/src/mbedtls/library/psa_crypto_pake.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PSA PAKE layer on top of Mbed TLS software crypto |
3 | | */ |
4 | | /* |
5 | | * Copyright The Mbed TLS Contributors |
6 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
7 | | */ |
8 | | |
9 | | #include "common.h" |
10 | | |
11 | | #if defined(MBEDTLS_PSA_CRYPTO_C) |
12 | | |
13 | | #include <psa/crypto.h> |
14 | | #include "psa_crypto_core.h" |
15 | | #include "psa_crypto_pake.h" |
16 | | #include "psa_crypto_slot_management.h" |
17 | | |
18 | | #include <mbedtls/ecjpake.h> |
19 | | #include "psa_util_internal.h" |
20 | | |
21 | | #include <mbedtls/platform.h> |
22 | | #include <mbedtls/error.h> |
23 | | #include <string.h> |
24 | | |
25 | | /* |
26 | | * State sequence: |
27 | | * |
28 | | * psa_pake_setup() |
29 | | * | |
30 | | * |-- In any order: |
31 | | * | | psa_pake_set_password_key() |
32 | | * | | psa_pake_set_user() |
33 | | * | | psa_pake_set_peer() |
34 | | * | | psa_pake_set_role() |
35 | | * | |
36 | | * |--- In any order: (First round input before or after first round output) |
37 | | * | | |
38 | | * | |------ In Order |
39 | | * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) |
40 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) |
41 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) |
42 | | * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) |
43 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) |
44 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) |
45 | | * | | |
46 | | * | |------ In Order: |
47 | | * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) |
48 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) |
49 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) |
50 | | * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) |
51 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) |
52 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) |
53 | | * | |
54 | | * |--- In any order: (Second round input before or after second round output) |
55 | | * | | |
56 | | * | |------ In Order |
57 | | * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) |
58 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) |
59 | | * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) |
60 | | * | | |
61 | | * | |------ In Order: |
62 | | * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) |
63 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) |
64 | | * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) |
65 | | * | |
66 | | * psa_pake_get_implicit_key() |
67 | | * psa_pake_abort() |
68 | | */ |
69 | | |
70 | | /* |
71 | | * Possible sequence of calls to implementation: |
72 | | * |
73 | | * |--- In any order: |
74 | | * | | |
75 | | * | |------ In Order |
76 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE) |
77 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC) |
78 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF) |
79 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE) |
80 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC) |
81 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF) |
82 | | * | | |
83 | | * | |------ In Order: |
84 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE) |
85 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC) |
86 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF) |
87 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE) |
88 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC) |
89 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF) |
90 | | * | |
91 | | * |--- In any order: |
92 | | * | | |
93 | | * | |------ In Order |
94 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE) |
95 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC) |
96 | | * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF) |
97 | | * | | |
98 | | * | |------ In Order: |
99 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE) |
100 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC) |
101 | | * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF) |
102 | | */ |
103 | | |
104 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
105 | | static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) |
106 | 0 | { |
107 | 0 | switch (ret) { |
108 | 0 | case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: |
109 | 0 | case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: |
110 | 0 | case MBEDTLS_ERR_ECP_INVALID_KEY: |
111 | 0 | case MBEDTLS_ERR_ECP_VERIFY_FAILED: |
