335 /** DSA public key.
336  *
337  * The import and export format is the
338  * representation of the public key `y = g^x mod p` as a big-endian byte
339  * string. The length of the byte string is the length of the base prime `p`
340  * in bytes.
341  */
342 #define PSA_KEY_TYPE_DSA_PUBLIC_KEY                 ((psa_key_type_t)0x4002)
343 
344 /** DSA key pair (private and public key).
345  *
346  * The import and export format is the
347  * representation of the private key `x` as a big-endian byte string. The
348  * length of the byte string is the private key size in bytes (leading zeroes
349  * are not stripped).
350  *
351  * Deterministic DSA key derivation with psa_generate_derived_key follows
352  * FIPS 186-4 §B.1.2: interpret the byte string as integer
353  * in big-endian order. Discard it if it is not in the range
354  * [0, *N* - 2] where *N* is the boundary of the private key domain
355  * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
356  * or the order of the curve's base point for ECC).
357  * Add 1 to the resulting integer and use this as the private key *x*.
358  *
359  */
360 #define PSA_KEY_TYPE_DSA_KEY_PAIR                    ((psa_key_type_t)0x7002)
361 
362 /** Whether a key type is a DSA key (pair or public-only). */
363 #define PSA_KEY_TYPE_IS_DSA(type)                                       \
364     (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY)
365 
366 #define PSA_ALG_DSA_BASE                        ((psa_algorithm_t)0x06000400)
367 /** DSA signature with hashing.
368  *
369  * This is the signature scheme defined by FIPS 186-4,
370  * with a random per-message secret number (*k*).
371  *
372  * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that
373  *                      #PSA_ALG_IS_HASH(\p hash_alg) is true).
374  *                      This includes #PSA_ALG_ANY_HASH
375  *                      when specifying the algorithm in a usage policy.
376  *
377  * \return              The corresponding DSA signature algorithm.
378  * \return              Unspecified if \p hash_alg is not a supported
379  *                      hash algorithm.
380  */
381 #define PSA_ALG_DSA(hash_alg)                             \
382     (PSA_ALG_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
383 #define PSA_ALG_DETERMINISTIC_DSA_BASE          ((psa_algorithm_t)0x06000500)
384 #define PSA_ALG_DSA_DETERMINISTIC_FLAG PSA_ALG_ECDSA_DETERMINISTIC_FLAG
385 /** Deterministic DSA signature with hashing.
386  *
387  * This is the deterministic variant defined by RFC 6979 of
388  * the signature scheme defined by FIPS 186-4.
389  *
390  * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that
391  *                      #PSA_ALG_IS_HASH(\p hash_alg) is true).
392  *                      This includes #PSA_ALG_ANY_HASH
393  *                      when specifying the algorithm in a usage policy.
394  *
395  * \return              The corresponding DSA signature algorithm.
396  * \return              Unspecified if \p hash_alg is not a supported
397  *                      hash algorithm.
398  */
399 #define PSA_ALG_DETERMINISTIC_DSA(hash_alg)                             \
400     (PSA_ALG_DETERMINISTIC_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
401 #define PSA_ALG_IS_DSA(alg)                                             \
402     (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) ==  \
403      PSA_ALG_DSA_BASE)
404 #define PSA_ALG_DSA_IS_DETERMINISTIC(alg)               \
405     (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0)
406 #define PSA_ALG_IS_DETERMINISTIC_DSA(alg)                       \
407     (PSA_ALG_IS_DSA(alg) && PSA_ALG_DSA_IS_DETERMINISTIC(alg))
408 #define PSA_ALG_IS_RANDOMIZED_DSA(alg)                          \
409     (PSA_ALG_IS_DSA(alg) && !PSA_ALG_DSA_IS_DETERMINISTIC(alg))
410 
411 
412 /* We need to expand the sample definition of this macro from
413  * the API definition. */
414 #undef PSA_ALG_IS_VENDOR_HASH_AND_SIGN
415 #define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg)    \
416     PSA_ALG_IS_DSA(alg)
417 
418 /**@}*/
419 
420 /** \addtogroup attributes
421  * @{
422  */
423 
424 /** Custom Diffie-Hellman group.
425  *
426  * For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
427  * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes
428  * from domain parameters set by psa_set_key_domain_parameters().
429  */
430 #define PSA_DH_FAMILY_CUSTOM             ((psa_dh_family_t) 0x7e)
431 
432 
433 /**
434  * \brief Set domain parameters for a key.
435  *
436  * Some key types require additional domain parameters in addition to
437  * the key type identifier and the key size. Use this function instead
438  * of psa_set_key_type() when you need to specify domain parameters.
439  *
440  * The format for the required domain parameters varies based on the key type.
441  *
442  * - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR),
443  *   the domain parameter data consists of the public exponent,
444  *   represented as a big-endian integer with no leading zeros.
445  *   This information is used when generating an RSA key pair.
446  *   When importing a key, the public exponent is read from the imported
447  *   key data and the exponent recorded in the attribute structure is ignored.
448  *   As an exception, the public exponent 65537 is represented by an empty
449  *   byte string.
450  * - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR),
451  *   the `Dss-Params` format as defined by RFC 3279 §2.3.2.
452  *   ```
453  *   Dss-Params ::= SEQUENCE  {
454  *      p       INTEGER,
455  *      q       INTEGER,
456  *      g       INTEGER
457  *   }
458  *   ```
459  * - For Diffie-Hellman key exchange keys
460  *   (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
461  *   #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
462  *   `DomainParameters` format as defined by RFC 3279 §2.3.3.
463  *   ```
464  *   DomainParameters ::= SEQUENCE {
465  *      p               INTEGER,                    -- odd prime, p=jq +1
466  *      g               INTEGER,                    -- generator, g
467  *      q               INTEGER,                    -- factor of p-1
468  *      j               INTEGER OPTIONAL,           -- subgroup factor
469  *      validationParams ValidationParams OPTIONAL
470  *   }
471  *   ValidationParams ::= SEQUENCE {
472  *      seed            BIT STRING,
473  *      pgenCounter     INTEGER
474  *   }
475  *   ```
476  *
477  * \note This function may allocate memory or other resources.
478  *       Once you have called this function on an attribute structure,
479  *       you must call psa_reset_key_attributes() to free these resources.
480  *
481  * \note This is an experimental extension to the interface. It may change
482  *       in future versions of the library.
483  *
484  * \param[in,out] attributes    Attribute structure where the specified domain
485  *                              parameters will be stored.
486  *                              If this function fails, the content of
487  *                              \p attributes is not modified.
488  * \param type                  Key type (a \c PSA_KEY_TYPE_XXX value).
489  * \param[in] data              Buffer containing the key domain parameters.
490  *                              The content of this buffer is interpreted
491  *                              according to \p type as described above.
492  * \param data_length           Size of the \p data buffer in bytes.
493  *
494  * \retval #PSA_SUCCESS
495  * \retval #PSA_ERROR_INVALID_ARGUMENT
496  * \retval #PSA_ERROR_NOT_SUPPORTED
497  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
498  */
499 psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
500                                            psa_key_type_t type,
501                                            const uint8_t *data,
502                                            size_t data_length);
503 
504 /**
505  * \brief Get domain parameters for a key.
506  *
507  * Get the domain parameters for a key with this function, if any. The format
508  * of the domain parameters written to \p data is specified in the
509  * documentation for psa_set_key_domain_parameters().
510  *
511  * \note This is an experimental extension to the interface. It may change
512  *       in future versions of the library.
513  *
514  * \param[in] attributes        The key attribute structure to query.
515  * \param[out] data             On success, the key domain parameters.
516  * \param data_size             Size of the \p data buffer in bytes.
517  *                              The buffer is guaranteed to be large
518  *                              enough if its size in bytes is at least
519  *                              the value given by
520  *                              PSA_KEY_DOMAIN_PARAMETERS_SIZE().
521  * \param[out] data_length      On success, the number of bytes
522  *                              that make up the key domain parameters data.
523  *
524  * \retval #PSA_SUCCESS
525  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
526  */
527 psa_status_t psa_get_key_domain_parameters(
528     const psa_key_attributes_t *attributes,
529     uint8_t *data,
530     size_t data_size,
531     size_t *data_length);
532 
533 /** Safe output buffer size for psa_get_key_domain_parameters().
534  *
535  * This macro returns a compile-time constant if its arguments are
536  * compile-time constants.
