• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Elliptic curve J-PAKE
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 /*
21  * References in the code are to the Thread v1.0 Specification,
22  * available to members of the Thread Group http://threadgroup.org/
23  */
24 
25 #include "common.h"
26 
27 #if defined(MBEDTLS_ECJPAKE_C)
28 
29 #include "mbedtls/ecjpake.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 
33 /* We use MD first if it's available (for compatibility reasons)
34  * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
35 #if !defined(MBEDTLS_MD_C)
36 #include "psa/crypto.h"
37 #include "mbedtls/psa_util.h"
38 #if !defined(MBEDTLS_ECJPAKE_ALT)
39 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
40                                                            psa_to_md_errors,              \
41                                                            psa_generic_status_to_mbedtls)
42 #endif /* !MBEDTLS_ECJPAKE_ALT */
43 #endif /* !MBEDTLS_MD_C */
44 
45 #include "hash_info.h"
46 
47 #include <string.h>
48 
49 #if !defined(MBEDTLS_ECJPAKE_ALT)
50 
51 /*
52  * Convert a mbedtls_ecjpake_role to identifier string
53  */
54 static const char * const ecjpake_id[] = {
55     "client",
56     "server"
57 };
58 
59 #define ID_MINE     (ecjpake_id[ctx->role])
60 #define ID_PEER     (ecjpake_id[1 - ctx->role])
61 
62 /**
63  * Helper to Compute a hash from md_type
64  */
mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,const unsigned char * input,size_t ilen,unsigned char * output)65 static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
66                                         const unsigned char *input, size_t ilen,
67                                         unsigned char *output)
68 {
69 #if defined(MBEDTLS_MD_C)
70     return mbedtls_md(mbedtls_md_info_from_type(md_type),
71                       input, ilen, output);
72 #else
73     psa_algorithm_t alg = mbedtls_psa_translate_md(md_type);
74     psa_status_t status;
75     size_t out_size = PSA_HASH_LENGTH(alg);
76     size_t out_len;
77 
78     status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
79 
80     return PSA_TO_MBEDTLS_ERR(status);
81 #endif /* !MBEDTLS_MD_C */
82 }
83 
84 /*
85  * Initialize context
86  */
mbedtls_ecjpake_init(mbedtls_ecjpake_context * ctx)87 void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)
88 {
89     ctx->md_type = MBEDTLS_MD_NONE;
90     mbedtls_ecp_group_init(&ctx->grp);
91     ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
92 
93     mbedtls_ecp_point_init(&ctx->Xm1);
94     mbedtls_ecp_point_init(&ctx->Xm2);
95     mbedtls_ecp_point_init(&ctx->Xp1);
96     mbedtls_ecp_point_init(&ctx->Xp2);
97     mbedtls_ecp_point_init(&ctx->Xp);
98 
99     mbedtls_mpi_init(&ctx->xm1);
100     mbedtls_mpi_init(&ctx->xm2);
101     mbedtls_mpi_init(&ctx->s);
102 }
103 
104 /*
105  * Free context
106  */
mbedtls_ecjpake_free(mbedtls_ecjpake_context * ctx)107 void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)
108 {
109     if (ctx == NULL) {
110         return;
111     }
112 
113     ctx->md_type = MBEDTLS_MD_NONE;
114     mbedtls_ecp_group_free(&ctx->grp);
115 
116     mbedtls_ecp_point_free(&ctx->Xm1);
117     mbedtls_ecp_point_free(&ctx->Xm2);
118     mbedtls_ecp_point_free(&ctx->Xp1);
119     mbedtls_ecp_point_free(&ctx->Xp2);
120     mbedtls_ecp_point_free(&ctx->Xp);
121 
122     mbedtls_mpi_free(&ctx->xm1);
123     mbedtls_mpi_free(&ctx->xm2);
124     mbedtls_mpi_free(&ctx->s);
125 }
126 
127 /*
128  * Setup context
129  */
mbedtls_ecjpake_setup(mbedtls_ecjpake_context * ctx,mbedtls_ecjpake_role role,mbedtls_md_type_t hash,mbedtls_ecp_group_id curve,const unsigned char * secret,size_t len)130 int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
131                           mbedtls_ecjpake_role role,
132                           mbedtls_md_type_t hash,
133                           mbedtls_ecp_group_id curve,
134                           const unsigned char *secret,
135                           size_t len)
136 {
137     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
138 
139     if (role != MBEDTLS_ECJPAKE_CLIENT && role != MBEDTLS_ECJPAKE_SERVER) {
140         return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
141     }
142 
143     ctx->role = role;
144 
145 #if defined(MBEDTLS_MD_C)
146     if ((mbedtls_md_info_from_type(hash)) == NULL) {
147         return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
148     }
149 #else
150     if (mbedtls_psa_translate_md(hash) == MBEDTLS_MD_NONE) {
151         return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
152     }
153 #endif
154 
155     ctx->md_type = hash;
156 
157     MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));
158 
159     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));
160 
161 cleanup:
162     if (ret != 0) {
163         mbedtls_ecjpake_free(ctx);
164     }
165 
166     return ret;
167 }
168 
mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context * ctx,int point_format)169 int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
170                                      int point_format)
171 {
172     switch (point_format) {
173         case MBEDTLS_ECP_PF_UNCOMPRESSED:
174         case MBEDTLS_ECP_PF_COMPRESSED:
175             ctx->point_format = point_format;
176             return 0;
177         default:
178             return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
179     }
180 }
181 
182 /*
183  * Check if context is ready for use
184  */
mbedtls_ecjpake_check(const mbedtls_ecjpake_context * ctx)185 int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)
186 {
187     if (ctx->md_type == MBEDTLS_MD_NONE ||
188         ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
189         ctx->s.p == NULL) {
190         return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
191     }
192 
193     return 0;
194 }
195 
196 /*
197  * Write a point plus its length to a buffer
198  */
ecjpake_write_len_point(unsigned char ** p,const unsigned char * end,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * P)199 static int ecjpake_write_len_point(unsigned char **p,
200                                    const unsigned char *end,
201                                    const mbedtls_ecp_group *grp,
202                                    const int pf,
