1/* 2 * PSA PAKE layer on top of Mbed TLS software crypto 3 */ 4/* 5 * Copyright The Mbed TLS Contributors 6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 7 */ 8 9#include "common.h" 10 11#if defined(MBEDTLS_PSA_CRYPTO_C) 12 13#include <psa/crypto.h> 14#include "psa_crypto_core.h" 15#include "psa_crypto_pake.h" 16#include "psa_crypto_slot_management.h" 17 18#include <mbedtls/ecjpake.h> 19#include "psa_util_internal.h" 20 21#include <mbedtls/platform.h> 22#include <mbedtls/error.h> 23#include <string.h> 24 25/* 26 * State sequence: 27 * 28 * psa_pake_setup() 29 * | 30 * |-- In any order: 31 * | | psa_pake_set_password_key() 32 * | | psa_pake_set_user() 33 * | | psa_pake_set_peer() 34 * | | psa_pake_set_role() 35 * | 36 * |--- In any order: (First round input before or after first round output) 37 * | | 38 * | |------ In Order 39 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) 40 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) 41 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) 42 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) 43 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) 44 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) 45 * | | 46 * | |------ In Order: 47 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) 48 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) 49 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) 50 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) 51 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) 52 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) 53 * | 54 * |--- In any order: (Second round input before or after second round output) 55 * | | 56 * | |------ In Order 57 * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) 58 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) 59 * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) 60 * | | 61 * | |------ In Order: 62 * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) 63 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) 64 * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) 65 * | 66 * psa_pake_get_implicit_key() 67 * psa_pake_abort() 68 */ 69 70/* 71 * Possible sequence of calls to implementation: 72 * 73 * |--- In any order: 74 * | | 75 * | |------ In Order 76 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE) 77 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC) 78 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF) 79 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE) 80 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC) 81 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF) 82 * | | 83 * | |------ In Order: 84 * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE) 85 * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC) 86 * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF) 87 * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE) 88 * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC) 89 * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF) 90 * | 91 * |--- In any order: 92 * | | 93 * | |------ In Order 94 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE) 95 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC) 96 * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF) 97 * | | 98 * | |------ In Order: 99 * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE) 100 * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC) 101 * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF) 102 */ 103 104#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 105static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) 106{ 107 switch (ret) { 108 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: 109 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: 110 case MBEDTLS_ERR_ECP_INVALID_KEY: 111 case MBEDTLS_ERR_ECP_VERIFY_FAILED: 112 return PSA_ERROR_DATA_INVALID; 113 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: 114 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: 115 return PSA_ERROR_BUFFER_TOO_SMALL; 116 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: 117 return PSA_ERROR_NOT_SUPPORTED; 118 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: 119 return PSA_ERROR_CORRUPTION_DETECTED; 120 default: 121 return PSA_ERROR_GENERIC_ERROR; 122 } 123} 124#endif 125 126#if defined(MBEDTLS_PSA_BUILTIN_PAKE) 127#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 128static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) 129{ 130 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 131 132 mbedtls_ecjpake_init(&operation->ctx.jpake); 