537  *
538  * \warning This function may call its arguments multiple times or
539  *          zero times, so you should not pass arguments that contain
540  *          side effects.
541  *
542  * \note This is an experimental extension to the interface. It may change
543  *       in future versions of the library.
544  *
545  * \param key_type  A supported key type.
546  * \param key_bits  The size of the key in bits.
547  *
548  * \return If the parameters are valid and supported, return
549  *         a buffer size in bytes that guarantees that
550  *         psa_get_key_domain_parameters() will not fail with
551  *         #PSA_ERROR_BUFFER_TOO_SMALL.
552  *         If the parameters are a valid combination that is not supported
553  *         by the implementation, this macro shall return either a
554  *         sensible size or 0.
555  *         If the parameters are not valid, the
556  *         return value is unspecified.
557  */
558 #define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits)              \
559     (PSA_KEY_TYPE_IS_RSA(key_type) ? sizeof(int) :                      \
560      PSA_KEY_TYPE_IS_DH(key_type) ? PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
561      PSA_KEY_TYPE_IS_DSA(key_type) ? PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
562      0)
563 #define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)     \
564     (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/)
565 #define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)    \
566     (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/)
567 
568 /**@}*/
569 
570 /** \defgroup psa_tls_helpers TLS helper functions
571  * @{
572  */
573 
574 #if defined(MBEDTLS_ECP_C)
575 #include <mbedtls/ecp.h>
576 
577 /** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
578  *
579  * \note This function is provided solely for the convenience of
580  *       Mbed TLS and may be removed at any time without notice.
581  *
582  * \param grpid         An Mbed TLS elliptic curve identifier
583  *                      (`MBEDTLS_ECP_DP_xxx`).
584  * \param[out] bits     On success, the bit size of the curve.
585  *
586  * \return              The corresponding PSA elliptic curve identifier
587  *                      (`PSA_ECC_FAMILY_xxx`).
588  * \return              \c 0 on failure (\p grpid is not recognized).
589  */
mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,size_t * bits)590 static inline psa_ecc_family_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
591                                                         size_t *bits )
592 {
593     switch( grpid )
594     {
595         case MBEDTLS_ECP_DP_SECP192R1:
596             *bits = 192;
597             return( PSA_ECC_FAMILY_SECP_R1 );
598         case MBEDTLS_ECP_DP_SECP224R1:
599             *bits = 224;
600             return( PSA_ECC_FAMILY_SECP_R1 );
601         case MBEDTLS_ECP_DP_SECP256R1:
602             *bits = 256;
603             return( PSA_ECC_FAMILY_SECP_R1 );
604         case MBEDTLS_ECP_DP_SECP384R1:
605             *bits = 384;
606             return( PSA_ECC_FAMILY_SECP_R1 );
607         case MBEDTLS_ECP_DP_SECP521R1:
608             *bits = 521;
609             return( PSA_ECC_FAMILY_SECP_R1 );
610         case MBEDTLS_ECP_DP_BP256R1:
611             *bits = 256;
612             return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
613         case MBEDTLS_ECP_DP_BP384R1:
614             *bits = 384;
615             return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
616         case MBEDTLS_ECP_DP_BP512R1:
617             *bits = 512;
618             return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
619         case MBEDTLS_ECP_DP_CURVE25519:
620             *bits = 255;
621             return( PSA_ECC_FAMILY_MONTGOMERY );
622         case MBEDTLS_ECP_DP_SECP192K1:
623             *bits = 192;
624             return( PSA_ECC_FAMILY_SECP_K1 );
625         case MBEDTLS_ECP_DP_SECP224K1:
626             *bits = 224;
627             return( PSA_ECC_FAMILY_SECP_K1 );
628         case MBEDTLS_ECP_DP_SECP256K1:
629             *bits = 256;
630             return( PSA_ECC_FAMILY_SECP_K1 );
631         case MBEDTLS_ECP_DP_CURVE448:
632             *bits = 448;
633             return( PSA_ECC_FAMILY_MONTGOMERY );
634         default:
635             *bits = 0;
636             return( 0 );
637     }
638 }
639 
640 /** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
641  *
642  * \note This function is provided solely for the convenience of
643  *       Mbed TLS and may be removed at any time without notice.
644  *
645  * \param curve         A PSA elliptic curve identifier
646  *                      (`PSA_ECC_FAMILY_xxx`).
647  * \param bits          The bit-length of a private key on \p curve.
648  * \param bits_is_sloppy If true, \p bits may be the bit-length rounded up
649  *                      to the nearest multiple of 8. This allows the caller
650  *                      to infer the exact curve from the length of a key
651  *                      which is supplied as a byte string.
652  *
653  * \return              The corresponding Mbed TLS elliptic curve identifier
654  *                      (`MBEDTLS_ECP_DP_xxx`).
655  * \return              #MBEDTLS_ECP_DP_NONE if \c curve is not recognized.
656  * \return              #MBEDTLS_ECP_DP_NONE if \p bits is not
657  *                      correct for \p curve.
658  */
659 mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
660                                                size_t bits,
661                                                int bits_is_sloppy );
662 #endif /* MBEDTLS_ECP_C */
663 
664 /**@}*/
665 
666 /** \defgroup psa_external_rng External random generator
667  * @{
668  */
669 
670 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
671 /** External random generator function, implemented by the platform.
672  *
673  * When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled,
674  * this function replaces Mbed TLS's entropy and DRBG modules for all
675  * random generation triggered via PSA crypto interfaces.
676  *
677  * \note This random generator must deliver random numbers with cryptographic
678  *       quality and high performance. It must supply unpredictable numbers
679  *       with a uniform distribution. The implementation of this function
680  *       is responsible for ensuring that the random generator is seeded
681  *       with sufficient entropy. If you have a hardware TRNG which is slow
682  *       or delivers non-uniform output, declare it as an entropy source
683  *       with mbedtls_entropy_add_source() instead of enabling this option.
684  *
685  * \param[in,out] context       Pointer to the random generator context.
686  *                              This is all-bits-zero on the first call
687  *                              and preserved between successive calls.
688  * \param[out] output           Output buffer. On success, this buffer
689  *                              contains random data with a uniform
690  *                              distribution.
691  * \param output_size           The size of the \p output buffer in bytes.
692  * \param[out] output_length    On success, set this value to \p output_size.
693  *
694  * \retval #PSA_SUCCESS
695  *         Success. The output buffer contains \p output_size bytes of
696  *         cryptographic-quality random data, and \c *output_length is
697  *         set to \p output_size.
698  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
699  *         The random generator requires extra entropy and there is no
700  *         way to obtain entropy under current environment conditions.
701  *         This error should not happen under normal circumstances since
702  *         this function is responsible for obtaining as much entropy as
703  *         it needs. However implementations of this function may return
704  *         #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain
705  *         entropy without blocking indefinitely.
706  * \retval #PSA_ERROR_HARDWARE_FAILURE
707  *         A failure of the random generator hardware that isn't covered
708  *         by #PSA_ERROR_INSUFFICIENT_ENTROPY.
709  */
710 psa_status_t mbedtls_psa_external_get_random(
711     mbedtls_psa_external_random_context_t *context,
712     uint8_t *output, size_t output_size, size_t *output_length );
713 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
714 
715 /**@}*/
716 
717 /** \defgroup psa_builtin_keys Built-in keys
718  * @{
719  */
720 
721 /** The minimum value for a key identifier that is built into the
722  * implementation.
723  *
724  * The range of key identifiers from #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN
725  * to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX within the range from
726  * #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
727  * with any other set of implementation-chosen key identifiers.
728  *
729  * This value is part of the library's ABI since changing it would invalidate
730  * the values of built-in key identifiers in applications.
731  */
732 #define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN          ((psa_key_id_t)0x7fff0000)
733 
734 /** The maximum value for a key identifier that is built into the
735  * implementation.
736  *
737  * See #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN for more information.
738  */
739 #define MBEDTLS_PSA_KEY_ID_BUILTIN_MAX          ((psa_key_id_t)0x7fffefff)
740 
741 /** A slot number identifying a key in a driver.
742  *
743  * Values of this type are used to identify built-in keys.
744  */
745 typedef uint64_t psa_drv_slot_number_t;
746 
747 #if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
748 /** Test whether a key identifier belongs to the builtin key range.
749  *
750  * \param key_id  Key identifier to test.
751  *
752  * \retval 1
753  *         The key identifier is a builtin key identifier.
754  * \retval 0
755  *         The key identifier is not a builtin key identifier.
