TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / df598abbd3908d4ec7b1fec2a1b0c2aff290ca1c / . / library / psa_crypto_pake.c
blob: 7288cacf642ddcdc1befe026b1b3b55eadaec6db [file] [log] [blame]
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]1/*
2 * PSA PAKE layer on top of Mbed TLS software crypto
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include <psa/crypto.h>
26#include "psa_crypto_core.h"
27#include "psa_crypto_slot_management.h"
28
29#include <mbedtls/ecjpake.h>
30#include <mbedtls/psa_util.h>
31
32#include <mbedtls/platform.h>
33#include <mbedtls/error.h>
34#include <string.h>
35
36#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
37#define PSA_PAKE_BUFFER_SIZE ( ( 69 + 66 + 33 ) * 2 )
38#endif
39
40/*
41 * State sequence:
42 *
43 * psa_pake_setup()
44 * |
45 * |-- In any order:
46 * | | psa_pake_set_password_key()
47 * | | psa_pake_set_user()
48 * | | psa_pake_set_peer()
Neil Armstrongc29f8472022-06-08 13:34:49 +0200[diff] [blame]49 * | | psa_pake_set_role()
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]50 * |
51 * |--- In any order: (First round input before or after first round output)
52 * | |
53 * | |------ In Order
54 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
55 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
56 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
57 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
58 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
59 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
60 * | |
61 * | |------ In Order:
62 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
63 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
64 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
65 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
66 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
67 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
68 * |
69 * |--- In any order: (Second round input before or after second round output)
70 * | |
71 * | |------ In Order
72 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
73 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
74 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
75 * | |
76 * | |------ In Order:
77 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
78 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
79 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
80 * |
81 * psa_pake_get_implicit_key()
82 * psa_pake_abort()
83 */
84
85enum psa_pake_step
86{
87 PSA_PAKE_STEP_INVALID = 0,
88 PSA_PAKE_STEP_X1_X2 = 1,
89 PSA_PAKE_STEP_X2S = 2,
90 PSA_PAKE_STEP_DERIVE = 3,
91};
92
93enum psa_pake_state
94{
95 PSA_PAKE_STATE_INVALID = 0,
96 PSA_PAKE_STATE_SETUP = 1,
97 PSA_PAKE_STATE_READY = 2,
98 PSA_PAKE_OUTPUT_X1_X2 = 3,
99 PSA_PAKE_OUTPUT_X2S = 4,
100 PSA_PAKE_INPUT_X1_X2 = 5,
101 PSA_PAKE_INPUT_X4S = 6,
102};
103
104enum psa_pake_sequence
105{
106 PSA_PAKE_SEQ_INVALID = 0,
107 PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */
108 PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */
109 PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */
110 PSA_PAKE_X2_STEP_KEY_SHARE = 4,
111 PSA_PAKE_X2_STEP_ZK_PUBLIC = 5,
112 PSA_PAKE_X2_STEP_ZK_PROOF = 6,
113 PSA_PAKE_SEQ_END = 7,
114};
115
116#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
117psa_status_t psa_pake_setup( psa_pake_operation_t *operation,
118 const psa_pake_cipher_suite_t *cipher_suite)
119{
