1*62c56f98SSadaf Ebrahimi /**
2*62c56f98SSadaf Ebrahimi * \file psa/crypto_extra.h
3*62c56f98SSadaf Ebrahimi *
4*62c56f98SSadaf Ebrahimi * \brief PSA cryptography module: Mbed TLS vendor extensions
5*62c56f98SSadaf Ebrahimi *
6*62c56f98SSadaf Ebrahimi * \note This file may not be included directly. Applications must
7*62c56f98SSadaf Ebrahimi * include psa/crypto.h.
8*62c56f98SSadaf Ebrahimi *
9*62c56f98SSadaf Ebrahimi * This file is reserved for vendor-specific definitions.
10*62c56f98SSadaf Ebrahimi */
11*62c56f98SSadaf Ebrahimi /*
12*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors
13*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
14*62c56f98SSadaf Ebrahimi */
15*62c56f98SSadaf Ebrahimi
16*62c56f98SSadaf Ebrahimi #ifndef PSA_CRYPTO_EXTRA_H
17*62c56f98SSadaf Ebrahimi #define PSA_CRYPTO_EXTRA_H
18*62c56f98SSadaf Ebrahimi #include "mbedtls/private_access.h"
19*62c56f98SSadaf Ebrahimi
20*62c56f98SSadaf Ebrahimi #include "crypto_types.h"
21*62c56f98SSadaf Ebrahimi #include "crypto_compat.h"
22*62c56f98SSadaf Ebrahimi
23*62c56f98SSadaf Ebrahimi #ifdef __cplusplus
24*62c56f98SSadaf Ebrahimi extern "C" {
25*62c56f98SSadaf Ebrahimi #endif
26*62c56f98SSadaf Ebrahimi
27*62c56f98SSadaf Ebrahimi /* UID for secure storage seed */
28*62c56f98SSadaf Ebrahimi #define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
29*62c56f98SSadaf Ebrahimi
30*62c56f98SSadaf Ebrahimi /* See mbedtls_config.h for definition */
31*62c56f98SSadaf Ebrahimi #if !defined(MBEDTLS_PSA_KEY_SLOT_COUNT)
32*62c56f98SSadaf Ebrahimi #define MBEDTLS_PSA_KEY_SLOT_COUNT 32
33*62c56f98SSadaf Ebrahimi #endif
34*62c56f98SSadaf Ebrahimi
35*62c56f98SSadaf Ebrahimi /** \addtogroup attributes
36*62c56f98SSadaf Ebrahimi * @{
37*62c56f98SSadaf Ebrahimi */
38*62c56f98SSadaf Ebrahimi
39*62c56f98SSadaf Ebrahimi /** \brief Declare the enrollment algorithm for a key.
40*62c56f98SSadaf Ebrahimi *
41*62c56f98SSadaf Ebrahimi * An operation on a key may indifferently use the algorithm set with
42*62c56f98SSadaf Ebrahimi * psa_set_key_algorithm() or with this function.
43*62c56f98SSadaf Ebrahimi *
44*62c56f98SSadaf Ebrahimi * \param[out] attributes The attribute structure to write to.
45*62c56f98SSadaf Ebrahimi * \param alg2 A second algorithm that the key may be used
46*62c56f98SSadaf Ebrahimi * for, in addition to the algorithm set with
47*62c56f98SSadaf Ebrahimi * psa_set_key_algorithm().
48*62c56f98SSadaf Ebrahimi *
49*62c56f98SSadaf Ebrahimi * \warning Setting an enrollment algorithm is not recommended, because
50*62c56f98SSadaf Ebrahimi * using the same key with different algorithms can allow some
51*62c56f98SSadaf Ebrahimi * attacks based on arithmetic relations between different
52*62c56f98SSadaf Ebrahimi * computations made with the same key, or can escalate harmless
53*62c56f98SSadaf Ebrahimi * side channels into exploitable ones. Use this function only
54*62c56f98SSadaf Ebrahimi * if it is necessary to support a protocol for which it has been
55*62c56f98SSadaf Ebrahimi * verified that the usage of the key with multiple algorithms
56*62c56f98SSadaf Ebrahimi * is safe.
57*62c56f98SSadaf Ebrahimi */
psa_set_key_enrollment_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg2)58*62c56f98SSadaf Ebrahimi static inline void psa_set_key_enrollment_algorithm(
59*62c56f98SSadaf Ebrahimi psa_key_attributes_t *attributes,
60*62c56f98SSadaf Ebrahimi psa_algorithm_t alg2)
61*62c56f98SSadaf Ebrahimi {
62*62c56f98SSadaf Ebrahimi attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2;
63*62c56f98SSadaf Ebrahimi }
64*62c56f98SSadaf Ebrahimi
65*62c56f98SSadaf Ebrahimi /** Retrieve the enrollment algorithm policy from key attributes.
66*62c56f98SSadaf Ebrahimi *
67*62c56f98SSadaf Ebrahimi * \param[in] attributes The key attribute structure to query.
68*62c56f98SSadaf Ebrahimi *
69*62c56f98SSadaf Ebrahimi * \return The enrollment algorithm stored in the attribute structure.
70*62c56f98SSadaf Ebrahimi */
psa_get_key_enrollment_algorithm(const psa_key_attributes_t * attributes)71*62c56f98SSadaf Ebrahimi static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
72*62c56f98SSadaf Ebrahimi const psa_key_attributes_t *attributes)
73*62c56f98SSadaf Ebrahimi {
74*62c56f98SSadaf Ebrahimi return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2);
75*62c56f98SSadaf Ebrahimi }
76*62c56f98SSadaf Ebrahimi
77*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
78*62c56f98SSadaf Ebrahimi
79*62c56f98SSadaf Ebrahimi /** Retrieve the slot number where a key is stored.
80*62c56f98SSadaf Ebrahimi *
81*62c56f98SSadaf Ebrahimi * A slot number is only defined for keys that are stored in a secure
82*62c56f98SSadaf Ebrahimi * element.
83*62c56f98SSadaf Ebrahimi *
84*62c56f98SSadaf Ebrahimi * This information is only useful if the secure element is not entirely
85*62c56f98SSadaf Ebrahimi * managed through the PSA Cryptography API. It is up to the secure
86*62c56f98SSadaf Ebrahimi * element driver to decide how PSA slot numbers map to any other interface
87*62c56f98SSadaf Ebrahimi * that the secure element may have.
88*62c56f98SSadaf Ebrahimi *
89*62c56f98SSadaf Ebrahimi * \param[in] attributes The key attribute structure to query.
90*62c56f98SSadaf Ebrahimi * \param[out] slot_number On success, the slot number containing the key.
91*62c56f98SSadaf Ebrahimi *
92*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
93*62c56f98SSadaf Ebrahimi * The key is located in a secure element, and \p *slot_number
94*62c56f98SSadaf Ebrahimi * indicates the slot number that contains it.
95*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_PERMITTED
96*62c56f98SSadaf Ebrahimi * The caller is not permitted to query the slot number.
97*62c56f98SSadaf Ebrahimi * Mbed TLS currently does not return this error.
98*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
99*62c56f98SSadaf Ebrahimi * The key is not located in a secure element.
100*62c56f98SSadaf Ebrahimi */
101*62c56f98SSadaf Ebrahimi psa_status_t psa_get_key_slot_number(
102*62c56f98SSadaf Ebrahimi const psa_key_attributes_t *attributes,
103*62c56f98SSadaf Ebrahimi psa_key_slot_number_t *slot_number);
104*62c56f98SSadaf Ebrahimi
105*62c56f98SSadaf Ebrahimi /** Choose the slot number where a key is stored.
106*62c56f98SSadaf Ebrahimi *
107*62c56f98SSadaf Ebrahimi * This function declares a slot number in the specified attribute
108*62c56f98SSadaf Ebrahimi * structure.
109*62c56f98SSadaf Ebrahimi *
110*62c56f98SSadaf Ebrahimi * A slot number is only meaningful for keys that are stored in a secure
111*62c56f98SSadaf Ebrahimi * element. It is up to the secure element driver to decide how PSA slot
112*62c56f98SSadaf Ebrahimi * numbers map to any other interface that the secure element may have.
113*62c56f98SSadaf Ebrahimi *
114*62c56f98SSadaf Ebrahimi * \note Setting a slot number in key attributes for a key creation can
115*62c56f98SSadaf Ebrahimi * cause the following errors when creating the key:
116*62c56f98SSadaf Ebrahimi * - #PSA_ERROR_NOT_SUPPORTED if the selected secure element does
117*62c56f98SSadaf Ebrahimi * not support choosing a specific slot number.
118*62c56f98SSadaf Ebrahimi * - #PSA_ERROR_NOT_PERMITTED if the caller is not permitted to
119*62c56f98SSadaf Ebrahimi * choose slot numbers in general or to choose this specific slot.
120*62c56f98SSadaf Ebrahimi * - #PSA_ERROR_INVALID_ARGUMENT if the chosen slot number is not
121*62c56f98SSadaf Ebrahimi * valid in general or not valid for this specific key.
122*62c56f98SSadaf Ebrahimi * - #PSA_ERROR_ALREADY_EXISTS if there is already a key in the
123*62c56f98SSadaf Ebrahimi * selected slot.
124*62c56f98SSadaf Ebrahimi *
125*62c56f98SSadaf Ebrahimi * \param[out] attributes The attribute structure to write to.
126*62c56f98SSadaf Ebrahimi * \param slot_number The slot number to set.
127*62c56f98SSadaf Ebrahimi */
psa_set_key_slot_number(psa_key_attributes_t * attributes,psa_key_slot_number_t slot_number)128*62c56f98SSadaf Ebrahimi static inline void psa_set_key_slot_number(
129*62c56f98SSadaf Ebrahimi psa_key_attributes_t *attributes,
130*62c56f98SSadaf Ebrahimi psa_key_slot_number_t slot_number)
131*62c56f98SSadaf Ebrahimi {
132*62c56f98SSadaf Ebrahimi attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
133*62c56f98SSadaf Ebrahimi attributes->MBEDTLS_PRIVATE(slot_number) = slot_number;
134*62c56f98SSadaf Ebrahimi }
135*62c56f98SSadaf Ebrahimi
136*62c56f98SSadaf Ebrahimi /** Remove the slot number attribute from a key attribute structure.
137*62c56f98SSadaf Ebrahimi *
138*62c56f98SSadaf Ebrahimi * This function undoes the action of psa_set_key_slot_number().
139*62c56f98SSadaf Ebrahimi *
140*62c56f98SSadaf Ebrahimi * \param[out] attributes The attribute structure to write to.
141*62c56f98SSadaf Ebrahimi */
psa_clear_key_slot_number(psa_key_attributes_t * attributes)142*62c56f98SSadaf Ebrahimi static inline void psa_clear_key_slot_number(
143*62c56f98SSadaf Ebrahimi psa_key_attributes_t *attributes)
144*62c56f98SSadaf Ebrahimi {
145*62c56f98SSadaf Ebrahimi attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) &=
146*62c56f98SSadaf Ebrahimi ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
147*62c56f98SSadaf Ebrahimi }
148*62c56f98SSadaf Ebrahimi
149*62c56f98SSadaf Ebrahimi /** Register a key that is already present in a secure element.
150*62c56f98SSadaf Ebrahimi *
151*62c56f98SSadaf Ebrahimi * The key must be located in a secure element designated by the
152*62c56f98SSadaf Ebrahimi * lifetime field in \p attributes, in the slot set with
153*62c56f98SSadaf Ebrahimi * psa_set_key_slot_number() in the attribute structure.
154*62c56f98SSadaf Ebrahimi * This function makes the key available through the key identifier
155*62c56f98SSadaf Ebrahimi * specified in \p attributes.
156*62c56f98SSadaf Ebrahimi *
157*62c56f98SSadaf Ebrahimi * \param[in] attributes The attributes of the existing key.
158*62c56f98SSadaf Ebrahimi *
159*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
160*62c56f98SSadaf Ebrahimi * The key was successfully registered.
161*62c56f98SSadaf Ebrahimi * Note that depending on the design of the driver, this may or may
162*62c56f98SSadaf Ebrahimi * not guarantee that a key actually exists in the designated slot
163*62c56f98SSadaf Ebrahimi * and is compatible with the specified attributes.
164*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_ALREADY_EXISTS
165*62c56f98SSadaf Ebrahimi * There is already a key with the identifier specified in
166*62c56f98SSadaf Ebrahimi * \p attributes.
167*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
168*62c56f98SSadaf Ebrahimi * The secure element driver for the specified lifetime does not
169*62c56f98SSadaf Ebrahimi * support registering a key.
170*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
171*62c56f98SSadaf Ebrahimi * The identifier in \p attributes is invalid, namely the identifier is
172*62c56f98SSadaf Ebrahimi * not in the user range, or
173*62c56f98SSadaf Ebrahimi * \p attributes specifies a lifetime which is not located
174*62c56f98SSadaf Ebrahimi * in a secure element, or no slot number is specified in \p attributes,
175*62c56f98SSadaf Ebrahimi * or the specified slot number is not valid.
176*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_PERMITTED
177*62c56f98SSadaf Ebrahimi * The caller is not authorized to register the specified key slot.
178*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
179*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
180*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
181*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_INVALID \emptydescription
182*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
183*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
184*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
185*62c56f98SSadaf Ebrahimi * The library has not been previously initialized by psa_crypto_init().
186*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
187*62c56f98SSadaf Ebrahimi * results in this error code.
188*62c56f98SSadaf Ebrahimi */
189*62c56f98SSadaf Ebrahimi psa_status_t mbedtls_psa_register_se_key(
190*62c56f98SSadaf Ebrahimi const psa_key_attributes_t *attributes);
191*62c56f98SSadaf Ebrahimi
192*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
193*62c56f98SSadaf Ebrahimi
194*62c56f98SSadaf Ebrahimi /**@}*/
195*62c56f98SSadaf Ebrahimi
196*62c56f98SSadaf Ebrahimi /**
197*62c56f98SSadaf Ebrahimi * \brief Library deinitialization.
198*62c56f98SSadaf Ebrahimi *
199*62c56f98SSadaf Ebrahimi * This function clears all data associated with the PSA layer,
200*62c56f98SSadaf Ebrahimi * including the whole key store.
201*62c56f98SSadaf Ebrahimi *
202*62c56f98SSadaf Ebrahimi * This is an Mbed TLS extension.
203*62c56f98SSadaf Ebrahimi */
204*62c56f98SSadaf Ebrahimi void mbedtls_psa_crypto_free(void);
205*62c56f98SSadaf Ebrahimi
206*62c56f98SSadaf Ebrahimi /** \brief Statistics about
207*62c56f98SSadaf Ebrahimi * resource consumption related to the PSA keystore.
208*62c56f98SSadaf Ebrahimi *
209*62c56f98SSadaf Ebrahimi * \note The content of this structure is not part of the stable API and ABI
210*62c56f98SSadaf Ebrahimi * of Mbed TLS and may change arbitrarily from version to version.
211*62c56f98SSadaf Ebrahimi */
212*62c56f98SSadaf Ebrahimi typedef struct mbedtls_psa_stats_s {
213*62c56f98SSadaf Ebrahimi /** Number of slots containing key material for a volatile key. */
214*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(volatile_slots);
215*62c56f98SSadaf Ebrahimi /** Number of slots containing key material for a key which is in
216*62c56f98SSadaf Ebrahimi * internal persistent storage. */
217*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(persistent_slots);
218*62c56f98SSadaf Ebrahimi /** Number of slots containing a reference to a key in a
219*62c56f98SSadaf Ebrahimi * secure element. */
220*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(external_slots);
221*62c56f98SSadaf Ebrahimi /** Number of slots which are occupied, but do not contain
222*62c56f98SSadaf Ebrahimi * key material yet. */
223*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(half_filled_slots);
224*62c56f98SSadaf Ebrahimi /** Number of slots that contain cache data. */
225*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(cache_slots);
226*62c56f98SSadaf Ebrahimi /** Number of slots that are not used for anything. */
227*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(empty_slots);
228*62c56f98SSadaf Ebrahimi /** Number of slots that are locked. */
229*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(locked_slots);
230*62c56f98SSadaf Ebrahimi /** Largest key id value among open keys in internal persistent storage. */
231*62c56f98SSadaf Ebrahimi psa_key_id_t MBEDTLS_PRIVATE(max_open_internal_key_id);
232*62c56f98SSadaf Ebrahimi /** Largest key id value among open keys in secure elements. */
233*62c56f98SSadaf Ebrahimi psa_key_id_t MBEDTLS_PRIVATE(max_open_external_key_id);
234*62c56f98SSadaf Ebrahimi } mbedtls_psa_stats_t;
235*62c56f98SSadaf Ebrahimi
236*62c56f98SSadaf Ebrahimi /** \brief Get statistics about
237*62c56f98SSadaf Ebrahimi * resource consumption related to the PSA keystore.
238*62c56f98SSadaf Ebrahimi *
239*62c56f98SSadaf Ebrahimi * \note When Mbed TLS is built as part of a service, with isolation
240*62c56f98SSadaf Ebrahimi * between the application and the keystore, the service may or
241*62c56f98SSadaf Ebrahimi * may not expose this function.
242*62c56f98SSadaf Ebrahimi */
243*62c56f98SSadaf Ebrahimi void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats);
244*62c56f98SSadaf Ebrahimi
245*62c56f98SSadaf Ebrahimi /**
246*62c56f98SSadaf Ebrahimi * \brief Inject an initial entropy seed for the random generator into
247*62c56f98SSadaf Ebrahimi * secure storage.
248*62c56f98SSadaf Ebrahimi *
249*62c56f98SSadaf Ebrahimi * This function injects data to be used as a seed for the random generator
250*62c56f98SSadaf Ebrahimi * used by the PSA Crypto implementation. On devices that lack a trusted
251*62c56f98SSadaf Ebrahimi * entropy source (preferably a hardware random number generator),
252*62c56f98SSadaf Ebrahimi * the Mbed PSA Crypto implementation uses this value to seed its
253*62c56f98SSadaf Ebrahimi * random generator.
254*62c56f98SSadaf Ebrahimi *
255*62c56f98SSadaf Ebrahimi * On devices without a trusted entropy source, this function must be
256*62c56f98SSadaf Ebrahimi * called exactly once in the lifetime of the device. On devices with
257*62c56f98SSadaf Ebrahimi * a trusted entropy source, calling this function is optional.
258*62c56f98SSadaf Ebrahimi * In all cases, this function may only be called before calling any
259*62c56f98SSadaf Ebrahimi * other function in the PSA Crypto API, including psa_crypto_init().
