1 /** 2 * \file ecjpake.h 3 * 4 * \brief Elliptic curve J-PAKE 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 9 * 10 * Licensed under the Apache License, Version 2.0 (the "License"); you may 11 * not use this file except in compliance with the License. 12 * You may obtain a copy of the License at 13 * 14 * http://www.apache.org/licenses/LICENSE-2.0 15 * 16 * Unless required by applicable law or agreed to in writing, software 17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 * See the License for the specific language governing permissions and 20 * limitations under the License. 21 */ 22 #ifndef MBEDTLS_ECJPAKE_H 23 #define MBEDTLS_ECJPAKE_H 24 #include "mbedtls/private_access.h" 25 26 /* 27 * J-PAKE is a password-authenticated key exchange that allows deriving a 28 * strong shared secret from a (potentially low entropy) pre-shared 29 * passphrase, with forward secrecy and mutual authentication. 30 * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling 31 * 32 * This file implements the Elliptic Curve variant of J-PAKE, 33 * as defined in Chapter 7.4 of the Thread v1.0 Specification, 34 * available to members of the Thread Group http://threadgroup.org/ 35 * 36 * As the J-PAKE algorithm is inherently symmetric, so is our API. 37 * Each party needs to send its first round message, in any order, to the 38 * other party, then each sends its second round message, in any order. 39 * The payloads are serialized in a way suitable for use in TLS, but could 40 * also be use outside TLS. 41 */ 42 #include "mbedtls/build_info.h" 43 44 #include "mbedtls/ecp.h" 45 #include "mbedtls/md.h" 46 47 #ifdef __cplusplus 48 extern "C" { 49 #endif 50 51 /** 52 * Roles in the EC J-PAKE exchange 53 */ 54 typedef enum { 55 MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */ 56 MBEDTLS_ECJPAKE_SERVER, /**< Server */ 57 } mbedtls_ecjpake_role; 58 59 #if !defined(MBEDTLS_ECJPAKE_ALT) 60 /** 61 * EC J-PAKE context structure. 62 * 63 * J-PAKE is a symmetric protocol, except for the identifiers used in 64 * Zero-Knowledge Proofs, and the serialization of the second message 65 * (KeyExchange) as defined by the Thread spec. 66 * 67 * In order to benefit from this symmetry, we choose a different naming 68 * convention from the Thread v1.0 spec. Correspondence is indicated in the 69 * description as a pair C: client name, S: server name 70 */ 71 typedef struct mbedtls_ecjpake_context { 72 mbedtls_md_type_t MBEDTLS_PRIVATE(md_type); /**< Hash to use */ 73 mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /**< Elliptic curve */ 74 mbedtls_ecjpake_role MBEDTLS_PRIVATE(role); /**< Are we client or server? */ 75 int MBEDTLS_PRIVATE(point_format); /**< Format for point export */ 76 77 mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1); /**< My public key 1 C: X1, S: X3 */ 78 mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2); /**< My public key 2 C: X2, S: X4 */ 79 mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1); /**< Peer public key 1 C: X3, S: X1 */ 80 mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2); /**< Peer public key 2 C: X4, S: X2 */ 81 mbedtls_ecp_point MBEDTLS_PRIVATE(Xp); /**< Peer public key C: Xs, S: Xc */ 82 83 mbedtls_mpi MBEDTLS_PRIVATE(xm1); /**< My private key 1 C: x1, S: x3 */ 84 mbedtls_mpi MBEDTLS_PRIVATE(xm2); /**< My private key 2 C: x2, S: x4 */ 85 86 mbedtls_mpi MBEDTLS_PRIVATE(s); /**< Pre-shared secret (passphrase) */ 87 } mbedtls_ecjpake_context; 88 89 #else /* MBEDTLS_ECJPAKE_ALT */ 90 #include "ecjpake_alt.h" 91 #endif /* MBEDTLS_ECJPAKE_ALT */ 92 93 /** 94 * \brief Initialize an ECJPAKE context. 95 * 96 * \param ctx The ECJPAKE context to initialize. 97 * This must not be \c NULL. 98 */ 99 void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx); 100 101 /** 102 * \brief Set up an ECJPAKE context for use. 103 * 104 * \note Currently the only values for hash/curve allowed by the 105 * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. 