120 /* A context must be freshly initialized before it can be set up. */
121 if( operation->alg != 0 || operation->state != PSA_PAKE_STATE_INVALID )
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]122 return( PSA_ERROR_BAD_STATE );
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]123
124 if( cipher_suite == NULL ||
125 PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 ||
126 ( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC &&
127 cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) ||
128 PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 )
129 {
130 return( PSA_ERROR_INVALID_ARGUMENT );
131 }
132
133#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
134 if( cipher_suite->algorithm != PSA_ALG_JPAKE ||
135 cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
136 cipher_suite->family != PSA_ECC_FAMILY_SECP_R1 ||
137 cipher_suite->bits != 256 ||
138 cipher_suite->hash != PSA_ALG_SHA_256 )
139 {
140 return( PSA_ERROR_NOT_SUPPORTED );
141 }
142
143 operation->alg = cipher_suite->algorithm;
144
145 mbedtls_ecjpake_init( &operation->ctx.ecjpake );
146
147 operation->state = PSA_PAKE_STATE_SETUP;
148 operation->sequence = PSA_PAKE_SEQ_INVALID;
149 operation->input_step = PSA_PAKE_STEP_X1_X2;
150 operation->output_step = PSA_PAKE_STEP_X1_X2;
151
152 operation->buffer = NULL;
153 operation->buffer_length = 0;
154 operation->buffer_offset = 0;
155
156 return( PSA_SUCCESS );
157#else
158 return( PSA_ERROR_NOT_SUPPORTED );
159#endif
160}
161
162psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
163 mbedtls_svc_key_id_t password )
164{
165 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
166 psa_key_attributes_t attributes = psa_key_attributes_init();
167 psa_key_type_t type;
168 psa_key_usage_t usage;
169
170 if( operation->alg == 0 ||
171 operation->state != PSA_PAKE_STATE_SETUP )
172 {
173 return( PSA_ERROR_BAD_STATE );
174 }
175
176 status = psa_get_key_attributes( password, &attributes );
177 if( status != PSA_SUCCESS )
178 return status;
179
180 type = psa_get_key_type( &attributes );
181 usage = psa_get_key_usage_flags( &attributes );
182
183 psa_reset_key_attributes( &attributes );
184
185 if( type != PSA_KEY_TYPE_PASSWORD &&
186 type != PSA_KEY_TYPE_PASSWORD_HASH )
187 {
188 return PSA_ERROR_INVALID_ARGUMENT;
189 }
190
Neil Armstrongdf598ab2022-06-08 17:17:08 +0200[diff] [blame^]191 if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]192 return PSA_ERROR_NOT_PERMITTED;
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]193
194 operation->password = password;
195
196 return( PSA_SUCCESS );
197}
198
199psa_status_t psa_pake_set_user( psa_pake_operation_t *operation,
200 const uint8_t *user_id,
201 size_t user_id_len )
202{
203 if( operation->alg == 0 ||
204 operation->state != PSA_PAKE_STATE_SETUP )
205 {
206 return( PSA_ERROR_BAD_STATE );
207 }
208
209 if( user_id_len == 0 || user_id == NULL )
210 return PSA_ERROR_INVALID_ARGUMENT;
211
212 return( PSA_ERROR_NOT_SUPPORTED );
213}
214
215psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation,
216 const uint8_t *peer_id,
217 size_t peer_id_len )
218{
219 if( operation->alg == 0 ||
220 operation->state != PSA_PAKE_STATE_SETUP )
221 {
222 return( PSA_ERROR_BAD_STATE );
223 }
224
225 if( peer_id_len == 0 || peer_id == NULL )
226 return PSA_ERROR_INVALID_ARGUMENT;
227
228 return( PSA_ERROR_NOT_SUPPORTED );
229}
230
231psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