203                                    const mbedtls_ecp_point *P)
204 {
205     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
206     size_t len;
207 
208     /* Need at least 4 for length plus 1 for point */
209     if (end < *p || end - *p < 5) {
210         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
211     }
212 
213     ret = mbedtls_ecp_point_write_binary(grp, P, pf,
214                                          &len, *p + 4, end - (*p + 4));
215     if (ret != 0) {
216         return ret;
217     }
218 
219     MBEDTLS_PUT_UINT32_BE(len, *p, 0);
220 
221     *p += 4 + len;
222 
223     return 0;
224 }
225 
226 /*
227  * Size of the temporary buffer for ecjpake_hash:
228  * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
229  */
230 #define ECJPAKE_HASH_BUF_LEN    (3 * (4 + MBEDTLS_ECP_MAX_PT_LEN) + 4 + 6)
231 
232 /*
233  * Compute hash for ZKP (7.4.2.2.2.1)
234  */
ecjpake_hash(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,const mbedtls_ecp_point * V,const mbedtls_ecp_point * X,const char * id,mbedtls_mpi * h)235 static int ecjpake_hash(const mbedtls_md_type_t md_type,
236                         const mbedtls_ecp_group *grp,
237                         const int pf,
238                         const mbedtls_ecp_point *G,
239                         const mbedtls_ecp_point *V,
240                         const mbedtls_ecp_point *X,
241                         const char *id,
242                         mbedtls_mpi *h)
243 {
244     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
245     unsigned char buf[ECJPAKE_HASH_BUF_LEN];
246     unsigned char *p = buf;
247     const unsigned char *end = buf + sizeof(buf);
248     const size_t id_len = strlen(id);
249     unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
250 
251     /* Write things to temporary buffer */
252     MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
253     MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, V));
254     MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, X));
255 
256     if (end - p < 4) {
257         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
258     }
259 
260     MBEDTLS_PUT_UINT32_BE(id_len, p, 0);
261     p += 4;
262 
263     if (end < p || (size_t) (end - p) < id_len) {
264         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
265     }
266 
267     memcpy(p, id, id_len);
268     p += id_len;
269 
270     /* Compute hash */
271     MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(md_type,
272                                                  buf, p - buf, hash));
273 
274     /* Turn it into an integer mod n */
275     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
276                                             mbedtls_hash_info_get_size(md_type)));
277     MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
278 
279 cleanup:
280     return ret;
281 }
282 
283 /*
284  * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
285  */
ecjpake_zkp_read(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,const mbedtls_ecp_point * X,const char * id,const unsigned char ** p,const unsigned char * end)286 static int ecjpake_zkp_read(const mbedtls_md_type_t md_type,
287                             const mbedtls_ecp_group *grp,
288                             const int pf,
289                             const mbedtls_ecp_point *G,
290                             const mbedtls_ecp_point *X,
291                             const char *id,
292                             const unsigned char **p,
293                             const unsigned char *end)
294 {
295     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
296     mbedtls_ecp_point V, VV;
297     mbedtls_mpi r, h;
298     size_t r_len;
299 
300     mbedtls_ecp_point_init(&V);
301     mbedtls_ecp_point_init(&VV);
302     mbedtls_mpi_init(&r);
303     mbedtls_mpi_init(&h);
304 
305     /*
306      * struct {
307      *     ECPoint V;
308      *     opaque r<1..2^8-1>;
309      * } ECSchnorrZKP;
310      */
311     if (end < *p) {
312         return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
313     }
314 
315     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, &V, p, end - *p));
316 
317     if (end < *p || (size_t) (end - *p) < 1) {
318         ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
319         goto cleanup;
320     }
321 
322     r_len = *(*p)++;
323 
324     if (end < *p || (size_t) (end - *p) < r_len || r_len == 0) {
325         ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
326         goto cleanup;
327     }
328 
329     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, *p, r_len));
330     *p += r_len;
331 
332     /*
333      * Verification
334      */
335     MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
336     MBEDTLS_MPI_CHK(mbedtls_ecp_muladd((mbedtls_ecp_group *) grp,
337                                        &VV, &h, X, &r, G));
338 
339     if (mbedtls_ecp_point_cmp(&VV, &V) != 0) {
340         ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
341         goto cleanup;
342     }
343 
344 cleanup:
345     mbedtls_ecp_point_free(&V);
346     mbedtls_ecp_point_free(&VV);
347     mbedtls_mpi_free(&r);
348     mbedtls_mpi_free(&h);
349 
350     return ret;
351 }
352 
353 /*
354  * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
355  */
ecjpake_zkp_write(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,const mbedtls_mpi * x,const mbedtls_ecp_point * X,const char * id,unsigned char ** p,const unsigned char * end,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)356 static int ecjpake_zkp_write(const mbedtls_md_type_t md_type,
357                              const mbedtls_ecp_group *grp,
358                              const int pf,
359                              const mbedtls_ecp_point *G,
360                              const mbedtls_mpi *x,
361                              const mbedtls_ecp_point *X,
362                              const char *id,
363                              unsigned char **p,
364                              const unsigned char *end,
365                              int (*f_rng)(void *, unsigned char *, size_t),
366                              void *p_rng)
367 {
368     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369     mbedtls_ecp_point V;
370     mbedtls_mpi v;
371     mbedtls_mpi h; /* later recycled to hold r */