133 134 ret = mbedtls_ecjpake_setup(&operation->ctx.jpake, 135 operation->role, 136 MBEDTLS_MD_SHA256, 137 MBEDTLS_ECP_DP_SECP256R1, 138 operation->password, 139 operation->password_len); 140 141 mbedtls_platform_zeroize(operation->password, operation->password_len); 142 143 if (ret != 0) { 144 return mbedtls_ecjpake_to_psa_error(ret); 145 } 146 147 return PSA_SUCCESS; 148} 149#endif 150 151/* The only two JPAKE user/peer identifiers supported in built-in implementation. */ 152static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 153static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 154 155psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, 156 const psa_crypto_driver_pake_inputs_t *inputs) 157{ 158 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 159 size_t user_len = 0, peer_len = 0, password_len = 0; 160 uint8_t *peer = NULL, *user = NULL; 161 size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0; 162 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 163 164 status = psa_crypto_driver_pake_get_password_len(inputs, &password_len); 165 if (status != PSA_SUCCESS) { 166 return status; 167 } 168 169 status = psa_crypto_driver_pake_get_user_len(inputs, &user_len); 170 if (status != PSA_SUCCESS) { 171 return status; 172 } 173 174 status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len); 175 if (status != PSA_SUCCESS) { 176 return status; 177 } 178 179 status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite); 180 if (status != PSA_SUCCESS) { 181 return status; 182 } 183 184 operation->password = mbedtls_calloc(1, password_len); 185 if (operation->password == NULL) { 186 status = PSA_ERROR_INSUFFICIENT_MEMORY; 187 goto error; 188 } 189 190 user = mbedtls_calloc(1, user_len); 191 if (user == NULL) { 192 status = PSA_ERROR_INSUFFICIENT_MEMORY; 193 goto error; 194 } 195 196 peer = mbedtls_calloc(1, peer_len); 197 if (peer == NULL) { 198 status = PSA_ERROR_INSUFFICIENT_MEMORY; 199 goto error; 200 } 201 202 status = psa_crypto_driver_pake_get_password(inputs, operation->password, 203 password_len, &actual_password_len); 204 if (status != PSA_SUCCESS) { 205 goto error; 206 } 207 208 status = psa_crypto_driver_pake_get_user(inputs, user, 209 user_len, &actual_user_len); 210 if (status != PSA_SUCCESS) { 211 goto error; 212 } 213 214 status = psa_crypto_driver_pake_get_peer(inputs, peer, 215 peer_len, &actual_peer_len); 216 if (status != PSA_SUCCESS) { 217 goto error; 218 } 219 220 operation->password_len = actual_password_len; 221 operation->alg = cipher_suite.algorithm; 222 223#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 224 if (cipher_suite.algorithm == PSA_ALG_JPAKE) { 225 if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || 226 cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || 227 cipher_suite.bits != 256 || 228 cipher_suite.hash != PSA_ALG_SHA_256) { 229 status = PSA_ERROR_NOT_SUPPORTED; 230 goto error; 231 } 232 233 const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length 234 if (actual_user_len != user_peer_len || 235 actual_peer_len != user_peer_len) { 236 status = PSA_ERROR_NOT_SUPPORTED; 237 goto error; 238 } 239 240 if (memcmp(user, jpake_client_id, actual_user_len) == 0 && 241 memcmp(peer, jpake_server_id, actual_peer_len) == 0) { 242 operation->role = MBEDTLS_ECJPAKE_CLIENT; 243 } else 244 if (memcmp(user, jpake_server_id, actual_user_len) == 0 && 245 memcmp(peer, jpake_client_id, actual_peer_len) == 0) { 246 operation->role = MBEDTLS_ECJPAKE_SERVER; 247 } else { 248 status = PSA_ERROR_NOT_SUPPORTED; 249 goto error; 250 } 251 252 operation->buffer_length = 0; 253 operation->buffer_offset = 0; 254 255 status = psa_pake_ecjpake_setup(operation); 256 if (status != PSA_SUCCESS) { 257 goto error; 258 } 259 260 /* Role has been set, release user/peer buffers. */ 261 mbedtls_free(user); mbedtls_free(peer); 262 263 return PSA_SUCCESS; 264 } else 265#else 266 (void) operation; 267 (void) inputs; 268#endif 269 { status = PSA_ERROR_NOT_SUPPORTED; } 270 271error: 272 mbedtls_free(user); mbedtls_free(peer); 273 /* In case of failure of the setup of a multipart operation, the PSA driver interface 274 * specifies that the core does not call any other driver entry point thus does not 275 * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean 276 * up like freeing the memory that may have been allocated to store the password. 