756  */
psa_key_id_is_builtin(psa_key_id_t key_id)757 static inline int psa_key_id_is_builtin( psa_key_id_t key_id )
758 {
759     return( ( key_id >= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ) &&
760             ( key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ) );
761 }
762 
763 /** Platform function to obtain the location and slot number of a built-in key.
764  *
765  * An application-specific implementation of this function must be provided if
766  * #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided
767  * as part of a platform's system image.
768  *
769  * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from
770  * #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.
771  *
772  * In a multi-application configuration
773  * (\c MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined),
774  * this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id)
775  * is allowed to use the given key.
776  *
777  * \param key_id                The key ID for which to retrieve the
778  *                              location and slot attributes.
779  * \param[out] lifetime         On success, the lifetime associated with the key
780  *                              corresponding to \p key_id. Lifetime is a
781  *                              combination of which driver contains the key,
782  *                              and with what persistence level the key is
783  *                              intended to be used. If the platform
784  *                              implementation does not contain specific
785  *                              information about the intended key persistence
786  *                              level, the persistence level may be reported as
787  *                              #PSA_KEY_PERSISTENCE_DEFAULT.
788  * \param[out] slot_number      On success, the slot number known to the driver
789  *                              registered at the lifetime location reported
790  *                              through \p lifetime which corresponds to the
791  *                              requested built-in key.
792  *
793  * \retval #PSA_SUCCESS
794  *         The requested key identifier designates a built-in key.
795  *         In a multi-application configuration, the requested owner
796  *         is allowed to access it.
797  * \retval #PSA_ERROR_DOES_NOT_EXIST
798  *         The requested key identifier is not a built-in key which is known
799  *         to this function. If a key exists in the key storage with this
800  *         identifier, the data from the storage will be used.
801  * \return (any other error)
802  *         Any other error is propagated to the function that requested the key.
803  *         Common errors include:
804  *         - #PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner
805  *           is not allowed to access it.
806  */
807 psa_status_t mbedtls_psa_platform_get_builtin_key(
808     mbedtls_svc_key_id_t key_id,
809     psa_key_lifetime_t *lifetime,
810     psa_drv_slot_number_t *slot_number );
811 #endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
812 
813 /** @} */
814 
815 /** \addtogroup crypto_types
816  * @{
817  */
818 
819 #define PSA_ALG_CATEGORY_PAKE                   ((psa_algorithm_t)0x0a000000)
820 
821 /** Whether the specified algorithm is a password-authenticated key exchange.
822  *
823  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
824  *
825  * \return 1 if \p alg is a password-authenticated key exchange (PAKE)
826  *         algorithm, 0 otherwise.
827  *         This macro may return either 0 or 1 if \p alg is not a supported
828  *         algorithm identifier.
829  */
830 #define PSA_ALG_IS_PAKE(alg)                                        \
831     (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE)
832 
833 /** The Password-authenticated key exchange by juggling (J-PAKE) algorithm.
834  *
835  * This is J-PAKE as defined by RFC 8236, instantiated with the following
836  * parameters:
837  *
838  * - The group can be either an elliptic curve or defined over a finite field.
839  * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the
840  *   J-PAKE algorithm.
841  * - A cryptographic hash function.
842  *
843  * To select these parameters and set up the cipher suite, call these functions
844  * in any order:
845  *
846  * \code
847  * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE);
848  * psa_pake_cs_set_primitive(cipher_suite,
849  *                           PSA_PAKE_PRIMITIVE(type, family, bits));
850  * psa_pake_cs_set_hash(cipher_suite, hash);
851  * \endcode
852  *
853  * For more information on how to set a specific curve or field, refer to the
854  * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
855  *
856  * After initializing a J-PAKE operation, call
857  *
858  * \code
859  * psa_pake_setup(operation, cipher_suite);
860  * psa_pake_set_user(operation, ...);
861  * psa_pake_set_peer(operation, ...);
862  * psa_pake_set_password_key(operation, ...);
863  * \endcode
864  *
865  * The password is provided as a key. This can be the password text itself,
866  * in an agreed character encoding, or some value derived from the password
867  * as required by a higher level protocol.
868  *
869  * (The implementation converts the key material to a number as described in
870  * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_
871  * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here
872  * \c q is order of the group defined by the primitive set in the cipher suite.
873  * The \c psa_pake_set_password_key() function returns an error if the result
874  * of the reduction is 0.)
875  *
876  * The key exchange flow for J-PAKE is as follows:
877  * -# To get the first round data that needs to be sent to the peer, call
878  *    \code
879  *    // Get g1
880  *    psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
881  *    // Get the ZKP public key for x1
882  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
883  *    // Get the ZKP proof for x1
884  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
885  *    // Get g2
886  *    psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
887  *    // Get the ZKP public key for x2
888  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
889  *    // Get the ZKP proof for x2
890  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
891  *    \endcode
892  * -# To provide the first round data received from the peer to the operation,
893  *    call
894  *    \code
895  *    // Set g3
896  *    psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
897  *    // Set the ZKP public key for x3
898  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
899  *    // Set the ZKP proof for x3
900  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
901  *    // Set g4
902  *    psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
903  *    // Set the ZKP public key for x4
904  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
905  *    // Set the ZKP proof for x4
906  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
907  *    \endcode
908  * -# To get the second round data that needs to be sent to the peer, call
909  *    \code
910  *    // Get A
911  *    psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
912  *    // Get ZKP public key for x2*s
913  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
914  *    // Get ZKP proof for x2*s
915  *    psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
916  *    \endcode
917  * -# To provide the second round data received from the peer to the operation,
918  *    call
919  *    \code
920  *    // Set B
921  *    psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
922  *    // Set ZKP public key for x4*s
923  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
924  *    // Set ZKP proof for x4*s
925  *    psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
926  *    \endcode
927  * -# To access the shared secret call
928  *    \code
929  *    // Get Ka=Kb=K
930  *    psa_pake_get_implicit_key()
931  *    \endcode
932  *
933  * For more information consult the documentation of the individual
934  * \c PSA_PAKE_STEP_XXX constants.
935  *
936  * At this point there is a cryptographic guarantee that only the authenticated
937  * party who used the same password is able to compute the key. But there is no
938  * guarantee that the peer is the party it claims to be and was able to do so.
939  *
940  * That is, the authentication is only implicit (the peer is not authenticated
941  * at this point, and no action should be taken that assume that they are - like
942  * for example accessing restricted files).
943  *
944  * To make the authentication explicit there are various methods, see Section 5
945  * of RFC 8236 for two examples.
946  *
947  */
948 #define PSA_ALG_JPAKE                   ((psa_algorithm_t)0x0a000100)
949 
950 /** @} */
951 
952 /** \defgroup pake Password-authenticated key exchange (PAKE)
953  *
954  * This is a proposed PAKE interface for the PSA Crypto API. It is not part of
955  * the official PSA Crypto API yet.
956  *
957  * \note The content of this section is not part of the stable API and ABI
958  *       of Mbed Crypto and may change arbitrarily from version to version.
959  *       Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
960  *       #PSA_ALG_JPAKE.
961  * @{
962  */
963 
964 /** \brief Encoding of the application role of PAKE
965  *
966  * Encodes the application's role in the algorithm is being executed. For more
967  * information see the documentation of individual \c PSA_PAKE_ROLE_XXX
968  * constants.
969  */
970 typedef uint8_t psa_pake_role_t;
971 
972 /** Encoding of input and output indicators for PAKE.
973  *
974  * Some PAKE algorithms need to exchange more data than just a single key share.
975  * This type is for encoding additional input and output data for such
976  * algorithms.
977  */
978 typedef uint8_t psa_pake_step_t;
979 
980 /** Encoding of the type of the PAKE's primitive.
981  *
982  * Values defined by this standard will never be in the range 0x80-0xff.
983  * Vendors who define additional types must use an encoding in this range.
984  *
985  * For more information see the documentation of individual
986  * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
987  */
988 typedef uint8_t psa_pake_primitive_type_t;
989 
990 /** \brief Encoding of the family of the primitive associated with the PAKE.
991  *
992  * For more information see the documentation of individual
993  * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
994  */
995 typedef uint8_t psa_pake_family_t;
996 
997 /** \brief Encoding of the primitive associated with the PAKE.
998  *
999  * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro.
1000  */
1001 typedef uint32_t psa_pake_primitive_t;
1002 
1003 /** A value to indicate no role in a PAKE algorithm.