106 * 107 * \param ctx The ECJPAKE context to set up. This must be initialized. 108 * \param role The role of the caller. This must be either 109 * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. 110 * \param hash The identifier of the hash function to use, 111 * for example #MBEDTLS_MD_SHA256. 112 * \param curve The identifier of the elliptic curve to use, 113 * for example #MBEDTLS_ECP_DP_SECP256R1. 114 * \param secret The pre-shared secret (passphrase). This must be 115 * a readable not empty buffer of length \p len Bytes. It need 116 * only be valid for the duration of this call. 117 * \param len The length of the pre-shared secret \p secret. 118 * 119 * \return \c 0 if successful. 120 * \return A negative error code on failure. 121 */ 122 int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx, 123 mbedtls_ecjpake_role role, 124 mbedtls_md_type_t hash, 125 mbedtls_ecp_group_id curve, 126 const unsigned char *secret, 127 size_t len); 128 129 /** 130 * \brief Set the point format for future reads and writes. 131 * 132 * \param ctx The ECJPAKE context to configure. 133 * \param point_format The point format to use: 134 * #MBEDTLS_ECP_PF_UNCOMPRESSED (default) 135 * or #MBEDTLS_ECP_PF_COMPRESSED. 136 * 137 * \return \c 0 if successful. 138 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format 139 * is invalid. 140 */ 141 int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx, 142 int point_format); 143 144 /** 145 * \brief Check if an ECJPAKE context is ready for use. 146 * 147 * \param ctx The ECJPAKE context to check. This must be 148 * initialized. 149 * 150 * \return \c 0 if the context is ready for use. 151 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. 152 */ 153 int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx); 154 155 /** 156 * \brief Generate and write the first round message 157 * (TLS: contents of the Client/ServerHello extension, 158 * excluding extension type and length bytes). 159 * 160 * \param ctx The ECJPAKE context to use. This must be 161 * initialized and set up. 162 * \param buf The buffer to write the contents to. This must be a 163 * writable buffer of length \p len Bytes. 164 * \param len The length of \p buf in Bytes. 165 * \param olen The address at which to store the total number 166 * of Bytes written to \p buf. This must not be \c NULL. 167 * \param f_rng The RNG function to use. This must not be \c NULL. 168 * \param p_rng The RNG parameter to be passed to \p f_rng. This 169 * may be \c NULL if \p f_rng doesn't use a context. 170 * 171 * \return \c 0 if successful. 172 * \return A negative error code on failure. 173 */ 174 int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx, 175 unsigned char *buf, size_t len, size_t *olen, 176 int (*f_rng)(void *, unsigned char *, size_t), 177 void *p_rng); 178 179 /** 180 * \brief Read and process the first round message 181 * (TLS: contents of the Client/ServerHello extension, 182 * excluding extension type and length bytes). 183 * 184 * \param ctx The ECJPAKE context to use. This must be initialized 185 * and set up. 186 * \param buf The buffer holding the first round message. This must 187 * be a readable buffer of length \p len Bytes. 188 * \param len The length in Bytes of \p buf. 189 * 190 * \return \c 0 if successful. 191 * \return A negative error code on failure. 192 */ 193 int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx, 194 const unsigned char *buf, 195 size_t len); 196 197 /** 198 * \brief Generate and write the second round message 199 * (TLS: contents of the Client/ServerKeyExchange). 200 * 201 * \param ctx The ECJPAKE context to use. This must be initialized, 202 * set up, and already have performed round one. 203 * \param buf The buffer to write the round two contents to. 204 * This must be a writable buffer of length \p len Bytes. 205 * \param len The size of \p buf in Bytes. 