277 */ 278 mbedtls_psa_pake_abort(operation); 279 return status; 280} 281 282static psa_status_t mbedtls_psa_pake_output_internal( 283 mbedtls_psa_pake_operation_t *operation, 284 psa_crypto_driver_pake_step_t step, 285 uint8_t *output, 286 size_t output_size, 287 size_t *output_length) 288{ 289 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 290 size_t length; 291 (void) step; // Unused parameter 292 293#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 294 /* 295 * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different 296 * handling of output sequencing. 297 * 298 * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data 299 * at once, on the other side the PSA CRYPTO PAKE api requires 300 * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be 301 * retrieved in sequence. 302 * 303 * In order to achieve API compatibility, the whole X1+X2 or X2S steps 304 * data is stored in an intermediate buffer at first step output call, 305 * and data is sliced down by parsing the ECPoint records in order 306 * to return the right parts on each step. 307 */ 308 if (operation->alg == PSA_ALG_JPAKE) { 309 /* Initialize & write round on KEY_SHARE sequences */ 310 if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) { 311 ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake, 312 operation->buffer, 313 sizeof(operation->buffer), 314 &operation->buffer_length, 315 mbedtls_psa_get_random, 316 MBEDTLS_PSA_RANDOM_STATE); 317 if (ret != 0) { 318 return mbedtls_ecjpake_to_psa_error(ret); 319 } 320 321 operation->buffer_offset = 0; 322 } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) { 323 ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake, 324 operation->buffer, 325 sizeof(operation->buffer), 326 &operation->buffer_length, 327 mbedtls_psa_get_random, 328 MBEDTLS_PSA_RANDOM_STATE); 329 if (ret != 0) { 330 return mbedtls_ecjpake_to_psa_error(ret); 331 } 332 333 operation->buffer_offset = 0; 334 } 335 336 /* 337 * mbedtls_ecjpake_write_round_xxx() outputs thing in the format 338 * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is 339 * that the data for each step is prepended with a length byte, and 340 * then they're concatenated. Additionally, the server's second round 341 * output is prepended with a 3-bytes ECParameters structure. 342 * 343 * In PSA, we output each step separately, and don't prepend the 344 * output with a length byte, even less a curve identifier, as that 345 * information is already available. 346 */ 347 if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE && 348 operation->role == MBEDTLS_ECJPAKE_SERVER) { 349 /* Skip ECParameters, with is 3 bytes (RFC 8422) */ 350 operation->buffer_offset += 3; 351 } 352 353 /* Read the length byte then move past it to the data */ 354 length = operation->buffer[operation->buffer_offset]; 355 operation->buffer_offset += 1; 356 357 if (operation->buffer_offset + length > operation->buffer_length) { 358 return PSA_ERROR_DATA_CORRUPT; 359 } 360 361 if (output_size < length) { 362 return PSA_ERROR_BUFFER_TOO_SMALL; 363 } 364 365 memcpy(output, 366 operation->buffer + operation->buffer_offset, 367 length); 368 *output_length = length; 369 370 operation->buffer_offset += length; 371 372 /* Reset buffer after ZK_PROOF sequence */ 373 if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) || 374 (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) { 375 mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); 376 operation->buffer_length = 0; 377 operation->buffer_offset = 0; 378 } 379 380 return PSA_SUCCESS; 381 } else 382#else 383 (void) step; 384 (void) output; 385 (void) output_size; 386 (void) output_length; 387#endif 388 { return PSA_ERROR_NOT_SUPPORTED; } 389} 390 391psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, 392 psa_crypto_driver_pake_step_t step, 393 uint8_t *output, 394 size_t output_size, 395 size_t *output_length) 396{ 397 psa_status_t status = mbedtls_psa_pake_output_internal( 398 operation, step, output, output_size, output_length); 399 400 return status; 401} 402 403static psa_status_t mbedtls_psa_pake_input_internal( 404 mbedtls_psa_pake_operation_t *operation, 405 psa_crypto_driver_pake_step_t step, 406 const uint8_t *input, 407 size_t input_length) 408{ 409 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 410 (void) step; // Unused parameter 411 412#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 413 /* 414 * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different 415 * handling of input sequencing. 416 * 417 * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data 418 * at once as input, on the other side the PSA CRYPTO PAKE api requires 419 * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be 420 * given in sequence. 