1004  * This value can be used in a call to psa_pake_set_role() for symmetric PAKE
1005  * algorithms which do not assign roles.
1006  */
1007 #define PSA_PAKE_ROLE_NONE                  ((psa_pake_role_t)0x00)
1008 
1009 /** The first peer in a balanced PAKE.
1010  *
1011  * Although balanced PAKE algorithms are symmetric, some of them needs an
1012  * ordering of peers for the transcript calculations. If the algorithm does not
1013  * need this, both #PSA_PAKE_ROLE_FIRST and #PSA_PAKE_ROLE_SECOND are
1014  * accepted.
1015  */
1016 #define PSA_PAKE_ROLE_FIRST                ((psa_pake_role_t)0x01)
1017 
1018 /** The second peer in a balanced PAKE.
1019  *
1020  * Although balanced PAKE algorithms are symmetric, some of them needs an
1021  * ordering of peers for the transcript calculations. If the algorithm does not
1022  * need this, either #PSA_PAKE_ROLE_FIRST or #PSA_PAKE_ROLE_SECOND are
1023  * accepted.
1024  */
1025 #define PSA_PAKE_ROLE_SECOND                ((psa_pake_role_t)0x02)
1026 
1027 /** The client in an augmented PAKE.
1028  *
1029  * Augmented PAKE algorithms need to differentiate between client and server.
1030  */
1031 #define PSA_PAKE_ROLE_CLIENT                ((psa_pake_role_t)0x11)
1032 
1033 /** The server in an augmented PAKE.
1034  *
1035  * Augmented PAKE algorithms need to differentiate between client and server.
1036  */
1037 #define PSA_PAKE_ROLE_SERVER                ((psa_pake_role_t)0x12)
1038 
1039 /** The PAKE primitive type indicating the use of elliptic curves.
1040  *
1041  * The values of the \c family and \c bits fields of the cipher suite identify a
1042  * specific elliptic curve, using the same mapping that is used for ECC
1043  * (::psa_ecc_family_t) keys.
1044  *
1045  * (Here \c family means the value returned by psa_pake_cs_get_family() and
1046  * \c bits means the value returned by psa_pake_cs_get_bits().)
1047  *
1048  * Input and output during the operation can involve group elements and scalar
1049  * values:
1050  * -# The format for group elements is the same as for public keys on the
1051  *  specific curve would be. For more information, consult the documentation of
1052  *  psa_export_public_key().
1053  * -# The format for scalars is the same as for private keys on the specific
1054  *  curve would be. For more information, consult the documentation of
1055  *  psa_export_key().
1056  */
1057 #define PSA_PAKE_PRIMITIVE_TYPE_ECC       ((psa_pake_primitive_type_t)0x01)
1058 
1059 /** The PAKE primitive type indicating the use of Diffie-Hellman groups.
1060  *
1061  * The values of the \c family and \c bits fields of the cipher suite identify
1062  * a specific Diffie-Hellman group, using the same mapping that is used for
1063  * Diffie-Hellman (::psa_dh_family_t) keys.
1064  *
1065  * (Here \c family means the value returned by psa_pake_cs_get_family() and
1066  * \c bits means the value returned by psa_pake_cs_get_bits().)
1067  *
1068  * Input and output during the operation can involve group elements and scalar
1069  * values:
1070  * -# The format for group elements is the same as for public keys on the
1071  *  specific group would be. For more information, consult the documentation of
1072  *  psa_export_public_key().
1073  * -# The format for scalars is the same as for private keys on the specific
1074  *  group would be. For more information, consult the documentation of
1075  *  psa_export_key().
1076  */
1077 #define PSA_PAKE_PRIMITIVE_TYPE_DH       ((psa_pake_primitive_type_t)0x02)
1078 
1079 /** Construct a PAKE primitive from type, family and bit-size.
1080  *
1081  * \param pake_type     The type of the primitive
1082  *                      (value of type ::psa_pake_primitive_type_t).
1083  * \param pake_family   The family of the primitive
1084  *                      (the type and interpretation of this parameter depends
1085  *                      on \p type, for more information consult the
1086  *                      documentation of individual ::psa_pake_primitive_type_t
1087  *                      constants).
1088  * \param pake_bits     The bit-size of the primitive
1089  *                      (Value of type \c size_t. The interpretation
1090  *                      of this parameter depends on \p family, for more
1091  *                      information consult the documentation of individual
1092  *                      ::psa_pake_primitive_type_t constants).
1093  *
1094  * \return The constructed primitive value of type ::psa_pake_primitive_t.
1095  *         Return 0 if the requested primitive can't be encoded as
1096  *         ::psa_pake_primitive_t.
1097  */
1098 #define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \
1099     ((pake_bits & 0xFFFF) != pake_bits) ? 0 :                 \
1100     ((psa_pake_primitive_t) (((pake_type) << 24 |             \
1101             (pake_family) << 16) | (pake_bits)))
1102 
1103 /** The key share being sent to or received from the peer.
1104  *
1105  * The format for both input and output at this step is the same as for public
1106  * keys on the group determined by the primitive (::psa_pake_primitive_t) would
1107  * be.
1108  *
1109  * For more information on the format, consult the documentation of
1110  * psa_export_public_key().
1111  *
1112  * For information regarding how the group is determined, consult the
1113  * documentation #PSA_PAKE_PRIMITIVE.
1114  */
1115 #define PSA_PAKE_STEP_KEY_SHARE                 ((psa_pake_step_t)0x01)
1116 
1117 /** A Schnorr NIZKP public key.
1118  *
1119  * This is the ephemeral public key in the Schnorr Non-Interactive
1120  * Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
1121  *
1122  * The format for both input and output at this step is the same as for public
1123  * keys on the group determined by the primitive (::psa_pake_primitive_t) would
1124  * be.
1125  *
1126  * For more information on the format, consult the documentation of
1127  * psa_export_public_key().
1128  *
1129  * For information regarding how the group is determined, consult the
1130  * documentation #PSA_PAKE_PRIMITIVE.
1131  */
1132 #define PSA_PAKE_STEP_ZK_PUBLIC                 ((psa_pake_step_t)0x02)
1133 
1134 /** A Schnorr NIZKP proof.
1135  *
1136  * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
1137  * value denoted by the letter 'r' in RFC 8235).
1138  *
1139  * Both for input and output, the value at this step is an integer less than
1140  * the order of the group selected in the cipher suite. The format depends on
1141  * the group as well:
1142  *
1143  * - For Montgomery curves, the encoding is little endian.
1144  * - For everything else the encoding is big endian (see Section 2.3.8 of
1145  *   _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
1146  *
1147  * In both cases leading zeroes are allowed as long as the length in bytes does
1148  * not exceed the byte length of the group order.
1149  *
1150  * For information regarding how the group is determined, consult the
1151  * documentation #PSA_PAKE_PRIMITIVE.
1152  */
1153 #define PSA_PAKE_STEP_ZK_PROOF                  ((psa_pake_step_t)0x03)
1154 
1155 /** The type of the data structure for PAKE cipher suites.
1156  *
1157  * This is an implementation-defined \c struct. Applications should not
1158  * make any assumptions about the content of this structure.
1159  * Implementation details can change in future versions without notice.
1160  */
1161 typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
1162 
1163 /** Return an initial value for a PAKE cipher suite object.
1164  */
1165 static psa_pake_cipher_suite_t psa_pake_cipher_suite_init( void );
1166 
1167 /** Retrieve the PAKE algorithm from a PAKE cipher suite.
1168  *
1169  * \param[in] cipher_suite     The cipher suite structure to query.
1170  *
1171  * \return The PAKE algorithm stored in the cipher suite structure.
1172  */
1173 static psa_algorithm_t psa_pake_cs_get_algorithm(
1174                            const psa_pake_cipher_suite_t *cipher_suite );
1175 
1176 /** Declare the PAKE algorithm for the cipher suite.
1177  *
1178  * This function overwrites any PAKE algorithm
1179  * previously set in \p cipher_suite.
1180  *
1181  * \param[out] cipher_suite    The cipher suite structure to write to.
1182  * \param algorithm            The PAKE algorithm to write.
1183  *                             (`PSA_ALG_XXX` values of type ::psa_algorithm_t
1184  *                             such that #PSA_ALG_IS_PAKE(\c alg) is true.)
1185  *                             If this is 0, the PAKE algorithm in
1186  *                             \p cipher_suite becomes unspecified.