232 psa_pake_role_t role )
233{
234 if( operation->alg == 0 ||
235 operation->state != PSA_PAKE_STATE_SETUP )
236 {
237 return( PSA_ERROR_BAD_STATE );
238 }
239
240 if( role != PSA_PAKE_ROLE_NONE &&
241 role != PSA_PAKE_ROLE_FIRST &&
242 role != PSA_PAKE_ROLE_SECOND &&
243 role != PSA_PAKE_ROLE_CLIENT &&
244 role != PSA_PAKE_ROLE_SERVER )
245 {
246 return PSA_ERROR_INVALID_ARGUMENT;
247 }
248
249#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
250 if( operation->alg == PSA_ALG_JPAKE )
251 {
252 if( role != PSA_PAKE_ROLE_CLIENT &&
253 role != PSA_PAKE_ROLE_SERVER )
254 return PSA_ERROR_NOT_SUPPORTED;
255
256 operation->role = role;
257
258 return( PSA_SUCCESS );
259 }
260 else
261#endif
262 return( PSA_ERROR_NOT_SUPPORTED );
263}
264
265#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
266static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
267{
268 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
269 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
270 mbedtls_ecjpake_role role;
271 psa_key_slot_t *slot = NULL;
272
273 if( operation->role == PSA_PAKE_ROLE_CLIENT )
274 role = MBEDTLS_ECJPAKE_CLIENT;
275 else if( operation->role == PSA_PAKE_ROLE_SERVER )
276 role = MBEDTLS_ECJPAKE_SERVER;
277 else
278 return( PSA_ERROR_BAD_STATE );
279
280 if( psa_is_valid_key_id( operation->password, 1 ) == 0 )
281 return( PSA_ERROR_BAD_STATE );
282
283 status = psa_get_and_lock_key_slot( operation->password, &slot );
284 if( status != PSA_SUCCESS )
285 return( status );
286
287
288 ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake,
289 role,
290 MBEDTLS_MD_SHA256,
291 MBEDTLS_ECP_DP_SECP256R1,
292 slot->key.data, slot->key.bytes );
293
294 psa_unlock_key_slot( slot );
295 slot = NULL;
296
297 if( ret != 0 )
298 return( mbedtls_to_psa_error( ret ) );
299
Neil Armstrong6b1f99f2022-06-08 13:37:37 +0200[diff] [blame]300 operation->buffer = mbedtls_calloc( 1, PSA_PAKE_BUFFER_SIZE );
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]301 if( operation->buffer == NULL )
302 return( PSA_ERROR_INSUFFICIENT_MEMORY );
303
304 operation->state = PSA_PAKE_STATE_READY;
305
306 return( PSA_SUCCESS );
307}
308#endif
309
310psa_status_t psa_pake_output( psa_pake_operation_t *operation,
311 psa_pake_step_t step,
312 uint8_t *output,
313 size_t output_size,
314 size_t *output_length )
315{
316 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
317 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
318 size_t length;
319
320 if( operation->alg == 0 ||
321 operation->state == PSA_PAKE_STATE_INVALID )
322 return( PSA_ERROR_BAD_STATE );
323
324 if( step != PSA_PAKE_STEP_KEY_SHARE &&
325 step != PSA_PAKE_STEP_ZK_PUBLIC &&
326 step != PSA_PAKE_STEP_ZK_PROOF )
327 return( PSA_ERROR_INVALID_ARGUMENT );
328
329#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
330 if( operation->state == PSA_PAKE_STATE_SETUP ) {
331 status = psa_pake_ecjpake_setup( operation );
332 if( status != PSA_SUCCESS )
333 {
334 psa_pake_abort( operation );
335 return( status );
336 }
337 }
338
339 if( operation->state >= PSA_PAKE_STATE_READY &&
340 ( mbedtls_ecjpake_check( &operation->ctx.ecjpake ) != 0 ||
341 operation->buffer == NULL ) )
342 {
343 return( PSA_ERROR_BAD_STATE );
344 }
345
346 if( operation->state != PSA_PAKE_STATE_READY &&
347 operation->state != PSA_PAKE_OUTPUT_X1_X2 &&
348 operation->state != PSA_PAKE_OUTPUT_X2S )
349 {
350 return( PSA_ERROR_BAD_STATE );