372     size_t len;
373 
374     if (end < *p) {
375         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
376     }
377 
378     mbedtls_ecp_point_init(&V);
379     mbedtls_mpi_init(&v);
380     mbedtls_mpi_init(&h);
381 
382     /* Compute signature */
383     MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp,
384                                                  G, &v, &V, f_rng, p_rng));
385     MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
386     MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&h, &h, x));     /* x*h */
387     MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&h, &v, &h));     /* v - x*h */
388     MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&h, &h, &grp->N));     /* r */
389 
390     /* Write it out */
391     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, &V,
392                                                 pf, &len, *p, end - *p));
393     *p += len;
394 
395     len = mbedtls_mpi_size(&h);   /* actually r */
396     if (end < *p || (size_t) (end - *p) < 1 + len || len > 255) {
397         ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
398         goto cleanup;
399     }
400 
401     *(*p)++ = MBEDTLS_BYTE_0(len);
402     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, *p, len));     /* r */
403     *p += len;
404 
405 cleanup:
406     mbedtls_ecp_point_free(&V);
407     mbedtls_mpi_free(&v);
408     mbedtls_mpi_free(&h);
409 
410     return ret;
411 }
412 
413 /*
414  * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
415  * Output: verified public key X
416  */
ecjpake_kkp_read(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,mbedtls_ecp_point * X,const char * id,const unsigned char ** p,const unsigned char * end)417 static int ecjpake_kkp_read(const mbedtls_md_type_t md_type,
418                             const mbedtls_ecp_group *grp,
419                             const int pf,
420                             const mbedtls_ecp_point *G,
421                             mbedtls_ecp_point *X,
422                             const char *id,
423                             const unsigned char **p,
424                             const unsigned char *end)
425 {
426     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
427 
428     if (end < *p) {
429         return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
430     }
431 
432     /*
433      * struct {
434      *     ECPoint X;
435      *     ECSchnorrZKP zkp;
436      * } ECJPAKEKeyKP;
437      */
438     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, X, p, end - *p));
439     if (mbedtls_ecp_is_zero(X)) {
440         ret = MBEDTLS_ERR_ECP_INVALID_KEY;
441         goto cleanup;
442     }
443 
444     MBEDTLS_MPI_CHK(ecjpake_zkp_read(md_type, grp, pf, G, X, id, p, end));
445 
446 cleanup:
447     return ret;
448 }
449 
450 /*
451  * Generate an ECJPAKEKeyKP
452  * Output: the serialized structure, plus private/public key pair
453  */
ecjpake_kkp_write(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,mbedtls_mpi * x,mbedtls_ecp_point * X,const char * id,unsigned char ** p,const unsigned char * end,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)454 static int ecjpake_kkp_write(const mbedtls_md_type_t md_type,
455                              const mbedtls_ecp_group *grp,
456                              const int pf,
457                              const mbedtls_ecp_point *G,
458                              mbedtls_mpi *x,
459                              mbedtls_ecp_point *X,
460                              const char *id,
461                              unsigned char **p,
462                              const unsigned char *end,
463                              int (*f_rng)(void *, unsigned char *, size_t),
464                              void *p_rng)
465 {
466     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
467     size_t len;
468 
469     if (end < *p) {
470         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
471     }
472 
473     /* Generate key (7.4.2.3.1) and write it out */
474     MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp, G, x, X,
475                                                  f_rng, p_rng));
476     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, X,
477                                                 pf, &len, *p, end - *p));
478     *p += len;
479 
480     /* Generate and write proof */
481     MBEDTLS_MPI_CHK(ecjpake_zkp_write(md_type, grp, pf, G, x, X, id,
482                                       p, end, f_rng, p_rng));
483 
484 cleanup:
485     return ret;
486 }
487 
488 /*
489  * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
490  * Outputs: verified peer public keys Xa, Xb
491  */
ecjpake_kkpp_read(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,mbedtls_ecp_point * Xa,mbedtls_ecp_point * Xb,const char * id,const unsigned char * buf,size_t len)492 static int ecjpake_kkpp_read(const mbedtls_md_type_t md_type,
493                              const mbedtls_ecp_group *grp,
494                              const int pf,
495                              const mbedtls_ecp_point *G,
496                              mbedtls_ecp_point *Xa,
497                              mbedtls_ecp_point *Xb,
498                              const char *id,
499                              const unsigned char *buf,
500                              size_t len)
501 {
502     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
503     const unsigned char *p = buf;
504     const unsigned char *end = buf + len;
505 
506     /*
507      * struct {
508      *     ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
509      * } ECJPAKEKeyKPPairList;
510      */
511     MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xa, id, &p, end));
512     MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xb, id, &p, end));
513 
514     if (p != end) {
515         ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
516     }
517 
518 cleanup:
519     return ret;
520 }
521 
522 /*
523  * Generate a ECJPAKEKeyKPPairList
524  * Outputs: the serialized structure, plus two private/public key pairs
525  */
ecjpake_kkpp_write(const mbedtls_md_type_t md_type,const mbedtls_ecp_group * grp,const int pf,const mbedtls_ecp_point * G,mbedtls_mpi * xm1,mbedtls_ecp_point * Xa,mbedtls_mpi * xm2,mbedtls_ecp_point * Xb,const char * id,unsigned char * buf,size_t len,size_t * olen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)526 static int ecjpake_kkpp_write(const mbedtls_md_type_t md_type,