260*62c56f98SSadaf Ebrahimi *
261*62c56f98SSadaf Ebrahimi * When this function returns successfully, it populates a file in
262*62c56f98SSadaf Ebrahimi * persistent storage. Once the file has been created, this function
263*62c56f98SSadaf Ebrahimi * can no longer succeed.
264*62c56f98SSadaf Ebrahimi *
265*62c56f98SSadaf Ebrahimi * If any error occurs, this function does not change the system state.
266*62c56f98SSadaf Ebrahimi * You can call this function again after correcting the reason for the
267*62c56f98SSadaf Ebrahimi * error if possible.
268*62c56f98SSadaf Ebrahimi *
269*62c56f98SSadaf Ebrahimi * \warning This function **can** fail! Callers MUST check the return status.
270*62c56f98SSadaf Ebrahimi *
271*62c56f98SSadaf Ebrahimi * \warning If you use this function, you should use it as part of a
272*62c56f98SSadaf Ebrahimi * factory provisioning process. The value of the injected seed
273*62c56f98SSadaf Ebrahimi * is critical to the security of the device. It must be
274*62c56f98SSadaf Ebrahimi * *secret*, *unpredictable* and (statistically) *unique per device*.
275*62c56f98SSadaf Ebrahimi * You should be generate it randomly using a cryptographically
276*62c56f98SSadaf Ebrahimi * secure random generator seeded from trusted entropy sources.
277*62c56f98SSadaf Ebrahimi * You should transmit it securely to the device and ensure
278*62c56f98SSadaf Ebrahimi * that its value is not leaked or stored anywhere beyond the
279*62c56f98SSadaf Ebrahimi * needs of transmitting it from the point of generation to
280*62c56f98SSadaf Ebrahimi * the call of this function, and erase all copies of the value
281*62c56f98SSadaf Ebrahimi * once this function returns.
282*62c56f98SSadaf Ebrahimi *
283*62c56f98SSadaf Ebrahimi * This is an Mbed TLS extension.
284*62c56f98SSadaf Ebrahimi *
285*62c56f98SSadaf Ebrahimi * \note This function is only available on the following platforms:
286*62c56f98SSadaf Ebrahimi * * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled.
287*62c56f98SSadaf Ebrahimi * Note that you must provide compatible implementations of
288*62c56f98SSadaf Ebrahimi * mbedtls_nv_seed_read and mbedtls_nv_seed_write.
289*62c56f98SSadaf Ebrahimi * * In a client-server integration of PSA Cryptography, on the client side,
290*62c56f98SSadaf Ebrahimi * if the server supports this feature.
291*62c56f98SSadaf Ebrahimi * \param[in] seed Buffer containing the seed value to inject.
292*62c56f98SSadaf Ebrahimi * \param[in] seed_size Size of the \p seed buffer.
293*62c56f98SSadaf Ebrahimi * The size of the seed in bytes must be greater
294*62c56f98SSadaf Ebrahimi * or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE
295*62c56f98SSadaf Ebrahimi * and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM
296*62c56f98SSadaf Ebrahimi * in `library/entropy_poll.h` in the Mbed TLS source
297*62c56f98SSadaf Ebrahimi * code.
298*62c56f98SSadaf Ebrahimi * It must be less or equal to
299*62c56f98SSadaf Ebrahimi * #MBEDTLS_ENTROPY_MAX_SEED_SIZE.
300*62c56f98SSadaf Ebrahimi *
301*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
302*62c56f98SSadaf Ebrahimi * The seed value was injected successfully. The random generator
303*62c56f98SSadaf Ebrahimi * of the PSA Crypto implementation is now ready for use.
304*62c56f98SSadaf Ebrahimi * You may now call psa_crypto_init() and use the PSA Crypto
305*62c56f98SSadaf Ebrahimi * implementation.
306*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
307*62c56f98SSadaf Ebrahimi * \p seed_size is out of range.
308*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_STORAGE_FAILURE
309*62c56f98SSadaf Ebrahimi * There was a failure reading or writing from storage.
310*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_PERMITTED
311*62c56f98SSadaf Ebrahimi * The library has already been initialized. It is no longer
312*62c56f98SSadaf Ebrahimi * possible to call this function.
313*62c56f98SSadaf Ebrahimi */
314*62c56f98SSadaf Ebrahimi psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
315*62c56f98SSadaf Ebrahimi size_t seed_size);
316*62c56f98SSadaf Ebrahimi
317*62c56f98SSadaf Ebrahimi /** \addtogroup crypto_types
318*62c56f98SSadaf Ebrahimi * @{
319*62c56f98SSadaf Ebrahimi */
320*62c56f98SSadaf Ebrahimi
321*62c56f98SSadaf Ebrahimi /** DSA public key.
322*62c56f98SSadaf Ebrahimi *
323*62c56f98SSadaf Ebrahimi * The import and export format is the
324*62c56f98SSadaf Ebrahimi * representation of the public key `y = g^x mod p` as a big-endian byte
325*62c56f98SSadaf Ebrahimi * string. The length of the byte string is the length of the base prime `p`
326*62c56f98SSadaf Ebrahimi * in bytes.
327*62c56f98SSadaf Ebrahimi */
328*62c56f98SSadaf Ebrahimi #define PSA_KEY_TYPE_DSA_PUBLIC_KEY ((psa_key_type_t) 0x4002)
329*62c56f98SSadaf Ebrahimi
330*62c56f98SSadaf Ebrahimi /** DSA key pair (private and public key).
331*62c56f98SSadaf Ebrahimi *
332*62c56f98SSadaf Ebrahimi * The import and export format is the
333*62c56f98SSadaf Ebrahimi * representation of the private key `x` as a big-endian byte string. The
334*62c56f98SSadaf Ebrahimi * length of the byte string is the private key size in bytes (leading zeroes
335*62c56f98SSadaf Ebrahimi * are not stripped).
336*62c56f98SSadaf Ebrahimi *
337*62c56f98SSadaf Ebrahimi * Deterministic DSA key derivation with psa_generate_derived_key follows
338*62c56f98SSadaf Ebrahimi * FIPS 186-4 §B.1.2: interpret the byte string as integer
339*62c56f98SSadaf Ebrahimi * in big-endian order. Discard it if it is not in the range
340*62c56f98SSadaf Ebrahimi * [0, *N* - 2] where *N* is the boundary of the private key domain
341*62c56f98SSadaf Ebrahimi * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
342*62c56f98SSadaf Ebrahimi * or the order of the curve's base point for ECC).
343*62c56f98SSadaf Ebrahimi * Add 1 to the resulting integer and use this as the private key *x*.
344*62c56f98SSadaf Ebrahimi *
345*62c56f98SSadaf Ebrahimi */
346*62c56f98SSadaf Ebrahimi #define PSA_KEY_TYPE_DSA_KEY_PAIR ((psa_key_type_t) 0x7002)
347*62c56f98SSadaf Ebrahimi
348*62c56f98SSadaf Ebrahimi /** Whether a key type is a DSA key (pair or public-only). */
349*62c56f98SSadaf Ebrahimi #define PSA_KEY_TYPE_IS_DSA(type) \
350*62c56f98SSadaf Ebrahimi (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY)
351*62c56f98SSadaf Ebrahimi
352*62c56f98SSadaf Ebrahimi #define PSA_ALG_DSA_BASE ((psa_algorithm_t) 0x06000400)
353*62c56f98SSadaf Ebrahimi /** DSA signature with hashing.
354*62c56f98SSadaf Ebrahimi *
355*62c56f98SSadaf Ebrahimi * This is the signature scheme defined by FIPS 186-4,
356*62c56f98SSadaf Ebrahimi * with a random per-message secret number (*k*).
357*62c56f98SSadaf Ebrahimi *
358*62c56f98SSadaf Ebrahimi * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
359*62c56f98SSadaf Ebrahimi * #PSA_ALG_IS_HASH(\p hash_alg) is true).
360*62c56f98SSadaf Ebrahimi * This includes #PSA_ALG_ANY_HASH
361*62c56f98SSadaf Ebrahimi * when specifying the algorithm in a usage policy.
362*62c56f98SSadaf Ebrahimi *
363*62c56f98SSadaf Ebrahimi * \return The corresponding DSA signature algorithm.
364*62c56f98SSadaf Ebrahimi * \return Unspecified if \p hash_alg is not a supported
365*62c56f98SSadaf Ebrahimi * hash algorithm.
366*62c56f98SSadaf Ebrahimi */
367*62c56f98SSadaf Ebrahimi #define PSA_ALG_DSA(hash_alg) \
368*62c56f98SSadaf Ebrahimi (PSA_ALG_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
369*62c56f98SSadaf Ebrahimi #define PSA_ALG_DETERMINISTIC_DSA_BASE ((psa_algorithm_t) 0x06000500)
370*62c56f98SSadaf Ebrahimi #define PSA_ALG_DSA_DETERMINISTIC_FLAG PSA_ALG_ECDSA_DETERMINISTIC_FLAG
371*62c56f98SSadaf Ebrahimi /** Deterministic DSA signature with hashing.
372*62c56f98SSadaf Ebrahimi *
373*62c56f98SSadaf Ebrahimi * This is the deterministic variant defined by RFC 6979 of
374*62c56f98SSadaf Ebrahimi * the signature scheme defined by FIPS 186-4.
375*62c56f98SSadaf Ebrahimi *
376*62c56f98SSadaf Ebrahimi * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
377*62c56f98SSadaf Ebrahimi * #PSA_ALG_IS_HASH(\p hash_alg) is true).
378*62c56f98SSadaf Ebrahimi * This includes #PSA_ALG_ANY_HASH
379*62c56f98SSadaf Ebrahimi * when specifying the algorithm in a usage policy.
380*62c56f98SSadaf Ebrahimi *
381*62c56f98SSadaf Ebrahimi * \return The corresponding DSA signature algorithm.
382*62c56f98SSadaf Ebrahimi * \return Unspecified if \p hash_alg is not a supported
383*62c56f98SSadaf Ebrahimi * hash algorithm.
384*62c56f98SSadaf Ebrahimi */
385*62c56f98SSadaf Ebrahimi #define PSA_ALG_DETERMINISTIC_DSA(hash_alg) \
386*62c56f98SSadaf Ebrahimi (PSA_ALG_DETERMINISTIC_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
387*62c56f98SSadaf Ebrahimi #define PSA_ALG_IS_DSA(alg) \
388*62c56f98SSadaf Ebrahimi (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) == \
389*62c56f98SSadaf Ebrahimi PSA_ALG_DSA_BASE)
390*62c56f98SSadaf Ebrahimi #define PSA_ALG_DSA_IS_DETERMINISTIC(alg) \
391*62c56f98SSadaf Ebrahimi (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0)
392*62c56f98SSadaf Ebrahimi #define PSA_ALG_IS_DETERMINISTIC_DSA(alg) \
393*62c56f98SSadaf Ebrahimi (PSA_ALG_IS_DSA(alg) && PSA_ALG_DSA_IS_DETERMINISTIC(alg))
394*62c56f98SSadaf Ebrahimi #define PSA_ALG_IS_RANDOMIZED_DSA(alg) \
395*62c56f98SSadaf Ebrahimi (PSA_ALG_IS_DSA(alg) && !PSA_ALG_DSA_IS_DETERMINISTIC(alg))
396*62c56f98SSadaf Ebrahimi
397*62c56f98SSadaf Ebrahimi
398*62c56f98SSadaf Ebrahimi /* We need to expand the sample definition of this macro from
399*62c56f98SSadaf Ebrahimi * the API definition. */
400*62c56f98SSadaf Ebrahimi #undef PSA_ALG_IS_VENDOR_HASH_AND_SIGN
401*62c56f98SSadaf Ebrahimi #define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) \
402*62c56f98SSadaf Ebrahimi PSA_ALG_IS_DSA(alg)
403*62c56f98SSadaf Ebrahimi
404*62c56f98SSadaf Ebrahimi /**@}*/
405*62c56f98SSadaf Ebrahimi
406*62c56f98SSadaf Ebrahimi /** \addtogroup attributes
407*62c56f98SSadaf Ebrahimi * @{
408*62c56f98SSadaf Ebrahimi */
409*62c56f98SSadaf Ebrahimi
410*62c56f98SSadaf Ebrahimi /** Custom Diffie-Hellman group.
411*62c56f98SSadaf Ebrahimi *
412*62c56f98SSadaf Ebrahimi * For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
413*62c56f98SSadaf Ebrahimi * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes
414*62c56f98SSadaf Ebrahimi * from domain parameters set by psa_set_key_domain_parameters().
415*62c56f98SSadaf Ebrahimi */
416*62c56f98SSadaf Ebrahimi #define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e)
417*62c56f98SSadaf Ebrahimi
418*62c56f98SSadaf Ebrahimi /** PAKE operation stages. */
419*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OPERATION_STAGE_SETUP 0
420*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1
421*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2
422*62c56f98SSadaf Ebrahimi
423*62c56f98SSadaf Ebrahimi /**
424*62c56f98SSadaf Ebrahimi * \brief Set domain parameters for a key.
425*62c56f98SSadaf Ebrahimi *
426*62c56f98SSadaf Ebrahimi * Some key types require additional domain parameters in addition to
427*62c56f98SSadaf Ebrahimi * the key type identifier and the key size. Use this function instead
428*62c56f98SSadaf Ebrahimi * of psa_set_key_type() when you need to specify domain parameters.
429*62c56f98SSadaf Ebrahimi *
430*62c56f98SSadaf Ebrahimi * The format for the required domain parameters varies based on the key type.
431*62c56f98SSadaf Ebrahimi *
432*62c56f98SSadaf Ebrahimi * - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR),
433*62c56f98SSadaf Ebrahimi * the domain parameter data consists of the public exponent,
434*62c56f98SSadaf Ebrahimi * represented as a big-endian integer with no leading zeros.
435*62c56f98SSadaf Ebrahimi * This information is used when generating an RSA key pair.
436*62c56f98SSadaf Ebrahimi * When importing a key, the public exponent is read from the imported
437*62c56f98SSadaf Ebrahimi * key data and the exponent recorded in the attribute structure is ignored.
438*62c56f98SSadaf Ebrahimi * As an exception, the public exponent 65537 is represented by an empty
439*62c56f98SSadaf Ebrahimi * byte string.
440*62c56f98SSadaf Ebrahimi * - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR),
441*62c56f98SSadaf Ebrahimi * the `Dss-Params` format as defined by RFC 3279 §2.3.2.
442*62c56f98SSadaf Ebrahimi * ```
443*62c56f98SSadaf Ebrahimi * Dss-Params ::= SEQUENCE {
444*62c56f98SSadaf Ebrahimi * p INTEGER,
445*62c56f98SSadaf Ebrahimi * q INTEGER,
446*62c56f98SSadaf Ebrahimi * g INTEGER
447*62c56f98SSadaf Ebrahimi * }
448*62c56f98SSadaf Ebrahimi * ```
449*62c56f98SSadaf Ebrahimi * - For Diffie-Hellman key exchange keys
450*62c56f98SSadaf Ebrahimi * (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
451*62c56f98SSadaf Ebrahimi * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
452*62c56f98SSadaf Ebrahimi * `DomainParameters` format as defined by RFC 3279 §2.3.3.
453*62c56f98SSadaf Ebrahimi * ```
454*62c56f98SSadaf Ebrahimi * DomainParameters ::= SEQUENCE {
455*62c56f98SSadaf Ebrahimi * p INTEGER, -- odd prime, p=jq +1
456*62c56f98SSadaf Ebrahimi * g INTEGER, -- generator, g
457*62c56f98SSadaf Ebrahimi * q INTEGER, -- factor of p-1
458*62c56f98SSadaf Ebrahimi * j INTEGER OPTIONAL, -- subgroup factor
459*62c56f98SSadaf Ebrahimi * validationParams ValidationParams OPTIONAL
460*62c56f98SSadaf Ebrahimi * }
461*62c56f98SSadaf Ebrahimi * ValidationParams ::= SEQUENCE {
462*62c56f98SSadaf Ebrahimi * seed BIT STRING,
463*62c56f98SSadaf Ebrahimi * pgenCounter INTEGER
464*62c56f98SSadaf Ebrahimi * }
465*62c56f98SSadaf Ebrahimi * ```
466*62c56f98SSadaf Ebrahimi *
467*62c56f98SSadaf Ebrahimi * \note This function may allocate memory or other resources.
468*62c56f98SSadaf Ebrahimi * Once you have called this function on an attribute structure,
469*62c56f98SSadaf Ebrahimi * you must call psa_reset_key_attributes() to free these resources.
470*62c56f98SSadaf Ebrahimi *
471*62c56f98SSadaf Ebrahimi * \note This is an experimental extension to the interface. It may change
472*62c56f98SSadaf Ebrahimi * in future versions of the library.
473*62c56f98SSadaf Ebrahimi *
474*62c56f98SSadaf Ebrahimi * \param[in,out] attributes Attribute structure where the specified domain
475*62c56f98SSadaf Ebrahimi * parameters will be stored.
476*62c56f98SSadaf Ebrahimi * If this function fails, the content of
477*62c56f98SSadaf Ebrahimi * \p attributes is not modified.
478*62c56f98SSadaf Ebrahimi * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
479*62c56f98SSadaf Ebrahimi * \param[in] data Buffer containing the key domain parameters.
480*62c56f98SSadaf Ebrahimi * The content of this buffer is interpreted
481*62c56f98SSadaf Ebrahimi * according to \p type as described above.
482*62c56f98SSadaf Ebrahimi * \param data_length Size of the \p data buffer in bytes.
483*62c56f98SSadaf Ebrahimi *
484*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS \emptydescription
485*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
486*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
487*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
488*62c56f98SSadaf Ebrahimi */
489*62c56f98SSadaf Ebrahimi psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
490*62c56f98SSadaf Ebrahimi psa_key_type_t type,
491*62c56f98SSadaf Ebrahimi const uint8_t *data,
492*62c56f98SSadaf Ebrahimi size_t data_length);
493*62c56f98SSadaf Ebrahimi
494*62c56f98SSadaf Ebrahimi /**
495*62c56f98SSadaf Ebrahimi * \brief Get domain parameters for a key.
496*62c56f98SSadaf Ebrahimi *
497*62c56f98SSadaf Ebrahimi * Get the domain parameters for a key with this function, if any. The format
498*62c56f98SSadaf Ebrahimi * of the domain parameters written to \p data is specified in the
499*62c56f98SSadaf Ebrahimi * documentation for psa_set_key_domain_parameters().
500*62c56f98SSadaf Ebrahimi *
501*62c56f98SSadaf Ebrahimi * \note This is an experimental extension to the interface. It may change
502*62c56f98SSadaf Ebrahimi * in future versions of the library.