351 }
352
353 if( operation->state == PSA_PAKE_STATE_READY )
354 {
355 if( step != PSA_PAKE_STEP_KEY_SHARE )
356 return( PSA_ERROR_BAD_STATE );
357
358 switch( operation->output_step )
359 {
360 case PSA_PAKE_STEP_X1_X2:
361 operation->state = PSA_PAKE_OUTPUT_X1_X2;
362 break;
363 case PSA_PAKE_STEP_X2S:
364 operation->state = PSA_PAKE_OUTPUT_X2S;
365 break;
366 default:
367 return( PSA_ERROR_BAD_STATE );
368 }
369
370 operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
371 }
372
373 /* Check if step matches current sequence */
374 switch( operation->sequence )
375 {
376 case PSA_PAKE_X1_STEP_KEY_SHARE:
377 case PSA_PAKE_X2_STEP_KEY_SHARE:
378 if( step != PSA_PAKE_STEP_KEY_SHARE )
379 return( PSA_ERROR_BAD_STATE );
380 break;
381
382 case PSA_PAKE_X1_STEP_ZK_PUBLIC:
383 case PSA_PAKE_X2_STEP_ZK_PUBLIC:
384 if( step != PSA_PAKE_STEP_ZK_PUBLIC )
385 return( PSA_ERROR_BAD_STATE );
386 break;
387
388 case PSA_PAKE_X1_STEP_ZK_PROOF:
389 case PSA_PAKE_X2_STEP_ZK_PROOF:
390 if( step != PSA_PAKE_STEP_ZK_PROOF )
391 return( PSA_ERROR_BAD_STATE );
392 break;
393
394 default:
395 return( PSA_ERROR_BAD_STATE );
396 }
397
398 /* Initialize & write round on KEY_SHARE sequences */
399 if( operation->state == PSA_PAKE_OUTPUT_X1_X2 &&
400 operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
401 {
402 ret = mbedtls_ecjpake_write_round_one( &operation->ctx.ecjpake,
403 operation->buffer,
404 PSA_PAKE_BUFFER_SIZE,
405 &operation->buffer_length,
406 mbedtls_psa_get_random,
407 MBEDTLS_PSA_RANDOM_STATE );
408 if( ret != 0 )
409 {
410 psa_pake_abort( operation );
411 return( mbedtls_to_psa_error( ret ) );
412 }
413
414 operation->buffer_offset = 0;
415 }
416 else if( operation->state == PSA_PAKE_OUTPUT_X2S &&
417 operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
418 {
419 ret = mbedtls_ecjpake_write_round_two( &operation->ctx.ecjpake,
420 operation->buffer,
421 PSA_PAKE_BUFFER_SIZE,
422 &operation->buffer_length,
423 mbedtls_psa_get_random,
424 MBEDTLS_PSA_RANDOM_STATE );
425 if( ret != 0 )
426 {
427 psa_pake_abort( operation );
428 return( mbedtls_to_psa_error( ret ) );
429 }
430
431 operation->buffer_offset = 0;
432 }
433
434 /* Load output sequence length */
435 if( operation->state == PSA_PAKE_OUTPUT_X2S &&
436 operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
437 {
438 if( operation->role == PSA_PAKE_ROLE_SERVER )
439 /* Length is stored after 3bytes curve */
440 length = 3 + operation->buffer[3] + 1;
441 else
442 /* Length is stored at the first byte */
443 length = operation->buffer[0] + 1;
444 }
445 else
Neil Armstrongc29f8472022-06-08 13:34:49 +0200[diff] [blame]446 /* Length is stored at the first byte of the next chunk */
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]447 length = operation->buffer[operation->buffer_offset] + 1;
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]448
449 if( length > operation->buffer_length )
450 return( PSA_ERROR_DATA_CORRUPT );
451
452 if( output_size < length )
453 {
454 psa_pake_abort( operation );
455 return( PSA_ERROR_BUFFER_TOO_SMALL );
456 }
457
458 memcpy( output,
459 operation->buffer + operation->buffer_offset,
460 length );
461 *output_length = length;
462
463 operation->buffer_offset += length;
464
465 /* Reset buffer after ZK_PROOF sequence */
466 if( ( operation->state == PSA_PAKE_OUTPUT_X1_X2 &&
467 operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) ||
468 ( operation->state == PSA_PAKE_OUTPUT_X2S &&