527                               const mbedtls_ecp_group *grp,
528                               const int pf,
529                               const mbedtls_ecp_point *G,
530                               mbedtls_mpi *xm1,
531                               mbedtls_ecp_point *Xa,
532                               mbedtls_mpi *xm2,
533                               mbedtls_ecp_point *Xb,
534                               const char *id,
535                               unsigned char *buf,
536                               size_t len,
537                               size_t *olen,
538                               int (*f_rng)(void *, unsigned char *, size_t),
539                               void *p_rng)
540 {
541     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
542     unsigned char *p = buf;
543     const unsigned char *end = buf + len;
544 
545     MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm1, Xa, id,
546                                       &p, end, f_rng, p_rng));
547     MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm2, Xb, id,
548                                       &p, end, f_rng, p_rng));
549 
550     *olen = p - buf;
551 
552 cleanup:
553     return ret;
554 }
555 
556 /*
557  * Read and process the first round message
558  */
mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context * ctx,const unsigned char * buf,size_t len)559 int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
560                                    const unsigned char *buf,
561                                    size_t len)
562 {
563     return ecjpake_kkpp_read(ctx->md_type, &ctx->grp, ctx->point_format,
564                              &ctx->grp.G,
565                              &ctx->Xp1, &ctx->Xp2, ID_PEER,
566                              buf, len);
567 }
568 
569 /*
570  * Generate and write the first round message
571  */
mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context * ctx,unsigned char * buf,size_t len,size_t * olen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)572 int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
573                                     unsigned char *buf, size_t len, size_t *olen,
574                                     int (*f_rng)(void *, unsigned char *, size_t),
575                                     void *p_rng)
576 {
577     return ecjpake_kkpp_write(ctx->md_type, &ctx->grp, ctx->point_format,
578                               &ctx->grp.G,
579                               &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
580                               ID_MINE, buf, len, olen, f_rng, p_rng);
581 }
582 
583 /*
584  * Compute the sum of three points R = A + B + C
585  */
ecjpake_ecp_add3(mbedtls_ecp_group * grp,mbedtls_ecp_point * R,const mbedtls_ecp_point * A,const mbedtls_ecp_point * B,const mbedtls_ecp_point * C)586 static int ecjpake_ecp_add3(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
587                             const mbedtls_ecp_point *A,
588                             const mbedtls_ecp_point *B,
589                             const mbedtls_ecp_point *C)
590 {
591     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
592     mbedtls_mpi one;
593 
594     mbedtls_mpi_init(&one);
595 
596     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
597     MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, A, &one, B));
598     MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, R, &one, C));
599 
600 cleanup:
601     mbedtls_mpi_free(&one);
602 
603     return ret;
604 }
605 
606 /*
607  * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
608  */
mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context * ctx,const unsigned char * buf,size_t len)609 int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
610                                    const unsigned char *buf,
611                                    size_t len)
612 {
613     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
614     const unsigned char *p = buf;
615     const unsigned char *end = buf + len;
616     mbedtls_ecp_group grp;
617     mbedtls_ecp_point G;    /* C: GB, S: GA */
618 
619     mbedtls_ecp_group_init(&grp);
620     mbedtls_ecp_point_init(&G);
621 
622     /*
623      * Server: GA = X3  + X4  + X1      (7.4.2.6.1)
624      * Client: GB = X1  + X2  + X3      (7.4.2.5.1)
625      * Unified: G = Xm1 + Xm2 + Xp1
626      * We need that before parsing in order to check Xp as we read it
627      */
628     MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
629                                      &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));
630 
631     /*
632      * struct {
633      *     ECParameters curve_params;   // only client reading server msg
634      *     ECJPAKEKeyKP ecjpake_key_kp;
635      * } Client/ServerECJPAKEParams;
636      */
637     if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {
638         MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_group(&grp, &p, len));
639         if (grp.id != ctx->grp.id) {
640             ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
641             goto cleanup;
642         }
643     }
644 
645     MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_type, &ctx->grp,
646                                      ctx->point_format,
647                                      &G, &ctx->Xp, ID_PEER, &p, end));
648 
649     if (p != end) {
650         ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
651         goto cleanup;
652     }
653 
654 cleanup:
655     mbedtls_ecp_group_free(&grp);
656     mbedtls_ecp_point_free(&G);
657 
658     return ret;
659 }
660 
661 /*
662  * Compute R = +/- X * S mod N, taking care not to leak S
663  */
ecjpake_mul_secret(mbedtls_mpi * R,int sign,const mbedtls_mpi * X,const mbedtls_mpi * S,const mbedtls_mpi * N,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)664 static int ecjpake_mul_secret(mbedtls_mpi *R, int sign,
665                               const mbedtls_mpi *X,
666                               const mbedtls_mpi *S,
667                               const mbedtls_mpi *N,
668                               int (*f_rng)(void *, unsigned char *, size_t),
