/** * \file ecjpake.h * * \brief Elliptic curve J-PAKE */ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later * * This file is provided under the Apache License 2.0, or the * GNU General Public License v2.0 or later. * * ********** * Apache License 2.0: * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * ********** * * ********** * GNU General Public License v2.0 or later: * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * ********** */ #ifndef MBEDTLS_ECJPAKE_H #define MBEDTLS_ECJPAKE_H /* * J-PAKE is a password-authenticated key exchange that allows deriving a * strong shared secret from a (potentially low entropy) pre-shared * passphrase, with forward secrecy and mutual authentication. * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling * * This file implements the Elliptic Curve variant of J-PAKE, * as defined in Chapter 7.4 of the Thread v1.0 Specification, * available to members of the Thread Group http://threadgroup.org/ * * As the J-PAKE algorithm is inherently symmetric, so is our API. * Each party needs to send its first round message, in any order, to the * other party, then each sends its second round message, in any order. * The payloads are serialized in a way suitable for use in TLS, but could * also be use outside TLS. */ #if !defined(MBEDTLS_CONFIG_FILE) #include "config.h" #else #include MBEDTLS_CONFIG_FILE #endif #include "ecp.h" #include "md.h" #ifdef __cplusplus extern "C" { #endif /** * Roles in the EC J-PAKE exchange */ typedef enum { MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */ MBEDTLS_ECJPAKE_SERVER, /**< Server */ } mbedtls_ecjpake_role; #if !defined(MBEDTLS_ECJPAKE_ALT) /** * EC J-PAKE context structure. * * J-PAKE is a symmetric protocol, except for the identifiers used in * Zero-Knowledge Proofs, and the serialization of the second message * (KeyExchange) as defined by the Thread spec. * * In order to benefit from this symmetry, we choose a different naming * convetion from the Thread v1.0 spec. Correspondance is indicated in the * description as a pair C: client name, S: server name */ typedef struct mbedtls_ecjpake_context { const mbedtls_md_info_t *md_info; /**< Hash to use */ mbedtls_ecp_group grp; /**< Elliptic curve */ mbedtls_ecjpake_role role; /**< Are we client or server? */ int point_format; /**< Format for point export */ mbedtls_ecp_point Xm1; /**< My public key 1 C: X1, S: X3 */ mbedtls_ecp_point Xm2; /**< My public key 2 C: X2, S: X4 */ mbedtls_ecp_point Xp1; /**< Peer public key 1 C: X3, S: X1 */ mbedtls_ecp_point Xp2; /**< Peer public key 2 C: X4, S: X2 */ mbedtls_ecp_point Xp; /**< Peer public key C: Xs, S: Xc */ mbedtls_mpi xm1; /**< My private key 1 C: x1, S: x3 */ mbedtls_mpi xm2; /**< My private key 2 C: x2, S: x4 */ mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; #else /* MBEDTLS_ECJPAKE_ALT */ #include "ecjpake_alt.h" #endif /* MBEDTLS_ECJPAKE_ALT */ /** * \brief Initialize an ECJPAKE context. * * \param ctx The ECJPAKE context to initialize. * This must not be \c NULL. */ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); /** * \brief Set up an ECJPAKE context for use. * * \note Currently the only values for hash/curve allowed by the * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. * * \param ctx The ECJPAKE context to set up. This must be initialized. * \param role The role of the caller. This must be either * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. * \param hash The identifier of the hash function to use, * for example #MBEDTLS_MD_SHA256. * \param curve The identifier of the elliptic curve to use, * for example #MBEDTLS_ECP_DP_SECP256R1. * \param secret The pre-shared secret (passphrase). This must be * a readable buffer of length \p len Bytes. It need * only be valid for the duration of this call. * \param len The length of the pre-shared secret \p secret. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, mbedtls_ecjpake_role role, mbedtls_md_type_t hash, mbedtls_ecp_group_id curve, const unsigned char *secret, size_t len ); /** * \brief Check if an ECJPAKE context is ready for use. * * \param ctx The ECJPAKE context to check. This must be * initialized. * * \return \c 0 if the context is ready for use. * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. */ int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ); /** * \brief Generate and write the first round message * (TLS: contents of the Client/ServerHello extension, * excluding extension type and length bytes). * * \param ctx The ECJPAKE context to use. This must be * initialized and set up. * \param buf The buffer to write the contents to. This must be a * writable buffer of length \p len Bytes. * \param len The length of \p buf in Bytes. * \param olen The address at which to store the total number * of Bytes written to \p buf. This must not be \c NULL. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG parameter to be passed to \p f_rng. This * may be \c NULL if \p f_rng doesn't use a context. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief Read and process the first round message * (TLS: contents of the Client/ServerHello extension, * excluding extension type and length bytes). * * \param ctx The ECJPAKE context to use. This must be initialized * and set up. * \param buf The buffer holding the first round message. This must * be a readable buffer of length \p len Bytes. * \param len The length in Bytes of \p buf. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); /** * \brief Generate and write the second round message * (TLS: contents of the Client/ServerKeyExchange). * * \param ctx The ECJPAKE context to use. This must be initialized, * set up, and already have performed round one. * \param buf The buffer to write the round two contents to. * This must be a writable buffer of length \p len Bytes. * \param len The size of \p buf in Bytes. * \param olen The address at which to store the total number of Bytes * written to \p buf. This must not be \c NULL. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG parameter to be passed to \p f_rng. This * may be \c NULL if \p f_rng doesn't use a context. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief Read and process the second round message * (TLS: contents of the Client/ServerKeyExchange). * * \param ctx The ECJPAKE context to use. This must be initialized * and set up and already have performed round one. * \param buf The buffer holding the second round message. This must * be a readable buffer of length \p len Bytes. * \param len The length in Bytes of \p buf. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); /** * \brief Derive the shared secret * (TLS: Pre-Master Secret). * * \param ctx The ECJPAKE context to use. This must be initialized, * set up and have performed both round one and two. * \param buf The buffer to write the derived secret to. This must * be a writable buffer of length \p len Bytes. * \param len The length of \p buf in Bytes. * \param olen The address at which to store the total number of Bytes * written to \p buf. This must not be \c NULL. * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG parameter to be passed to \p f_rng. This * may be \c NULL if \p f_rng doesn't use a context. * * \return \c 0 if successful. * \return A negative error code on failure. */ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** * \brief This clears an ECJPAKE context and frees any * embedded data structure. * * \param ctx The ECJPAKE context to free. This may be \c NULL, * in which case this function does nothing. If it is not * \c NULL, it must point to an initialized ECJPAKE context. */ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); #if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine * * \return 0 if successful, or 1 if a test failed */ int mbedtls_ecjpake_self_test( int verbose ); #endif /* MBEDTLS_SELF_TEST */ #ifdef __cplusplus } #endif #endif /* ecjpake.h */