Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
ecjpake.h
00001 /** 00002 * \file ecjpake.h 00003 * 00004 * \brief Elliptic curve J-PAKE 00005 */ 00006 /* 00007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00008 * SPDX-License-Identifier: Apache-2.0 00009 * 00010 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00011 * not use this file except in compliance with the License. 00012 * You may obtain a copy of the License at 00013 * 00014 * http://www.apache.org/licenses/LICENSE-2.0 00015 * 00016 * Unless required by applicable law or agreed to in writing, software 00017 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00018 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00019 * See the License for the specific language governing permissions and 00020 * limitations under the License. 00021 * 00022 * This file is part of mbed TLS (https://tls.mbed.org) 00023 */ 00024 #ifndef MBEDTLS_ECJPAKE_H 00025 #define MBEDTLS_ECJPAKE_H 00026 00027 /* 00028 * J-PAKE is a password-authenticated key exchange that allows deriving a 00029 * strong shared secret from a (potentially low entropy) pre-shared 00030 * passphrase, with forward secrecy and mutual authentication. 00031 * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling 00032 * 00033 * This file implements the Elliptic Curve variant of J-PAKE, 00034 * as defined in Chapter 7.4 of the Thread v1.0 Specification, 00035 * available to members of the Thread Group http://threadgroup.org/ 00036 * 00037 * As the J-PAKE algorithm is inherently symmetric, so is our API. 00038 * Each party needs to send its first round message, in any order, to the 00039 * other party, then each sends its second round message, in any order. 00040 * The payloads are serialized in a way suitable for use in TLS, but could 00041 * also be use outside TLS. 00042 */ 00043 #if !defined(MBEDTLS_CONFIG_FILE) 00044 #include "mbedtls/config.h" 00045 #else 00046 #include MBEDTLS_CONFIG_FILE 00047 #endif 00048 00049 #include "mbedtls/ecp.h" 00050 #include "mbedtls/md.h" 00051 00052 #ifdef __cplusplus 00053 extern "C" { 00054 #endif 00055 00056 /** 00057 * Roles in the EC J-PAKE exchange 00058 */ 00059 typedef enum { 00060 MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */ 00061 MBEDTLS_ECJPAKE_SERVER, /**< Server */ 00062 } mbedtls_ecjpake_role; 00063 00064 #if !defined(MBEDTLS_ECJPAKE_ALT) 00065 /** 00066 * EC J-PAKE context structure. 00067 * 00068 * J-PAKE is a symmetric protocol, except for the identifiers used in 00069 * Zero-Knowledge Proofs, and the serialization of the second message 00070 * (KeyExchange) as defined by the Thread spec. 00071 * 00072 * In order to benefit from this symmetry, we choose a different naming 00073 * convetion from the Thread v1.0 spec. Correspondance is indicated in the 00074 * description as a pair C: client name, S: server name 00075 */ 00076 typedef struct mbedtls_ecjpake_context 00077 { 00078 const mbedtls_md_info_t *md_info; /**< Hash to use */ 00079 mbedtls_ecp_group grp; /**< Elliptic curve */ 00080 mbedtls_ecjpake_role role; /**< Are we client or server? */ 00081 int point_format; /**< Format for point export */ 00082 00083 mbedtls_ecp_point Xm1; /**< My public key 1 C: X1, S: X3 */ 00084 mbedtls_ecp_point Xm2; /**< My public key 2 C: X2, S: X4 */ 00085 mbedtls_ecp_point Xp1; /**< Peer public key 1 C: X3, S: X1 */ 00086 mbedtls_ecp_point Xp2; /**< Peer public key 2 C: X4, S: X2 */ 00087 mbedtls_ecp_point Xp; /**< Peer public key C: Xs, S: Xc */ 00088 00089 mbedtls_mpi xm1; /**< My private key 1 C: x1, S: x3 */ 00090 mbedtls_mpi xm2; /**< My private key 2 C: x2, S: x4 */ 00091 00092 mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ 00093 } mbedtls_ecjpake_context; 00094 00095 #else /* MBEDTLS_ECJPAKE_ALT */ 00096 #include "ecjpake_alt.h" 00097 #endif /* MBEDTLS_ECJPAKE_ALT */ 00098 00099 /** 00100 * \brief Initialize an ECJPAKE context. 00101 * 00102 * \param ctx The ECJPAKE context to initialize. 00103 * This must not be \c NULL. 00104 */ 00105 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); 00106 00107 /** 00108 * \brief Set up an ECJPAKE context for use. 00109 * 00110 * \note Currently the only values for hash/curve allowed by the 00111 * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1. 00112 * 00113 * \param ctx The ECJPAKE context to set up. This must be initialized. 00114 * \param role The role of the caller. This must be either 00115 * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER. 00116 * \param hash The identifier of the hash function to use, 00117 * for example #MBEDTLS_MD_SHA256. 00118 * \param curve The identifier of the elliptic curve to use, 00119 * for example #MBEDTLS_ECP_DP_SECP256R1. 00120 * \param secret The pre-shared secret (passphrase). This must be 00121 * a readable buffer of length \p len Bytes. It need 00122 * only be valid for the duration of this call. 00123 * \param len The length of the pre-shared secret \p secret. 00124 * 00125 * \return \c 0 if successful. 00126 * \return A negative error code on failure. 00127 */ 00128 int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, 00129 mbedtls_ecjpake_role role, 00130 mbedtls_md_type_t hash, 00131 mbedtls_ecp_group_id curve, 00132 const unsigned char *secret, 00133 size_t len ); 00134 00135 /** 00136 * \brief Check if an ECJPAKE context is ready for use. 00137 * 00138 * \param ctx The ECJPAKE context to check. This must be 00139 * initialized. 