669                               void *p_rng)
670 {
671     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
672     mbedtls_mpi b; /* Blinding value, then s + N * blinding */
673 
674     mbedtls_mpi_init(&b);
675 
676     /* b = s + rnd-128-bit * N */
677     MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&b, 16, f_rng, p_rng));
678     MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&b, &b, N));
679     MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&b, &b, S));
680 
681     /* R = sign * X * b mod N */
682     MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(R, X, &b));
683     R->s *= sign;
684     MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(R, R, N));
685 
686 cleanup:
687     mbedtls_mpi_free(&b);
688 
689     return ret;
690 }
691 
692 /*
693  * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
694  */
mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context * ctx,unsigned char * buf,size_t len,size_t * olen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)695 int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
696                                     unsigned char *buf, size_t len, size_t *olen,
697                                     int (*f_rng)(void *, unsigned char *, size_t),
698                                     void *p_rng)
699 {
700     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
701     mbedtls_ecp_point G;    /* C: GA, S: GB */
702     mbedtls_ecp_point Xm;   /* C: Xc, S: Xs */
703     mbedtls_mpi xm;         /* C: xc, S: xs */
704     unsigned char *p = buf;
705     const unsigned char *end = buf + len;
706     size_t ec_len;
707 
708     mbedtls_ecp_point_init(&G);
709     mbedtls_ecp_point_init(&Xm);
710     mbedtls_mpi_init(&xm);
711 
712     /*
713      * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
714      *
715      * Client:  GA = X1  + X3  + X4  | xs = x2  * s | Xc = xc * GA
716      * Server:  GB = X3  + X1  + X2  | xs = x4  * s | Xs = xs * GB
717      * Unified: G  = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
718      */
719     MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
720                                      &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));
721     MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,
722                                        &ctx->grp.N, f_rng, p_rng));
723     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));
724 
725     /*
726      * Now write things out
727      *
728      * struct {
729      *     ECParameters curve_params;   // only server writing its message
730      *     ECJPAKEKeyKP ecjpake_key_kp;
731      * } Client/ServerECJPAKEParams;
732      */
733     if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {
734         if (end < p) {
735             ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
736             goto cleanup;
737         }
738         MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,
739                                                     p, end - p));
740         p += ec_len;
741     }
742 
743     if (end < p) {
744         ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
745         goto cleanup;
746     }
747     MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,
748                                                 ctx->point_format, &ec_len, p, end - p));
749     p += ec_len;
750 
751     MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_type, &ctx->grp,
752                                       ctx->point_format,
753                                       &G, &xm, &Xm, ID_MINE,
754                                       &p, end, f_rng, p_rng));
755 
756     *olen = p - buf;
757 
758 cleanup:
759     mbedtls_ecp_point_free(&G);
760     mbedtls_ecp_point_free(&Xm);
761     mbedtls_mpi_free(&xm);
762 
763     return ret;
764 }
765 
766 /*
767  * Derive PMS (7.4.2.7 / 7.4.2.8)
768  */
mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context * ctx,mbedtls_ecp_point * K,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)769 static int mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context *ctx,
770                                     mbedtls_ecp_point *K,
771                                     int (*f_rng)(void *, unsigned char *, size_t),
772                                     void *p_rng)
773 {
774     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
775     mbedtls_mpi m_xm2_s, one;
776 
777     mbedtls_mpi_init(&m_xm2_s);
778     mbedtls_mpi_init(&one);
779 
780     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
781 
782     /*
783      * Client:  K = ( Xs - X4  * x2  * s ) * x2
784      * Server:  K = ( Xc - X2  * x4  * s ) * x4
785      * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
786      */
787     MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,
788                                        &ctx->grp.N, f_rng, p_rng));
789     MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, K,
790                                        &one, &ctx->Xp,
791                                        &m_xm2_s, &ctx->Xp2));
792     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, K, &ctx->xm2, K,
793                                     f_rng, p_rng));
794 
795 cleanup:
796     mbedtls_mpi_free(&m_xm2_s);
797     mbedtls_mpi_free(&one);
798 
799     return ret;
800 }
801 
mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context * ctx,unsigned char * buf,size_t len,size_t * olen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)802 int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
803                                   unsigned char *buf, size_t len, size_t *olen,
804                                   int (*f_rng)(void *, unsigned char *, size_t),
805                                   void *p_rng)
806 {
807     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
808     mbedtls_ecp_point K;
809     unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
810     size_t x_bytes;
811 
812     *olen = mbedtls_hash_info_get_size(ctx->md_type);
813     if (len < *olen) {
814         return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
815     }
816 
817     mbedtls_ecp_point_init(&K);
818 
819     ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
820     if (ret) {
821         goto cleanup;
822     }
823 