503*62c56f98SSadaf Ebrahimi *
504*62c56f98SSadaf Ebrahimi * \param[in] attributes The key attribute structure to query.
505*62c56f98SSadaf Ebrahimi * \param[out] data On success, the key domain parameters.
506*62c56f98SSadaf Ebrahimi * \param data_size Size of the \p data buffer in bytes.
507*62c56f98SSadaf Ebrahimi * The buffer is guaranteed to be large
508*62c56f98SSadaf Ebrahimi * enough if its size in bytes is at least
509*62c56f98SSadaf Ebrahimi * the value given by
510*62c56f98SSadaf Ebrahimi * PSA_KEY_DOMAIN_PARAMETERS_SIZE().
511*62c56f98SSadaf Ebrahimi * \param[out] data_length On success, the number of bytes
512*62c56f98SSadaf Ebrahimi * that make up the key domain parameters data.
513*62c56f98SSadaf Ebrahimi *
514*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS \emptydescription
515*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
516*62c56f98SSadaf Ebrahimi */
517*62c56f98SSadaf Ebrahimi psa_status_t psa_get_key_domain_parameters(
518*62c56f98SSadaf Ebrahimi const psa_key_attributes_t *attributes,
519*62c56f98SSadaf Ebrahimi uint8_t *data,
520*62c56f98SSadaf Ebrahimi size_t data_size,
521*62c56f98SSadaf Ebrahimi size_t *data_length);
522*62c56f98SSadaf Ebrahimi
523*62c56f98SSadaf Ebrahimi /** Safe output buffer size for psa_get_key_domain_parameters().
524*62c56f98SSadaf Ebrahimi *
525*62c56f98SSadaf Ebrahimi * This macro returns a compile-time constant if its arguments are
526*62c56f98SSadaf Ebrahimi * compile-time constants.
527*62c56f98SSadaf Ebrahimi *
528*62c56f98SSadaf Ebrahimi * \warning This function may call its arguments multiple times or
529*62c56f98SSadaf Ebrahimi * zero times, so you should not pass arguments that contain
530*62c56f98SSadaf Ebrahimi * side effects.
531*62c56f98SSadaf Ebrahimi *
532*62c56f98SSadaf Ebrahimi * \note This is an experimental extension to the interface. It may change
533*62c56f98SSadaf Ebrahimi * in future versions of the library.
534*62c56f98SSadaf Ebrahimi *
535*62c56f98SSadaf Ebrahimi * \param key_type A supported key type.
536*62c56f98SSadaf Ebrahimi * \param key_bits The size of the key in bits.
537*62c56f98SSadaf Ebrahimi *
538*62c56f98SSadaf Ebrahimi * \return If the parameters are valid and supported, return
539*62c56f98SSadaf Ebrahimi * a buffer size in bytes that guarantees that
540*62c56f98SSadaf Ebrahimi * psa_get_key_domain_parameters() will not fail with
541*62c56f98SSadaf Ebrahimi * #PSA_ERROR_BUFFER_TOO_SMALL.
542*62c56f98SSadaf Ebrahimi * If the parameters are a valid combination that is not supported
543*62c56f98SSadaf Ebrahimi * by the implementation, this macro shall return either a
544*62c56f98SSadaf Ebrahimi * sensible size or 0.
545*62c56f98SSadaf Ebrahimi * If the parameters are not valid, the
546*62c56f98SSadaf Ebrahimi * return value is unspecified.
547*62c56f98SSadaf Ebrahimi */
548*62c56f98SSadaf Ebrahimi #define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits) \
549*62c56f98SSadaf Ebrahimi (PSA_KEY_TYPE_IS_RSA(key_type) ? sizeof(int) : \
550*62c56f98SSadaf Ebrahimi PSA_KEY_TYPE_IS_DH(key_type) ? PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
551*62c56f98SSadaf Ebrahimi PSA_KEY_TYPE_IS_DSA(key_type) ? PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
552*62c56f98SSadaf Ebrahimi 0)
553*62c56f98SSadaf Ebrahimi #define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \
554*62c56f98SSadaf Ebrahimi (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/)
555*62c56f98SSadaf Ebrahimi #define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \
556*62c56f98SSadaf Ebrahimi (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/)
557*62c56f98SSadaf Ebrahimi
558*62c56f98SSadaf Ebrahimi /**@}*/
559*62c56f98SSadaf Ebrahimi
560*62c56f98SSadaf Ebrahimi /** \defgroup psa_tls_helpers TLS helper functions
561*62c56f98SSadaf Ebrahimi * @{
562*62c56f98SSadaf Ebrahimi */
563*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
564*62c56f98SSadaf Ebrahimi #include <mbedtls/ecp.h>
565*62c56f98SSadaf Ebrahimi
566*62c56f98SSadaf Ebrahimi /** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
567*62c56f98SSadaf Ebrahimi *
568*62c56f98SSadaf Ebrahimi * \note This function is provided solely for the convenience of
569*62c56f98SSadaf Ebrahimi * Mbed TLS and may be removed at any time without notice.
570*62c56f98SSadaf Ebrahimi *
571*62c56f98SSadaf Ebrahimi * \param grpid An Mbed TLS elliptic curve identifier
572*62c56f98SSadaf Ebrahimi * (`MBEDTLS_ECP_DP_xxx`).
573*62c56f98SSadaf Ebrahimi * \param[out] bits On success, the bit size of the curve.
574*62c56f98SSadaf Ebrahimi *
575*62c56f98SSadaf Ebrahimi * \return The corresponding PSA elliptic curve identifier
576*62c56f98SSadaf Ebrahimi * (`PSA_ECC_FAMILY_xxx`).
577*62c56f98SSadaf Ebrahimi * \return \c 0 on failure (\p grpid is not recognized).
578*62c56f98SSadaf Ebrahimi */
579*62c56f98SSadaf Ebrahimi psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
580*62c56f98SSadaf Ebrahimi size_t *bits);
581*62c56f98SSadaf Ebrahimi
582*62c56f98SSadaf Ebrahimi /** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
583*62c56f98SSadaf Ebrahimi *
584*62c56f98SSadaf Ebrahimi * \note This function is provided solely for the convenience of
585*62c56f98SSadaf Ebrahimi * Mbed TLS and may be removed at any time without notice.
586*62c56f98SSadaf Ebrahimi *
587*62c56f98SSadaf Ebrahimi * \param curve A PSA elliptic curve identifier
588*62c56f98SSadaf Ebrahimi * (`PSA_ECC_FAMILY_xxx`).
589*62c56f98SSadaf Ebrahimi * \param bits The bit-length of a private key on \p curve.
590*62c56f98SSadaf Ebrahimi * \param bits_is_sloppy If true, \p bits may be the bit-length rounded up
591*62c56f98SSadaf Ebrahimi * to the nearest multiple of 8. This allows the caller
592*62c56f98SSadaf Ebrahimi * to infer the exact curve from the length of a key
593*62c56f98SSadaf Ebrahimi * which is supplied as a byte string.
594*62c56f98SSadaf Ebrahimi *
595*62c56f98SSadaf Ebrahimi * \return The corresponding Mbed TLS elliptic curve identifier
596*62c56f98SSadaf Ebrahimi * (`MBEDTLS_ECP_DP_xxx`).
597*62c56f98SSadaf Ebrahimi * \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized.
598*62c56f98SSadaf Ebrahimi * \return #MBEDTLS_ECP_DP_NONE if \p bits is not
599*62c56f98SSadaf Ebrahimi * correct for \p curve.
600*62c56f98SSadaf Ebrahimi */
601*62c56f98SSadaf Ebrahimi mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
602*62c56f98SSadaf Ebrahimi size_t bits,
603*62c56f98SSadaf Ebrahimi int bits_is_sloppy);
604*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
605*62c56f98SSadaf Ebrahimi
606*62c56f98SSadaf Ebrahimi /**@}*/
607*62c56f98SSadaf Ebrahimi
608*62c56f98SSadaf Ebrahimi /** \defgroup psa_external_rng External random generator
609*62c56f98SSadaf Ebrahimi * @{
610*62c56f98SSadaf Ebrahimi */
611*62c56f98SSadaf Ebrahimi
612*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
613*62c56f98SSadaf Ebrahimi /** External random generator function, implemented by the platform.
614*62c56f98SSadaf Ebrahimi *
615*62c56f98SSadaf Ebrahimi * When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled,
616*62c56f98SSadaf Ebrahimi * this function replaces Mbed TLS's entropy and DRBG modules for all
617*62c56f98SSadaf Ebrahimi * random generation triggered via PSA crypto interfaces.
618*62c56f98SSadaf Ebrahimi *
619*62c56f98SSadaf Ebrahimi * \note This random generator must deliver random numbers with cryptographic
620*62c56f98SSadaf Ebrahimi * quality and high performance. It must supply unpredictable numbers
621*62c56f98SSadaf Ebrahimi * with a uniform distribution. The implementation of this function
622*62c56f98SSadaf Ebrahimi * is responsible for ensuring that the random generator is seeded
623*62c56f98SSadaf Ebrahimi * with sufficient entropy. If you have a hardware TRNG which is slow
624*62c56f98SSadaf Ebrahimi * or delivers non-uniform output, declare it as an entropy source
625*62c56f98SSadaf Ebrahimi * with mbedtls_entropy_add_source() instead of enabling this option.
626*62c56f98SSadaf Ebrahimi *
627*62c56f98SSadaf Ebrahimi * \param[in,out] context Pointer to the random generator context.
628*62c56f98SSadaf Ebrahimi * This is all-bits-zero on the first call
629*62c56f98SSadaf Ebrahimi * and preserved between successive calls.
630*62c56f98SSadaf Ebrahimi * \param[out] output Output buffer. On success, this buffer
631*62c56f98SSadaf Ebrahimi * contains random data with a uniform
632*62c56f98SSadaf Ebrahimi * distribution.
633*62c56f98SSadaf Ebrahimi * \param output_size The size of the \p output buffer in bytes.
634*62c56f98SSadaf Ebrahimi * \param[out] output_length On success, set this value to \p output_size.
635*62c56f98SSadaf Ebrahimi *
636*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
637*62c56f98SSadaf Ebrahimi * Success. The output buffer contains \p output_size bytes of
638*62c56f98SSadaf Ebrahimi * cryptographic-quality random data, and \c *output_length is
639*62c56f98SSadaf Ebrahimi * set to \p output_size.
640*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
641*62c56f98SSadaf Ebrahimi * The random generator requires extra entropy and there is no
642*62c56f98SSadaf Ebrahimi * way to obtain entropy under current environment conditions.
643*62c56f98SSadaf Ebrahimi * This error should not happen under normal circumstances since
644*62c56f98SSadaf Ebrahimi * this function is responsible for obtaining as much entropy as
645*62c56f98SSadaf Ebrahimi * it needs. However implementations of this function may return
646*62c56f98SSadaf Ebrahimi * #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain
647*62c56f98SSadaf Ebrahimi * entropy without blocking indefinitely.
648*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_HARDWARE_FAILURE
649*62c56f98SSadaf Ebrahimi * A failure of the random generator hardware that isn't covered
650*62c56f98SSadaf Ebrahimi * by #PSA_ERROR_INSUFFICIENT_ENTROPY.
651*62c56f98SSadaf Ebrahimi */
652*62c56f98SSadaf Ebrahimi psa_status_t mbedtls_psa_external_get_random(
653*62c56f98SSadaf Ebrahimi mbedtls_psa_external_random_context_t *context,
654*62c56f98SSadaf Ebrahimi uint8_t *output, size_t output_size, size_t *output_length);
655*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
656*62c56f98SSadaf Ebrahimi
657*62c56f98SSadaf Ebrahimi /**@}*/
658*62c56f98SSadaf Ebrahimi
659*62c56f98SSadaf Ebrahimi /** \defgroup psa_builtin_keys Built-in keys
660*62c56f98SSadaf Ebrahimi * @{
661*62c56f98SSadaf Ebrahimi */
662*62c56f98SSadaf Ebrahimi
663*62c56f98SSadaf Ebrahimi /** The minimum value for a key identifier that is built into the
664*62c56f98SSadaf Ebrahimi * implementation.
665*62c56f98SSadaf Ebrahimi *
666*62c56f98SSadaf Ebrahimi * The range of key identifiers from #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN
667*62c56f98SSadaf Ebrahimi * to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX within the range from
668*62c56f98SSadaf Ebrahimi * #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
669*62c56f98SSadaf Ebrahimi * with any other set of implementation-chosen key identifiers.
670*62c56f98SSadaf Ebrahimi *
671*62c56f98SSadaf Ebrahimi * This value is part of the library's ABI since changing it would invalidate
672*62c56f98SSadaf Ebrahimi * the values of built-in key identifiers in applications.
673*62c56f98SSadaf Ebrahimi */
674*62c56f98SSadaf Ebrahimi #define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)
675*62c56f98SSadaf Ebrahimi
676*62c56f98SSadaf Ebrahimi /** The maximum value for a key identifier that is built into the
677*62c56f98SSadaf Ebrahimi * implementation.
678*62c56f98SSadaf Ebrahimi *
679*62c56f98SSadaf Ebrahimi * See #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN for more information.
680*62c56f98SSadaf Ebrahimi */
681*62c56f98SSadaf Ebrahimi #define MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t) 0x7fffefff)
682*62c56f98SSadaf Ebrahimi
683*62c56f98SSadaf Ebrahimi /** A slot number identifying a key in a driver.
684*62c56f98SSadaf Ebrahimi *
685*62c56f98SSadaf Ebrahimi * Values of this type are used to identify built-in keys.
686*62c56f98SSadaf Ebrahimi */
687*62c56f98SSadaf Ebrahimi typedef uint64_t psa_drv_slot_number_t;
688*62c56f98SSadaf Ebrahimi
689*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
690*62c56f98SSadaf Ebrahimi /** Test whether a key identifier belongs to the builtin key range.
691*62c56f98SSadaf Ebrahimi *
692*62c56f98SSadaf Ebrahimi * \param key_id Key identifier to test.
693*62c56f98SSadaf Ebrahimi *
694*62c56f98SSadaf Ebrahimi * \retval 1
695*62c56f98SSadaf Ebrahimi * The key identifier is a builtin key identifier.
696*62c56f98SSadaf Ebrahimi * \retval 0
697*62c56f98SSadaf Ebrahimi * The key identifier is not a builtin key identifier.
698*62c56f98SSadaf Ebrahimi */
psa_key_id_is_builtin(psa_key_id_t key_id)699*62c56f98SSadaf Ebrahimi static inline int psa_key_id_is_builtin(psa_key_id_t key_id)
700*62c56f98SSadaf Ebrahimi {
701*62c56f98SSadaf Ebrahimi return (key_id >= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN) &&
702*62c56f98SSadaf Ebrahimi (key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX);
703*62c56f98SSadaf Ebrahimi }
704*62c56f98SSadaf Ebrahimi
705*62c56f98SSadaf Ebrahimi /** Platform function to obtain the location and slot number of a built-in key.
706*62c56f98SSadaf Ebrahimi *
707*62c56f98SSadaf Ebrahimi * An application-specific implementation of this function must be provided if
708*62c56f98SSadaf Ebrahimi * #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided
709*62c56f98SSadaf Ebrahimi * as part of a platform's system image.
710*62c56f98SSadaf Ebrahimi *
711*62c56f98SSadaf Ebrahimi * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from
712*62c56f98SSadaf Ebrahimi * #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.
713*62c56f98SSadaf Ebrahimi *
714*62c56f98SSadaf Ebrahimi * In a multi-application configuration
715*62c56f98SSadaf Ebrahimi * (\c MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined),
716*62c56f98SSadaf Ebrahimi * this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id)
717*62c56f98SSadaf Ebrahimi * is allowed to use the given key.
718*62c56f98SSadaf Ebrahimi *
719*62c56f98SSadaf Ebrahimi * \param key_id The key ID for which to retrieve the
720*62c56f98SSadaf Ebrahimi * location and slot attributes.
721*62c56f98SSadaf Ebrahimi * \param[out] lifetime On success, the lifetime associated with the key
722*62c56f98SSadaf Ebrahimi * corresponding to \p key_id. Lifetime is a
723*62c56f98SSadaf Ebrahimi * combination of which driver contains the key,
724*62c56f98SSadaf Ebrahimi * and with what persistence level the key is
725*62c56f98SSadaf Ebrahimi * intended to be used. If the platform
726*62c56f98SSadaf Ebrahimi * implementation does not contain specific
727*62c56f98SSadaf Ebrahimi * information about the intended key persistence
728*62c56f98SSadaf Ebrahimi * level, the persistence level may be reported as
729*62c56f98SSadaf Ebrahimi * #PSA_KEY_PERSISTENCE_DEFAULT.
730*62c56f98SSadaf Ebrahimi * \param[out] slot_number On success, the slot number known to the driver
731*62c56f98SSadaf Ebrahimi * registered at the lifetime location reported
732*62c56f98SSadaf Ebrahimi * through \p lifetime which corresponds to the
733*62c56f98SSadaf Ebrahimi * requested built-in key.
734*62c56f98SSadaf Ebrahimi *
735*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
736*62c56f98SSadaf Ebrahimi * The requested key identifier designates a built-in key.
737*62c56f98SSadaf Ebrahimi * In a multi-application configuration, the requested owner
738*62c56f98SSadaf Ebrahimi * is allowed to access it.
739*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DOES_NOT_EXIST
740*62c56f98SSadaf Ebrahimi * The requested key identifier is not a built-in key which is known
741*62c56f98SSadaf Ebrahimi * to this function. If a key exists in the key storage with this
742*62c56f98SSadaf Ebrahimi * identifier, the data from the storage will be used.
743*62c56f98SSadaf Ebrahimi * \return (any other error)
744*62c56f98SSadaf Ebrahimi * Any other error is propagated to the function that requested the key.
745*62c56f98SSadaf Ebrahimi * Common errors include:
746*62c56f98SSadaf Ebrahimi * - #PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner
747*62c56f98SSadaf Ebrahimi * is not allowed to access it.
748*62c56f98SSadaf Ebrahimi */
749*62c56f98SSadaf Ebrahimi psa_status_t mbedtls_psa_platform_get_builtin_key(
750*62c56f98SSadaf Ebrahimi mbedtls_svc_key_id_t key_id,
751*62c56f98SSadaf Ebrahimi psa_key_lifetime_t *lifetime,
752*62c56f98SSadaf Ebrahimi psa_drv_slot_number_t *slot_number);
753*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
754*62c56f98SSadaf Ebrahimi
755*62c56f98SSadaf Ebrahimi /** @} */
756*62c56f98SSadaf Ebrahimi
757*62c56f98SSadaf Ebrahimi /** \addtogroup crypto_types
758*62c56f98SSadaf Ebrahimi * @{
759*62c56f98SSadaf Ebrahimi */
760*62c56f98SSadaf Ebrahimi
761*62c56f98SSadaf Ebrahimi #define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t) 0x0a000000)
762*62c56f98SSadaf Ebrahimi
763*62c56f98SSadaf Ebrahimi /** Whether the specified algorithm is a password-authenticated key exchange.
