Coverage Report

Created: 2024-11-21 07:03

/src/mbedtls/library/psa_crypto_pake.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  PSA PAKE layer on top of Mbed TLS software crypto
3
 */
4
/*
5
 *  Copyright The Mbed TLS Contributors
6
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7
 */
8
9
#include "common.h"
10
11
#if defined(MBEDTLS_PSA_CRYPTO_C)
12
13
#include <psa/crypto.h>
14
#include "psa_crypto_core.h"
15
#include "psa_crypto_pake.h"
16
#include "psa_crypto_slot_management.h"
17
18
#include <mbedtls/ecjpake.h>
19
#include "psa_util_internal.h"
20
21
#include <mbedtls/platform.h>
22
#include <mbedtls/error.h>
23
#include <string.h>
24
25
/*
26
 * State sequence:
27
 *
28
 *   psa_pake_setup()
29
 *   |
30
 *   |-- In any order:
31
 *   |   | psa_pake_set_password_key()
32
 *   |   | psa_pake_set_user()
33
 *   |   | psa_pake_set_peer()
34
 *   |   | psa_pake_set_role()
35
 *   |
36
 *   |--- In any order: (First round input before or after first round output)
37
 *   |   |
38
 *   |   |------ In Order
39
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
40
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
41
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
42
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
43
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
44
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
45
 *   |   |
46
 *   |   |------ In Order:
47
 *   |           | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
48
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
49
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
50
 *   |           | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
51
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
52
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
53
 *   |
54
 *   |--- In any order: (Second round input before or after second round output)
55
 *   |   |
56
 *   |   |------ In Order
57
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
58
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
59
 *   |   |       | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
60
 *   |   |
61
 *   |   |------ In Order:
62
 *   |           | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
63
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
64
 *   |           | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
65
 *   |
66
 *   psa_pake_get_implicit_key()
67
 *   psa_pake_abort()
68
 */
69
70
/*
71
 * Possible sequence of calls to implementation:
72
 *
73
 * |--- In any order:
74
 * |   |
75
 * |   |------ In Order
76
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
77
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
78
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
79
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
80
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
81
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
82
 * |   |
83
 * |   |------ In Order:
84
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
85
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
86
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
87
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
88
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
89
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
90
 * |
91
 * |--- In any order:
92
 * |   |
93
 * |   |------ In Order
94
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
95
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
96
 * |   |       | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
97
 * |   |
98
 * |   |------ In Order:
99
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
100
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
101
 * |           | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
102
 */
103
104
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
105
static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
106
0
{
107
0
    switch (ret) {
108
0
        case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
109
0
        case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
110
0
        case MBEDTLS_ERR_ECP_INVALID_KEY:
111
0
        case MBEDTLS_ERR_ECP_VERIFY_FAILED:
112
0
            return PSA_ERROR_DATA_INVALID;
113
0
        case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
114
0
        case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
115
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
116
0
        case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
117
0
            return PSA_ERROR_NOT_SUPPORTED;
118
0
        case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
119
0
            return PSA_ERROR_CORRUPTION_DETECTED;
120
0
        default:
121
0
            return PSA_ERROR_GENERIC_ERROR;
122
0
    }
123
0
}
124
#endif
125
126
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
127
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
128
static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
129
0
{
130
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
131
132
0
    mbedtls_ecjpake_init(&operation->ctx.jpake);
133
134
0
    ret = mbedtls_ecjpake_setup(&operation->ctx.jpake,
135
0
                                operation->role,
136
0
                                MBEDTLS_MD_SHA256,
137
0
                                MBEDTLS_ECP_DP_SECP256R1,
138
0
                                operation->password,
139
0
                                operation->password_len);
140
141
0
    mbedtls_platform_zeroize(operation->password, operation->password_len);
142
143
0
    if (ret != 0) {
144
0
        return mbedtls_ecjpake_to_psa_error(ret);
145
0
    }
146
147
0
    return PSA_SUCCESS;
148
0
}
149
#endif
150
151
/* The only two JPAKE user/peer identifiers supported in built-in implementation. */
