• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file ecjpake.h
3  *
4  * \brief Elliptic curve J-PAKE
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_ECJPAKE_H
23 #define MBEDTLS_ECJPAKE_H
24 #include "mbedtls/private_access.h"
25 
26 /*
27  * J-PAKE is a password-authenticated key exchange that allows deriving a
28  * strong shared secret from a (potentially low entropy) pre-shared
29  * passphrase, with forward secrecy and mutual authentication.
30  * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
31  *
32  * This file implements the Elliptic Curve variant of J-PAKE,
33  * as defined in Chapter 7.4 of the Thread v1.0 Specification,
34  * available to members of the Thread Group http://threadgroup.org/
35  *
36  * As the J-PAKE algorithm is inherently symmetric, so is our API.
37  * Each party needs to send its first round message, in any order, to the
38  * other party, then each sends its second round message, in any order.
39  * The payloads are serialized in a way suitable for use in TLS, but could
40  * also be use outside TLS.
41  */
42 #include "mbedtls/build_info.h"
43 
44 #include "mbedtls/ecp.h"
45 #include "mbedtls/md.h"
46 
47 #ifdef __cplusplus
48 extern "C" {
49 #endif
50 
51 /**
52  * Roles in the EC J-PAKE exchange
53  */
54 typedef enum {
55     MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
56     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
57 } mbedtls_ecjpake_role;
58 
59 #if !defined(MBEDTLS_ECJPAKE_ALT)
60 /**
61  * EC J-PAKE context structure.
62  *
63  * J-PAKE is a symmetric protocol, except for the identifiers used in
64  * Zero-Knowledge Proofs, and the serialization of the second message
65  * (KeyExchange) as defined by the Thread spec.
66  *
67  * In order to benefit from this symmetry, we choose a different naming
68  * convention from the Thread v1.0 spec. Correspondence is indicated in the
69  * description as a pair C: client name, S: server name
70  */
71 typedef struct mbedtls_ecjpake_context {
72     mbedtls_md_type_t MBEDTLS_PRIVATE(md_type);          /**< Hash to use                    */
73     mbedtls_ecp_group MBEDTLS_PRIVATE(grp);              /**< Elliptic curve                 */
74     mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);          /**< Are we client or server?       */
75     int MBEDTLS_PRIVATE(point_format);                   /**< Format for point export        */
76 
77     mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1);              /**< My public key 1   C: X1, S: X3 */
78     mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2);              /**< My public key 2   C: X2, S: X4 */
79     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1);              /**< Peer public key 1 C: X3, S: X1 */
80     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2);              /**< Peer public key 2 C: X4, S: X2 */
81     mbedtls_ecp_point MBEDTLS_PRIVATE(Xp);               /**< Peer public key   C: Xs, S: Xc */
82 
83     mbedtls_mpi MBEDTLS_PRIVATE(xm1);                    /**< My private key 1  C: x1, S: x3 */
84     mbedtls_mpi MBEDTLS_PRIVATE(xm2);                    /**< My private key 2  C: x2, S: x4 */
85 
86     mbedtls_mpi MBEDTLS_PRIVATE(s);                      /**< Pre-shared secret (passphrase) */
87 } mbedtls_ecjpake_context;
88 
89 #else  /* MBEDTLS_ECJPAKE_ALT */
90 #include "ecjpake_alt.h"
91 #endif /* MBEDTLS_ECJPAKE_ALT */
92 
93 /**
94  * \brief           Initialize an ECJPAKE context.
95  *
96  * \param ctx       The ECJPAKE context to initialize.
97  *                  This must not be \c NULL.
98  */
99 void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx);
100 
101 /**
102  * \brief           Set up an ECJPAKE context for use.
103  *
104  * \note            Currently the only values for hash/curve allowed by the
105  *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
106  *
107  * \param ctx       The ECJPAKE context to set up. This must be initialized.
108  * \param role      The role of the caller. This must be either
109  *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
110  * \param hash      The identifier of the hash function to use,
111  *                  for example #MBEDTLS_MD_SHA256.
112  * \param curve     The identifier of the elliptic curve to use,
113  *                  for example #MBEDTLS_ECP_DP_SECP256R1.
114  * \param secret    The pre-shared secret (passphrase). This must be
115  *                  a readable not empty buffer of length \p len Bytes. It need
116  *                  only be valid for the duration of this call.
117  * \param len       The length of the pre-shared secret \p secret.
118  *
119  * \return          \c 0 if successful.
120  * \return          A negative error code on failure.
121  */
122 int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
123                           mbedtls_ecjpake_role role,
124                           mbedtls_md_type_t hash,
125                           mbedtls_ecp_group_id curve,
126                           const unsigned char *secret,
127                           size_t len);
128 
129 /**
130  * \brief               Set the point format for future reads and writes.
131  *
132  * \param ctx           The ECJPAKE context to configure.
133  * \param point_format  The point format to use:
134  *                      #MBEDTLS_ECP_PF_UNCOMPRESSED (default)
135  *                      or #MBEDTLS_ECP_PF_COMPRESSED.
136  *
137  * \return              \c 0 if successful.
138  * \return              #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format
139  *                      is invalid.
140  */
141 int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
142                                      int point_format);
143 
144 /**
145  * \brief           Check if an ECJPAKE context is ready for use.
146  *
147  * \param ctx       The ECJPAKE context to check. This must be
148  *                  initialized.
149  *
150  * \return          \c 0 if the context is ready for use.
151  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
152  */
153 int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx);
154 
155 /**
156  * \brief           Generate and write the first round message
157  *                  (TLS: contents of the Client/ServerHello extension,
158  *                  excluding extension type and length bytes).