00140 * 00141 * \return \c 0 if the context is ready for use. 00142 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise. 00143 */ 00144 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ); 00145 00146 /** 00147 * \brief Generate and write the first round message 00148 * (TLS: contents of the Client/ServerHello extension, 00149 * excluding extension type and length bytes). 00150 * 00151 * \param ctx The ECJPAKE context to use. This must be 00152 * initialized and set up. 00153 * \param buf The buffer to write the contents to. This must be a 00154 * writable buffer of length \p len Bytes. 00155 * \param len The length of \p buf in Bytes. 00156 * \param olen The address at which to store the total number 00157 * of Bytes written to \p buf. This must not be \c NULL. 00158 * \param f_rng The RNG function to use. This must not be \c NULL. 00159 * \param p_rng The RNG parameter to be passed to \p f_rng. This 00160 * may be \c NULL if \p f_rng doesn't use a context. 00161 * 00162 * \return \c 0 if successful. 00163 * \return A negative error code on failure. 00164 */ 00165 int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, 00166 unsigned char *buf, size_t len, size_t *olen, 00167 int (*f_rng)(void *, unsigned char *, size_t), 00168 void *p_rng ); 00169 00170 /** 00171 * \brief Read and process the first round message 00172 * (TLS: contents of the Client/ServerHello extension, 00173 * excluding extension type and length bytes). 00174 * 00175 * \param ctx The ECJPAKE context to use. This must be initialized 00176 * and set up. 00177 * \param buf The buffer holding the first round message. This must 00178 * be a readable buffer of length \p len Bytes. 00179 * \param len The length in Bytes of \p buf. 00180 * 00181 * \return \c 0 if successful. 00182 * \return A negative error code on failure. 00183 */ 00184 int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, 00185 const unsigned char *buf, 00186 size_t len ); 00187 00188 /** 00189 * \brief Generate and write the second round message 00190 * (TLS: contents of the Client/ServerKeyExchange). 00191 * 00192 * \param ctx The ECJPAKE context to use. This must be initialized, 00193 * set up, and already have performed round one. 00194 * \param buf The buffer to write the round two contents to. 00195 * This must be a writable buffer of length \p len Bytes. 00196 * \param len The size of \p buf in Bytes. 00197 * \param olen The address at which to store the total number of Bytes 00198 * written to \p buf. This must not be \c NULL. 00199 * \param f_rng The RNG function to use. This must not be \c NULL. 00200 * \param p_rng The RNG parameter to be passed to \p f_rng. This 00201 * may be \c NULL if \p f_rng doesn't use a context. 00202 * 00203 * \return \c 0 if successful. 00204 * \return A negative error code on failure. 00205 */ 00206 int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, 00207 unsigned char *buf, size_t len, size_t *olen, 00208 int (*f_rng)(void *, unsigned char *, size_t), 00209 void *p_rng ); 00210 00211 /** 00212 * \brief Read and process the second round message 00213 * (TLS: contents of the Client/ServerKeyExchange). 00214 * 00215 * \param ctx The ECJPAKE context to use. This must be initialized 00216 * and set up and already have performed round one. 00217 * \param buf The buffer holding the second round message. This must 00218 * be a readable buffer of length \p len Bytes. 00219 * \param len The length in Bytes of \p buf. 00220 * 00221 * \return \c 0 if successful. 00222 * \return A negative error code on failure. 00223 */ 00224 int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, 00225 const unsigned char *buf, 00226 size_t len ); 00227 00228 /** 00229 * \brief Derive the shared secret 00230 * (TLS: Pre-Master Secret). 00231 * 00232 * \param ctx The ECJPAKE context to use. This must be initialized, 00233 * set up and have performed both round one and two. 00234 * \param buf The buffer to write the derived secret to. This must 00235 * be a writable buffer of length \p len Bytes. 00236 * \param len The length of \p buf in Bytes. 00237 * \param olen The address at which to store the total number of Bytes 00238 * written to \p buf. This must not be \c NULL. 00239 * \param f_rng The RNG function to use. This must not be \c NULL. 00240 * \param p_rng The RNG parameter to be passed to \p f_rng. This 00241 * may be \c NULL if \p f_rng doesn't use a context. 00242 * 00243 * \return \c 0 if successful. 00244 * \return A negative error code on failure. 00245 */ 00246 int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, 00247 unsigned char *buf, size_t len, size_t *olen, 00248 int (*f_rng)(void *, unsigned char *, size_t), 00249 void *p_rng ); 00250 00251 /** 00252 * \brief This clears an ECJPAKE context and frees any 00253 * embedded data structure. 00254 * 00255 * \param ctx The ECJPAKE context to free. This may be \c NULL, 00256 * in which case this function does nothing. If it is not 00257 * \c NULL, it must point to an initialized ECJPAKE context. 00258 */ 00259 void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); 00260 00261 #if defined(MBEDTLS_SELF_TEST) 00262 00263 /** 00264 * \brief Checkup routine 00265 * 00266 * \return 0 if successful, or 1 if a test failed 00267 */ 00268 int mbedtls_ecjpake_self_test( int verbose ); 00269 00270 #endif /* MBEDTLS_SELF_TEST */ 00271 00272 #ifdef __cplusplus 00273 } 00274 #endif 00275 00276 00277 #endif /* ecjpake.h */
Generated on Tue Jul 12 2022 13:54:17 by