469 operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) )
470 {
471 mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
472 operation->buffer_length = 0;
473 operation->buffer_offset = 0;
474
475 operation->state = PSA_PAKE_STATE_READY;
476 operation->output_step++;
477 operation->sequence = 0;
478 }
479 else
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]480 operation->sequence++;
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]481
482 return( PSA_SUCCESS );
483#else
484 return( PSA_ERROR_NOT_SUPPORTED );
485#endif
486}
487
488psa_status_t psa_pake_input( psa_pake_operation_t *operation,
489 psa_pake_step_t step,
490 const uint8_t *input,
491 size_t input_length )
492{
493 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
494 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
495 size_t buffer_remain;
496
497 if( operation->alg == 0 ||
498 operation->state == PSA_PAKE_STATE_INVALID )
499 return( PSA_ERROR_BAD_STATE );
500
501 if( step != PSA_PAKE_STEP_KEY_SHARE &&
502 step != PSA_PAKE_STEP_ZK_PUBLIC &&
503 step != PSA_PAKE_STEP_ZK_PROOF )
504 return( PSA_ERROR_INVALID_ARGUMENT );
505
506#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
507 if( operation->state == PSA_PAKE_STATE_SETUP ) {
508 status = psa_pake_ecjpake_setup( operation );
509 if( status != PSA_SUCCESS )
510 {
511 psa_pake_abort( operation );
512 return( status );
513 }
514 }
515
516 if( operation->state >= PSA_PAKE_STATE_READY &&
517 ( mbedtls_ecjpake_check( &operation->ctx.ecjpake ) != 0 ||
518 operation->buffer == NULL ) )
519 {
520 return( PSA_ERROR_BAD_STATE );
521 }
522
523 if( operation->state != PSA_PAKE_STATE_READY &&
524 operation->state != PSA_PAKE_INPUT_X1_X2 &&
525 operation->state != PSA_PAKE_INPUT_X4S )
526 {
527 return( PSA_ERROR_BAD_STATE );
528 }
529
530 if( operation->state == PSA_PAKE_STATE_READY )
531 {
532 if( step != PSA_PAKE_STEP_KEY_SHARE )
533 return( PSA_ERROR_BAD_STATE );
534
535 switch( operation->input_step )
536 {
537 case PSA_PAKE_STEP_X1_X2:
538 operation->state = PSA_PAKE_INPUT_X1_X2;
539 break;
540 case PSA_PAKE_STEP_X2S:
541 operation->state = PSA_PAKE_INPUT_X4S;
542 break;
543 default:
544 return( PSA_ERROR_BAD_STATE );
545 }
546
547 operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
548 }
549
550 buffer_remain = PSA_PAKE_BUFFER_SIZE - operation->buffer_length;
551
552 if( input_length == 0 ||
553 input_length > buffer_remain )
554 {
555 psa_pake_abort( operation );
556 return( PSA_ERROR_INSUFFICIENT_MEMORY );
557 }
558
559 /* Check if step matches current sequence */
560 switch( operation->sequence )
561 {
562 case PSA_PAKE_X1_STEP_KEY_SHARE:
563 case PSA_PAKE_X2_STEP_KEY_SHARE:
564 if( step != PSA_PAKE_STEP_KEY_SHARE )
565 return( PSA_ERROR_BAD_STATE );
566 break;
567
568 case PSA_PAKE_X1_STEP_ZK_PUBLIC:
569 case PSA_PAKE_X2_STEP_ZK_PUBLIC:
570 if( step != PSA_PAKE_STEP_ZK_PUBLIC )
571 return( PSA_ERROR_BAD_STATE );
572 break;
573
574 case PSA_PAKE_X1_STEP_ZK_PROOF:
575 case PSA_PAKE_X2_STEP_ZK_PROOF:
576 if( step != PSA_PAKE_STEP_ZK_PROOF )
577 return( PSA_ERROR_BAD_STATE );
578 break;
579
580 default:
581 return( PSA_ERROR_BAD_STATE );
582 }
583
584 /* Copy input to local buffer */
585 memcpy( operation->buffer + operation->buffer_length,
586 input, input_length );
587 operation->buffer_length += input_length;
588
589 /* Load buffer at each last round ZK_PROOF */
590 if( operation->state == PSA_PAKE_INPUT_X1_X2 &&