112 | 0 | return PSA_ERROR_DATA_INVALID; |
113 | 0 | case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: |
114 | 0 | case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: |
115 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
116 | 0 | case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: |
117 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
118 | 0 | case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: |
119 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
120 | 0 | default: |
121 | 0 | return PSA_ERROR_GENERIC_ERROR; |
122 | 0 | } |
123 | 0 | } |
124 | | #endif |
125 | | |
126 | | #if defined(MBEDTLS_PSA_BUILTIN_PAKE) |
127 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
128 | | static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) |
129 | 0 | { |
130 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
131 | |
|
132 | 0 | mbedtls_ecjpake_init(&operation->ctx.jpake); |
133 | |
|
134 | 0 | ret = mbedtls_ecjpake_setup(&operation->ctx.jpake, |
135 | 0 | operation->role, |
136 | 0 | MBEDTLS_MD_SHA256, |
137 | 0 | MBEDTLS_ECP_DP_SECP256R1, |
138 | 0 | operation->password, |
139 | 0 | operation->password_len); |
140 | |
|
141 | 0 | mbedtls_platform_zeroize(operation->password, operation->password_len); |
142 | |
|
143 | 0 | if (ret != 0) { |
144 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
145 | 0 | } |
146 | | |
147 | 0 | return PSA_SUCCESS; |
148 | 0 | } |
149 | | #endif |
150 | | |
151 | | /* The only two JPAKE user/peer identifiers supported in built-in implementation. */ |
152 | | static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; |
153 | | static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; |
154 | | |
155 | | psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, |
156 | | const psa_crypto_driver_pake_inputs_t *inputs) |
157 | 0 | { |
158 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
159 | 0 | size_t user_len = 0, peer_len = 0, password_len = 0; |
160 | 0 | uint8_t *peer = NULL, *user = NULL; |
161 | 0 | size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0; |
162 | 0 | psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); |
163 | |
|
164 | 0 | status = psa_crypto_driver_pake_get_password_len(inputs, &password_len); |
165 | 0 | if (status != PSA_SUCCESS) { |
166 | 0 | return status; |
167 | 0 | } |
168 | | |
169 | 0 | status = psa_crypto_driver_pake_get_user_len(inputs, &user_len); |
170 | 0 | if (status != PSA_SUCCESS) { |
171 | 0 | return status; |
172 | 0 | } |
173 | | |
174 | 0 | status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len); |
175 | 0 | if (status != PSA_SUCCESS) { |
176 | 0 | return status; |
177 | 0 | } |
178 | | |
179 | 0 | status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite); |
180 | 0 | if (status != PSA_SUCCESS) { |
181 | 0 | return status; |
182 | 0 | } |
183 | | |
184 | 0 | operation->password = mbedtls_calloc(1, password_len); |
185 | 0 | if (operation->password == NULL) { |
186 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
187 | 0 | goto error; |
188 | 0 | } |
189 | | |
190 | 0 | user = mbedtls_calloc(1, user_len); |
191 | 0 | if (user == NULL) { |
192 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
193 | 0 | goto error; |
194 | 0 | } |
195 | | |
196 | 0 | peer = mbedtls_calloc(1, peer_len); |
197 | 0 | if (peer == NULL) { |
198 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
199 | 0 | goto error; |
200 | 0 | } |
201 | | |
202 | 0 | status = psa_crypto_driver_pake_get_password(inputs, operation->password, |
203 | 0 | password_len, &actual_password_len); |
204 | 0 | if (status != PSA_SUCCESS) { |
205 | 0 | goto error; |
206 | 0 | } |
207 | | |
208 | 0 | status = psa_crypto_driver_pake_get_user(inputs, user, |
209 | 0 | user_len, &actual_user_len); |
210 | 0 | if (status != PSA_SUCCESS) { |
211 | 0 | goto error; |
212 | 0 | } |
213 | | |
214 | 0 | status = psa_crypto_driver_pake_get_peer(inputs, peer, |
215 | 0 | peer_len, &actual_peer_len); |
216 | 0 | if (status != PSA_SUCCESS) { |
217 | 0 | goto error; |
218 | 0 | } |
219 | | |
220 | 0 | operation->password_len = actual_password_len; |
221 | 0 | operation->alg = cipher_suite.algorithm; |
222 | |
|
223 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
224 | 0 | if (cipher_suite.algorithm == PSA_ALG_JPAKE) { |
225 | 0 | if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || |
226 | 0 | cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || |
227 | 0 | cipher_suite.bits != 256 || |
228 | 0 | cipher_suite.hash != PSA_ALG_SHA_256) { |
229 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
230 | 0 | goto error; |
231 | 0 | } |
232 | | |
233 | 0 | const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length |
234 | 0 | if (actual_user_len != user_peer_len || |
235 | 0 | actual_peer_len != user_peer_len) { |
236 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
237 | 0 | goto error; |
238 | 0 | } |
239 | | |
240 | 0 | if (memcmp(user, jpake_client_id, actual_user_len) == 0 && |
241 | 0 | memcmp(peer, jpake_server_id, actual_peer_len) == 0) { |
242 | 0 | operation->role = MBEDTLS_ECJPAKE_CLIENT; |
243 | 0 | } else |
244 | 0 | if (memcmp(user, jpake_server_id, actual_user_len) == 0 && |
245 | 0 | memcmp(peer, jpake_client_id, actual_peer_len) == 0) { |
246 | 0 | operation->role = MBEDTLS_ECJPAKE_SERVER; |
247 | 0 | } else { |
248 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
249 | 0 | goto error; |
250 | 0 | } |
251 | | |
252 | 0 | operation->buffer_length = 0; |
253 | 0 | operation->buffer_offset = 0; |
254 | |
|
255 | 0 | status = psa_pake_ecjpake_setup(operation); |
256 | 0 | if (status != PSA_SUCCESS) { |
257 | 0 | goto error; |
258 | 0 | } |
259 | | |
260 | | /* Role has been set, release user/peer buffers. */ |
261 | 0 | mbedtls_free(user); mbedtls_free(peer); |
262 | |
|
263 | 0 | return PSA_SUCCESS; |
264 | 0 | } else |
265 | | #else |
266 | | (void) operation; |
267 | | (void) inputs; |
268 | | #endif |
269 | 0 | { status = PSA_ERROR_NOT_SUPPORTED; } |
270 | | |
271 | 0 | error: |
272 | 0 | mbedtls_free(user); mbedtls_free(peer); |
273 | | /* In case of failure of the setup of a multipart operation, the PSA driver interface |
274 | | * specifies that the core does not call any other driver entry point thus does not |
275 | | * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean |
276 | | * up like freeing the memory that may have been allocated to store the password. |
277 | | */ |
278 | 0 | mbedtls_psa_pake_abort(operation); |
279 | 0 | return status; |
280 | 0 | } |
281 | | |
282 | | static psa_status_t mbedtls_psa_pake_output_internal( |
283 | | mbedtls_psa_pake_operation_t *operation, |
284 | | psa_crypto_driver_pake_step_t step, |
285 | | uint8_t *output, |
286 | | size_t output_size, |
287 | | size_t *output_length) |
288 | 0 | { |
289 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
290 | 0 | size_t length; |
291 | 0 | (void) step; // Unused parameter |
292 | |
|
293 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
294 | | /* |
295 | | * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different |
296 | | * handling of output sequencing. |
297 | | * |
298 | | * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data |
299 | | * at once, on the other side the PSA CRYPTO PAKE api requires |
300 | | * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be |
301 | | * retrieved in sequence. |
302 | | * |
303 | | * In order to achieve API compatibility, the whole X1+X2 or X2S steps |
304 | | * data is stored in an intermediate buffer at first step output call, |
305 | | * and data is sliced down by parsing the ECPoint records in order |
306 | | * to return the right parts on each step. |
307 | | */ |
308 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
309 | | /* Initialize & write round on KEY_SHARE sequences */ |
310 | 0 | if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) { |
311 | 0 | ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake, |
312 | 0 | operation->buffer, |
313 | 0 | sizeof(operation->buffer), |
314 | 0 | &operation->buffer_length, |
315 | 0 | mbedtls_psa_get_random, |
316 | 0 | MBEDTLS_PSA_RANDOM_STATE); |
317 | 0 | if (ret != 0) { |
318 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
319 | 0 | } |
320 | | |
321 | 0 | operation->buffer_offset = 0; |
322 | 0 | } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) { |
323 | 0 | ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake, |
324 | 0 | operation->buffer, |
325 | 0 | sizeof(operation->buffer), |
326 | 0 | &operation->buffer_length, |
327 | 0 | mbedtls_psa_get_random, |
328 | 0 | MBEDTLS_PSA_RANDOM_STATE); |
329 | 0 | if (ret != 0) { |
330 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
331 | 0 | } |
332 | | |
333 | 0 | operation->buffer_offset = 0; |
334 | 0 | } |
335 | | |
336 | | /* |
337 | | * mbedtls_ecjpake_write_round_xxx() outputs thing in the format |
338 | | * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is |