421 * 422 * In order to achieve API compatibility, each X1+X2 or X4S step data 423 * is stored sequentially in an intermediate buffer and given to the 424 * Mbed TLS JPAKE API on the last step. 425 * 426 * This causes any input error to be only detected on the last step. 427 */ 428 if (operation->alg == PSA_ALG_JPAKE) { 429 /* 430 * Copy input to local buffer and format it as the Mbed TLS API 431 * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. 432 * The summary is that the data for each step is prepended with a 433 * length byte, and then they're concatenated. Additionally, the 434 * server's second round output is prepended with a 3-bytes 435 * ECParameters structure - which means we have to prepend that when 436 * we're a client. 437 */ 438 if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE && 439 operation->role == MBEDTLS_ECJPAKE_CLIENT) { 440 /* We only support secp256r1. */ 441 /* This is the ECParameters structure defined by RFC 8422. */ 442 unsigned char ecparameters[3] = { 443 3, /* named_curve */ 444 0, 23 /* secp256r1 */ 445 }; 446 447 if (operation->buffer_length + sizeof(ecparameters) > 448 sizeof(operation->buffer)) { 449 return PSA_ERROR_BUFFER_TOO_SMALL; 450 } 451 452 memcpy(operation->buffer + operation->buffer_length, 453 ecparameters, sizeof(ecparameters)); 454 operation->buffer_length += sizeof(ecparameters); 455 } 456 457 /* 458 * The core checks that input_length is smaller than 459 * PSA_PAKE_INPUT_MAX_SIZE. 460 * Thus no risk of integer overflow here. 461 */ 462 if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) { 463 return PSA_ERROR_BUFFER_TOO_SMALL; 464 } 465 466 /* Write the length byte */ 467 operation->buffer[operation->buffer_length] = (uint8_t) input_length; 468 operation->buffer_length += 1; 469 470 /* Finally copy the data */ 471 memcpy(operation->buffer + operation->buffer_length, 472 input, input_length); 473 operation->buffer_length += input_length; 474 475 /* Load buffer at each last round ZK_PROOF */ 476 if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) { 477 ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake, 478 operation->buffer, 479 operation->buffer_length); 480 481 mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); 482 operation->buffer_length = 0; 483 484 if (ret != 0) { 485 return mbedtls_ecjpake_to_psa_error(ret); 486 } 487 } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) { 488 ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake, 489 operation->buffer, 490 operation->buffer_length); 491 492 mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); 493 operation->buffer_length = 0; 494 495 if (ret != 0) { 496 return mbedtls_ecjpake_to_psa_error(ret); 497 } 498 } 499 500 return PSA_SUCCESS; 501 } else 502#else 503 (void) step; 504 (void) input; 505 (void) input_length; 506#endif 507 { return PSA_ERROR_NOT_SUPPORTED; } 508} 509 510psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, 511 psa_crypto_driver_pake_step_t step, 512 const uint8_t *input, 513 size_t input_length) 514{ 515 psa_status_t status = mbedtls_psa_pake_input_internal( 516 operation, step, input, input_length); 517 518 return status; 519} 520 521psa_status_t mbedtls_psa_pake_get_implicit_key( 522 mbedtls_psa_pake_operation_t *operation, 523 uint8_t *output, size_t output_size, 524 size_t *output_length) 525{ 526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 527 528#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 529 if (operation->alg == PSA_ALG_JPAKE) { 530 ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake, 531 output, 532 output_size, 533 output_length, 534 mbedtls_psa_get_random, 535 MBEDTLS_PSA_RANDOM_STATE); 536 if (ret != 0) { 537 return mbedtls_ecjpake_to_psa_error(ret); 538 } 539 540 return PSA_SUCCESS; 541 } else 542#else 543 (void) output; 544#endif 545 { return PSA_ERROR_NOT_SUPPORTED; } 546} 547 548psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) 549{ 550 mbedtls_zeroize_and_free(operation->password, operation->password_len); 551 operation->password = NULL; 552 operation->password_len = 0; 553 554#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 555 if (operation->alg == PSA_ALG_JPAKE) { 556 operation->role = MBEDTLS_ECJPAKE_NONE; 557 mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); 558 operation->buffer_length = 0; 559 operation->buffer_offset = 0; 560 mbedtls_ecjpake_free(&operation->ctx.jpake); 561 } 562#endif 563 564 operation->alg = PSA_ALG_NONE; 565 566 return PSA_SUCCESS; 567} 568 569#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ 570 571#endif /* MBEDTLS_PSA_CRYPTO_C */ 572