1187  */
1188 static void psa_pake_cs_set_algorithm( psa_pake_cipher_suite_t *cipher_suite,
1189                                        psa_algorithm_t algorithm );
1190 
1191 /** Retrieve the primitive from a PAKE cipher suite.
1192  *
1193  * \param[in] cipher_suite     The cipher suite structure to query.
1194  *
1195  * \return The primitive stored in the cipher suite structure.
1196  */
1197 static psa_pake_primitive_t psa_pake_cs_get_primitive(
1198                            const psa_pake_cipher_suite_t *cipher_suite );
1199 
1200 /** Declare the primitive for a PAKE cipher suite.
1201  *
1202  * This function overwrites any primitive previously set in \p cipher_suite.
1203  *
1204  * \param[out] cipher_suite    The cipher suite structure to write to.
1205  * \param primitive            The primitive to write. If this is 0, the
1206  *                             primitive type in \p cipher_suite becomes
1207  *                             unspecified.
1208  */
1209 static void psa_pake_cs_set_primitive( psa_pake_cipher_suite_t *cipher_suite,
1210                                        psa_pake_primitive_t primitive );
1211 
1212 /** Retrieve the PAKE family from a PAKE cipher suite.
1213  *
1214  * \param[in] cipher_suite     The cipher suite structure to query.
1215  *
1216  * \return The PAKE family stored in the cipher suite structure.
1217  */
1218 static psa_pake_family_t psa_pake_cs_get_family(
1219                            const psa_pake_cipher_suite_t *cipher_suite );
1220 
1221 /** Retrieve the PAKE primitive bit-size from a PAKE cipher suite.
1222  *
1223  * \param[in] cipher_suite     The cipher suite structure to query.
1224  *
1225  * \return The PAKE primitive bit-size stored in the cipher suite structure.
1226  */
1227 static uint16_t psa_pake_cs_get_bits(
1228                            const psa_pake_cipher_suite_t *cipher_suite );
1229 
1230 /** Retrieve the hash algorithm from a PAKE cipher suite.
1231  *
1232  * \param[in] cipher_suite      The cipher suite structure to query.
1233  *
1234  * \return The hash algorithm stored in the cipher suite structure. The return
1235  *         value is 0 if the PAKE is not parametrised by a hash algorithm or if
1236  *         the hash algorithm is not set.
1237  */
1238 static psa_algorithm_t psa_pake_cs_get_hash(
1239                            const psa_pake_cipher_suite_t *cipher_suite );
1240 
1241 /** Declare the hash algorithm for a PAKE cipher suite.
1242  *
1243  * This function overwrites any hash algorithm
1244  * previously set in \p cipher_suite.
1245  *
1246  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1247  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1248  * for more information.
1249  *
1250  * \param[out] cipher_suite     The cipher suite structure to write to.
1251  * \param hash                  The hash involved in the cipher suite.
1252  *                              (`PSA_ALG_XXX` values of type ::psa_algorithm_t
1253  *                              such that #PSA_ALG_IS_HASH(\c alg) is true.)
1254  *                              If this is 0, the hash algorithm in
1255  *                              \p cipher_suite becomes unspecified.
1256  */
1257 static void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite,
1258                                   psa_algorithm_t hash );
1259 
1260 /** The type of the state data structure for PAKE operations.
1261  *
1262  * Before calling any function on a PAKE operation object, the application
1263  * must initialize it by any of the following means:
1264  * - Set the structure to all-bits-zero, for example:
1265  *   \code
1266  *   psa_pake_operation_t operation;
1267  *   memset(&operation, 0, sizeof(operation));
1268  *   \endcode
1269  * - Initialize the structure to logical zero values, for example:
1270  *   \code
1271  *   psa_pake_operation_t operation = {0};
1272  *   \endcode
1273  * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT,
1274  *   for example:
1275  *   \code
1276  *   psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT;
1277  *   \endcode
1278  * - Assign the result of the function psa_pake_operation_init()
1279  *   to the structure, for example:
1280  *   \code
1281  *   psa_pake_operation_t operation;
1282  *   operation = psa_pake_operation_init();
1283  *   \endcode
1284  *
1285  * This is an implementation-defined \c struct. Applications should not
1286  * make any assumptions about the content of this structure.
1287  * Implementation details can change in future versions without notice. */
1288 typedef struct psa_pake_operation_s psa_pake_operation_t;
1289 
1290 /** Return an initial value for a PAKE operation object.
1291  */
1292 static psa_pake_operation_t psa_pake_operation_init( void );
1293 
1294 /** Set the session information for a password-authenticated key exchange.
1295  *
1296  * The sequence of operations to set up a password-authenticated key exchange
1297  * is as follows:
1298  * -# Allocate an operation object which will be passed to all the functions
1299  *    listed here.
1300  * -# Initialize the operation object with one of the methods described in the
1301  *    documentation for #psa_pake_operation_t, e.g.
1302  *    #PSA_PAKE_OPERATION_INIT.
1303  * -# Call psa_pake_setup() to specify the cipher suite.
1304  * -# Call \c psa_pake_set_xxx() functions on the operation to complete the
1305  *    setup. The exact sequence of \c psa_pake_set_xxx() functions that needs
1306  *    to be called depends on the algorithm in use.
1307  *
1308  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1309  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1310  * for more information.
1311  *
1312  * A typical sequence of calls to perform a password-authenticated key
1313  * exchange:
1314  * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the
1315  *    key share that needs to be sent to the peer.
1316  * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide
1317  *    the key share that was received from the peer.
1318  * -# Depending on the algorithm additional calls to psa_pake_output() and
1319  *    psa_pake_input() might be necessary.
1320  * -# Call psa_pake_get_implicit_key() for accessing the shared secret.
1321  *
1322  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1323  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1324  * for more information.
1325  *
1326  * If an error occurs at any step after a call to psa_pake_setup(),
1327  * the operation will need to be reset by a call to psa_pake_abort(). The
1328  * application may call psa_pake_abort() at any time after the operation
1329  * has been initialized.
1330  *
1331  * After a successful call to psa_pake_setup(), the application must
1332  * eventually terminate the operation. The following events terminate an
1333  * operation:
1334  * - A call to psa_pake_abort().
1335  * - A successful call to psa_pake_get_implicit_key().
1336  *
1337  * \param[in,out] operation     The operation object to set up. It must have
1338  *                              been initialized but not set up yet.
1339  * \param[in] cipher_suite      The cipher suite to use. (A cipher suite fully
1340  *                              characterizes a PAKE algorithm and determines
1341  *                              the algorithm as well.)
1342  *
1343  * \retval #PSA_SUCCESS
1344  *         Success.
1345  * \retval #PSA_ERROR_INVALID_ARGUMENT
1346  *         The algorithm in \p cipher_suite is not a PAKE algorithm, or the
1347  *         PAKE primitive in \p cipher_suite is not compatible with the
1348  *         PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid
1349  *         or not compatible with the PAKE algorithm and primitive.
1350  * \retval #PSA_ERROR_NOT_SUPPORTED
1351  *         The algorithm in \p cipher_suite is not a supported PAKE algorithm,
1352  *         or the PAKE primitive in \p cipher_suite is not supported or not
1353  *         compatible with the PAKE algorithm, or the hash algorithm in
1354  *         \p cipher_suite is not supported or not compatible with the PAKE
1355  *         algorithm and primitive.
1356  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1357  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1358  * \retval #PSA_ERROR_BAD_STATE
1359  *         The operation state is not valid, or
1360  *         the library has not been previously initialized by psa_crypto_init().
1361  *         It is implementation-dependent whether a failure to initialize
1362  *         results in this error code.
1363  */
1364 psa_status_t psa_pake_setup( psa_pake_operation_t *operation,
1365                              const psa_pake_cipher_suite_t *cipher_suite );
1366 
1367 /** Set the password for a password-authenticated key exchange from key ID.
1368  *
1369  * Call this function when the password, or a value derived from the password,
1370  * is already present in the key store.
1371  *
1372  * \param[in,out] operation     The operation object to set the password for. It
1373  *                              must have been set up by psa_pake_setup() and
1374  *                              not yet in use (neither psa_pake_output() nor
1375  *                              psa_pake_input() has been called yet). It must
1376  *                              be on operation for which the password hasn't
1377  *                              been set yet (psa_pake_set_password_key()
1378  *                              hasn't been called yet).