824     /* PMS = SHA-256( K.X ) */
825     x_bytes = (ctx->grp.pbits + 7) / 8;
826     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K.X, kx, x_bytes));
827     MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(ctx->md_type,
828                                                  kx, x_bytes, buf));
829 
830 cleanup:
831     mbedtls_ecp_point_free(&K);
832 
833     return ret;
834 }
835 
mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context * ctx,unsigned char * buf,size_t len,size_t * olen,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)836 int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
837                                      unsigned char *buf, size_t len, size_t *olen,
838                                      int (*f_rng)(void *, unsigned char *, size_t),
839                                      void *p_rng)
840 {
841     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
842     mbedtls_ecp_point K;
843 
844     mbedtls_ecp_point_init(&K);
845 
846     ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
847     if (ret) {
848         goto cleanup;
849     }
850 
851     ret = mbedtls_ecp_point_write_binary(&ctx->grp, &K, ctx->point_format,
852                                          olen, buf, len);
853     if (ret != 0) {
854         goto cleanup;
855     }
856 
857 cleanup:
858     mbedtls_ecp_point_free(&K);
859 
860     return ret;
861 }
862 
863 #undef ID_MINE
864 #undef ID_PEER
865 
866 #endif /* ! MBEDTLS_ECJPAKE_ALT */
867 
868 #if defined(MBEDTLS_SELF_TEST)
869 
870 #include "mbedtls/platform.h"
871 
872 #if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
873     !defined(MBEDTLS_SHA256_C)
mbedtls_ecjpake_self_test(int verbose)874 int mbedtls_ecjpake_self_test(int verbose)
875 {
876     (void) verbose;
877     return 0;
878 }
879 #else
880 
881 static const unsigned char ecjpake_test_password[] = {
882     0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
883     0x65, 0x73, 0x74
884 };
885 
886 #if !defined(MBEDTLS_ECJPAKE_ALT)
887 
888 static const unsigned char ecjpake_test_x1[] = {
889     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
890     0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
891     0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
892 };
893 
894 static const unsigned char ecjpake_test_x2[] = {
895     0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
896     0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
897     0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
898 };
899 
900 static const unsigned char ecjpake_test_x3[] = {
901     0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
902     0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
903     0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
904 };
905 
906 static const unsigned char ecjpake_test_x4[] = {
907     0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
908     0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
909     0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
910 };
911 
912 static const unsigned char ecjpake_test_cli_one[] = {
913     0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
914     0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
915     0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
916     0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
917     0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
918     0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
919     0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
920     0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
921     0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
922     0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
923     0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
924     0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
925     0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
926     0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
927     0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
928     0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
929     0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
930     0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
931     0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
932     0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
933     0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
934     0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
935     0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
936     0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
937     0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
938     0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
939     0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
940     0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
941 };
942 
943 static const unsigned char ecjpake_test_srv_one[] = {
944     0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
945     0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
946     0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
947     0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
948     0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
949     0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
950     0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
951     0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
952     0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
953     0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
954     0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
955     0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
956     0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
957     0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
958     0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
959     0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
960     0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
961     0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
962     0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
963     0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
964     0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
965     0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
966     0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