152
static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
153
static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
154
155
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
156
                                    const psa_crypto_driver_pake_inputs_t *inputs)
157
0
{
158
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
159
0
    size_t user_len = 0, peer_len = 0, password_len = 0;
160
0
    uint8_t *peer = NULL, *user = NULL;
161
0
    size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0;
162
0
    psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
163
164
0
    status = psa_crypto_driver_pake_get_password_len(inputs, &password_len);
165
0
    if (status != PSA_SUCCESS) {
166
0
        return status;
167
0
    }
168
169
0
    status = psa_crypto_driver_pake_get_user_len(inputs, &user_len);
170
0
    if (status != PSA_SUCCESS) {
171
0
        return status;
172
0
    }
173
174
0
    status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
175
0
    if (status != PSA_SUCCESS) {
176
0
        return status;
177
0
    }
178
179
0
    status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite);
180
0
    if (status != PSA_SUCCESS) {
181
0
        return status;
182
0
    }
183
184
0
    operation->password = mbedtls_calloc(1, password_len);
185
0
    if (operation->password == NULL) {
186
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
187
0
        goto error;
188
0
    }
189
190
0
    user = mbedtls_calloc(1, user_len);
191
0
    if (user == NULL) {
192
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
193
0
        goto error;
194
0
    }
195
196
0
    peer = mbedtls_calloc(1, peer_len);
197
0
    if (peer == NULL) {
198
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
199
0
        goto error;
200
0
    }
201
202
0
    status = psa_crypto_driver_pake_get_password(inputs, operation->password,
203
0
                                                 password_len, &actual_password_len);
204
0
    if (status != PSA_SUCCESS) {
205
0
        goto error;
206
0
    }
207
208
0
    status = psa_crypto_driver_pake_get_user(inputs, user,
209
0
                                             user_len, &actual_user_len);
210
0
    if (status != PSA_SUCCESS) {
211
0
        goto error;
212
0
    }
213
214
0
    status = psa_crypto_driver_pake_get_peer(inputs, peer,
215
0
                                             peer_len, &actual_peer_len);
216
0
    if (status != PSA_SUCCESS) {
217
0
        goto error;
218
0
    }
219
220
0
    operation->password_len = actual_password_len;
221
0
    operation->alg = cipher_suite.algorithm;
222
223
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
224
0
    if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
225
0
        if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
226
0
            cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
227
0
            cipher_suite.bits != 256 ||
228
0
            cipher_suite.hash != PSA_ALG_SHA_256) {
229
0
            status = PSA_ERROR_NOT_SUPPORTED;
230
0
            goto error;
231
0
        }
232
233
0
        const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length
234
0
        if (actual_user_len != user_peer_len ||
235
0
            actual_peer_len != user_peer_len) {
236
0
            status = PSA_ERROR_NOT_SUPPORTED;
237
0
            goto error;
238
0
        }
239
240
0
        if (memcmp(user, jpake_client_id, actual_user_len) == 0 &&
241
0
            memcmp(peer, jpake_server_id, actual_peer_len) == 0) {
242
0
            operation->role = MBEDTLS_ECJPAKE_CLIENT;
243
0
        } else
244
0
        if (memcmp(user, jpake_server_id, actual_user_len) == 0 &&
245
0
            memcmp(peer, jpake_client_id, actual_peer_len) == 0) {
246
0
            operation->role = MBEDTLS_ECJPAKE_SERVER;
247
0
        } else {
248
0
            status = PSA_ERROR_NOT_SUPPORTED;
249
0
            goto error;
250
0
        }
251
252
0
        operation->buffer_length = 0;
253
0
        operation->buffer_offset = 0;
254
255
0
        status = psa_pake_ecjpake_setup(operation);
256
0
        if (status != PSA_SUCCESS) {
257
0
            goto error;
258
0
        }
259
260
        /* Role has been set, release user/peer buffers. */
261
0
        mbedtls_free(user); mbedtls_free(peer);
262
263
0
        return PSA_SUCCESS;
264
0
    } else
265
#else
266
    (void) operation;
267
    (void) inputs;
268
#endif
269
0
    { status = PSA_ERROR_NOT_SUPPORTED; }
270
271
0
error:
272
0
    mbedtls_free(user); mbedtls_free(peer);
273
    /* In case of failure of the setup of a multipart operation, the PSA driver interface
274
     * specifies that the core does not call any other driver entry point thus does not
275
     * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean
276
     * up like freeing the memory that may have been allocated to store the password.
277
     */
278
0
    mbedtls_psa_pake_abort(operation);
279
0
    return status;
280
0
}
281
282
static psa_status_t mbedtls_psa_pake_output_internal(
283
    mbedtls_psa_pake_operation_t *operation,
284
    psa_crypto_driver_pake_step_t step,
285
    uint8_t *output,
286
    size_t output_size,
287
    size_t *output_length)
288
0
{
289
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
290
0
    size_t length;
291
0
    (void) step; // Unused parameter
292
293
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
294
    /*
295
     * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
296
     * handling of output sequencing.
297
     *
298
     * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data
299
     * at once, on the other side the PSA CRYPTO PAKE api requires
300
     * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be
301
     * retrieved in sequence.