1379  * \param password              Identifier of the key holding the password or a
1380  *                              value derived from the password (eg. by a
1381  *                              memory-hard function).  It must remain valid
1382  *                              until the operation terminates. It must be of
1383  *                              type #PSA_KEY_TYPE_PASSWORD or
1384  *                              #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow
1385  *                              the usage #PSA_KEY_USAGE_DERIVE.
1386  *
1387  * \retval #PSA_SUCCESS
1388  *         Success.
1389  * \retval #PSA_ERROR_INVALID_HANDLE
1390  *         \p password is not a valid key identifier.
1391  * \retval #PSA_ERROR_NOT_PERMITTED
1392  *         The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not
1393  *         permit the \p operation's algorithm.
1394  * \retval #PSA_ERROR_INVALID_ARGUMENT
1395  *         The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or
1396  *         #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with
1397  *         the \p operation's cipher suite.
1398  * \retval #PSA_ERROR_NOT_SUPPORTED
1399  *         The key type or key size of \p password is not supported with the
1400  *         \p operation's cipher suite.
1401  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1402  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1403  * \retval #PSA_ERROR_STORAGE_FAILURE
1404  * \retval #PSA_ERROR_DATA_CORRUPT
1405  * \retval #PSA_ERROR_DATA_INVALID
1406  * \retval #PSA_ERROR_BAD_STATE
1407  *         The operation state is not valid (it must have been set up.), or
1408  *         the library has not been previously initialized by psa_crypto_init().
1409  *         It is implementation-dependent whether a failure to initialize
1410  *         results in this error code.
1411  */
1412 psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
1413                                         mbedtls_svc_key_id_t password );
1414 
1415 /** Set the user ID for a password-authenticated key exchange.
1416  *
1417  * Call this function to set the user ID. For PAKE algorithms that associate a
1418  * user identifier with each side of the session you need to call
1419  * psa_pake_set_peer() as well. For PAKE algorithms that associate a single
1420  * user identifier with the session, call psa_pake_set_user() only.
1421  *
1422  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1423  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1424  * for more information.
1425  *
1426  * \param[in,out] operation     The operation object to set the user ID for. It
1427  *                              must have been set up by psa_pake_setup() and
1428  *                              not yet in use (neither psa_pake_output() nor
1429  *                              psa_pake_input() has been called yet). It must
1430  *                              be on operation for which the user ID hasn't
1431  *                              been set (psa_pake_set_user() hasn't been
1432  *                              called yet).
1433  * \param[in] user_id           The user ID to authenticate with.
1434  * \param user_id_len           Size of the \p user_id buffer in bytes.
1435  *
1436  * \retval #PSA_SUCCESS
1437  *         Success.
1438  * \retval #PSA_ERROR_INVALID_ARGUMENT
1439  *         \p user_id is not valid for the \p operation's algorithm and cipher
1440  *         suite.
1441  * \retval #PSA_ERROR_NOT_SUPPORTED
1442  *         The value of \p user_id is not supported by the implementation.
1443  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1444  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1445  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1446  * \retval #PSA_ERROR_BAD_STATE
1447  *         The operation state is not valid, or
1448  *         the library has not been previously initialized by psa_crypto_init().
1449  *         It is implementation-dependent whether a failure to initialize
1450  *         results in this error code.
1451  */
1452 psa_status_t psa_pake_set_user( psa_pake_operation_t *operation,
1453                                 const uint8_t *user_id,
1454                                 size_t user_id_len );
1455 
1456 /** Set the peer ID for a password-authenticated key exchange.
1457  *
1458  * Call this function in addition to psa_pake_set_user() for PAKE algorithms
1459  * that associate a user identifier with each side of the session. For PAKE
1460  * algorithms that associate a single user identifier with the session, call
1461  * psa_pake_set_user() only.
1462  *
1463  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1464  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1465  * for more information.
1466  *
1467  * \param[in,out] operation     The operation object to set the peer ID for. It
1468  *                              must have been set up by psa_pake_setup() and
1469  *                              not yet in use (neither psa_pake_output() nor
1470  *                              psa_pake_input() has been called yet). It must
1471  *                              be on operation for which the peer ID hasn't
1472  *                              been set (psa_pake_set_peer() hasn't been
1473  *                              called yet).
1474  * \param[in] peer_id           The peer's ID to authenticate.
1475  * \param peer_id_len           Size of the \p peer_id buffer in bytes.
1476  *
1477  * \retval #PSA_SUCCESS
1478  *         Success.
1479  * \retval #PSA_ERROR_INVALID_ARGUMENT
1480  *         \p user_id is not valid for the \p operation's algorithm and cipher
1481  *         suite.
1482  * \retval #PSA_ERROR_NOT_SUPPORTED
1483  *         The algorithm doesn't associate a second identity with the session.
1484  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1485  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1486  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1487  * \retval #PSA_ERROR_BAD_STATE
1488  *         Calling psa_pake_set_peer() is invalid with the \p operation's
1489  *         algorithm, the operation state is not valid, or the library has not
1490  *         been previously initialized by psa_crypto_init().
1491  *         It is implementation-dependent whether a failure to initialize
1492  *         results in this error code.
1493  */
1494 psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation,
1495                                 const uint8_t *peer_id,
1496                                 size_t peer_id_len );
1497 
1498 /** Set the application role for a password-authenticated key exchange.
1499  *
1500  * Not all PAKE algorithms need to differentiate the communicating entities.
1501  * It is optional to call this function for PAKEs that don't require a role
1502  * to be specified. For such PAKEs the application role parameter is ignored,
1503  * or #PSA_PAKE_ROLE_NONE can be passed as \c role.
1504  *
1505  * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1506  * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1507  * for more information.
1508  *
1509  * \param[in,out] operation     The operation object to specify the
1510  *                              application's role for. It must have been set up
1511  *                              by psa_pake_setup() and not yet in use (neither
1512  *                              psa_pake_output() nor psa_pake_input() has been
1513  *                              called yet). It must be on operation for which
1514  *                              the application's role hasn't been specified
1515  *                              (psa_pake_set_role() hasn't been called yet).
1516  * \param role                  A value of type ::psa_pake_role_t indicating the
1517  *                              application's role in the PAKE the algorithm
1518  *                              that is being set up. For more information see
1519  *                              the documentation of \c PSA_PAKE_ROLE_XXX
1520  *                              constants.
1521  *
1522  * \retval #PSA_SUCCESS
1523  *         Success.
1524  * \retval #PSA_ERROR_INVALID_ARGUMENT
1525  *         The \p role is not a valid PAKE role in the \p operation’s algorithm.
1526  * \retval #PSA_ERROR_NOT_SUPPORTED
1527  *         The \p role for this algorithm is not supported or is not valid.
1528  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1529  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1530  * \retval #PSA_ERROR_BAD_STATE
1531  *         The operation state is not valid, or
1532  *         the library has not been previously initialized by psa_crypto_init().
1533  *         It is implementation-dependent whether a failure to initialize
1534  *         results in this error code.
1535  */
1536 psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
1537                                 psa_pake_role_t role );
1538 
1539 /** Get output for a step of a password-authenticated key exchange.
1540  *
1541  * Depending on the algorithm being executed, you might need to call this
1542  * function several times or you might not need to call this at all.
1543  *
1544  * The exact sequence of calls to perform a password-authenticated key
1545  * exchange depends on the algorithm in use.  Refer to the documentation of
1546  * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1547  * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1548  * information.
1549  *
1550  * If this function returns an error status, the operation enters an error
1551  * state and must be aborted by calling psa_pake_abort().
1552  *
1553  * \param[in,out] operation    Active PAKE operation.
1554  * \param step                 The step of the algorithm for which the output is
1555  *                             requested.
1556  * \param[out] output          Buffer where the output is to be written in the
1557  *                             format appropriate for this \p step. Refer to
1558  *                             the documentation of the individual
1559  *                             \c PSA_PAKE_STEP_XXX constants for more
1560  *                             information.
1561  * \param output_size          Size of the \p output buffer in bytes. This must
1562  *                             be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p
1563  *                             primitive, \p step) where \p alg and
1564  *                             \p primitive are the PAKE algorithm and primitive
1565  *                             in the operation's cipher suite, and \p step is
1566  *                             the output step.
1567  *
1568  * \param[out] output_length   On success, the number of bytes of the returned
1569  *                             output.
1570  *
1571  * \retval #PSA_SUCCESS
1572  *         Success.
1573  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1574  *         The size of the \p output buffer is too small.