967     0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
968     0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
969     0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
970     0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
971     0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
972 };
973 
974 static const unsigned char ecjpake_test_srv_two[] = {
975     0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
976     0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
977     0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
978     0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
979     0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
980     0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
981     0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
982     0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
983     0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
984     0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
985     0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
986     0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
987     0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
988     0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
989 };
990 
991 static const unsigned char ecjpake_test_cli_two[] = {
992     0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
993     0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
994     0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
995     0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
996     0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
997     0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
998     0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
999     0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
1000     0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
1001     0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
1002     0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
1003     0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
1004     0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
1005     0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
1006 };
1007 
1008 static const unsigned char ecjpake_test_shared_key[] = {
1009     0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80,
1010     0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79,
1011     0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1,
1012     0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0,
1013     0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12,
1014     0x17, 0xc3, 0xde, 0x27, 0xb4,
1015 };
1016 
1017 static const unsigned char ecjpake_test_pms[] = {
1018     0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
1019     0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
1020     0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
1021 };
1022 
1023 /*
1024  * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
1025  *
1026  * This is the linear congruential generator from numerical recipes,
1027  * except we only use the low byte as the output. See
1028  * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
1029  */
self_test_rng(void * ctx,unsigned char * out,size_t len)1030 static int self_test_rng(void *ctx, unsigned char *out, size_t len)
1031 {
1032     static uint32_t state = 42;
1033 
1034     (void) ctx;
1035 
1036     for (size_t i = 0; i < len; i++) {
1037         state = state * 1664525u + 1013904223u;
1038         out[i] = (unsigned char) state;
1039     }
1040 
1041     return 0;
1042 }
1043 
1044 /* Load my private keys and generate the corresponding public keys */
ecjpake_test_load(mbedtls_ecjpake_context * ctx,const unsigned char * xm1,size_t len1,const unsigned char * xm2,size_t len2)1045 static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,
1046                              const unsigned char *xm1, size_t len1,
1047                              const unsigned char *xm2, size_t len2)
1048 {
1049     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1050 
1051     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));
1052     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));
1053     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,
1054                                     &ctx->grp.G, self_test_rng, NULL));
1055     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,
1056                                     &ctx->grp.G, self_test_rng, NULL));
1057 
1058 cleanup:
1059     return ret;
1060 }
1061 
1062 #endif /* ! MBEDTLS_ECJPAKE_ALT */
1063 
1064 /* For tests we don't need a secure RNG;
1065  * use the LGC from Numerical Recipes for simplicity */
ecjpake_lgc(void * p,unsigned char * out,size_t len)1066 static int ecjpake_lgc(void *p, unsigned char *out, size_t len)
1067 {
1068     static uint32_t x = 42;
1069     (void) p;
1070 
1071     while (len > 0) {
1072         size_t use_len = len > 4 ? 4 : len;
1073         x = 1664525 * x + 1013904223;
1074         memcpy(out, &x, use_len);
1075         out += use_len;
1076         len -= use_len;
1077     }
1078 
1079     return 0;
1080 }
1081 
1082 #define TEST_ASSERT(x)    \
1083     do {                    \
1084         if (x)             \
1085         ret = 0;        \
1086         else                \
1087         {                   \
1088             ret = 1;        \
1089             goto cleanup;   \
1090         }                   \
1091     } while (0)
1092 
1093 /*
1094  * Checkup routine
1095  */
mbedtls_ecjpake_self_test(int verbose)1096 int mbedtls_ecjpake_self_test(int verbose)
1097 {
1098     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1099     mbedtls_ecjpake_context cli;
1100     mbedtls_ecjpake_context srv;
1101     unsigned char buf[512], pms[32];
1102     size_t len, pmslen;
1103 
1104     mbedtls_ecjpake_init(&cli);
1105     mbedtls_ecjpake_init(&srv);
1106 
1107     if (verbose != 0) {
1108         mbedtls_printf("  ECJPAKE test #0 (setup): ");
1109     }
1110 
1111     TEST_ASSERT(mbedtls_ecjpake_setup(&cli, MBEDTLS_ECJPAKE_CLIENT,
1112                                       MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
1113                                       ecjpake_test_password,
1114                                       sizeof(ecjpake_test_password)) == 0);
