Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ecjpake.h Source File

ecjpake.h

Go to the documentation of this file.
00001 /**
00002  * \file ecjpake.h
00003  *
00004  * \brief Elliptic curve J-PAKE
00005  */
00006 /*
00007  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00008  *  SPDX-License-Identifier: Apache-2.0
00009  *
00010  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00011  *  not use this file except in compliance with the License.
00012  *  You may obtain a copy of the License at
00013  *
00014  *  http://www.apache.org/licenses/LICENSE-2.0
00015  *
00016  *  Unless required by applicable law or agreed to in writing, software
00017  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00018  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00019  *  See the License for the specific language governing permissions and
00020  *  limitations under the License.
00021  *
00022  *  This file is part of mbed TLS (https://tls.mbed.org)
00023  */
00024 #ifndef MBEDTLS_ECJPAKE_H
00025 #define MBEDTLS_ECJPAKE_H
00026 
00027 /*
00028  * J-PAKE is a password-authenticated key exchange that allows deriving a
00029  * strong shared secret from a (potentially low entropy) pre-shared
00030  * passphrase, with forward secrecy and mutual authentication.
00031  * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
00032  *
00033  * This file implements the Elliptic Curve variant of J-PAKE,
00034  * as defined in Chapter 7.4 of the Thread v1.0 Specification,
00035  * available to members of the Thread Group http://threadgroup.org/
00036  *
00037  * As the J-PAKE algorithm is inherently symmetric, so is our API.
00038  * Each party needs to send its first round message, in any order, to the
00039  * other party, then each sends its second round message, in any order.
00040  * The payloads are serialized in a way suitable for use in TLS, but could
00041  * also be use outside TLS.
00042  */
00043 #if !defined(MBEDTLS_CONFIG_FILE)
00044 #include "mbedtls/config.h"
00045 #else
00046 #include MBEDTLS_CONFIG_FILE
00047 #endif
00048 
00049 #include "mbedtls/ecp.h"
00050 #include "mbedtls/md.h"
00051 
00052 #ifdef __cplusplus
00053 extern "C" {
00054 #endif
00055 
00056 /**
00057  * Roles in the EC J-PAKE exchange
00058  */
00059 typedef enum {
00060     MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
00061     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
00062 } mbedtls_ecjpake_role;
00063 
00064 #if !defined(MBEDTLS_ECJPAKE_ALT)
00065 /**
00066  * EC J-PAKE context structure.
00067  *
00068  * J-PAKE is a symmetric protocol, except for the identifiers used in
00069  * Zero-Knowledge Proofs, and the serialization of the second message
00070  * (KeyExchange) as defined by the Thread spec.
00071  *
00072  * In order to benefit from this symmetry, we choose a different naming
00073  * convetion from the Thread v1.0 spec. Correspondance is indicated in the
00074  * description as a pair C: client name, S: server name
00075  */
00076 typedef struct mbedtls_ecjpake_context
00077 {
00078     const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
00079     mbedtls_ecp_group grp;              /**< Elliptic curve                 */
00080     mbedtls_ecjpake_role role;          /**< Are we client or server?       */
00081     int point_format;                   /**< Format for point export        */
00082 
00083     mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
00084     mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
00085     mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
00086     mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
00087     mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
00088 
00089     mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
00090     mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
00091 
00092     mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
00093 } mbedtls_ecjpake_context;
00094 
00095 #else  /* MBEDTLS_ECJPAKE_ALT */
00096 #include "ecjpake_alt.h"
00097 #endif /* MBEDTLS_ECJPAKE_ALT */
00098 
00099 /**
00100  * \brief           Initialize an ECJPAKE context.
00101  *
00102  * \param ctx       The ECJPAKE context to initialize.
00103  *                  This must not be \c NULL.
00104  */
00105 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
00106 
00107 /**
00108  * \brief           Set up an ECJPAKE context for use.
00109  *
00110  * \note            Currently the only values for hash/curve allowed by the
00111  *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
00112  *
00113  * \param ctx       The ECJPAKE context to set up. This must be initialized.
00114  * \param role      The role of the caller. This must be either
00115  *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
00116  * \param hash      The identifier of the hash function to use,
00117  *                  for example #MBEDTLS_MD_SHA256.
00118  * \param curve     The identifier of the elliptic curve to use,
00119  *                  for example #MBEDTLS_ECP_DP_SECP256R1.
00120  * \param secret    The pre-shared secret (passphrase). This must be
00121  *                  a readable buffer of length \p len Bytes. It need
00122  *                  only be valid for the duration of this call.
00123  * \param len       The length of the pre-shared secret \p secret.
00124  *
00125  * \return          \c 0 if successful.
00126  * \return          A negative error code on failure.
00127  */
00128 int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
00129                            mbedtls_ecjpake_role role,
00130                            mbedtls_md_type_t hash,
00131                            mbedtls_ecp_group_id curve,
00132                            const unsigned char *secret,
00133                            size_t len );
00134 
00135 /**
00136  * \brief           Check if an ECJPAKE context is ready for use.
00137  *
00138  * \param ctx       The ECJPAKE context to check. This must be
00139  *                  initialized.
00140  *
00141  * \return          \c 0 if the context is ready for use.