1575  * \retval #PSA_ERROR_INVALID_ARGUMENT
1576  *         \p step is not compatible with the operation's algorithm.
1577  * \retval #PSA_ERROR_NOT_SUPPORTED
1578  *         \p step is not supported with the operation's algorithm.
1579  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
1580  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1581  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1582  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1583  * \retval #PSA_ERROR_STORAGE_FAILURE
1584  * \retval #PSA_ERROR_DATA_CORRUPT
1585  * \retval #PSA_ERROR_DATA_INVALID
1586  * \retval #PSA_ERROR_BAD_STATE
1587  *         The operation state is not valid (it must be active, and fully set
1588  *         up, and this call must conform to the algorithm's requirements
1589  *         for ordering of input and output steps), or
1590  *         the library has not been previously initialized by psa_crypto_init().
1591  *         It is implementation-dependent whether a failure to initialize
1592  *         results in this error code.
1593  */
1594 psa_status_t psa_pake_output( psa_pake_operation_t *operation,
1595                               psa_pake_step_t step,
1596                               uint8_t *output,
1597                               size_t output_size,
1598                               size_t *output_length );
1599 
1600 /** Provide input for a step of a password-authenticated key exchange.
1601  *
1602  * Depending on the algorithm being executed, you might need to call this
1603  * function several times or you might not need to call this at all.
1604  *
1605  * The exact sequence of calls to perform a password-authenticated key
1606  * exchange depends on the algorithm in use.  Refer to the documentation of
1607  * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1608  * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1609  * information.
1610  *
1611  * If this function returns an error status, the operation enters an error
1612  * state and must be aborted by calling psa_pake_abort().
1613  *
1614  * \param[in,out] operation    Active PAKE operation.
1615  * \param step                 The step for which the input is provided.
1616  * \param[in] input            Buffer containing the input in the format
1617  *                             appropriate for this \p step. Refer to the
1618  *                             documentation of the individual
1619  *                             \c PSA_PAKE_STEP_XXX constants for more
1620  *                             information.
1621  * \param input_length         Size of the \p input buffer in bytes.
1622  *
1623  * \retval #PSA_SUCCESS
1624  *         Success.
1625  * \retval #PSA_ERROR_INVALID_SIGNATURE
1626  *         The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step.
1627  * \retval #PSA_ERROR_INVALID_ARGUMENT
1628  *         \p is not compatible with the \p operation’s algorithm, or the
1629  *         \p input is not valid for the \p operation's algorithm, cipher suite
1630  *         or \p step.
1631  * \retval #PSA_ERROR_NOT_SUPPORTED
1632  *         \p step p is not supported with the \p operation's algorithm, or the
1633  *         \p input is not supported for the \p operation's algorithm, cipher
1634  *         suite or \p step.
1635  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1636  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1637  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1638  * \retval #PSA_ERROR_STORAGE_FAILURE
1639  * \retval #PSA_ERROR_DATA_CORRUPT
1640  * \retval #PSA_ERROR_DATA_INVALID
1641  * \retval #PSA_ERROR_BAD_STATE
1642  *         The operation state is not valid (it must be active, and fully set
1643  *         up, and this call must conform to the algorithm's requirements
1644  *         for ordering of input and output steps), or
1645  *         the library has not been previously initialized by psa_crypto_init().
1646  *         It is implementation-dependent whether a failure to initialize
1647  *         results in this error code.
1648  */
1649 psa_status_t psa_pake_input( psa_pake_operation_t *operation,
1650                              psa_pake_step_t step,
1651                              const uint8_t *input,
1652                              size_t input_length );
1653 
1654 /** Get implicitly confirmed shared secret from a PAKE.
1655  *
1656  * At this point there is a cryptographic guarantee that only the authenticated
1657  * party who used the same password is able to compute the key. But there is no
1658  * guarantee that the peer is the party it claims to be and was able to do so.
1659  *
1660  * That is, the authentication is only implicit. Since the peer is not
1661  * authenticated yet, no action should be taken yet that assumes that the peer
1662  * is who it claims to be. For example, do not access restricted files on the
1663  * peer's behalf until an explicit authentication has succeeded.
1664  *
1665  * This function can be called after the key exchange phase of the operation
1666  * has completed. It imports the shared secret output of the PAKE into the
1667  * provided derivation operation. The input step
1668  * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key
1669  * material in the key derivation operation.
1670  *
1671  * The exact sequence of calls to perform a password-authenticated key
1672  * exchange depends on the algorithm in use.  Refer to the documentation of
1673  * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1674  * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1675  * information.
1676  *
1677  * When this function returns successfully, \p operation becomes inactive.
1678  * If this function returns an error status, both \p operation
1679  * and \p key_derivation operations enter an error state and must be aborted by
1680  * calling psa_pake_abort() and psa_key_derivation_abort() respectively.
1681  *
1682  * \param[in,out] operation    Active PAKE operation.
1683  * \param[out] output          A key derivation operation that is ready
1684  *                             for an input step of type
1685  *                             #PSA_KEY_DERIVATION_INPUT_SECRET.
1686  *
1687  * \retval #PSA_SUCCESS
1688  *         Success.
1689  * \retval #PSA_ERROR_INVALID_ARGUMENT
1690  *         #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the
1691  *         algorithm in the \p output key derivation operation.
1692  * \retval #PSA_ERROR_NOT_SUPPORTED
1693  *         Input from a PAKE is not supported by the algorithm in the \p output
1694  *         key derivation operation.
1695  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1696  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1697  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1698  * \retval #PSA_ERROR_STORAGE_FAILURE
1699  * \retval #PSA_ERROR_DATA_CORRUPT
1700  * \retval #PSA_ERROR_DATA_INVALID
1701  * \retval #PSA_ERROR_BAD_STATE
1702  *         The PAKE operation state is not valid (it must be active, but beyond
1703  *         that validity is specific to the algorithm), or
1704  *         the library has not been previously initialized by psa_crypto_init(),
1705  *         or the state of \p output is not valid for
1706  *         the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the
1707  *         step is out of order or the application has done this step already
1708  *         and it may not be repeated.
1709  *         It is implementation-dependent whether a failure to initialize
1710  *         results in this error code.
1711  */
1712 psa_status_t psa_pake_get_implicit_key( psa_pake_operation_t *operation,
1713                                         psa_key_derivation_operation_t *output );
1714 
1715 /** Abort a PAKE operation.
1716  *
1717  * Aborting an operation frees all associated resources except for the \c
1718  * operation structure itself. Once aborted, the operation object can be reused
1719  * for another operation by calling psa_pake_setup() again.
1720  *
1721  * This function may be called at any time after the operation
1722  * object has been initialized as described in #psa_pake_operation_t.
1723  *
1724  * In particular, calling psa_pake_abort() after the operation has been
1725  * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key()
1726  * is safe and has no effect.
1727  *
1728  * \param[in,out] operation    The operation to abort.
1729  *
1730  * \retval #PSA_SUCCESS
1731  *         Success.
1732  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1733  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1734  * \retval #PSA_ERROR_BAD_STATE
1735  *         The library has not been previously initialized by psa_crypto_init().
1736  *         It is implementation-dependent whether a failure to initialize
1737  *         results in this error code.
1738  */
1739 psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
1740 
1741 /**@}*/
1742 
1743 /** A sufficient output buffer size for psa_pake_output().
1744  *
1745  * If the size of the output buffer is at least this large, it is guaranteed
1746  * that psa_pake_output() will not fail due to an insufficient output buffer
1747  * size. The actual size of the output might be smaller in any given call.
1748  *
1749  * See also #PSA_PAKE_OUTPUT_MAX_SIZE
1750  *
1751  * \param alg           A PAKE algorithm (\c PSA_ALG_XXX value such that
1752  *                      #PSA_ALG_IS_PAKE(\p alg) is true).
1753  * \param primitive     A primitive of type ::psa_pake_primitive_t that is
1754  *                      compatible with algorithm \p alg.
1755  * \param output_step   A value of type ::psa_pake_step_t that is valid for the
1756  *                      algorithm \p alg.
1757  * \return              A sufficient output buffer size for the specified
1758  *                      PAKE algorithm, primitive, and output step. If the
1759  *                      PAKE algorithm, primitive, or output step is not
1760  *                      recognized, or the parameters are incompatible,
1761  *                      return 0.