764*62c56f98SSadaf Ebrahimi *
765*62c56f98SSadaf Ebrahimi * \param alg An algorithm identifier (value of type #psa_algorithm_t).
766*62c56f98SSadaf Ebrahimi *
767*62c56f98SSadaf Ebrahimi * \return 1 if \p alg is a password-authenticated key exchange (PAKE)
768*62c56f98SSadaf Ebrahimi * algorithm, 0 otherwise.
769*62c56f98SSadaf Ebrahimi * This macro may return either 0 or 1 if \p alg is not a supported
770*62c56f98SSadaf Ebrahimi * algorithm identifier.
771*62c56f98SSadaf Ebrahimi */
772*62c56f98SSadaf Ebrahimi #define PSA_ALG_IS_PAKE(alg) \
773*62c56f98SSadaf Ebrahimi (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE)
774*62c56f98SSadaf Ebrahimi
775*62c56f98SSadaf Ebrahimi /** The Password-authenticated key exchange by juggling (J-PAKE) algorithm.
776*62c56f98SSadaf Ebrahimi *
777*62c56f98SSadaf Ebrahimi * This is J-PAKE as defined by RFC 8236, instantiated with the following
778*62c56f98SSadaf Ebrahimi * parameters:
779*62c56f98SSadaf Ebrahimi *
780*62c56f98SSadaf Ebrahimi * - The group can be either an elliptic curve or defined over a finite field.
781*62c56f98SSadaf Ebrahimi * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the
782*62c56f98SSadaf Ebrahimi * J-PAKE algorithm.
783*62c56f98SSadaf Ebrahimi * - A cryptographic hash function.
784*62c56f98SSadaf Ebrahimi *
785*62c56f98SSadaf Ebrahimi * To select these parameters and set up the cipher suite, call these functions
786*62c56f98SSadaf Ebrahimi * in any order:
787*62c56f98SSadaf Ebrahimi *
788*62c56f98SSadaf Ebrahimi * \code
789*62c56f98SSadaf Ebrahimi * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE);
790*62c56f98SSadaf Ebrahimi * psa_pake_cs_set_primitive(cipher_suite,
791*62c56f98SSadaf Ebrahimi * PSA_PAKE_PRIMITIVE(type, family, bits));
792*62c56f98SSadaf Ebrahimi * psa_pake_cs_set_hash(cipher_suite, hash);
793*62c56f98SSadaf Ebrahimi * \endcode
794*62c56f98SSadaf Ebrahimi *
795*62c56f98SSadaf Ebrahimi * For more information on how to set a specific curve or field, refer to the
796*62c56f98SSadaf Ebrahimi * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
797*62c56f98SSadaf Ebrahimi *
798*62c56f98SSadaf Ebrahimi * After initializing a J-PAKE operation, call
799*62c56f98SSadaf Ebrahimi *
800*62c56f98SSadaf Ebrahimi * \code
801*62c56f98SSadaf Ebrahimi * psa_pake_setup(operation, cipher_suite);
802*62c56f98SSadaf Ebrahimi * psa_pake_set_user(operation, ...);
803*62c56f98SSadaf Ebrahimi * psa_pake_set_peer(operation, ...);
804*62c56f98SSadaf Ebrahimi * psa_pake_set_password_key(operation, ...);
805*62c56f98SSadaf Ebrahimi * \endcode
806*62c56f98SSadaf Ebrahimi *
807*62c56f98SSadaf Ebrahimi * The password is provided as a key. This can be the password text itself,
808*62c56f98SSadaf Ebrahimi * in an agreed character encoding, or some value derived from the password
809*62c56f98SSadaf Ebrahimi * as required by a higher level protocol.
810*62c56f98SSadaf Ebrahimi *
811*62c56f98SSadaf Ebrahimi * (The implementation converts the key material to a number as described in
812*62c56f98SSadaf Ebrahimi * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_
813*62c56f98SSadaf Ebrahimi * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here
814*62c56f98SSadaf Ebrahimi * \c q is order of the group defined by the primitive set in the cipher suite.
815*62c56f98SSadaf Ebrahimi * The \c psa_pake_set_password_key() function returns an error if the result
816*62c56f98SSadaf Ebrahimi * of the reduction is 0.)
817*62c56f98SSadaf Ebrahimi *
818*62c56f98SSadaf Ebrahimi * The key exchange flow for J-PAKE is as follows:
819*62c56f98SSadaf Ebrahimi * -# To get the first round data that needs to be sent to the peer, call
820*62c56f98SSadaf Ebrahimi * \code
821*62c56f98SSadaf Ebrahimi * // Get g1
822*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
823*62c56f98SSadaf Ebrahimi * // Get the ZKP public key for x1
824*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
825*62c56f98SSadaf Ebrahimi * // Get the ZKP proof for x1
826*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
827*62c56f98SSadaf Ebrahimi * // Get g2
828*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
829*62c56f98SSadaf Ebrahimi * // Get the ZKP public key for x2
830*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
831*62c56f98SSadaf Ebrahimi * // Get the ZKP proof for x2
832*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
833*62c56f98SSadaf Ebrahimi * \endcode
834*62c56f98SSadaf Ebrahimi * -# To provide the first round data received from the peer to the operation,
835*62c56f98SSadaf Ebrahimi * call
836*62c56f98SSadaf Ebrahimi * \code
837*62c56f98SSadaf Ebrahimi * // Set g3
838*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
839*62c56f98SSadaf Ebrahimi * // Set the ZKP public key for x3
840*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
841*62c56f98SSadaf Ebrahimi * // Set the ZKP proof for x3
842*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
843*62c56f98SSadaf Ebrahimi * // Set g4
844*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
845*62c56f98SSadaf Ebrahimi * // Set the ZKP public key for x4
846*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
847*62c56f98SSadaf Ebrahimi * // Set the ZKP proof for x4
848*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
849*62c56f98SSadaf Ebrahimi * \endcode
850*62c56f98SSadaf Ebrahimi * -# To get the second round data that needs to be sent to the peer, call
851*62c56f98SSadaf Ebrahimi * \code
852*62c56f98SSadaf Ebrahimi * // Get A
853*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
854*62c56f98SSadaf Ebrahimi * // Get ZKP public key for x2*s
855*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
856*62c56f98SSadaf Ebrahimi * // Get ZKP proof for x2*s
857*62c56f98SSadaf Ebrahimi * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
858*62c56f98SSadaf Ebrahimi * \endcode
859*62c56f98SSadaf Ebrahimi * -# To provide the second round data received from the peer to the operation,
860*62c56f98SSadaf Ebrahimi * call
861*62c56f98SSadaf Ebrahimi * \code
862*62c56f98SSadaf Ebrahimi * // Set B
863*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
864*62c56f98SSadaf Ebrahimi * // Set ZKP public key for x4*s
865*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
866*62c56f98SSadaf Ebrahimi * // Set ZKP proof for x4*s
867*62c56f98SSadaf Ebrahimi * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
868*62c56f98SSadaf Ebrahimi * \endcode
869*62c56f98SSadaf Ebrahimi * -# To access the shared secret call
870*62c56f98SSadaf Ebrahimi * \code
871*62c56f98SSadaf Ebrahimi * // Get Ka=Kb=K
872*62c56f98SSadaf Ebrahimi * psa_pake_get_implicit_key()
873*62c56f98SSadaf Ebrahimi * \endcode
874*62c56f98SSadaf Ebrahimi *
875*62c56f98SSadaf Ebrahimi * For more information consult the documentation of the individual
876*62c56f98SSadaf Ebrahimi * \c PSA_PAKE_STEP_XXX constants.
877*62c56f98SSadaf Ebrahimi *
878*62c56f98SSadaf Ebrahimi * At this point there is a cryptographic guarantee that only the authenticated
879*62c56f98SSadaf Ebrahimi * party who used the same password is able to compute the key. But there is no
880*62c56f98SSadaf Ebrahimi * guarantee that the peer is the party it claims to be and was able to do so.
881*62c56f98SSadaf Ebrahimi *
882*62c56f98SSadaf Ebrahimi * That is, the authentication is only implicit (the peer is not authenticated
883*62c56f98SSadaf Ebrahimi * at this point, and no action should be taken that assume that they are - like
884*62c56f98SSadaf Ebrahimi * for example accessing restricted files).
885*62c56f98SSadaf Ebrahimi *
886*62c56f98SSadaf Ebrahimi * To make the authentication explicit there are various methods, see Section 5
887*62c56f98SSadaf Ebrahimi * of RFC 8236 for two examples.
888*62c56f98SSadaf Ebrahimi *
889*62c56f98SSadaf Ebrahimi */
890*62c56f98SSadaf Ebrahimi #define PSA_ALG_JPAKE ((psa_algorithm_t) 0x0a000100)
891*62c56f98SSadaf Ebrahimi
892*62c56f98SSadaf Ebrahimi /** @} */
893*62c56f98SSadaf Ebrahimi
894*62c56f98SSadaf Ebrahimi /** \defgroup pake Password-authenticated key exchange (PAKE)
895*62c56f98SSadaf Ebrahimi *
896*62c56f98SSadaf Ebrahimi * This is a proposed PAKE interface for the PSA Crypto API. It is not part of
897*62c56f98SSadaf Ebrahimi * the official PSA Crypto API yet.
898*62c56f98SSadaf Ebrahimi *
899*62c56f98SSadaf Ebrahimi * \note The content of this section is not part of the stable API and ABI
900*62c56f98SSadaf Ebrahimi * of Mbed TLS and may change arbitrarily from version to version.
901*62c56f98SSadaf Ebrahimi * Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
902*62c56f98SSadaf Ebrahimi * #PSA_ALG_JPAKE.
903*62c56f98SSadaf Ebrahimi * @{
904*62c56f98SSadaf Ebrahimi */
905*62c56f98SSadaf Ebrahimi
906*62c56f98SSadaf Ebrahimi /** \brief Encoding of the application role of PAKE
907*62c56f98SSadaf Ebrahimi *
908*62c56f98SSadaf Ebrahimi * Encodes the application's role in the algorithm is being executed. For more
909*62c56f98SSadaf Ebrahimi * information see the documentation of individual \c PSA_PAKE_ROLE_XXX
910*62c56f98SSadaf Ebrahimi * constants.
911*62c56f98SSadaf Ebrahimi */
912*62c56f98SSadaf Ebrahimi typedef uint8_t psa_pake_role_t;
913*62c56f98SSadaf Ebrahimi
914*62c56f98SSadaf Ebrahimi /** Encoding of input and output indicators for PAKE.
915*62c56f98SSadaf Ebrahimi *
916*62c56f98SSadaf Ebrahimi * Some PAKE algorithms need to exchange more data than just a single key share.
917*62c56f98SSadaf Ebrahimi * This type is for encoding additional input and output data for such
918*62c56f98SSadaf Ebrahimi * algorithms.
919*62c56f98SSadaf Ebrahimi */
920*62c56f98SSadaf Ebrahimi typedef uint8_t psa_pake_step_t;
921*62c56f98SSadaf Ebrahimi
922*62c56f98SSadaf Ebrahimi /** Encoding of the type of the PAKE's primitive.
923*62c56f98SSadaf Ebrahimi *
924*62c56f98SSadaf Ebrahimi * Values defined by this standard will never be in the range 0x80-0xff.
925*62c56f98SSadaf Ebrahimi * Vendors who define additional types must use an encoding in this range.
926*62c56f98SSadaf Ebrahimi *
927*62c56f98SSadaf Ebrahimi * For more information see the documentation of individual
928*62c56f98SSadaf Ebrahimi * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
929*62c56f98SSadaf Ebrahimi */
930*62c56f98SSadaf Ebrahimi typedef uint8_t psa_pake_primitive_type_t;
931*62c56f98SSadaf Ebrahimi
932*62c56f98SSadaf Ebrahimi /** \brief Encoding of the family of the primitive associated with the PAKE.
933*62c56f98SSadaf Ebrahimi *
934*62c56f98SSadaf Ebrahimi * For more information see the documentation of individual
935*62c56f98SSadaf Ebrahimi * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
936*62c56f98SSadaf Ebrahimi */
937*62c56f98SSadaf Ebrahimi typedef uint8_t psa_pake_family_t;
938*62c56f98SSadaf Ebrahimi
939*62c56f98SSadaf Ebrahimi /** \brief Encoding of the primitive associated with the PAKE.
940*62c56f98SSadaf Ebrahimi *
941*62c56f98SSadaf Ebrahimi * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro.
942*62c56f98SSadaf Ebrahimi */
943*62c56f98SSadaf Ebrahimi typedef uint32_t psa_pake_primitive_t;
944*62c56f98SSadaf Ebrahimi
945*62c56f98SSadaf Ebrahimi /** A value to indicate no role in a PAKE algorithm.
946*62c56f98SSadaf Ebrahimi * This value can be used in a call to psa_pake_set_role() for symmetric PAKE
947*62c56f98SSadaf Ebrahimi * algorithms which do not assign roles.
948*62c56f98SSadaf Ebrahimi */
949*62c56f98SSadaf Ebrahimi #define PSA_PAKE_ROLE_NONE ((psa_pake_role_t) 0x00)
950*62c56f98SSadaf Ebrahimi
951*62c56f98SSadaf Ebrahimi /** The first peer in a balanced PAKE.
952*62c56f98SSadaf Ebrahimi *
953*62c56f98SSadaf Ebrahimi * Although balanced PAKE algorithms are symmetric, some of them needs an
954*62c56f98SSadaf Ebrahimi * ordering of peers for the transcript calculations. If the algorithm does not
955*62c56f98SSadaf Ebrahimi * need this, both #PSA_PAKE_ROLE_FIRST and #PSA_PAKE_ROLE_SECOND are
956*62c56f98SSadaf Ebrahimi * accepted.
957*62c56f98SSadaf Ebrahimi */
958*62c56f98SSadaf Ebrahimi #define PSA_PAKE_ROLE_FIRST ((psa_pake_role_t) 0x01)
959*62c56f98SSadaf Ebrahimi
960*62c56f98SSadaf Ebrahimi /** The second peer in a balanced PAKE.
961*62c56f98SSadaf Ebrahimi *
962*62c56f98SSadaf Ebrahimi * Although balanced PAKE algorithms are symmetric, some of them needs an
963*62c56f98SSadaf Ebrahimi * ordering of peers for the transcript calculations. If the algorithm does not
964*62c56f98SSadaf Ebrahimi * need this, either #PSA_PAKE_ROLE_FIRST or #PSA_PAKE_ROLE_SECOND are
965*62c56f98SSadaf Ebrahimi * accepted.
966*62c56f98SSadaf Ebrahimi */
967*62c56f98SSadaf Ebrahimi #define PSA_PAKE_ROLE_SECOND ((psa_pake_role_t) 0x02)
968*62c56f98SSadaf Ebrahimi
969*62c56f98SSadaf Ebrahimi /** The client in an augmented PAKE.
970*62c56f98SSadaf Ebrahimi *
971*62c56f98SSadaf Ebrahimi * Augmented PAKE algorithms need to differentiate between client and server.
972*62c56f98SSadaf Ebrahimi */
973*62c56f98SSadaf Ebrahimi #define PSA_PAKE_ROLE_CLIENT ((psa_pake_role_t) 0x11)
974*62c56f98SSadaf Ebrahimi
975*62c56f98SSadaf Ebrahimi /** The server in an augmented PAKE.
976*62c56f98SSadaf Ebrahimi *
977*62c56f98SSadaf Ebrahimi * Augmented PAKE algorithms need to differentiate between client and server.
978*62c56f98SSadaf Ebrahimi */
979*62c56f98SSadaf Ebrahimi #define PSA_PAKE_ROLE_SERVER ((psa_pake_role_t) 0x12)
980*62c56f98SSadaf Ebrahimi
981*62c56f98SSadaf Ebrahimi /** The PAKE primitive type indicating the use of elliptic curves.
982*62c56f98SSadaf Ebrahimi *
983*62c56f98SSadaf Ebrahimi * The values of the \c family and \c bits fields of the cipher suite identify a
984*62c56f98SSadaf Ebrahimi * specific elliptic curve, using the same mapping that is used for ECC
985*62c56f98SSadaf Ebrahimi * (::psa_ecc_family_t) keys.
986*62c56f98SSadaf Ebrahimi *
987*62c56f98SSadaf Ebrahimi * (Here \c family means the value returned by psa_pake_cs_get_family() and
988*62c56f98SSadaf Ebrahimi * \c bits means the value returned by psa_pake_cs_get_bits().)
989*62c56f98SSadaf Ebrahimi *
990*62c56f98SSadaf Ebrahimi * Input and output during the operation can involve group elements and scalar
991*62c56f98SSadaf Ebrahimi * values:
992*62c56f98SSadaf Ebrahimi * -# The format for group elements is the same as for public keys on the
993*62c56f98SSadaf Ebrahimi * specific curve would be. For more information, consult the documentation of
994*62c56f98SSadaf Ebrahimi * psa_export_public_key().
995*62c56f98SSadaf Ebrahimi * -# The format for scalars is the same as for private keys on the specific
996*62c56f98SSadaf Ebrahimi * curve would be. For more information, consult the documentation of
997*62c56f98SSadaf Ebrahimi * psa_export_key().
998*62c56f98SSadaf Ebrahimi */
999*62c56f98SSadaf Ebrahimi #define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t) 0x01)
1000*62c56f98SSadaf Ebrahimi
1001*62c56f98SSadaf Ebrahimi /** The PAKE primitive type indicating the use of Diffie-Hellman groups.
1002*62c56f98SSadaf Ebrahimi *
1003*62c56f98SSadaf Ebrahimi * The values of the \c family and \c bits fields of the cipher suite identify
1004*62c56f98SSadaf Ebrahimi * a specific Diffie-Hellman group, using the same mapping that is used for
1005*62c56f98SSadaf Ebrahimi * Diffie-Hellman (::psa_dh_family_t) keys.
1006*62c56f98SSadaf Ebrahimi *
1007*62c56f98SSadaf Ebrahimi * (Here \c family means the value returned by psa_pake_cs_get_family() and
1008*62c56f98SSadaf Ebrahimi * \c bits means the value returned by psa_pake_cs_get_bits().)