1115 
1116     TEST_ASSERT(mbedtls_ecjpake_setup(&srv, MBEDTLS_ECJPAKE_SERVER,
1117                                       MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
1118                                       ecjpake_test_password,
1119                                       sizeof(ecjpake_test_password)) == 0);
1120 
1121     if (verbose != 0) {
1122         mbedtls_printf("passed\n");
1123     }
1124 
1125     if (verbose != 0) {
1126         mbedtls_printf("  ECJPAKE test #1 (random handshake): ");
1127     }
1128 
1129     TEST_ASSERT(mbedtls_ecjpake_write_round_one(&cli,
1130                                                 buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1131 
1132     TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv, buf, len) == 0);
1133 
1134     TEST_ASSERT(mbedtls_ecjpake_write_round_one(&srv,
1135                                                 buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1136 
1137     TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli, buf, len) == 0);
1138 
1139     TEST_ASSERT(mbedtls_ecjpake_write_round_two(&srv,
1140                                                 buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1141 
1142     TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli, buf, len) == 0);
1143 
1144     TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
1145                                               pms, sizeof(pms), &pmslen, ecjpake_lgc, NULL) == 0);
1146 
1147     TEST_ASSERT(mbedtls_ecjpake_write_round_two(&cli,
1148                                                 buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1149 
1150     TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv, buf, len) == 0);
1151 
1152     TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
1153                                               buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1154 
1155     TEST_ASSERT(len == pmslen);
1156     TEST_ASSERT(memcmp(buf, pms, len) == 0);
1157 
1158     if (verbose != 0) {
1159         mbedtls_printf("passed\n");
1160     }
1161 
1162 #if !defined(MBEDTLS_ECJPAKE_ALT)
1163     /* 'reference handshake' tests can only be run against implementations
1164      * for which we have 100% control over how the random ephemeral keys
1165      * are generated. This is only the case for the internal mbed TLS
1166      * implementation, so these tests are skipped in case the internal
1167      * implementation is swapped out for an alternative one. */
1168     if (verbose != 0) {
1169         mbedtls_printf("  ECJPAKE test #2 (reference handshake): ");
1170     }
1171 
1172     /* Simulate generation of round one */
1173     MBEDTLS_MPI_CHK(ecjpake_test_load(&cli,
1174                                       ecjpake_test_x1, sizeof(ecjpake_test_x1),
1175                                       ecjpake_test_x2, sizeof(ecjpake_test_x2)));
1176 
1177     MBEDTLS_MPI_CHK(ecjpake_test_load(&srv,
1178                                       ecjpake_test_x3, sizeof(ecjpake_test_x3),
1179                                       ecjpake_test_x4, sizeof(ecjpake_test_x4)));
1180 
1181     /* Read round one */
1182     TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv,
1183                                                ecjpake_test_cli_one,
1184                                                sizeof(ecjpake_test_cli_one)) == 0);
1185 
1186     TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli,
1187                                                ecjpake_test_srv_one,
1188                                                sizeof(ecjpake_test_srv_one)) == 0);
1189 
1190     /* Skip generation of round two, read round two */
1191     TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli,
1192                                                ecjpake_test_srv_two,
1193                                                sizeof(ecjpake_test_srv_two)) == 0);
1194 
1195     TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv,
1196                                                ecjpake_test_cli_two,
1197                                                sizeof(ecjpake_test_cli_two)) == 0);
1198 
1199     /* Server derives PMS */
1200     TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
1201                                               buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1202 
1203     TEST_ASSERT(len == sizeof(ecjpake_test_pms));
1204     TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
1205 
1206     /* Server derives K as unsigned binary data */
1207     TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&srv,
1208                                                  buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1209 
1210     TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
1211     TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
1212 
1213     memset(buf, 0, len);   /* Avoid interferences with next step */
1214 
1215     /* Client derives PMS */
1216     TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
1217                                               buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1218 
1219     TEST_ASSERT(len == sizeof(ecjpake_test_pms));
1220     TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
1221 
1222     /* Client derives K as unsigned binary data */
1223     TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&cli,
1224                                                  buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
1225 
1226     TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
1227     TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
1228 
1229     if (verbose != 0) {
1230         mbedtls_printf("passed\n");
1231     }
1232 #endif /* ! MBEDTLS_ECJPAKE_ALT */
1233 
1234 cleanup:
1235     mbedtls_ecjpake_free(&cli);
1236     mbedtls_ecjpake_free(&srv);
1237 
1238     if (ret != 0) {
1239         if (verbose != 0) {
1240             mbedtls_printf("failed\n");
1241         }
1242 
1243         ret = 1;
1244     }
1245 
1246     if (verbose != 0) {
1247         mbedtls_printf("\n");
1248     }
1249 
1250     return ret;
1251 }
1252 
1253 #undef TEST_ASSERT
1254 
1255 #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
1256 
1257 #endif /* MBEDTLS_SELF_TEST */
1258 
1259 #endif /* MBEDTLS_ECJPAKE_C */
1260