206 * \param olen The address at which to store the total number of Bytes 207 * written to \p buf. This must not be \c NULL. 208 * \param f_rng The RNG function to use. This must not be \c NULL. 209 * \param p_rng The RNG parameter to be passed to \p f_rng. This 210 * may be \c NULL if \p f_rng doesn't use a context. 211 * 212 * \return \c 0 if successful. 213 * \return A negative error code on failure. 214 */ 215 int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx, 216 unsigned char *buf, size_t len, size_t *olen, 217 int (*f_rng)(void *, unsigned char *, size_t), 218 void *p_rng); 219 220 /** 221 * \brief Read and process the second round message 222 * (TLS: contents of the Client/ServerKeyExchange). 223 * 224 * \param ctx The ECJPAKE context to use. This must be initialized 225 * and set up and already have performed round one. 226 * \param buf The buffer holding the second round message. This must 227 * be a readable buffer of length \p len Bytes. 228 * \param len The length in Bytes of \p buf. 229 * 230 * \return \c 0 if successful. 231 * \return A negative error code on failure. 232 */ 233 int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx, 234 const unsigned char *buf, 235 size_t len); 236 237 /** 238 * \brief Derive the shared secret 239 * (TLS: Pre-Master Secret). 240 * 241 * \param ctx The ECJPAKE context to use. This must be initialized, 242 * set up and have performed both round one and two. 243 * \param buf The buffer to write the derived secret to. This must 244 * be a writable buffer of length \p len Bytes. 245 * \param len The length of \p buf in Bytes. 246 * \param olen The address at which to store the total number of Bytes 247 * written to \p buf. This must not be \c NULL. 248 * \param f_rng The RNG function to use. This must not be \c NULL. 249 * \param p_rng The RNG parameter to be passed to \p f_rng. This 250 * may be \c NULL if \p f_rng doesn't use a context. 251 * 252 * \return \c 0 if successful. 253 * \return A negative error code on failure. 254 */ 255 int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx, 256 unsigned char *buf, size_t len, size_t *olen, 257 int (*f_rng)(void *, unsigned char *, size_t), 258 void *p_rng); 259 260 /** 261 * \brief Write the shared key material to be passed to a Key 262 * Derivation Function as described in RFC8236. 263 * 264 * \param ctx The ECJPAKE context to use. This must be initialized, 265 * set up and have performed both round one and two. 266 * \param buf The buffer to write the derived secret to. This must 267 * be a writable buffer of length \p len Bytes. 268 * \param len The length of \p buf in Bytes. 269 * \param olen The address at which to store the total number of bytes 270 * written to \p buf. This must not be \c NULL. 271 * \param f_rng The RNG function to use. This must not be \c NULL. 272 * \param p_rng The RNG parameter to be passed to \p f_rng. This 273 * may be \c NULL if \p f_rng doesn't use a context. 274 * 275 * \return \c 0 if successful. 276 * \return A negative error code on failure. 277 */ 278 int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx, 279 unsigned char *buf, size_t len, size_t *olen, 280 int (*f_rng)(void *, unsigned char *, size_t), 281 void *p_rng); 282 283 /** 284 * \brief This clears an ECJPAKE context and frees any 285 * embedded data structure. 286 * 287 * \param ctx The ECJPAKE context to free. This may be \c NULL, 288 * in which case this function does nothing. If it is not 289 * \c NULL, it must point to an initialized ECJPAKE context. 290 */ 291 void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx); 292 293 #if defined(MBEDTLS_SELF_TEST) 294 295 /** 296 * \brief Checkup routine 297 * 298 * \return 0 if successful, or 1 if a test failed 299 */ 300 int mbedtls_ecjpake_self_test(int verbose); 301 302 #endif /* MBEDTLS_SELF_TEST */ 303 304 #ifdef __cplusplus 305 } 306 #endif 307 308 309 #endif /* ecjpake.h */ 310