1009*62c56f98SSadaf Ebrahimi *
1010*62c56f98SSadaf Ebrahimi * Input and output during the operation can involve group elements and scalar
1011*62c56f98SSadaf Ebrahimi * values:
1012*62c56f98SSadaf Ebrahimi * -# The format for group elements is the same as for public keys on the
1013*62c56f98SSadaf Ebrahimi * specific group would be. For more information, consult the documentation of
1014*62c56f98SSadaf Ebrahimi * psa_export_public_key().
1015*62c56f98SSadaf Ebrahimi * -# The format for scalars is the same as for private keys on the specific
1016*62c56f98SSadaf Ebrahimi * group would be. For more information, consult the documentation of
1017*62c56f98SSadaf Ebrahimi * psa_export_key().
1018*62c56f98SSadaf Ebrahimi */
1019*62c56f98SSadaf Ebrahimi #define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t) 0x02)
1020*62c56f98SSadaf Ebrahimi
1021*62c56f98SSadaf Ebrahimi /** Construct a PAKE primitive from type, family and bit-size.
1022*62c56f98SSadaf Ebrahimi *
1023*62c56f98SSadaf Ebrahimi * \param pake_type The type of the primitive
1024*62c56f98SSadaf Ebrahimi * (value of type ::psa_pake_primitive_type_t).
1025*62c56f98SSadaf Ebrahimi * \param pake_family The family of the primitive
1026*62c56f98SSadaf Ebrahimi * (the type and interpretation of this parameter depends
1027*62c56f98SSadaf Ebrahimi * on \p pake_type, for more information consult the
1028*62c56f98SSadaf Ebrahimi * documentation of individual ::psa_pake_primitive_type_t
1029*62c56f98SSadaf Ebrahimi * constants).
1030*62c56f98SSadaf Ebrahimi * \param pake_bits The bit-size of the primitive
1031*62c56f98SSadaf Ebrahimi * (Value of type \c size_t. The interpretation
1032*62c56f98SSadaf Ebrahimi * of this parameter depends on \p pake_family, for more
1033*62c56f98SSadaf Ebrahimi * information consult the documentation of individual
1034*62c56f98SSadaf Ebrahimi * ::psa_pake_primitive_type_t constants).
1035*62c56f98SSadaf Ebrahimi *
1036*62c56f98SSadaf Ebrahimi * \return The constructed primitive value of type ::psa_pake_primitive_t.
1037*62c56f98SSadaf Ebrahimi * Return 0 if the requested primitive can't be encoded as
1038*62c56f98SSadaf Ebrahimi * ::psa_pake_primitive_t.
1039*62c56f98SSadaf Ebrahimi */
1040*62c56f98SSadaf Ebrahimi #define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \
1041*62c56f98SSadaf Ebrahimi ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \
1042*62c56f98SSadaf Ebrahimi ((psa_pake_primitive_t) (((pake_type) << 24 | \
1043*62c56f98SSadaf Ebrahimi (pake_family) << 16) | (pake_bits)))
1044*62c56f98SSadaf Ebrahimi
1045*62c56f98SSadaf Ebrahimi /** The key share being sent to or received from the peer.
1046*62c56f98SSadaf Ebrahimi *
1047*62c56f98SSadaf Ebrahimi * The format for both input and output at this step is the same as for public
1048*62c56f98SSadaf Ebrahimi * keys on the group determined by the primitive (::psa_pake_primitive_t) would
1049*62c56f98SSadaf Ebrahimi * be.
1050*62c56f98SSadaf Ebrahimi *
1051*62c56f98SSadaf Ebrahimi * For more information on the format, consult the documentation of
1052*62c56f98SSadaf Ebrahimi * psa_export_public_key().
1053*62c56f98SSadaf Ebrahimi *
1054*62c56f98SSadaf Ebrahimi * For information regarding how the group is determined, consult the
1055*62c56f98SSadaf Ebrahimi * documentation #PSA_PAKE_PRIMITIVE.
1056*62c56f98SSadaf Ebrahimi */
1057*62c56f98SSadaf Ebrahimi #define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t) 0x01)
1058*62c56f98SSadaf Ebrahimi
1059*62c56f98SSadaf Ebrahimi /** A Schnorr NIZKP public key.
1060*62c56f98SSadaf Ebrahimi *
1061*62c56f98SSadaf Ebrahimi * This is the ephemeral public key in the Schnorr Non-Interactive
1062*62c56f98SSadaf Ebrahimi * Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
1063*62c56f98SSadaf Ebrahimi *
1064*62c56f98SSadaf Ebrahimi * The format for both input and output at this step is the same as for public
1065*62c56f98SSadaf Ebrahimi * keys on the group determined by the primitive (::psa_pake_primitive_t) would
1066*62c56f98SSadaf Ebrahimi * be.
1067*62c56f98SSadaf Ebrahimi *
1068*62c56f98SSadaf Ebrahimi * For more information on the format, consult the documentation of
1069*62c56f98SSadaf Ebrahimi * psa_export_public_key().
1070*62c56f98SSadaf Ebrahimi *
1071*62c56f98SSadaf Ebrahimi * For information regarding how the group is determined, consult the
1072*62c56f98SSadaf Ebrahimi * documentation #PSA_PAKE_PRIMITIVE.
1073*62c56f98SSadaf Ebrahimi */
1074*62c56f98SSadaf Ebrahimi #define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t) 0x02)
1075*62c56f98SSadaf Ebrahimi
1076*62c56f98SSadaf Ebrahimi /** A Schnorr NIZKP proof.
1077*62c56f98SSadaf Ebrahimi *
1078*62c56f98SSadaf Ebrahimi * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
1079*62c56f98SSadaf Ebrahimi * value denoted by the letter 'r' in RFC 8235).
1080*62c56f98SSadaf Ebrahimi *
1081*62c56f98SSadaf Ebrahimi * Both for input and output, the value at this step is an integer less than
1082*62c56f98SSadaf Ebrahimi * the order of the group selected in the cipher suite. The format depends on
1083*62c56f98SSadaf Ebrahimi * the group as well:
1084*62c56f98SSadaf Ebrahimi *
1085*62c56f98SSadaf Ebrahimi * - For Montgomery curves, the encoding is little endian.
1086*62c56f98SSadaf Ebrahimi * - For everything else the encoding is big endian (see Section 2.3.8 of
1087*62c56f98SSadaf Ebrahimi * _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
1088*62c56f98SSadaf Ebrahimi *
1089*62c56f98SSadaf Ebrahimi * In both cases leading zeroes are allowed as long as the length in bytes does
1090*62c56f98SSadaf Ebrahimi * not exceed the byte length of the group order.
1091*62c56f98SSadaf Ebrahimi *
1092*62c56f98SSadaf Ebrahimi * For information regarding how the group is determined, consult the
1093*62c56f98SSadaf Ebrahimi * documentation #PSA_PAKE_PRIMITIVE.
1094*62c56f98SSadaf Ebrahimi */
1095*62c56f98SSadaf Ebrahimi #define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t) 0x03)
1096*62c56f98SSadaf Ebrahimi
1097*62c56f98SSadaf Ebrahimi /** The type of the data structure for PAKE cipher suites.
1098*62c56f98SSadaf Ebrahimi *
1099*62c56f98SSadaf Ebrahimi * This is an implementation-defined \c struct. Applications should not
1100*62c56f98SSadaf Ebrahimi * make any assumptions about the content of this structure.
1101*62c56f98SSadaf Ebrahimi * Implementation details can change in future versions without notice.
1102*62c56f98SSadaf Ebrahimi */
1103*62c56f98SSadaf Ebrahimi typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
1104*62c56f98SSadaf Ebrahimi
1105*62c56f98SSadaf Ebrahimi /** Return an initial value for a PAKE cipher suite object.
1106*62c56f98SSadaf Ebrahimi */
1107*62c56f98SSadaf Ebrahimi static psa_pake_cipher_suite_t psa_pake_cipher_suite_init(void);
1108*62c56f98SSadaf Ebrahimi
1109*62c56f98SSadaf Ebrahimi /** Retrieve the PAKE algorithm from a PAKE cipher suite.
1110*62c56f98SSadaf Ebrahimi *
1111*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite structure to query.
1112*62c56f98SSadaf Ebrahimi *
1113*62c56f98SSadaf Ebrahimi * \return The PAKE algorithm stored in the cipher suite structure.
1114*62c56f98SSadaf Ebrahimi */
1115*62c56f98SSadaf Ebrahimi static psa_algorithm_t psa_pake_cs_get_algorithm(
1116*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1117*62c56f98SSadaf Ebrahimi
1118*62c56f98SSadaf Ebrahimi /** Declare the PAKE algorithm for the cipher suite.
1119*62c56f98SSadaf Ebrahimi *
1120*62c56f98SSadaf Ebrahimi * This function overwrites any PAKE algorithm
1121*62c56f98SSadaf Ebrahimi * previously set in \p cipher_suite.
1122*62c56f98SSadaf Ebrahimi *
1123*62c56f98SSadaf Ebrahimi * \param[out] cipher_suite The cipher suite structure to write to.
1124*62c56f98SSadaf Ebrahimi * \param algorithm The PAKE algorithm to write.
1125*62c56f98SSadaf Ebrahimi * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
1126*62c56f98SSadaf Ebrahimi * such that #PSA_ALG_IS_PAKE(\c alg) is true.)
1127*62c56f98SSadaf Ebrahimi * If this is 0, the PAKE algorithm in
1128*62c56f98SSadaf Ebrahimi * \p cipher_suite becomes unspecified.
1129*62c56f98SSadaf Ebrahimi */
1130*62c56f98SSadaf Ebrahimi static void psa_pake_cs_set_algorithm(psa_pake_cipher_suite_t *cipher_suite,
1131*62c56f98SSadaf Ebrahimi psa_algorithm_t algorithm);
1132*62c56f98SSadaf Ebrahimi
1133*62c56f98SSadaf Ebrahimi /** Retrieve the primitive from a PAKE cipher suite.
1134*62c56f98SSadaf Ebrahimi *
1135*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite structure to query.
1136*62c56f98SSadaf Ebrahimi *
1137*62c56f98SSadaf Ebrahimi * \return The primitive stored in the cipher suite structure.
1138*62c56f98SSadaf Ebrahimi */
1139*62c56f98SSadaf Ebrahimi static psa_pake_primitive_t psa_pake_cs_get_primitive(
1140*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1141*62c56f98SSadaf Ebrahimi
1142*62c56f98SSadaf Ebrahimi /** Declare the primitive for a PAKE cipher suite.
1143*62c56f98SSadaf Ebrahimi *
1144*62c56f98SSadaf Ebrahimi * This function overwrites any primitive previously set in \p cipher_suite.
1145*62c56f98SSadaf Ebrahimi *
1146*62c56f98SSadaf Ebrahimi * \param[out] cipher_suite The cipher suite structure to write to.
1147*62c56f98SSadaf Ebrahimi * \param primitive The primitive to write. If this is 0, the
1148*62c56f98SSadaf Ebrahimi * primitive type in \p cipher_suite becomes
1149*62c56f98SSadaf Ebrahimi * unspecified.
1150*62c56f98SSadaf Ebrahimi */
1151*62c56f98SSadaf Ebrahimi static void psa_pake_cs_set_primitive(psa_pake_cipher_suite_t *cipher_suite,
1152*62c56f98SSadaf Ebrahimi psa_pake_primitive_t primitive);
1153*62c56f98SSadaf Ebrahimi
1154*62c56f98SSadaf Ebrahimi /** Retrieve the PAKE family from a PAKE cipher suite.
1155*62c56f98SSadaf Ebrahimi *
1156*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite structure to query.
1157*62c56f98SSadaf Ebrahimi *
1158*62c56f98SSadaf Ebrahimi * \return The PAKE family stored in the cipher suite structure.
1159*62c56f98SSadaf Ebrahimi */
1160*62c56f98SSadaf Ebrahimi static psa_pake_family_t psa_pake_cs_get_family(
1161*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1162*62c56f98SSadaf Ebrahimi
1163*62c56f98SSadaf Ebrahimi /** Retrieve the PAKE primitive bit-size from a PAKE cipher suite.
1164*62c56f98SSadaf Ebrahimi *
1165*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite structure to query.
1166*62c56f98SSadaf Ebrahimi *
1167*62c56f98SSadaf Ebrahimi * \return The PAKE primitive bit-size stored in the cipher suite structure.
1168*62c56f98SSadaf Ebrahimi */
1169*62c56f98SSadaf Ebrahimi static uint16_t psa_pake_cs_get_bits(
1170*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1171*62c56f98SSadaf Ebrahimi
1172*62c56f98SSadaf Ebrahimi /** Retrieve the hash algorithm from a PAKE cipher suite.
1173*62c56f98SSadaf Ebrahimi *
1174*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite structure to query.
1175*62c56f98SSadaf Ebrahimi *
1176*62c56f98SSadaf Ebrahimi * \return The hash algorithm stored in the cipher suite structure. The return
1177*62c56f98SSadaf Ebrahimi * value is 0 if the PAKE is not parametrised by a hash algorithm or if
1178*62c56f98SSadaf Ebrahimi * the hash algorithm is not set.
1179*62c56f98SSadaf Ebrahimi */
1180*62c56f98SSadaf Ebrahimi static psa_algorithm_t psa_pake_cs_get_hash(
1181*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1182*62c56f98SSadaf Ebrahimi
1183*62c56f98SSadaf Ebrahimi /** Declare the hash algorithm for a PAKE cipher suite.
1184*62c56f98SSadaf Ebrahimi *
1185*62c56f98SSadaf Ebrahimi * This function overwrites any hash algorithm
1186*62c56f98SSadaf Ebrahimi * previously set in \p cipher_suite.
1187*62c56f98SSadaf Ebrahimi *
1188*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1189*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1190*62c56f98SSadaf Ebrahimi * for more information.
1191*62c56f98SSadaf Ebrahimi *
1192*62c56f98SSadaf Ebrahimi * \param[out] cipher_suite The cipher suite structure to write to.
1193*62c56f98SSadaf Ebrahimi * \param hash The hash involved in the cipher suite.
1194*62c56f98SSadaf Ebrahimi * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
1195*62c56f98SSadaf Ebrahimi * such that #PSA_ALG_IS_HASH(\c alg) is true.)
1196*62c56f98SSadaf Ebrahimi * If this is 0, the hash algorithm in
1197*62c56f98SSadaf Ebrahimi * \p cipher_suite becomes unspecified.
1198*62c56f98SSadaf Ebrahimi */
1199*62c56f98SSadaf Ebrahimi static void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
1200*62c56f98SSadaf Ebrahimi psa_algorithm_t hash);
1201*62c56f98SSadaf Ebrahimi
1202*62c56f98SSadaf Ebrahimi /** The type of the state data structure for PAKE operations.
1203*62c56f98SSadaf Ebrahimi *
1204*62c56f98SSadaf Ebrahimi * Before calling any function on a PAKE operation object, the application
1205*62c56f98SSadaf Ebrahimi * must initialize it by any of the following means:
1206*62c56f98SSadaf Ebrahimi * - Set the structure to all-bits-zero, for example:
1207*62c56f98SSadaf Ebrahimi * \code
1208*62c56f98SSadaf Ebrahimi * psa_pake_operation_t operation;
1209*62c56f98SSadaf Ebrahimi * memset(&operation, 0, sizeof(operation));
1210*62c56f98SSadaf Ebrahimi * \endcode
1211*62c56f98SSadaf Ebrahimi * - Initialize the structure to logical zero values, for example:
1212*62c56f98SSadaf Ebrahimi * \code
1213*62c56f98SSadaf Ebrahimi * psa_pake_operation_t operation = {0};
1214*62c56f98SSadaf Ebrahimi * \endcode
1215*62c56f98SSadaf Ebrahimi * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT,
1216*62c56f98SSadaf Ebrahimi * for example:
1217*62c56f98SSadaf Ebrahimi * \code
1218*62c56f98SSadaf Ebrahimi * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT;
1219*62c56f98SSadaf Ebrahimi * \endcode
1220*62c56f98SSadaf Ebrahimi * - Assign the result of the function psa_pake_operation_init()
1221*62c56f98SSadaf Ebrahimi * to the structure, for example:
1222*62c56f98SSadaf Ebrahimi * \code
1223*62c56f98SSadaf Ebrahimi * psa_pake_operation_t operation;
1224*62c56f98SSadaf Ebrahimi * operation = psa_pake_operation_init();
1225*62c56f98SSadaf Ebrahimi * \endcode
1226*62c56f98SSadaf Ebrahimi *
1227*62c56f98SSadaf Ebrahimi * This is an implementation-defined \c struct. Applications should not
1228*62c56f98SSadaf Ebrahimi * make any assumptions about the content of this structure.
1229*62c56f98SSadaf Ebrahimi * Implementation details can change in future versions without notice. */
1230*62c56f98SSadaf Ebrahimi typedef struct psa_pake_operation_s psa_pake_operation_t;
1231*62c56f98SSadaf Ebrahimi
1232*62c56f98SSadaf Ebrahimi /** The type of input values for PAKE operations. */
1233*62c56f98SSadaf Ebrahimi typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t;
1234*62c56f98SSadaf Ebrahimi
1235*62c56f98SSadaf Ebrahimi /** The type of computation stage for J-PAKE operations. */
1236*62c56f98SSadaf Ebrahimi typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
1237*62c56f98SSadaf Ebrahimi
1238*62c56f98SSadaf Ebrahimi /** Return an initial value for a PAKE operation object.
1239*62c56f98SSadaf Ebrahimi */
1240*62c56f98SSadaf Ebrahimi static psa_pake_operation_t psa_pake_operation_init(void);
1241*62c56f98SSadaf Ebrahimi
1242*62c56f98SSadaf Ebrahimi /** Get the length of the password in bytes from given inputs.
1243*62c56f98SSadaf Ebrahimi *
1244*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1245*62c56f98SSadaf Ebrahimi * \param[out] password_len Password length.
1246*62c56f98SSadaf Ebrahimi *
1247*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1248*62c56f98SSadaf Ebrahimi * Success.
1249*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1250*62c56f98SSadaf Ebrahimi * Password hasn't been set yet.
1251*62c56f98SSadaf Ebrahimi */
1252*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_password_len(
1253*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1254*62c56f98SSadaf Ebrahimi size_t *password_len);
1255*62c56f98SSadaf Ebrahimi
1256*62c56f98SSadaf Ebrahimi /** Get the password from given inputs.
1257*62c56f98SSadaf Ebrahimi *
1258*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1259*62c56f98SSadaf Ebrahimi * \param[out] buffer Return buffer for password.
1260*62c56f98SSadaf Ebrahimi * \param buffer_size Size of the return buffer in bytes.