591 operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF )
592 {
593 ret = mbedtls_ecjpake_read_round_one( &operation->ctx.ecjpake,
594 operation->buffer,
595 operation->buffer_length );
596
597 mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
598 operation->buffer_length = 0;
599
600 if( ret != 0 )
601 {
602 psa_pake_abort( operation );
603 return( mbedtls_to_psa_error( ret ) );
604 }
605 }
606 else if( operation->state == PSA_PAKE_INPUT_X4S &&
607 operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF )
608 {
609 ret = mbedtls_ecjpake_read_round_two( &operation->ctx.ecjpake,
610 operation->buffer,
611 operation->buffer_length );
612
613 mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
614 operation->buffer_length = 0;
615
616 if( ret != 0 )
617 {
618 psa_pake_abort( operation );
619 return( mbedtls_to_psa_error( ret ) );
620 }
621 }
622
623 if( ( operation->state == PSA_PAKE_INPUT_X1_X2 &&
624 operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) ||
625 ( operation->state == PSA_PAKE_INPUT_X4S &&
626 operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) )
627 {
628 operation->state = PSA_PAKE_STATE_READY;
629 operation->input_step++;
630 operation->sequence = 0;
631 }
632 else
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]633 operation->sequence++;
Neil Armstronga4cc7d62022-05-25 11:30:48 +0200[diff] [blame]634
635 return( PSA_SUCCESS );
636#else
637 return( PSA_ERROR_NOT_SUPPORTED );
638#endif
639}
640
641psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
642 psa_key_derivation_operation_t *output)
643{
644 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
645 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
646
647 if( operation->alg == 0 ||
648 operation->state != PSA_PAKE_STATE_READY ||
649 ( operation->input_step != PSA_PAKE_STEP_DERIVE &&
650 operation->output_step != PSA_PAKE_STEP_DERIVE ) )
651 return( PSA_ERROR_BAD_STATE );
652
653#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
654 ret = mbedtls_ecjpake_derive_secret( &operation->ctx.ecjpake,
655 operation->buffer,
656 PSA_PAKE_BUFFER_SIZE,
657 &operation->buffer_length,
658 mbedtls_psa_get_random,
659 MBEDTLS_PSA_RANDOM_STATE );
660 if( ret != 0)
661 {
662 psa_pake_abort( operation );
663 return( mbedtls_to_psa_error( ret ) );
664 }
665
666 status = psa_key_derivation_input_bytes( output,
667 PSA_KEY_DERIVATION_INPUT_SECRET,
668 operation->buffer,
669 operation->buffer_length );
670
671 mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
672
673 psa_pake_abort( operation );
674
675 return( status );
676#else
677 return( PSA_ERROR_NOT_SUPPORTED );
678#endif
679}
680
681psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
682{
683 if( operation->alg == 0 )
684 {
685 return( PSA_SUCCESS );
686 }
687
688 operation->alg = 0;
689 operation->state = 0;
690 operation->sequence = 0;
691
692#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECJPAKE)
693 operation->input_step = 0;
694 operation->output_step = 0;
695 operation->password = MBEDTLS_SVC_KEY_ID_INIT;
696 operation->role = 0;
697 mbedtls_free( operation->buffer );
698 operation->buffer = NULL;
699 operation->buffer_length = 0;
700 operation->buffer_offset = 0;
701 mbedtls_ecjpake_free( &operation->ctx.ecjpake );
702#endif
703
704 return( PSA_SUCCESS );
705}
706
707#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
708
709#endif /* MBEDTLS_PSA_CRYPTO_C */