159  *
160  * \param ctx       The ECJPAKE context to use. This must be
161  *                  initialized and set up.
162  * \param buf       The buffer to write the contents to. This must be a
163  *                  writable buffer of length \p len Bytes.
164  * \param len       The length of \p buf in Bytes.
165  * \param olen      The address at which to store the total number
166  *                  of Bytes written to \p buf. This must not be \c NULL.
167  * \param f_rng     The RNG function to use. This must not be \c NULL.
168  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
169  *                  may be \c NULL if \p f_rng doesn't use a context.
170  *
171  * \return          \c 0 if successful.
172  * \return          A negative error code on failure.
173  */
174 int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
175                                     unsigned char *buf, size_t len, size_t *olen,
176                                     int (*f_rng)(void *, unsigned char *, size_t),
177                                     void *p_rng);
178 
179 /**
180  * \brief           Read and process the first round message
181  *                  (TLS: contents of the Client/ServerHello extension,
182  *                  excluding extension type and length bytes).
183  *
184  * \param ctx       The ECJPAKE context to use. This must be initialized
185  *                  and set up.
186  * \param buf       The buffer holding the first round message. This must
187  *                  be a readable buffer of length \p len Bytes.
188  * \param len       The length in Bytes of \p buf.
189  *
190  * \return          \c 0 if successful.
191  * \return          A negative error code on failure.
192  */
193 int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
194                                    const unsigned char *buf,
195                                    size_t len);
196 
197 /**
198  * \brief           Generate and write the second round message
199  *                  (TLS: contents of the Client/ServerKeyExchange).
200  *
201  * \param ctx       The ECJPAKE context to use. This must be initialized,
202  *                  set up, and already have performed round one.
203  * \param buf       The buffer to write the round two contents to.
204  *                  This must be a writable buffer of length \p len Bytes.
205  * \param len       The size of \p buf in Bytes.
206  * \param olen      The address at which to store the total number of Bytes
207  *                  written to \p buf. This must not be \c NULL.
208  * \param f_rng     The RNG function to use. This must not be \c NULL.
209  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
210  *                  may be \c NULL if \p f_rng doesn't use a context.
211  *
212  * \return          \c 0 if successful.
213  * \return          A negative error code on failure.
214  */
215 int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
216                                     unsigned char *buf, size_t len, size_t *olen,
217                                     int (*f_rng)(void *, unsigned char *, size_t),
218                                     void *p_rng);
219 
220 /**
221  * \brief           Read and process the second round message
222  *                  (TLS: contents of the Client/ServerKeyExchange).
223  *
224  * \param ctx       The ECJPAKE context to use. This must be initialized
225  *                  and set up and already have performed round one.
226  * \param buf       The buffer holding the second round message. This must
227  *                  be a readable buffer of length \p len Bytes.
228  * \param len       The length in Bytes of \p buf.
229  *
230  * \return          \c 0 if successful.
231  * \return          A negative error code on failure.
232  */
233 int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
234                                    const unsigned char *buf,
235                                    size_t len);
236 
237 /**
238  * \brief           Derive the shared secret
239  *                  (TLS: Pre-Master Secret).
240  *
241  * \param ctx       The ECJPAKE context to use. This must be initialized,
242  *                  set up and have performed both round one and two.
243  * \param buf       The buffer to write the derived secret to. This must
244  *                  be a writable buffer of length \p len Bytes.
245  * \param len       The length of \p buf in Bytes.
246  * \param olen      The address at which to store the total number of Bytes
247  *                  written to \p buf. This must not be \c NULL.
248  * \param f_rng     The RNG function to use. This must not be \c NULL.
249  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
250  *                  may be \c NULL if \p f_rng doesn't use a context.
251  *
252  * \return          \c 0 if successful.
253  * \return          A negative error code on failure.
254  */
255 int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
256                                   unsigned char *buf, size_t len, size_t *olen,
257                                   int (*f_rng)(void *, unsigned char *, size_t),
258                                   void *p_rng);
259 
260 /**
261  * \brief           Write the shared key material to be passed to a Key
262  *                  Derivation Function as described in RFC8236.
263  *
264  * \param ctx       The ECJPAKE context to use. This must be initialized,
265  *                  set up and have performed both round one and two.
266  * \param buf       The buffer to write the derived secret to. This must
267  *                  be a writable buffer of length \p len Bytes.
268  * \param len       The length of \p buf in Bytes.
269  * \param olen      The address at which to store the total number of bytes
270  *                  written to \p buf. This must not be \c NULL.
271  * \param f_rng     The RNG function to use. This must not be \c NULL.
272  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
273  *                  may be \c NULL if \p f_rng doesn't use a context.
274  *
275  * \return          \c 0 if successful.
276  * \return          A negative error code on failure.
277  */
278 int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
279                                      unsigned char *buf, size_t len, size_t *olen,
280                                      int (*f_rng)(void *, unsigned char *, size_t),
281                                      void *p_rng);
282 
283 /**
284  * \brief           This clears an ECJPAKE context and frees any
285  *                  embedded data structure.
286  *
287  * \param ctx       The ECJPAKE context to free. This may be \c NULL,
288  *                  in which case this function does nothing. If it is not
289  *                  \c NULL, it must point to an initialized ECJPAKE context.
290  */
291 void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx);
292 
293 #if defined(MBEDTLS_SELF_TEST)
294 
295 /**
296  * \brief          Checkup routine
297  *
298  * \return         0 if successful, or 1 if a test failed
299  */
300 int mbedtls_ecjpake_self_test(int verbose);
301 
302 #endif /* MBEDTLS_SELF_TEST */
303 
304 #ifdef __cplusplus
305 }
306 #endif
307 
308 
309 #endif /* ecjpake.h */
310