1261*62c56f98SSadaf Ebrahimi * \param[out] buffer_length Actual size of the password in bytes.
1262*62c56f98SSadaf Ebrahimi *
1263*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1264*62c56f98SSadaf Ebrahimi * Success.
1265*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1266*62c56f98SSadaf Ebrahimi * Password hasn't been set yet.
1267*62c56f98SSadaf Ebrahimi */
1268*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_password(
1269*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1270*62c56f98SSadaf Ebrahimi uint8_t *buffer, size_t buffer_size, size_t *buffer_length);
1271*62c56f98SSadaf Ebrahimi
1272*62c56f98SSadaf Ebrahimi /** Get the length of the user id in bytes from given inputs.
1273*62c56f98SSadaf Ebrahimi *
1274*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1275*62c56f98SSadaf Ebrahimi * \param[out] user_len User id length.
1276*62c56f98SSadaf Ebrahimi *
1277*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1278*62c56f98SSadaf Ebrahimi * Success.
1279*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1280*62c56f98SSadaf Ebrahimi * User id hasn't been set yet.
1281*62c56f98SSadaf Ebrahimi */
1282*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_user_len(
1283*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1284*62c56f98SSadaf Ebrahimi size_t *user_len);
1285*62c56f98SSadaf Ebrahimi
1286*62c56f98SSadaf Ebrahimi /** Get the length of the peer id in bytes from given inputs.
1287*62c56f98SSadaf Ebrahimi *
1288*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1289*62c56f98SSadaf Ebrahimi * \param[out] peer_len Peer id length.
1290*62c56f98SSadaf Ebrahimi *
1291*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1292*62c56f98SSadaf Ebrahimi * Success.
1293*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1294*62c56f98SSadaf Ebrahimi * Peer id hasn't been set yet.
1295*62c56f98SSadaf Ebrahimi */
1296*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_peer_len(
1297*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1298*62c56f98SSadaf Ebrahimi size_t *peer_len);
1299*62c56f98SSadaf Ebrahimi
1300*62c56f98SSadaf Ebrahimi /** Get the user id from given inputs.
1301*62c56f98SSadaf Ebrahimi *
1302*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1303*62c56f98SSadaf Ebrahimi * \param[out] user_id User id.
1304*62c56f98SSadaf Ebrahimi * \param user_id_size Size of \p user_id in bytes.
1305*62c56f98SSadaf Ebrahimi * \param[out] user_id_len Size of the user id in bytes.
1306*62c56f98SSadaf Ebrahimi *
1307*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1308*62c56f98SSadaf Ebrahimi * Success.
1309*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1310*62c56f98SSadaf Ebrahimi * User id hasn't been set yet.
1311*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1312*62c56f98SSadaf Ebrahimi * The size of the \p user_id is too small.
1313*62c56f98SSadaf Ebrahimi */
1314*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_user(
1315*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1316*62c56f98SSadaf Ebrahimi uint8_t *user_id, size_t user_id_size, size_t *user_id_len);
1317*62c56f98SSadaf Ebrahimi
1318*62c56f98SSadaf Ebrahimi /** Get the peer id from given inputs.
1319*62c56f98SSadaf Ebrahimi *
1320*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1321*62c56f98SSadaf Ebrahimi * \param[out] peer_id Peer id.
1322*62c56f98SSadaf Ebrahimi * \param peer_id_size Size of \p peer_id in bytes.
1323*62c56f98SSadaf Ebrahimi * \param[out] peer_id_length Size of the peer id in bytes.
1324*62c56f98SSadaf Ebrahimi *
1325*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1326*62c56f98SSadaf Ebrahimi * Success.
1327*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1328*62c56f98SSadaf Ebrahimi * Peer id hasn't been set yet.
1329*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1330*62c56f98SSadaf Ebrahimi * The size of the \p peer_id is too small.
1331*62c56f98SSadaf Ebrahimi */
1332*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_peer(
1333*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1334*62c56f98SSadaf Ebrahimi uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length);
1335*62c56f98SSadaf Ebrahimi
1336*62c56f98SSadaf Ebrahimi /** Get the cipher suite from given inputs.
1337*62c56f98SSadaf Ebrahimi *
1338*62c56f98SSadaf Ebrahimi * \param[in] inputs Operation inputs.
1339*62c56f98SSadaf Ebrahimi * \param[out] cipher_suite Return buffer for role.
1340*62c56f98SSadaf Ebrahimi *
1341*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1342*62c56f98SSadaf Ebrahimi * Success.
1343*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1344*62c56f98SSadaf Ebrahimi * Cipher_suite hasn't been set yet.
1345*62c56f98SSadaf Ebrahimi */
1346*62c56f98SSadaf Ebrahimi psa_status_t psa_crypto_driver_pake_get_cipher_suite(
1347*62c56f98SSadaf Ebrahimi const psa_crypto_driver_pake_inputs_t *inputs,
1348*62c56f98SSadaf Ebrahimi psa_pake_cipher_suite_t *cipher_suite);
1349*62c56f98SSadaf Ebrahimi
1350*62c56f98SSadaf Ebrahimi /** Set the session information for a password-authenticated key exchange.
1351*62c56f98SSadaf Ebrahimi *
1352*62c56f98SSadaf Ebrahimi * The sequence of operations to set up a password-authenticated key exchange
1353*62c56f98SSadaf Ebrahimi * is as follows:
1354*62c56f98SSadaf Ebrahimi * -# Allocate an operation object which will be passed to all the functions
1355*62c56f98SSadaf Ebrahimi * listed here.
1356*62c56f98SSadaf Ebrahimi * -# Initialize the operation object with one of the methods described in the
1357*62c56f98SSadaf Ebrahimi * documentation for #psa_pake_operation_t, e.g.
1358*62c56f98SSadaf Ebrahimi * #PSA_PAKE_OPERATION_INIT.
1359*62c56f98SSadaf Ebrahimi * -# Call psa_pake_setup() to specify the cipher suite.
1360*62c56f98SSadaf Ebrahimi * -# Call \c psa_pake_set_xxx() functions on the operation to complete the
1361*62c56f98SSadaf Ebrahimi * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs
1362*62c56f98SSadaf Ebrahimi * to be called depends on the algorithm in use.
1363*62c56f98SSadaf Ebrahimi *
1364*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1365*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1366*62c56f98SSadaf Ebrahimi * for more information.
1367*62c56f98SSadaf Ebrahimi *
1368*62c56f98SSadaf Ebrahimi * A typical sequence of calls to perform a password-authenticated key
1369*62c56f98SSadaf Ebrahimi * exchange:
1370*62c56f98SSadaf Ebrahimi * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the
1371*62c56f98SSadaf Ebrahimi * key share that needs to be sent to the peer.
1372*62c56f98SSadaf Ebrahimi * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide
1373*62c56f98SSadaf Ebrahimi * the key share that was received from the peer.
1374*62c56f98SSadaf Ebrahimi * -# Depending on the algorithm additional calls to psa_pake_output() and
1375*62c56f98SSadaf Ebrahimi * psa_pake_input() might be necessary.
1376*62c56f98SSadaf Ebrahimi * -# Call psa_pake_get_implicit_key() for accessing the shared secret.
1377*62c56f98SSadaf Ebrahimi *
1378*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1379*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1380*62c56f98SSadaf Ebrahimi * for more information.
1381*62c56f98SSadaf Ebrahimi *
1382*62c56f98SSadaf Ebrahimi * If an error occurs at any step after a call to psa_pake_setup(),
1383*62c56f98SSadaf Ebrahimi * the operation will need to be reset by a call to psa_pake_abort(). The
1384*62c56f98SSadaf Ebrahimi * application may call psa_pake_abort() at any time after the operation
1385*62c56f98SSadaf Ebrahimi * has been initialized.
1386*62c56f98SSadaf Ebrahimi *
1387*62c56f98SSadaf Ebrahimi * After a successful call to psa_pake_setup(), the application must
1388*62c56f98SSadaf Ebrahimi * eventually terminate the operation. The following events terminate an
1389*62c56f98SSadaf Ebrahimi * operation:
1390*62c56f98SSadaf Ebrahimi * - A call to psa_pake_abort().
1391*62c56f98SSadaf Ebrahimi * - A successful call to psa_pake_get_implicit_key().
1392*62c56f98SSadaf Ebrahimi *
1393*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation object to set up. It must have
1394*62c56f98SSadaf Ebrahimi * been initialized but not set up yet.
1395*62c56f98SSadaf Ebrahimi * \param[in] cipher_suite The cipher suite to use. (A cipher suite fully
1396*62c56f98SSadaf Ebrahimi * characterizes a PAKE algorithm and determines
1397*62c56f98SSadaf Ebrahimi * the algorithm as well.)
1398*62c56f98SSadaf Ebrahimi *
1399*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1400*62c56f98SSadaf Ebrahimi * Success.
1401*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1402*62c56f98SSadaf Ebrahimi * The algorithm in \p cipher_suite is not a PAKE algorithm, or the
1403*62c56f98SSadaf Ebrahimi * PAKE primitive in \p cipher_suite is not compatible with the
1404*62c56f98SSadaf Ebrahimi * PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid
1405*62c56f98SSadaf Ebrahimi * or not compatible with the PAKE algorithm and primitive.
1406*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1407*62c56f98SSadaf Ebrahimi * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
1408*62c56f98SSadaf Ebrahimi * or the PAKE primitive in \p cipher_suite is not supported or not
1409*62c56f98SSadaf Ebrahimi * compatible with the PAKE algorithm, or the hash algorithm in
1410*62c56f98SSadaf Ebrahimi * \p cipher_suite is not supported or not compatible with the PAKE
1411*62c56f98SSadaf Ebrahimi * algorithm and primitive.
1412*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1413*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1414*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1415*62c56f98SSadaf Ebrahimi * The operation state is not valid, or
1416*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1417*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1418*62c56f98SSadaf Ebrahimi * results in this error code.
1419*62c56f98SSadaf Ebrahimi */
1420*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_setup(psa_pake_operation_t *operation,
1421*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite);
1422*62c56f98SSadaf Ebrahimi
1423*62c56f98SSadaf Ebrahimi /** Set the password for a password-authenticated key exchange from key ID.
1424*62c56f98SSadaf Ebrahimi *
1425*62c56f98SSadaf Ebrahimi * Call this function when the password, or a value derived from the password,
1426*62c56f98SSadaf Ebrahimi * is already present in the key store.
1427*62c56f98SSadaf Ebrahimi *
1428*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation object to set the password for. It
1429*62c56f98SSadaf Ebrahimi * must have been set up by psa_pake_setup() and
1430*62c56f98SSadaf Ebrahimi * not yet in use (neither psa_pake_output() nor
1431*62c56f98SSadaf Ebrahimi * psa_pake_input() has been called yet). It must
1432*62c56f98SSadaf Ebrahimi * be on operation for which the password hasn't
1433*62c56f98SSadaf Ebrahimi * been set yet (psa_pake_set_password_key()
1434*62c56f98SSadaf Ebrahimi * hasn't been called yet).
1435*62c56f98SSadaf Ebrahimi * \param password Identifier of the key holding the password or a
1436*62c56f98SSadaf Ebrahimi * value derived from the password (eg. by a
1437*62c56f98SSadaf Ebrahimi * memory-hard function). It must remain valid
1438*62c56f98SSadaf Ebrahimi * until the operation terminates. It must be of
1439*62c56f98SSadaf Ebrahimi * type #PSA_KEY_TYPE_PASSWORD or
1440*62c56f98SSadaf Ebrahimi * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow
1441*62c56f98SSadaf Ebrahimi * the usage #PSA_KEY_USAGE_DERIVE.
1442*62c56f98SSadaf Ebrahimi *
1443*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1444*62c56f98SSadaf Ebrahimi * Success.
1445*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_HANDLE
1446*62c56f98SSadaf Ebrahimi * \p password is not a valid key identifier.
1447*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_PERMITTED
1448*62c56f98SSadaf Ebrahimi * The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not
1449*62c56f98SSadaf Ebrahimi * permit the \p operation's algorithm.
1450*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1451*62c56f98SSadaf Ebrahimi * The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or
1452*62c56f98SSadaf Ebrahimi * #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with
1453*62c56f98SSadaf Ebrahimi * the \p operation's cipher suite.
1454*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1455*62c56f98SSadaf Ebrahimi * The key type or key size of \p password is not supported with the
1456*62c56f98SSadaf Ebrahimi * \p operation's cipher suite.
1457*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1458*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1459*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1460*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1461*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1462*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1463*62c56f98SSadaf Ebrahimi * The operation state is not valid (it must have been set up.), or
1464*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1465*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1466*62c56f98SSadaf Ebrahimi * results in this error code.
1467*62c56f98SSadaf Ebrahimi */
1468*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation,
1469*62c56f98SSadaf Ebrahimi mbedtls_svc_key_id_t password);
1470*62c56f98SSadaf Ebrahimi
1471*62c56f98SSadaf Ebrahimi /** Set the user ID for a password-authenticated key exchange.
1472*62c56f98SSadaf Ebrahimi *
1473*62c56f98SSadaf Ebrahimi * Call this function to set the user ID. For PAKE algorithms that associate a
1474*62c56f98SSadaf Ebrahimi * user identifier with each side of the session you need to call
1475*62c56f98SSadaf Ebrahimi * psa_pake_set_peer() as well. For PAKE algorithms that associate a single
1476*62c56f98SSadaf Ebrahimi * user identifier with the session, call psa_pake_set_user() only.
1477*62c56f98SSadaf Ebrahimi *
1478*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1479*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1480*62c56f98SSadaf Ebrahimi * for more information.
1481*62c56f98SSadaf Ebrahimi *
1482*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation object to set the user ID for. It
1483*62c56f98SSadaf Ebrahimi * must have been set up by psa_pake_setup() and
1484*62c56f98SSadaf Ebrahimi * not yet in use (neither psa_pake_output() nor
1485*62c56f98SSadaf Ebrahimi * psa_pake_input() has been called yet). It must
1486*62c56f98SSadaf Ebrahimi * be on operation for which the user ID hasn't
1487*62c56f98SSadaf Ebrahimi * been set (psa_pake_set_user() hasn't been
1488*62c56f98SSadaf Ebrahimi * called yet).
1489*62c56f98SSadaf Ebrahimi * \param[in] user_id The user ID to authenticate with.
1490*62c56f98SSadaf Ebrahimi * \param user_id_len Size of the \p user_id buffer in bytes.
1491*62c56f98SSadaf Ebrahimi *
1492*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1493*62c56f98SSadaf Ebrahimi * Success.
1494*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1495*62c56f98SSadaf Ebrahimi * \p user_id is not valid for the \p operation's algorithm and cipher
1496*62c56f98SSadaf Ebrahimi * suite.
1497*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1498*62c56f98SSadaf Ebrahimi * The value of \p user_id is not supported by the implementation.
1499*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1500*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1501*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1502*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1503*62c56f98SSadaf Ebrahimi * The operation state is not valid, or
1504*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1505*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1506*62c56f98SSadaf Ebrahimi * results in this error code.
1507*62c56f98SSadaf Ebrahimi */
1508*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_set_user(psa_pake_operation_t *operation,
1509*62c56f98SSadaf Ebrahimi const uint8_t *user_id,
1510*62c56f98SSadaf Ebrahimi size_t user_id_len);
1511*62c56f98SSadaf Ebrahimi
1512*62c56f98SSadaf Ebrahimi /** Set the peer ID for a password-authenticated key exchange.
1513*62c56f98SSadaf Ebrahimi *
1514*62c56f98SSadaf Ebrahimi * Call this function in addition to psa_pake_set_user() for PAKE algorithms
1515*62c56f98SSadaf Ebrahimi * that associate a user identifier with each side of the session. For PAKE
1516*62c56f98SSadaf Ebrahimi * algorithms that associate a single user identifier with the session, call
1517*62c56f98SSadaf Ebrahimi * psa_pake_set_user() only.
1518*62c56f98SSadaf Ebrahimi *
1519*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1520*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1521*62c56f98SSadaf Ebrahimi * for more information.
1522*62c56f98SSadaf Ebrahimi *
1523*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation object to set the peer ID for. It
1524*62c56f98SSadaf Ebrahimi * must have been set up by psa_pake_setup() and
1525*62c56f98SSadaf Ebrahimi * not yet in use (neither psa_pake_output() nor
1526*62c56f98SSadaf Ebrahimi * psa_pake_input() has been called yet). It must
1527*62c56f98SSadaf Ebrahimi * be on operation for which the peer ID hasn't
1528*62c56f98SSadaf Ebrahimi * been set (psa_pake_set_peer() hasn't been
1529*62c56f98SSadaf Ebrahimi * called yet).
1530*62c56f98SSadaf Ebrahimi * \param[in] peer_id The peer's ID to authenticate.
1531*62c56f98SSadaf Ebrahimi * \param peer_id_len Size of the \p peer_id buffer in bytes.
1532*62c56f98SSadaf Ebrahimi *
1533*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1534*62c56f98SSadaf Ebrahimi * Success.
1535*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1536*62c56f98SSadaf Ebrahimi * \p peer_id is not valid for the \p operation's algorithm and cipher
1537*62c56f98SSadaf Ebrahimi * suite.
1538*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1539*62c56f98SSadaf Ebrahimi * The algorithm doesn't associate a second identity with the session.
1540*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1541*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1542*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1543*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1544*62c56f98SSadaf Ebrahimi * Calling psa_pake_set_peer() is invalid with the \p operation's
1545*62c56f98SSadaf Ebrahimi * algorithm, the operation state is not valid, or the library has not
1546*62c56f98SSadaf Ebrahimi * been previously initialized by psa_crypto_init().
1547*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1548*62c56f98SSadaf Ebrahimi * results in this error code.
1549*62c56f98SSadaf Ebrahimi */
1550*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation,
1551*62c56f98SSadaf Ebrahimi const uint8_t *peer_id,
1552*62c56f98SSadaf Ebrahimi size_t peer_id_len);
1553*62c56f98SSadaf Ebrahimi
1554*62c56f98SSadaf Ebrahimi /** Set the application role for a password-authenticated key exchange.
1555*62c56f98SSadaf Ebrahimi *
1556*62c56f98SSadaf Ebrahimi * Not all PAKE algorithms need to differentiate the communicating entities.
1557*62c56f98SSadaf Ebrahimi * It is optional to call this function for PAKEs that don't require a role
1558*62c56f98SSadaf Ebrahimi * to be specified. For such PAKEs the application role parameter is ignored,
1559*62c56f98SSadaf Ebrahimi * or #PSA_PAKE_ROLE_NONE can be passed as \c role.