339 | | * that the data for each step is prepended with a length byte, and |
340 | | * then they're concatenated. Additionally, the server's second round |
341 | | * output is prepended with a 3-bytes ECParameters structure. |
342 | | * |
343 | | * In PSA, we output each step separately, and don't prepend the |
344 | | * output with a length byte, even less a curve identifier, as that |
345 | | * information is already available. |
346 | | */ |
347 | 0 | if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE && |
348 | 0 | operation->role == MBEDTLS_ECJPAKE_SERVER) { |
349 | | /* Skip ECParameters, with is 3 bytes (RFC 8422) */ |
350 | 0 | operation->buffer_offset += 3; |
351 | 0 | } |
352 | | |
353 | | /* Read the length byte then move past it to the data */ |
354 | 0 | length = operation->buffer[operation->buffer_offset]; |
355 | 0 | operation->buffer_offset += 1; |
356 | |
|
357 | 0 | if (operation->buffer_offset + length > operation->buffer_length) { |
358 | 0 | return PSA_ERROR_DATA_CORRUPT; |
359 | 0 | } |
360 | | |
361 | 0 | if (output_size < length) { |
362 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
363 | 0 | } |
364 | | |
365 | 0 | memcpy(output, |
366 | 0 | operation->buffer + operation->buffer_offset, |
367 | 0 | length); |
368 | 0 | *output_length = length; |
369 | |
|
370 | 0 | operation->buffer_offset += length; |
371 | | |
372 | | /* Reset buffer after ZK_PROOF sequence */ |
373 | 0 | if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) || |
374 | 0 | (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) { |
375 | 0 | mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); |
376 | 0 | operation->buffer_length = 0; |
377 | 0 | operation->buffer_offset = 0; |
378 | 0 | } |
379 | |
|
380 | 0 | return PSA_SUCCESS; |
381 | 0 | } else |
382 | | #else |
383 | | (void) step; |
384 | | (void) output; |
385 | | (void) output_size; |
386 | | (void) output_length; |
387 | | #endif |
388 | 0 | { return PSA_ERROR_NOT_SUPPORTED; } |
389 | 0 | } |
390 | | |
391 | | psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, |
392 | | psa_crypto_driver_pake_step_t step, |
393 | | uint8_t *output, |
394 | | size_t output_size, |
395 | | size_t *output_length) |
396 | 0 | { |
397 | 0 | psa_status_t status = mbedtls_psa_pake_output_internal( |
398 | 0 | operation, step, output, output_size, output_length); |
399 | |
|
400 | 0 | return status; |
401 | 0 | } |
402 | | |
403 | | static psa_status_t mbedtls_psa_pake_input_internal( |
404 | | mbedtls_psa_pake_operation_t *operation, |
405 | | psa_crypto_driver_pake_step_t step, |
406 | | const uint8_t *input, |
407 | | size_t input_length) |
408 | 0 | { |
409 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
410 | 0 | (void) step; // Unused parameter |
411 | |
|
412 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
413 | | /* |
414 | | * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different |
415 | | * handling of input sequencing. |
416 | | * |
417 | | * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data |
418 | | * at once as input, on the other side the PSA CRYPTO PAKE api requires |
419 | | * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be |
420 | | * given in sequence. |
421 | | * |
422 | | * In order to achieve API compatibility, each X1+X2 or X4S step data |
423 | | * is stored sequentially in an intermediate buffer and given to the |
424 | | * Mbed TLS JPAKE API on the last step. |
425 | | * |
426 | | * This causes any input error to be only detected on the last step. |
427 | | */ |
428 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
429 | | /* |
430 | | * Copy input to local buffer and format it as the Mbed TLS API |
431 | | * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. |
432 | | * The summary is that the data for each step is prepended with a |
433 | | * length byte, and then they're concatenated. Additionally, the |
434 | | * server's second round output is prepended with a 3-bytes |
435 | | * ECParameters structure - which means we have to prepend that when |
436 | | * we're a client. |
437 | | */ |
438 | 0 | if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE && |
439 | 0 | operation->role == MBEDTLS_ECJPAKE_CLIENT) { |
440 | | /* We only support secp256r1. */ |
441 | | /* This is the ECParameters structure defined by RFC 8422. */ |
442 | 0 | unsigned char ecparameters[3] = { |
443 | 0 | 3, /* named_curve */ |
444 | 0 | 0, 23 /* secp256r1 */ |