00142  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
00143  */
00144 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
00145 
00146 /**
00147  * \brief           Generate and write the first round message
00148  *                  (TLS: contents of the Client/ServerHello extension,
00149  *                  excluding extension type and length bytes).
00150  *
00151  * \param ctx       The ECJPAKE context to use. This must be
00152  *                  initialized and set up.
00153  * \param buf       The buffer to write the contents to. This must be a
00154  *                  writable buffer of length \p len Bytes.
00155  * \param len       The length of \p buf in Bytes.
00156  * \param olen      The address at which to store the total number
00157  *                  of Bytes written to \p buf. This must not be \c NULL.
00158  * \param f_rng     The RNG function to use. This must not be \c NULL.
00159  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
00160  *                  may be \c NULL if \p f_rng doesn't use a context.
00161  *
00162  * \return          \c 0 if successful.
00163  * \return          A negative error code on failure.
00164  */
00165 int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
00166                             unsigned char *buf, size_t len, size_t *olen,
00167                             int (*f_rng)(void *, unsigned char *, size_t),
00168                             void *p_rng );
00169 
00170 /**
00171  * \brief           Read and process the first round message
00172  *                  (TLS: contents of the Client/ServerHello extension,
00173  *                  excluding extension type and length bytes).
00174  *
00175  * \param ctx       The ECJPAKE context to use. This must be initialized
00176  *                  and set up.
00177  * \param buf       The buffer holding the first round message. This must
00178  *                  be a readable buffer of length \p len Bytes.
00179  * \param len       The length in Bytes of \p buf.
00180  *
00181  * \return          \c 0 if successful.
00182  * \return          A negative error code on failure.
00183  */
00184 int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
00185                                     const unsigned char *buf,
00186                                     size_t len );
00187 
00188 /**
00189  * \brief           Generate and write the second round message
00190  *                  (TLS: contents of the Client/ServerKeyExchange).
00191  *
00192  * \param ctx       The ECJPAKE context to use. This must be initialized,
00193  *                  set up, and already have performed round one.
00194  * \param buf       The buffer to write the round two contents to.
00195  *                  This must be a writable buffer of length \p len Bytes.
00196  * \param len       The size of \p buf in Bytes.
00197  * \param olen      The address at which to store the total number of Bytes
00198  *                  written to \p buf. This must not be \c NULL.
00199  * \param f_rng     The RNG function to use. This must not be \c NULL.
00200  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
00201  *                  may be \c NULL if \p f_rng doesn't use a context.
00202  *
00203  * \return          \c 0 if successful.
00204  * \return          A negative error code on failure.
00205  */
00206 int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
00207                             unsigned char *buf, size_t len, size_t *olen,
00208                             int (*f_rng)(void *, unsigned char *, size_t),
00209                             void *p_rng );
00210 
00211 /**
00212  * \brief           Read and process the second round message
00213  *                  (TLS: contents of the Client/ServerKeyExchange).
00214  *
00215  * \param ctx       The ECJPAKE context to use. This must be initialized
00216  *                  and set up and already have performed round one.
00217  * \param buf       The buffer holding the second round message. This must
00218  *                  be a readable buffer of length \p len Bytes.
00219  * \param len       The length in Bytes of \p buf.
00220  *
00221  * \return          \c 0 if successful.
00222  * \return          A negative error code on failure.
00223  */
00224 int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
00225                                     const unsigned char *buf,
00226                                     size_t len );
00227 
00228 /**
00229  * \brief           Derive the shared secret
00230  *                  (TLS: Pre-Master Secret).
00231  *
00232  * \param ctx       The ECJPAKE context to use. This must be initialized,
00233  *                  set up and have performed both round one and two.
00234  * \param buf       The buffer to write the derived secret to. This must
00235  *                  be a writable buffer of length \p len Bytes.
00236  * \param len       The length of \p buf in Bytes.
00237  * \param olen      The address at which to store the total number of Bytes
00238  *                  written to \p buf. This must not be \c NULL.
00239  * \param f_rng     The RNG function to use. This must not be \c NULL.
00240  * \param p_rng     The RNG parameter to be passed to \p f_rng. This
00241  *                  may be \c NULL if \p f_rng doesn't use a context.
00242  *
00243  * \return          \c 0 if successful.
00244  * \return          A negative error code on failure.
00245  */
00246 int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
00247                             unsigned char *buf, size_t len, size_t *olen,
00248                             int (*f_rng)(void *, unsigned char *, size_t),
00249                             void *p_rng );
00250 
00251 /**
00252  * \brief           This clears an ECJPAKE context and frees any
00253  *                  embedded data structure.
00254  *
00255  * \param ctx       The ECJPAKE context to free. This may be \c NULL,
00256  *                  in which case this function does nothing. If it is not
00257  *                  \c NULL, it must point to an initialized ECJPAKE context.
00258  */
00259 void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
00260 
00261 #if defined(MBEDTLS_SELF_TEST)
00262 
00263 /**
00264  * \brief          Checkup routine
00265  *
00266  * \return         0 if successful, or 1 if a test failed
00267  */
00268 int mbedtls_ecjpake_self_test( int verbose );
00269 
00270 #endif /* MBEDTLS_SELF_TEST */
00271 
00272 #ifdef __cplusplus
00273 }
00274 #endif
00275 
00276 
00277 #endif /* ecjpake.h */