1560*62c56f98SSadaf Ebrahimi *
1561*62c56f98SSadaf Ebrahimi * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
1562*62c56f98SSadaf Ebrahimi * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
1563*62c56f98SSadaf Ebrahimi * for more information.
1564*62c56f98SSadaf Ebrahimi *
1565*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation object to specify the
1566*62c56f98SSadaf Ebrahimi * application's role for. It must have been set up
1567*62c56f98SSadaf Ebrahimi * by psa_pake_setup() and not yet in use (neither
1568*62c56f98SSadaf Ebrahimi * psa_pake_output() nor psa_pake_input() has been
1569*62c56f98SSadaf Ebrahimi * called yet). It must be on operation for which
1570*62c56f98SSadaf Ebrahimi * the application's role hasn't been specified
1571*62c56f98SSadaf Ebrahimi * (psa_pake_set_role() hasn't been called yet).
1572*62c56f98SSadaf Ebrahimi * \param role A value of type ::psa_pake_role_t indicating the
1573*62c56f98SSadaf Ebrahimi * application's role in the PAKE the algorithm
1574*62c56f98SSadaf Ebrahimi * that is being set up. For more information see
1575*62c56f98SSadaf Ebrahimi * the documentation of \c PSA_PAKE_ROLE_XXX
1576*62c56f98SSadaf Ebrahimi * constants.
1577*62c56f98SSadaf Ebrahimi *
1578*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1579*62c56f98SSadaf Ebrahimi * Success.
1580*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1581*62c56f98SSadaf Ebrahimi * The \p role is not a valid PAKE role in the \p operation’s algorithm.
1582*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1583*62c56f98SSadaf Ebrahimi * The \p role for this algorithm is not supported or is not valid.
1584*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1585*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1586*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1587*62c56f98SSadaf Ebrahimi * The operation state is not valid, or
1588*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1589*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1590*62c56f98SSadaf Ebrahimi * results in this error code.
1591*62c56f98SSadaf Ebrahimi */
1592*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_set_role(psa_pake_operation_t *operation,
1593*62c56f98SSadaf Ebrahimi psa_pake_role_t role);
1594*62c56f98SSadaf Ebrahimi
1595*62c56f98SSadaf Ebrahimi /** Get output for a step of a password-authenticated key exchange.
1596*62c56f98SSadaf Ebrahimi *
1597*62c56f98SSadaf Ebrahimi * Depending on the algorithm being executed, you might need to call this
1598*62c56f98SSadaf Ebrahimi * function several times or you might not need to call this at all.
1599*62c56f98SSadaf Ebrahimi *
1600*62c56f98SSadaf Ebrahimi * The exact sequence of calls to perform a password-authenticated key
1601*62c56f98SSadaf Ebrahimi * exchange depends on the algorithm in use. Refer to the documentation of
1602*62c56f98SSadaf Ebrahimi * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1603*62c56f98SSadaf Ebrahimi * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1604*62c56f98SSadaf Ebrahimi * information.
1605*62c56f98SSadaf Ebrahimi *
1606*62c56f98SSadaf Ebrahimi * If this function returns an error status, the operation enters an error
1607*62c56f98SSadaf Ebrahimi * state and must be aborted by calling psa_pake_abort().
1608*62c56f98SSadaf Ebrahimi *
1609*62c56f98SSadaf Ebrahimi * \param[in,out] operation Active PAKE operation.
1610*62c56f98SSadaf Ebrahimi * \param step The step of the algorithm for which the output is
1611*62c56f98SSadaf Ebrahimi * requested.
1612*62c56f98SSadaf Ebrahimi * \param[out] output Buffer where the output is to be written in the
1613*62c56f98SSadaf Ebrahimi * format appropriate for this \p step. Refer to
1614*62c56f98SSadaf Ebrahimi * the documentation of the individual
1615*62c56f98SSadaf Ebrahimi * \c PSA_PAKE_STEP_XXX constants for more
1616*62c56f98SSadaf Ebrahimi * information.
1617*62c56f98SSadaf Ebrahimi * \param output_size Size of the \p output buffer in bytes. This must
1618*62c56f98SSadaf Ebrahimi * be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c
1619*62c56f98SSadaf Ebrahimi * primitive, \p output_step) where \c alg and
1620*62c56f98SSadaf Ebrahimi * \p primitive are the PAKE algorithm and primitive
1621*62c56f98SSadaf Ebrahimi * in the operation's cipher suite, and \p step is
1622*62c56f98SSadaf Ebrahimi * the output step.
1623*62c56f98SSadaf Ebrahimi *
1624*62c56f98SSadaf Ebrahimi * \param[out] output_length On success, the number of bytes of the returned
1625*62c56f98SSadaf Ebrahimi * output.
1626*62c56f98SSadaf Ebrahimi *
1627*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1628*62c56f98SSadaf Ebrahimi * Success.
1629*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1630*62c56f98SSadaf Ebrahimi * The size of the \p output buffer is too small.
1631*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1632*62c56f98SSadaf Ebrahimi * \p step is not compatible with the operation's algorithm.
1633*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1634*62c56f98SSadaf Ebrahimi * \p step is not supported with the operation's algorithm.
1635*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
1636*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1637*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1638*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1639*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1640*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1641*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1642*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1643*62c56f98SSadaf Ebrahimi * The operation state is not valid (it must be active, and fully set
1644*62c56f98SSadaf Ebrahimi * up, and this call must conform to the algorithm's requirements
1645*62c56f98SSadaf Ebrahimi * for ordering of input and output steps), or
1646*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1647*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1648*62c56f98SSadaf Ebrahimi * results in this error code.
1649*62c56f98SSadaf Ebrahimi */
1650*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_output(psa_pake_operation_t *operation,
1651*62c56f98SSadaf Ebrahimi psa_pake_step_t step,
1652*62c56f98SSadaf Ebrahimi uint8_t *output,
1653*62c56f98SSadaf Ebrahimi size_t output_size,
1654*62c56f98SSadaf Ebrahimi size_t *output_length);
1655*62c56f98SSadaf Ebrahimi
1656*62c56f98SSadaf Ebrahimi /** Provide input for a step of a password-authenticated key exchange.
1657*62c56f98SSadaf Ebrahimi *
1658*62c56f98SSadaf Ebrahimi * Depending on the algorithm being executed, you might need to call this
1659*62c56f98SSadaf Ebrahimi * function several times or you might not need to call this at all.
1660*62c56f98SSadaf Ebrahimi *
1661*62c56f98SSadaf Ebrahimi * The exact sequence of calls to perform a password-authenticated key
1662*62c56f98SSadaf Ebrahimi * exchange depends on the algorithm in use. Refer to the documentation of
1663*62c56f98SSadaf Ebrahimi * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1664*62c56f98SSadaf Ebrahimi * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1665*62c56f98SSadaf Ebrahimi * information.
1666*62c56f98SSadaf Ebrahimi *
1667*62c56f98SSadaf Ebrahimi * If this function returns an error status, the operation enters an error
1668*62c56f98SSadaf Ebrahimi * state and must be aborted by calling psa_pake_abort().
1669*62c56f98SSadaf Ebrahimi *
1670*62c56f98SSadaf Ebrahimi * \param[in,out] operation Active PAKE operation.
1671*62c56f98SSadaf Ebrahimi * \param step The step for which the input is provided.
1672*62c56f98SSadaf Ebrahimi * \param[in] input Buffer containing the input in the format
1673*62c56f98SSadaf Ebrahimi * appropriate for this \p step. Refer to the
1674*62c56f98SSadaf Ebrahimi * documentation of the individual
1675*62c56f98SSadaf Ebrahimi * \c PSA_PAKE_STEP_XXX constants for more
1676*62c56f98SSadaf Ebrahimi * information.
1677*62c56f98SSadaf Ebrahimi * \param input_length Size of the \p input buffer in bytes.
1678*62c56f98SSadaf Ebrahimi *
1679*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1680*62c56f98SSadaf Ebrahimi * Success.
1681*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_SIGNATURE
1682*62c56f98SSadaf Ebrahimi * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step.
1683*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1684*62c56f98SSadaf Ebrahimi * \p input_length is not compatible with the \p operation’s algorithm,
1685*62c56f98SSadaf Ebrahimi * or the \p input is not valid for the \p operation's algorithm,
1686*62c56f98SSadaf Ebrahimi * cipher suite or \p step.
1687*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1688*62c56f98SSadaf Ebrahimi * \p step p is not supported with the \p operation's algorithm, or the
1689*62c56f98SSadaf Ebrahimi * \p input is not supported for the \p operation's algorithm, cipher
1690*62c56f98SSadaf Ebrahimi * suite or \p step.
1691*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1692*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1693*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1694*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1695*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1696*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1697*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1698*62c56f98SSadaf Ebrahimi * The operation state is not valid (it must be active, and fully set
1699*62c56f98SSadaf Ebrahimi * up, and this call must conform to the algorithm's requirements
1700*62c56f98SSadaf Ebrahimi * for ordering of input and output steps), or
1701*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init().
1702*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1703*62c56f98SSadaf Ebrahimi * results in this error code.
1704*62c56f98SSadaf Ebrahimi */
1705*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_input(psa_pake_operation_t *operation,
1706*62c56f98SSadaf Ebrahimi psa_pake_step_t step,
1707*62c56f98SSadaf Ebrahimi const uint8_t *input,
1708*62c56f98SSadaf Ebrahimi size_t input_length);
1709*62c56f98SSadaf Ebrahimi
1710*62c56f98SSadaf Ebrahimi /** Get implicitly confirmed shared secret from a PAKE.
1711*62c56f98SSadaf Ebrahimi *
1712*62c56f98SSadaf Ebrahimi * At this point there is a cryptographic guarantee that only the authenticated
1713*62c56f98SSadaf Ebrahimi * party who used the same password is able to compute the key. But there is no
1714*62c56f98SSadaf Ebrahimi * guarantee that the peer is the party it claims to be and was able to do so.
1715*62c56f98SSadaf Ebrahimi *
1716*62c56f98SSadaf Ebrahimi * That is, the authentication is only implicit. Since the peer is not
1717*62c56f98SSadaf Ebrahimi * authenticated yet, no action should be taken yet that assumes that the peer
1718*62c56f98SSadaf Ebrahimi * is who it claims to be. For example, do not access restricted files on the
1719*62c56f98SSadaf Ebrahimi * peer's behalf until an explicit authentication has succeeded.
1720*62c56f98SSadaf Ebrahimi *
1721*62c56f98SSadaf Ebrahimi * This function can be called after the key exchange phase of the operation
1722*62c56f98SSadaf Ebrahimi * has completed. It imports the shared secret output of the PAKE into the
1723*62c56f98SSadaf Ebrahimi * provided derivation operation. The input step
1724*62c56f98SSadaf Ebrahimi * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key
1725*62c56f98SSadaf Ebrahimi * material in the key derivation operation.
1726*62c56f98SSadaf Ebrahimi *
1727*62c56f98SSadaf Ebrahimi * The exact sequence of calls to perform a password-authenticated key
1728*62c56f98SSadaf Ebrahimi * exchange depends on the algorithm in use. Refer to the documentation of
1729*62c56f98SSadaf Ebrahimi * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
1730*62c56f98SSadaf Ebrahimi * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
1731*62c56f98SSadaf Ebrahimi * information.
1732*62c56f98SSadaf Ebrahimi *
1733*62c56f98SSadaf Ebrahimi * When this function returns successfully, \p operation becomes inactive.
1734*62c56f98SSadaf Ebrahimi * If this function returns an error status, both \p operation
1735*62c56f98SSadaf Ebrahimi * and \c key_derivation operations enter an error state and must be aborted by
1736*62c56f98SSadaf Ebrahimi * calling psa_pake_abort() and psa_key_derivation_abort() respectively.
1737*62c56f98SSadaf Ebrahimi *
1738*62c56f98SSadaf Ebrahimi * \param[in,out] operation Active PAKE operation.
1739*62c56f98SSadaf Ebrahimi * \param[out] output A key derivation operation that is ready
1740*62c56f98SSadaf Ebrahimi * for an input step of type
1741*62c56f98SSadaf Ebrahimi * #PSA_KEY_DERIVATION_INPUT_SECRET.
1742*62c56f98SSadaf Ebrahimi *
1743*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1744*62c56f98SSadaf Ebrahimi * Success.
1745*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INVALID_ARGUMENT
1746*62c56f98SSadaf Ebrahimi * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the
1747*62c56f98SSadaf Ebrahimi * algorithm in the \p output key derivation operation.
1748*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_NOT_SUPPORTED
1749*62c56f98SSadaf Ebrahimi * Input from a PAKE is not supported by the algorithm in the \p output
1750*62c56f98SSadaf Ebrahimi * key derivation operation.
1751*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1752*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1753*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1754*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1755*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1756*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1757*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1758*62c56f98SSadaf Ebrahimi * The PAKE operation state is not valid (it must be active, but beyond
1759*62c56f98SSadaf Ebrahimi * that validity is specific to the algorithm), or
1760*62c56f98SSadaf Ebrahimi * the library has not been previously initialized by psa_crypto_init(),
1761*62c56f98SSadaf Ebrahimi * or the state of \p output is not valid for
1762*62c56f98SSadaf Ebrahimi * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the
1763*62c56f98SSadaf Ebrahimi * step is out of order or the application has done this step already
1764*62c56f98SSadaf Ebrahimi * and it may not be repeated.
1765*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1766*62c56f98SSadaf Ebrahimi * results in this error code.
1767*62c56f98SSadaf Ebrahimi */
1768*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
1769*62c56f98SSadaf Ebrahimi psa_key_derivation_operation_t *output);
1770*62c56f98SSadaf Ebrahimi
1771*62c56f98SSadaf Ebrahimi /** Abort a PAKE operation.
1772*62c56f98SSadaf Ebrahimi *
1773*62c56f98SSadaf Ebrahimi * Aborting an operation frees all associated resources except for the \c
1774*62c56f98SSadaf Ebrahimi * operation structure itself. Once aborted, the operation object can be reused
1775*62c56f98SSadaf Ebrahimi * for another operation by calling psa_pake_setup() again.
1776*62c56f98SSadaf Ebrahimi *
1777*62c56f98SSadaf Ebrahimi * This function may be called at any time after the operation
1778*62c56f98SSadaf Ebrahimi * object has been initialized as described in #psa_pake_operation_t.
1779*62c56f98SSadaf Ebrahimi *
1780*62c56f98SSadaf Ebrahimi * In particular, calling psa_pake_abort() after the operation has been
1781*62c56f98SSadaf Ebrahimi * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key()
1782*62c56f98SSadaf Ebrahimi * is safe and has no effect.
1783*62c56f98SSadaf Ebrahimi *
1784*62c56f98SSadaf Ebrahimi * \param[in,out] operation The operation to abort.
1785*62c56f98SSadaf Ebrahimi *
1786*62c56f98SSadaf Ebrahimi * \retval #PSA_SUCCESS
1787*62c56f98SSadaf Ebrahimi * Success.
1788*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1789*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1790*62c56f98SSadaf Ebrahimi * \retval #PSA_ERROR_BAD_STATE
1791*62c56f98SSadaf Ebrahimi * The library has not been previously initialized by psa_crypto_init().
1792*62c56f98SSadaf Ebrahimi * It is implementation-dependent whether a failure to initialize
1793*62c56f98SSadaf Ebrahimi * results in this error code.
1794*62c56f98SSadaf Ebrahimi */
1795*62c56f98SSadaf Ebrahimi psa_status_t psa_pake_abort(psa_pake_operation_t *operation);
1796*62c56f98SSadaf Ebrahimi
1797*62c56f98SSadaf Ebrahimi /**@}*/
1798*62c56f98SSadaf Ebrahimi
1799*62c56f98SSadaf Ebrahimi /** A sufficient output buffer size for psa_pake_output().
1800*62c56f98SSadaf Ebrahimi *
1801*62c56f98SSadaf Ebrahimi * If the size of the output buffer is at least this large, it is guaranteed
1802*62c56f98SSadaf Ebrahimi * that psa_pake_output() will not fail due to an insufficient output buffer
1803*62c56f98SSadaf Ebrahimi * size. The actual size of the output might be smaller in any given call.
1804*62c56f98SSadaf Ebrahimi *
1805*62c56f98SSadaf Ebrahimi * See also #PSA_PAKE_OUTPUT_MAX_SIZE
1806*62c56f98SSadaf Ebrahimi *
1807*62c56f98SSadaf Ebrahimi * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
1808*62c56f98SSadaf Ebrahimi * #PSA_ALG_IS_PAKE(\p alg) is true).
1809*62c56f98SSadaf Ebrahimi * \param primitive A primitive of type ::psa_pake_primitive_t that is
1810*62c56f98SSadaf Ebrahimi * compatible with algorithm \p alg.
1811*62c56f98SSadaf Ebrahimi * \param output_step A value of type ::psa_pake_step_t that is valid for the
1812*62c56f98SSadaf Ebrahimi * algorithm \p alg.
1813*62c56f98SSadaf Ebrahimi * \return A sufficient output buffer size for the specified
1814*62c56f98SSadaf Ebrahimi * PAKE algorithm, primitive, and output step. If the
1815*62c56f98SSadaf Ebrahimi * PAKE algorithm, primitive, or output step is not
1816*62c56f98SSadaf Ebrahimi * recognized, or the parameters are incompatible,
1817*62c56f98SSadaf Ebrahimi * return 0.
1818*62c56f98SSadaf Ebrahimi */
1819*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) \
1820*62c56f98SSadaf Ebrahimi (alg == PSA_ALG_JPAKE && \
1821*62c56f98SSadaf Ebrahimi primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
1822*62c56f98SSadaf Ebrahimi PSA_ECC_FAMILY_SECP_R1, 256) ? \
1823*62c56f98SSadaf Ebrahimi ( \
1824*62c56f98SSadaf Ebrahimi output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
1825*62c56f98SSadaf Ebrahimi output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
1826*62c56f98SSadaf Ebrahimi 32 \
1827*62c56f98SSadaf Ebrahimi ) : \
1828*62c56f98SSadaf Ebrahimi 0)
1829*62c56f98SSadaf Ebrahimi
1830*62c56f98SSadaf Ebrahimi /** A sufficient input buffer size for psa_pake_input().
1831*62c56f98SSadaf Ebrahimi *
1832*62c56f98SSadaf Ebrahimi * The value returned by this macro is guaranteed to be large enough for any
1833*62c56f98SSadaf Ebrahimi * valid input to psa_pake_input() in an operation with the specified
1834*62c56f98SSadaf Ebrahimi * parameters.