1762  */
1763 #define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step)               \
1764     ( alg == PSA_ALG_JPAKE &&                                           \
1765       primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,      \
1766                                       PSA_ECC_FAMILY_SECP_R1, 256) ?    \
1767       (                                                                 \
1768         output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 :                   \
1769         output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 :                   \
1770         32                                                              \
1771       ) :                                                               \
1772       0 )
1773 
1774 /** A sufficient input buffer size for psa_pake_input().
1775  *
1776  * The value returned by this macro is guaranteed to be large enough for any
1777  * valid input to psa_pake_input() in an operation with the specified
1778  * parameters.
1779  *
1780  * See also #PSA_PAKE_INPUT_MAX_SIZE
1781  *
1782  * \param alg           A PAKE algorithm (\c PSA_ALG_XXX value such that
1783  *                      #PSA_ALG_IS_PAKE(\p alg) is true).
1784  * \param primitive     A primitive of type ::psa_pake_primitive_t that is
1785  *                      compatible with algorithm \p alg.
1786  * \param input_step    A value of type ::psa_pake_step_t that is valid for the
1787  *                      algorithm \p alg.
1788  * \return              A sufficient input buffer size for the specified
1789  *                      input, cipher suite and algorithm. If the cipher suite,
1790  *                      the input type or PAKE algorithm is not recognized, or
1791  *                      the parameters are incompatible, return 0.
1792  */
1793 #define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step)                 \
1794     ( alg == PSA_ALG_JPAKE &&                                           \
1795       primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,      \
1796                                       PSA_ECC_FAMILY_SECP_R1, 256) ?    \
1797       (                                                                 \
1798         input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 :                    \
1799         input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 :                    \
1800         32                                                              \
1801       ) :                                                               \
1802       0 )
1803 
1804 /** Output buffer size for psa_pake_output() for any of the supported PAKE
1805  * algorithm and primitive suites and output step.
1806  *
1807  * This macro must expand to a compile-time constant integer.
1808  *
1809  * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p step).
1810  */
1811 #define PSA_PAKE_OUTPUT_MAX_SIZE 65
1812 
1813 /** Input buffer size for psa_pake_input() for any of the supported PAKE
1814  * algorithm and primitive suites and input step.
1815  *
1816  * This macro must expand to a compile-time constant integer.
1817  *
1818  * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p step).
1819  */
1820 #define PSA_PAKE_INPUT_MAX_SIZE 65
1821 
1822 /** Returns a suitable initializer for a PAKE cipher suite object of type
1823  * psa_pake_cipher_suite_t.
1824  */
1825 #define PSA_PAKE_CIPHER_SUITE_INIT {PSA_ALG_NONE, 0, 0, 0, PSA_ALG_NONE}
1826 
1827 /** Returns a suitable initializer for a PAKE operation object of type
1828  * psa_pake_operation_t.
1829  */
1830 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
1831 #define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, 0, 0,              \
1832                                  NULL, 0                ,               \
1833                                  PSA_PAKE_ROLE_NONE, {0}, 0, 0,         \
1834                                  {.dummy = 0}}
1835 #else
1836 #define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, {0}}
1837 #endif
1838 
1839 struct psa_pake_cipher_suite_s
1840 {
1841     psa_algorithm_t algorithm;
1842     psa_pake_primitive_type_t type;
1843     psa_pake_family_t family;
1844     uint16_t  bits;
1845     psa_algorithm_t hash;
1846 };
1847 
psa_pake_cs_get_algorithm(const psa_pake_cipher_suite_t * cipher_suite)1848 static inline psa_algorithm_t psa_pake_cs_get_algorithm(
1849                         const psa_pake_cipher_suite_t *cipher_suite )
1850 {
1851     return( cipher_suite->algorithm );
1852 }
1853 
psa_pake_cs_set_algorithm(psa_pake_cipher_suite_t * cipher_suite,psa_algorithm_t algorithm)1854 static inline void psa_pake_cs_set_algorithm(
1855     psa_pake_cipher_suite_t *cipher_suite,
1856     psa_algorithm_t algorithm)
1857 {
1858     if( !PSA_ALG_IS_PAKE( algorithm ) )
1859         cipher_suite->algorithm = 0;
1860     else
1861         cipher_suite->algorithm = algorithm;
1862 }
1863 
psa_pake_cs_get_primitive(const psa_pake_cipher_suite_t * cipher_suite)1864 static inline psa_pake_primitive_t psa_pake_cs_get_primitive(
1865                         const psa_pake_cipher_suite_t *cipher_suite )
1866 {
1867     return( PSA_PAKE_PRIMITIVE( cipher_suite->type, cipher_suite->family,
1868                                 cipher_suite->bits ) );
1869 }
1870 
psa_pake_cs_set_primitive(psa_pake_cipher_suite_t * cipher_suite,psa_pake_primitive_t primitive)1871 static inline void psa_pake_cs_set_primitive(
1872                         psa_pake_cipher_suite_t *cipher_suite,
1873                         psa_pake_primitive_t primitive )
1874 {
1875     cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24);
1876     cipher_suite->family = (psa_pake_family_t) (0xFF & (primitive >> 16));
1877     cipher_suite->bits = (uint16_t) (0xFFFF & primitive);
1878 }
1879 
psa_pake_cs_get_family(const psa_pake_cipher_suite_t * cipher_suite)1880 static inline psa_pake_family_t psa_pake_cs_get_family(
1881                         const psa_pake_cipher_suite_t *cipher_suite )
1882 {
1883     return( cipher_suite->family );
1884 }
1885 
psa_pake_cs_get_bits(const psa_pake_cipher_suite_t * cipher_suite)1886 static inline uint16_t psa_pake_cs_get_bits(
1887                         const psa_pake_cipher_suite_t *cipher_suite )
1888 {
1889     return( cipher_suite->bits );
1890 }
1891 
psa_pake_cs_get_hash(const psa_pake_cipher_suite_t * cipher_suite)1892 static inline psa_algorithm_t psa_pake_cs_get_hash(
1893                         const psa_pake_cipher_suite_t *cipher_suite )
1894 {
1895     return( cipher_suite->hash );
1896 }
1897 
psa_pake_cs_set_hash(psa_pake_cipher_suite_t * cipher_suite,psa_algorithm_t hash)1898 static inline void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite,
1899                                          psa_algorithm_t hash )
1900 {
1901     if( !PSA_ALG_IS_HASH( hash ) )
1902         cipher_suite->hash = 0;
1903     else
1904         cipher_suite->hash = hash;
1905 }
1906 
1907 #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
1908 #include <mbedtls/ecjpake.h>
1909 /* Note: the format for mbedtls_ecjpake_read/write function has an extra
1910  * length byte for each step, plus an extra 3 bytes for ECParameters in the
1911  * server's 2nd round. */
1912 #define MBEDTLS_PSA_PAKE_BUFFER_SIZE ( ( 3 + 1 + 65 + 1 + 65 + 1 + 32 ) * 2 )
1913 #endif
1914 
1915 struct psa_pake_operation_s
1916 {
1917     psa_algorithm_t MBEDTLS_PRIVATE(alg);
1918     unsigned int MBEDTLS_PRIVATE(state);
1919     unsigned int MBEDTLS_PRIVATE(sequence);
1920 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
1921     unsigned int MBEDTLS_PRIVATE(input_step);
1922     unsigned int MBEDTLS_PRIVATE(output_step);
1923     uint8_t* MBEDTLS_PRIVATE(password);
1924     size_t MBEDTLS_PRIVATE(password_len);
1925     psa_pake_role_t MBEDTLS_PRIVATE(role);
1926     uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]);
1927     size_t MBEDTLS_PRIVATE(buffer_length);
1928     size_t MBEDTLS_PRIVATE(buffer_offset);
1929 #endif
1930     union
1931     {
1932 #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
1933         mbedtls_ecjpake_context ecjpake;
1934 #endif
1935         /* Make the union non-empty even with no supported algorithms. */
1936         uint8_t dummy;
1937     } MBEDTLS_PRIVATE(ctx);
1938 };
1939 
psa_pake_cipher_suite_init(void)1940 static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init( void )
1941 {
1942     const struct psa_pake_cipher_suite_s v = PSA_PAKE_CIPHER_SUITE_INIT;
1943     return( v );
1944 }
1945 
psa_pake_operation_init(void)1946 static inline struct psa_pake_operation_s psa_pake_operation_init( void )
1947 {
1948     const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT;
1949     return( v );
1950 }
1951 
1952 #ifdef __cplusplus
1953 }
1954 #endif
1955 
1956 #endif /* PSA_CRYPTO_EXTRA_H */
1957