302
     *
303
     * In order to achieve API compatibility, the whole X1+X2 or X2S steps
304
     * data is stored in an intermediate buffer at first step output call,
305
     * and data is sliced down by parsing the ECPoint records in order
306
     * to return the right parts on each step.
307
     */
308
0
    if (operation->alg == PSA_ALG_JPAKE) {
309
        /* Initialize & write round on KEY_SHARE sequences */
310
0
        if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) {
311
0
            ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake,
312
0
                                                  operation->buffer,
313
0
                                                  sizeof(operation->buffer),
314
0
                                                  &operation->buffer_length,
315
0
                                                  mbedtls_psa_get_random,
316
0
                                                  MBEDTLS_PSA_RANDOM_STATE);
317
0
            if (ret != 0) {
318
0
                return mbedtls_ecjpake_to_psa_error(ret);
319
0
            }
320
321
0
            operation->buffer_offset = 0;
322
0
        } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) {
323
0
            ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake,
324
0
                                                  operation->buffer,
325
0
                                                  sizeof(operation->buffer),
326
0
                                                  &operation->buffer_length,
327
0
                                                  mbedtls_psa_get_random,
328
0
                                                  MBEDTLS_PSA_RANDOM_STATE);
329
0
            if (ret != 0) {
330
0
                return mbedtls_ecjpake_to_psa_error(ret);
331
0
            }
332
333
0
            operation->buffer_offset = 0;
334
0
        }
335
336
        /*
337
         * mbedtls_ecjpake_write_round_xxx() outputs thing in the format
338
         * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is
339
         * that the data for each step is prepended with a length byte, and
340
         * then they're concatenated. Additionally, the server's second round
341
         * output is prepended with a 3-bytes ECParameters structure.
342
         *
343
         * In PSA, we output each step separately, and don't prepend the
344
         * output with a length byte, even less a curve identifier, as that
345
         * information is already available.
346
         */
347
0
        if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE &&
348
0
            operation->role == MBEDTLS_ECJPAKE_SERVER) {
349
            /* Skip ECParameters, with is 3 bytes (RFC 8422) */
350
0
            operation->buffer_offset += 3;
351
0
        }
352
353
        /* Read the length byte then move past it to the data */
354
0
        length = operation->buffer[operation->buffer_offset];
355
0
        operation->buffer_offset += 1;
356
357
0
        if (operation->buffer_offset + length > operation->buffer_length) {
358
0
            return PSA_ERROR_DATA_CORRUPT;
359
0
        }
360
361
0
        if (output_size < length) {
362
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
363
0
        }
364
365
0
        memcpy(output,
366
0
               operation->buffer + operation->buffer_offset,
367
0
               length);
368
0
        *output_length = length;
369
370
0
        operation->buffer_offset += length;
371
372
        /* Reset buffer after ZK_PROOF sequence */
373
0
        if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) ||
374
0
            (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) {
375
0
            mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
376
0
            operation->buffer_length = 0;
377
0
            operation->buffer_offset = 0;
378
0
        }
379
380
0
        return PSA_SUCCESS;
381
0
    } else
382
#else
383
    (void) step;
384
    (void) output;
385
    (void) output_size;
386
    (void) output_length;
387
#endif
388
0
    { return PSA_ERROR_NOT_SUPPORTED; }
389
0
}
390
391
psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
392
                                     psa_crypto_driver_pake_step_t step,
393
                                     uint8_t *output,
394
                                     size_t output_size,
395
                                     size_t *output_length)
396
0
{
397
0
    psa_status_t status = mbedtls_psa_pake_output_internal(
398
0
        operation, step, output, output_size, output_length);
399
400
0
    return status;
401
0
}
402
403
static psa_status_t mbedtls_psa_pake_input_internal(
404
    mbedtls_psa_pake_operation_t *operation,
405
    psa_crypto_driver_pake_step_t step,
406
    const uint8_t *input,
407
    size_t input_length)
408
0
{
409
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
410
0
    (void) step; // Unused parameter
411
412
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
413
    /*
414
     * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
415
     * handling of input sequencing.
416
     *
417
     * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data
418
     * at once as input, on the other side the PSA CRYPTO PAKE api requires
419
     * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be
420
     * given in sequence.
421
     *
422
     * In order to achieve API compatibility, each X1+X2 or X4S step data
423
     * is stored sequentially in an intermediate buffer and given to the
424
     * Mbed TLS JPAKE API on the last step.
425
     *
426
     * This causes any input error to be only detected on the last step.
427
     */
428
0
    if (operation->alg == PSA_ALG_JPAKE) {
429
        /*
430
         * Copy input to local buffer and format it as the Mbed TLS API
431
         * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7.