1835*62c56f98SSadaf Ebrahimi *
1836*62c56f98SSadaf Ebrahimi * See also #PSA_PAKE_INPUT_MAX_SIZE
1837*62c56f98SSadaf Ebrahimi *
1838*62c56f98SSadaf Ebrahimi * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
1839*62c56f98SSadaf Ebrahimi * #PSA_ALG_IS_PAKE(\p alg) is true).
1840*62c56f98SSadaf Ebrahimi * \param primitive A primitive of type ::psa_pake_primitive_t that is
1841*62c56f98SSadaf Ebrahimi * compatible with algorithm \p alg.
1842*62c56f98SSadaf Ebrahimi * \param input_step A value of type ::psa_pake_step_t that is valid for the
1843*62c56f98SSadaf Ebrahimi * algorithm \p alg.
1844*62c56f98SSadaf Ebrahimi * \return A sufficient input buffer size for the specified
1845*62c56f98SSadaf Ebrahimi * input, cipher suite and algorithm. If the cipher suite,
1846*62c56f98SSadaf Ebrahimi * the input type or PAKE algorithm is not recognized, or
1847*62c56f98SSadaf Ebrahimi * the parameters are incompatible, return 0.
1848*62c56f98SSadaf Ebrahimi */
1849*62c56f98SSadaf Ebrahimi #define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) \
1850*62c56f98SSadaf Ebrahimi (alg == PSA_ALG_JPAKE && \
1851*62c56f98SSadaf Ebrahimi primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
1852*62c56f98SSadaf Ebrahimi PSA_ECC_FAMILY_SECP_R1, 256) ? \
1853*62c56f98SSadaf Ebrahimi ( \
1854*62c56f98SSadaf Ebrahimi input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
1855*62c56f98SSadaf Ebrahimi input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
1856*62c56f98SSadaf Ebrahimi 32 \
1857*62c56f98SSadaf Ebrahimi ) : \
1858*62c56f98SSadaf Ebrahimi 0)
1859*62c56f98SSadaf Ebrahimi
1860*62c56f98SSadaf Ebrahimi /** Output buffer size for psa_pake_output() for any of the supported PAKE
1861*62c56f98SSadaf Ebrahimi * algorithm and primitive suites and output step.
1862*62c56f98SSadaf Ebrahimi *
1863*62c56f98SSadaf Ebrahimi * This macro must expand to a compile-time constant integer.
1864*62c56f98SSadaf Ebrahimi *
1865*62c56f98SSadaf Ebrahimi * The value of this macro must be at least as large as the largest value
1866*62c56f98SSadaf Ebrahimi * returned by PSA_PAKE_OUTPUT_SIZE()
1867*62c56f98SSadaf Ebrahimi *
1868*62c56f98SSadaf Ebrahimi * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p output_step).
1869*62c56f98SSadaf Ebrahimi */
1870*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OUTPUT_MAX_SIZE 65
1871*62c56f98SSadaf Ebrahimi
1872*62c56f98SSadaf Ebrahimi /** Input buffer size for psa_pake_input() for any of the supported PAKE
1873*62c56f98SSadaf Ebrahimi * algorithm and primitive suites and input step.
1874*62c56f98SSadaf Ebrahimi *
1875*62c56f98SSadaf Ebrahimi * This macro must expand to a compile-time constant integer.
1876*62c56f98SSadaf Ebrahimi *
1877*62c56f98SSadaf Ebrahimi * The value of this macro must be at least as large as the largest value
1878*62c56f98SSadaf Ebrahimi * returned by PSA_PAKE_INPUT_SIZE()
1879*62c56f98SSadaf Ebrahimi *
1880*62c56f98SSadaf Ebrahimi * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p output_step).
1881*62c56f98SSadaf Ebrahimi */
1882*62c56f98SSadaf Ebrahimi #define PSA_PAKE_INPUT_MAX_SIZE 65
1883*62c56f98SSadaf Ebrahimi
1884*62c56f98SSadaf Ebrahimi /** Returns a suitable initializer for a PAKE cipher suite object of type
1885*62c56f98SSadaf Ebrahimi * psa_pake_cipher_suite_t.
1886*62c56f98SSadaf Ebrahimi */
1887*62c56f98SSadaf Ebrahimi #define PSA_PAKE_CIPHER_SUITE_INIT { PSA_ALG_NONE, 0, 0, 0, PSA_ALG_NONE }
1888*62c56f98SSadaf Ebrahimi
1889*62c56f98SSadaf Ebrahimi /** Returns a suitable initializer for a PAKE operation object of type
1890*62c56f98SSadaf Ebrahimi * psa_pake_operation_t.
1891*62c56f98SSadaf Ebrahimi */
1892*62c56f98SSadaf Ebrahimi #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, 0, PSA_PAKE_OPERATION_STAGE_SETUP, \
1893*62c56f98SSadaf Ebrahimi { 0 }, { { 0 } } }
1894*62c56f98SSadaf Ebrahimi
1895*62c56f98SSadaf Ebrahimi struct psa_pake_cipher_suite_s {
1896*62c56f98SSadaf Ebrahimi psa_algorithm_t algorithm;
1897*62c56f98SSadaf Ebrahimi psa_pake_primitive_type_t type;
1898*62c56f98SSadaf Ebrahimi psa_pake_family_t family;
1899*62c56f98SSadaf Ebrahimi uint16_t bits;
1900*62c56f98SSadaf Ebrahimi psa_algorithm_t hash;
1901*62c56f98SSadaf Ebrahimi };
1902*62c56f98SSadaf Ebrahimi
psa_pake_cs_get_algorithm(const psa_pake_cipher_suite_t * cipher_suite)1903*62c56f98SSadaf Ebrahimi static inline psa_algorithm_t psa_pake_cs_get_algorithm(
1904*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite)
1905*62c56f98SSadaf Ebrahimi {
1906*62c56f98SSadaf Ebrahimi return cipher_suite->algorithm;
1907*62c56f98SSadaf Ebrahimi }
1908*62c56f98SSadaf Ebrahimi
psa_pake_cs_set_algorithm(psa_pake_cipher_suite_t * cipher_suite,psa_algorithm_t algorithm)1909*62c56f98SSadaf Ebrahimi static inline void psa_pake_cs_set_algorithm(
1910*62c56f98SSadaf Ebrahimi psa_pake_cipher_suite_t *cipher_suite,
1911*62c56f98SSadaf Ebrahimi psa_algorithm_t algorithm)
1912*62c56f98SSadaf Ebrahimi {
1913*62c56f98SSadaf Ebrahimi if (!PSA_ALG_IS_PAKE(algorithm)) {
1914*62c56f98SSadaf Ebrahimi cipher_suite->algorithm = 0;
1915*62c56f98SSadaf Ebrahimi } else {
1916*62c56f98SSadaf Ebrahimi cipher_suite->algorithm = algorithm;
1917*62c56f98SSadaf Ebrahimi }
1918*62c56f98SSadaf Ebrahimi }
1919*62c56f98SSadaf Ebrahimi
psa_pake_cs_get_primitive(const psa_pake_cipher_suite_t * cipher_suite)1920*62c56f98SSadaf Ebrahimi static inline psa_pake_primitive_t psa_pake_cs_get_primitive(
1921*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite)
1922*62c56f98SSadaf Ebrahimi {
1923*62c56f98SSadaf Ebrahimi return PSA_PAKE_PRIMITIVE(cipher_suite->type, cipher_suite->family,
1924*62c56f98SSadaf Ebrahimi cipher_suite->bits);
1925*62c56f98SSadaf Ebrahimi }
1926*62c56f98SSadaf Ebrahimi
psa_pake_cs_set_primitive(psa_pake_cipher_suite_t * cipher_suite,psa_pake_primitive_t primitive)1927*62c56f98SSadaf Ebrahimi static inline void psa_pake_cs_set_primitive(
1928*62c56f98SSadaf Ebrahimi psa_pake_cipher_suite_t *cipher_suite,
1929*62c56f98SSadaf Ebrahimi psa_pake_primitive_t primitive)
1930*62c56f98SSadaf Ebrahimi {
1931*62c56f98SSadaf Ebrahimi cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24);
1932*62c56f98SSadaf Ebrahimi cipher_suite->family = (psa_pake_family_t) (0xFF & (primitive >> 16));
1933*62c56f98SSadaf Ebrahimi cipher_suite->bits = (uint16_t) (0xFFFF & primitive);
1934*62c56f98SSadaf Ebrahimi }
1935*62c56f98SSadaf Ebrahimi
psa_pake_cs_get_family(const psa_pake_cipher_suite_t * cipher_suite)1936*62c56f98SSadaf Ebrahimi static inline psa_pake_family_t psa_pake_cs_get_family(
1937*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite)
1938*62c56f98SSadaf Ebrahimi {
1939*62c56f98SSadaf Ebrahimi return cipher_suite->family;
1940*62c56f98SSadaf Ebrahimi }
1941*62c56f98SSadaf Ebrahimi
psa_pake_cs_get_bits(const psa_pake_cipher_suite_t * cipher_suite)1942*62c56f98SSadaf Ebrahimi static inline uint16_t psa_pake_cs_get_bits(
1943*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite)
1944*62c56f98SSadaf Ebrahimi {
1945*62c56f98SSadaf Ebrahimi return cipher_suite->bits;
1946*62c56f98SSadaf Ebrahimi }
1947*62c56f98SSadaf Ebrahimi
psa_pake_cs_get_hash(const psa_pake_cipher_suite_t * cipher_suite)1948*62c56f98SSadaf Ebrahimi static inline psa_algorithm_t psa_pake_cs_get_hash(
1949*62c56f98SSadaf Ebrahimi const psa_pake_cipher_suite_t *cipher_suite)
1950*62c56f98SSadaf Ebrahimi {
1951*62c56f98SSadaf Ebrahimi return cipher_suite->hash;
1952*62c56f98SSadaf Ebrahimi }
1953*62c56f98SSadaf Ebrahimi
psa_pake_cs_set_hash(psa_pake_cipher_suite_t * cipher_suite,psa_algorithm_t hash)1954*62c56f98SSadaf Ebrahimi static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
1955*62c56f98SSadaf Ebrahimi psa_algorithm_t hash)
1956*62c56f98SSadaf Ebrahimi {
1957*62c56f98SSadaf Ebrahimi if (!PSA_ALG_IS_HASH(hash)) {
1958*62c56f98SSadaf Ebrahimi cipher_suite->hash = 0;
1959*62c56f98SSadaf Ebrahimi } else {
1960*62c56f98SSadaf Ebrahimi cipher_suite->hash = hash;
1961*62c56f98SSadaf Ebrahimi }
1962*62c56f98SSadaf Ebrahimi }
1963*62c56f98SSadaf Ebrahimi
1964*62c56f98SSadaf Ebrahimi struct psa_crypto_driver_pake_inputs_s {
1965*62c56f98SSadaf Ebrahimi uint8_t *MBEDTLS_PRIVATE(password);
1966*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(password_len);
1967*62c56f98SSadaf Ebrahimi uint8_t *MBEDTLS_PRIVATE(user);
1968*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(user_len);
1969*62c56f98SSadaf Ebrahimi uint8_t *MBEDTLS_PRIVATE(peer);
1970*62c56f98SSadaf Ebrahimi size_t MBEDTLS_PRIVATE(peer_len);
1971*62c56f98SSadaf Ebrahimi psa_key_attributes_t MBEDTLS_PRIVATE(attributes);
1972*62c56f98SSadaf Ebrahimi psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite);
1973*62c56f98SSadaf Ebrahimi };
1974*62c56f98SSadaf Ebrahimi
1975*62c56f98SSadaf Ebrahimi typedef enum psa_crypto_driver_pake_step {
1976*62c56f98SSadaf Ebrahimi PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */
1977*62c56f98SSadaf Ebrahimi PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/
1978*62c56f98SSadaf Ebrahimi PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */
1979*62c56f98SSadaf Ebrahimi PSA_JPAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */
1980*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/
1981*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */
1982*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */
1983*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */
1984*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */
1985*62c56f98SSadaf Ebrahimi PSA_JPAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */
1986*62c56f98SSadaf Ebrahimi PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */
1987*62c56f98SSadaf Ebrahimi PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */
1988*62c56f98SSadaf Ebrahimi PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */
1989*62c56f98SSadaf Ebrahimi } psa_crypto_driver_pake_step_t;
1990*62c56f98SSadaf Ebrahimi
1991*62c56f98SSadaf Ebrahimi typedef enum psa_jpake_round {
1992*62c56f98SSadaf Ebrahimi PSA_JPAKE_FIRST = 0,
1993*62c56f98SSadaf Ebrahimi PSA_JPAKE_SECOND = 1,
1994*62c56f98SSadaf Ebrahimi PSA_JPAKE_FINISHED = 2
1995*62c56f98SSadaf Ebrahimi } psa_jpake_round_t;
1996*62c56f98SSadaf Ebrahimi
1997*62c56f98SSadaf Ebrahimi typedef enum psa_jpake_io_mode {
1998*62c56f98SSadaf Ebrahimi PSA_JPAKE_INPUT = 0,
1999*62c56f98SSadaf Ebrahimi PSA_JPAKE_OUTPUT = 1
2000*62c56f98SSadaf Ebrahimi } psa_jpake_io_mode_t;
2001*62c56f98SSadaf Ebrahimi
2002*62c56f98SSadaf Ebrahimi struct psa_jpake_computation_stage_s {
2003*62c56f98SSadaf Ebrahimi /* The J-PAKE round we are currently on */
2004*62c56f98SSadaf Ebrahimi psa_jpake_round_t MBEDTLS_PRIVATE(round);
2005*62c56f98SSadaf Ebrahimi /* The 'mode' we are currently in (inputting or outputting) */
2006*62c56f98SSadaf Ebrahimi psa_jpake_io_mode_t MBEDTLS_PRIVATE(io_mode);
2007*62c56f98SSadaf Ebrahimi /* The number of completed inputs so far this round */
2008*62c56f98SSadaf Ebrahimi uint8_t MBEDTLS_PRIVATE(inputs);
2009*62c56f98SSadaf Ebrahimi /* The number of completed outputs so far this round */
2010*62c56f98SSadaf Ebrahimi uint8_t MBEDTLS_PRIVATE(outputs);
2011*62c56f98SSadaf Ebrahimi /* The next expected step (KEY_SHARE, ZK_PUBLIC or ZK_PROOF) */
2012*62c56f98SSadaf Ebrahimi psa_pake_step_t MBEDTLS_PRIVATE(step);
2013*62c56f98SSadaf Ebrahimi };
2014*62c56f98SSadaf Ebrahimi
2015*62c56f98SSadaf Ebrahimi #define PSA_JPAKE_EXPECTED_INPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
2016*62c56f98SSadaf Ebrahimi ((round) == PSA_JPAKE_FIRST ? 2 : 1))
2017*62c56f98SSadaf Ebrahimi #define PSA_JPAKE_EXPECTED_OUTPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
2018*62c56f98SSadaf Ebrahimi ((round) == PSA_JPAKE_FIRST ? 2 : 1))
2019*62c56f98SSadaf Ebrahimi
2020*62c56f98SSadaf Ebrahimi struct psa_pake_operation_s {
2021*62c56f98SSadaf Ebrahimi /** Unique ID indicating which driver got assigned to do the
2022*62c56f98SSadaf Ebrahimi * operation. Since driver contexts are driver-specific, swapping
2023*62c56f98SSadaf Ebrahimi * drivers halfway through the operation is not supported.
2024*62c56f98SSadaf Ebrahimi * ID values are auto-generated in psa_crypto_driver_wrappers.h
2025*62c56f98SSadaf Ebrahimi * ID value zero means the context is not valid or not assigned to
2026*62c56f98SSadaf Ebrahimi * any driver (i.e. none of the driver contexts are active). */
2027*62c56f98SSadaf Ebrahimi unsigned int MBEDTLS_PRIVATE(id);
2028*62c56f98SSadaf Ebrahimi /* Algorithm of the PAKE operation */
2029*62c56f98SSadaf Ebrahimi psa_algorithm_t MBEDTLS_PRIVATE(alg);
2030*62c56f98SSadaf Ebrahimi /* A primitive of type compatible with algorithm */
2031*62c56f98SSadaf Ebrahimi psa_pake_primitive_t MBEDTLS_PRIVATE(primitive);
2032*62c56f98SSadaf Ebrahimi /* Stage of the PAKE operation: waiting for the setup, collecting inputs
2033*62c56f98SSadaf Ebrahimi * or computing. */
2034*62c56f98SSadaf Ebrahimi uint8_t MBEDTLS_PRIVATE(stage);
2035*62c56f98SSadaf Ebrahimi /* Holds computation stage of the PAKE algorithms. */
2036*62c56f98SSadaf Ebrahimi union {
2037*62c56f98SSadaf Ebrahimi uint8_t MBEDTLS_PRIVATE(dummy);
2038*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_JPAKE)
2039*62c56f98SSadaf Ebrahimi psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake);
2040*62c56f98SSadaf Ebrahimi #endif
2041*62c56f98SSadaf Ebrahimi } MBEDTLS_PRIVATE(computation_stage);
2042*62c56f98SSadaf Ebrahimi union {
2043*62c56f98SSadaf Ebrahimi psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx);
2044*62c56f98SSadaf Ebrahimi psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs);
2045*62c56f98SSadaf Ebrahimi } MBEDTLS_PRIVATE(data);
2046*62c56f98SSadaf Ebrahimi };
2047*62c56f98SSadaf Ebrahimi
psa_pake_cipher_suite_init(void)2048*62c56f98SSadaf Ebrahimi static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void)
2049*62c56f98SSadaf Ebrahimi {
2050*62c56f98SSadaf Ebrahimi const struct psa_pake_cipher_suite_s v = PSA_PAKE_CIPHER_SUITE_INIT;
2051*62c56f98SSadaf Ebrahimi return v;
2052*62c56f98SSadaf Ebrahimi }
2053*62c56f98SSadaf Ebrahimi
psa_pake_operation_init(void)2054*62c56f98SSadaf Ebrahimi static inline struct psa_pake_operation_s psa_pake_operation_init(void)
2055*62c56f98SSadaf Ebrahimi {
2056*62c56f98SSadaf Ebrahimi const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT;
2057*62c56f98SSadaf Ebrahimi return v;
2058*62c56f98SSadaf Ebrahimi }
2059*62c56f98SSadaf Ebrahimi
2060*62c56f98SSadaf Ebrahimi #ifdef __cplusplus
2061*62c56f98SSadaf Ebrahimi }
2062*62c56f98SSadaf Ebrahimi #endif
2063*62c56f98SSadaf Ebrahimi
2064*62c56f98SSadaf Ebrahimi #endif /* PSA_CRYPTO_EXTRA_H */
2065