445 | 0 | }; |
446 | |
|
447 | 0 | if (operation->buffer_length + sizeof(ecparameters) > |
448 | 0 | sizeof(operation->buffer)) { |
449 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
450 | 0 | } |
451 | | |
452 | 0 | memcpy(operation->buffer + operation->buffer_length, |
453 | 0 | ecparameters, sizeof(ecparameters)); |
454 | 0 | operation->buffer_length += sizeof(ecparameters); |
455 | 0 | } |
456 | | |
457 | | /* |
458 | | * The core checks that input_length is smaller than |
459 | | * PSA_PAKE_INPUT_MAX_SIZE. |
460 | | * Thus no risk of integer overflow here. |
461 | | */ |
462 | 0 | if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) { |
463 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
464 | 0 | } |
465 | | |
466 | | /* Write the length byte */ |
467 | 0 | operation->buffer[operation->buffer_length] = (uint8_t) input_length; |
468 | 0 | operation->buffer_length += 1; |
469 | | |
470 | | /* Finally copy the data */ |
471 | 0 | memcpy(operation->buffer + operation->buffer_length, |
472 | 0 | input, input_length); |
473 | 0 | operation->buffer_length += input_length; |
474 | | |
475 | | /* Load buffer at each last round ZK_PROOF */ |
476 | 0 | if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) { |
477 | 0 | ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake, |
478 | 0 | operation->buffer, |
479 | 0 | operation->buffer_length); |
480 | |
|
481 | 0 | mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); |
482 | 0 | operation->buffer_length = 0; |
483 | |
|
484 | 0 | if (ret != 0) { |
485 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
486 | 0 | } |
487 | 0 | } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) { |
488 | 0 | ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake, |
489 | 0 | operation->buffer, |
490 | 0 | operation->buffer_length); |
491 | |
|
492 | 0 | mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); |
493 | 0 | operation->buffer_length = 0; |
494 | |
|
495 | 0 | if (ret != 0) { |
496 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
497 | 0 | } |
498 | 0 | } |
499 | | |
500 | 0 | return PSA_SUCCESS; |
501 | 0 | } else |
502 | | #else |
503 | | (void) step; |
504 | | (void) input; |
505 | | (void) input_length; |
506 | | #endif |
507 | 0 | { return PSA_ERROR_NOT_SUPPORTED; } |
508 | 0 | } |
509 | | |
510 | | psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, |
511 | | psa_crypto_driver_pake_step_t step, |
512 | | const uint8_t *input, |
513 | | size_t input_length) |
514 | 0 | { |
515 | 0 | psa_status_t status = mbedtls_psa_pake_input_internal( |
516 | 0 | operation, step, input, input_length); |
517 | |
|
518 | 0 | return status; |
519 | 0 | } |
520 | | |
521 | | psa_status_t mbedtls_psa_pake_get_implicit_key( |
522 | | mbedtls_psa_pake_operation_t *operation, |
523 | | uint8_t *output, size_t output_size, |
524 | | size_t *output_length) |
525 | 0 | { |
526 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
527 | |
|
528 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
529 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
530 | 0 | ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake, |
531 | 0 | output, |
532 | 0 | output_size, |
533 | 0 | output_length, |
534 | 0 | mbedtls_psa_get_random, |
535 | 0 | MBEDTLS_PSA_RANDOM_STATE); |
536 | 0 | if (ret != 0) { |
537 | 0 | return mbedtls_ecjpake_to_psa_error(ret); |
538 | 0 | } |
539 | | |
540 | 0 | return PSA_SUCCESS; |
541 | 0 | } else |
542 | | #else |
543 | | (void) output; |
544 | | #endif |
545 | 0 | { return PSA_ERROR_NOT_SUPPORTED; } |
546 | 0 | } |
547 | | |
548 | | psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) |
549 | 0 | { |
550 | 0 | mbedtls_zeroize_and_free(operation->password, operation->password_len); |
551 | 0 | operation->password = NULL; |
552 | 0 | operation->password_len = 0; |
553 | |
|
554 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) |
555 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
556 | 0 | operation->role = MBEDTLS_ECJPAKE_NONE; |
557 | 0 | mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); |
558 | 0 | operation->buffer_length = 0; |
559 | 0 | operation->buffer_offset = 0; |
560 | 0 | mbedtls_ecjpake_free(&operation->ctx.jpake); |
561 | 0 | } |
562 | 0 | #endif |
563 | |
|
564 | 0 | operation->alg = PSA_ALG_NONE; |
565 | |
|
566 | 0 | return PSA_SUCCESS; |
567 | 0 | } |
568 | | |
569 | | #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ |
570 | | |
571 | | #endif /* MBEDTLS_PSA_CRYPTO_C */ |