432
         * The summary is that the data for each step is prepended with a
433
         * length byte, and then they're concatenated. Additionally, the
434
         * server's second round output is prepended with a 3-bytes
435
         * ECParameters structure - which means we have to prepend that when
436
         * we're a client.
437
         */
438
0
        if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE &&
439
0
            operation->role == MBEDTLS_ECJPAKE_CLIENT) {
440
            /* We only support secp256r1. */
441
            /* This is the ECParameters structure defined by RFC 8422. */
442
0
            unsigned char ecparameters[3] = {
443
0
                3, /* named_curve */
444
0
                0, 23 /* secp256r1 */
445
0
            };
446
447
0
            if (operation->buffer_length + sizeof(ecparameters) >
448
0
                sizeof(operation->buffer)) {
449
0
                return PSA_ERROR_BUFFER_TOO_SMALL;
450
0
            }
451
452
0
            memcpy(operation->buffer + operation->buffer_length,
453
0
                   ecparameters, sizeof(ecparameters));
454
0
            operation->buffer_length += sizeof(ecparameters);
455
0
        }
456
457
        /*
458
         * The core checks that input_length is smaller than
459
         * PSA_PAKE_INPUT_MAX_SIZE.
460
         * Thus no risk of integer overflow here.
461
         */
462
0
        if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) {
463
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
464
0
        }
465
466
        /* Write the length byte */
467
0
        operation->buffer[operation->buffer_length] = (uint8_t) input_length;
468
0
        operation->buffer_length += 1;
469
470
        /* Finally copy the data */
471
0
        memcpy(operation->buffer + operation->buffer_length,
472
0
               input, input_length);
473
0
        operation->buffer_length += input_length;
474
475
        /* Load buffer at each last round ZK_PROOF */
476
0
        if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) {
477
0
            ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake,
478
0
                                                 operation->buffer,
479
0
                                                 operation->buffer_length);
480
481
0
            mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
482
0
            operation->buffer_length = 0;
483
484
0
            if (ret != 0) {
485
0
                return mbedtls_ecjpake_to_psa_error(ret);
486
0
            }
487
0
        } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) {
488
0
            ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake,
489
0
                                                 operation->buffer,
490
0
                                                 operation->buffer_length);
491
492
0
            mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
493
0
            operation->buffer_length = 0;
494
495
0
            if (ret != 0) {
496
0
                return mbedtls_ecjpake_to_psa_error(ret);
497
0
            }
498
0
        }
499
500
0
        return PSA_SUCCESS;
501
0
    } else
502
#else
503
    (void) step;
504
    (void) input;
505
    (void) input_length;
506
#endif
507
0
    { return PSA_ERROR_NOT_SUPPORTED; }
508
0
}
509
510
psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
511
                                    psa_crypto_driver_pake_step_t step,
512
                                    const uint8_t *input,
513
                                    size_t input_length)
514
0
{
515
0
    psa_status_t status = mbedtls_psa_pake_input_internal(
516
0
        operation, step, input, input_length);
517
518
0
    return status;
519
0
}
520
521
psa_status_t mbedtls_psa_pake_get_implicit_key(
522
    mbedtls_psa_pake_operation_t *operation,
523
    uint8_t *output, size_t output_size,
524
    size_t *output_length)
525
0
{
526
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
527
528
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
529
0
    if (operation->alg == PSA_ALG_JPAKE) {
530
0
        ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake,
531
0
                                               output,
532
0
                                               output_size,
533
0
                                               output_length,
534
0
                                               mbedtls_psa_get_random,
535
0
                                               MBEDTLS_PSA_RANDOM_STATE);
536
0
        if (ret != 0) {
537
0
            return mbedtls_ecjpake_to_psa_error(ret);
538
0
        }
539
540
0
        return PSA_SUCCESS;
541
0
    } else
542
#else
543
    (void) output;
544
#endif
545
0
    { return PSA_ERROR_NOT_SUPPORTED; }
546
0
}
547
548
psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
549
0
{
550
0
    mbedtls_zeroize_and_free(operation->password, operation->password_len);
551
0
    operation->password = NULL;
552
0
    operation->password_len = 0;
553
554
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
555
0
    if (operation->alg == PSA_ALG_JPAKE) {
556
0
        operation->role = MBEDTLS_ECJPAKE_NONE;
557
0
        mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
558
0
        operation->buffer_length = 0;
559
0
        operation->buffer_offset = 0;
560
0
        mbedtls_ecjpake_free(&operation->ctx.jpake);
561
0
    }
562
0
#endif
563
564
0
    operation->alg = PSA_ALG_NONE;
565
566
0
    return PSA_SUCCESS;
567
0
}
568
569
#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
570
571
#endif /* MBEDTLS_PSA_CRYPTO_C */