Add the Labs projects provided in the V10.2.1_191129 zip file.

[freertos] / FreeRTOS-Labs / Source / mbedtls / include / mbedtls / ecjpake.h

/**\r
 * \file ecjpake.h\r
 *\r
 * \brief Elliptic curve J-PAKE\r
 */\r
/*\r
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved\r
 *  SPDX-License-Identifier: Apache-2.0\r
 *\r
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\r
 *  not use this file except in compliance with the License.\r
 *  You may obtain a copy of the License at\r
 *\r
 *  http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 *  Unless required by applicable law or agreed to in writing, software\r
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\r
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 *  See the License for the specific language governing permissions and\r
 *  limitations under the License.\r
 *\r
 *  This file is part of mbed TLS (https://tls.mbed.org)\r
 */\r
#ifndef MBEDTLS_ECJPAKE_H\r
#define MBEDTLS_ECJPAKE_H\r
\r
/*\r
 * J-PAKE is a password-authenticated key exchange that allows deriving a\r
 * strong shared secret from a (potentially low entropy) pre-shared\r
 * passphrase, with forward secrecy and mutual authentication.\r
 * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling\r
 *\r
 * This file implements the Elliptic Curve variant of J-PAKE,\r
 * as defined in Chapter 7.4 of the Thread v1.0 Specification,\r
 * available to members of the Thread Group http://threadgroup.org/\r
 *\r
 * As the J-PAKE algorithm is inherently symmetric, so is our API.\r
 * Each party needs to send its first round message, in any order, to the\r
 * other party, then each sends its second round message, in any order.\r
 * The payloads are serialized in a way suitable for use in TLS, but could\r
 * also be use outside TLS.\r
 */\r
#if !defined(MBEDTLS_CONFIG_FILE)\r
#include "config.h"\r
#else\r
#include MBEDTLS_CONFIG_FILE\r
#endif\r
\r
#include "ecp.h"\r
#include "md.h"\r
\r
#ifdef __cplusplus\r
extern "C" {\r
#endif\r
\r
/**\r
 * Roles in the EC J-PAKE exchange\r
 */\r
typedef enum {\r
    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */\r
    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */\r
} mbedtls_ecjpake_role;\r
\r
#if !defined(MBEDTLS_ECJPAKE_ALT)\r
/**\r
 * EC J-PAKE context structure.\r
 *\r
 * J-PAKE is a symmetric protocol, except for the identifiers used in\r
 * Zero-Knowledge Proofs, and the serialization of the second message\r
 * (KeyExchange) as defined by the Thread spec.\r
 *\r
 * In order to benefit from this symmetry, we choose a different naming\r
 * convetion from the Thread v1.0 spec. Correspondance is indicated in the\r
 * description as a pair C: client name, S: server name\r
 */\r
typedef struct mbedtls_ecjpake_context\r
{\r
    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */\r
    mbedtls_ecp_group grp;              /**< Elliptic curve                 */\r
    mbedtls_ecjpake_role role;          /**< Are we client or server?       */\r
    int point_format;                   /**< Format for point export        */\r
\r
    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */\r
    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */\r
    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */\r
    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */\r
    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */\r
\r
    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */\r
    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */\r
\r
    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */\r
} mbedtls_ecjpake_context;\r
\r
#else  /* MBEDTLS_ECJPAKE_ALT */\r
#include "ecjpake_alt.h"\r
#endif /* MBEDTLS_ECJPAKE_ALT */\r
\r
/**\r
 * \brief           Initialize an ECJPAKE context.\r
 *\r
 * \param ctx       The ECJPAKE context to initialize.\r
 *                  This must not be \c NULL.\r
 */\r
void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );\r
\r
/**\r
 * \brief           Set up an ECJPAKE context for use.\r
 *\r
 * \note            Currently the only values for hash/curve allowed by the\r
 *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.\r
 *\r
 * \param ctx       The ECJPAKE context to set up. This must be initialized.\r
 * \param role      The role of the caller. This must be either\r
 *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.\r
 * \param hash      The identifier of the hash function to use,\r
 *                  for example #MBEDTLS_MD_SHA256.\r
 * \param curve     The identifier of the elliptic curve to use,\r
 *                  for example #MBEDTLS_ECP_DP_SECP256R1.\r
 * \param secret    The pre-shared secret (passphrase). This must be\r
 *                  a readable buffer of length \p len Bytes. It need\r
 *                  only be valid for the duration of this call.\r
 * \param len       The length of the pre-shared secret \p secret.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,\r
                           mbedtls_ecjpake_role role,\r
                           mbedtls_md_type_t hash,\r
                           mbedtls_ecp_group_id curve,\r
                           const unsigned char *secret,\r
                           size_t len );\r
\r
/**\r
 * \brief           Check if an ECJPAKE context is ready for use.\r
 *\r
 * \param ctx       The ECJPAKE context to check. This must be\r
 *                  initialized.\r
 *\r
 * \return          \c 0 if the context is ready for use.\r
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.\r
 */\r
int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );\r
\r
/**\r
 * \brief           Generate and write the first round message\r
 *                  (TLS: contents of the Client/ServerHello extension,\r
 *                  excluding extension type and length bytes).\r
 *\r
 * \param ctx       The ECJPAKE context to use. This must be\r
 *                  initialized and set up.\r
 * \param buf       The buffer to write the contents to. This must be a\r
 *                  writable buffer of length \p len Bytes.\r
 * \param len       The length of \p buf in Bytes.\r
 * \param olen      The address at which to store the total number\r
 *                  of Bytes written to \p buf. This must not be \c NULL.\r
 * \param f_rng     The RNG function to use. This must not be \c NULL.\r
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This\r
 *                  may be \c NULL if \p f_rng doesn't use a context.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,\r
                            unsigned char *buf, size_t len, size_t *olen,\r
                            int (*f_rng)(void *, unsigned char *, size_t),\r
                            void *p_rng );\r
\r
/**\r
 * \brief           Read and process the first round message\r
 *                  (TLS: contents of the Client/ServerHello extension,\r
 *                  excluding extension type and length bytes).\r
 *\r
 * \param ctx       The ECJPAKE context to use. This must be initialized\r
 *                  and set up.\r
 * \param buf       The buffer holding the first round message. This must\r
 *                  be a readable buffer of length \p len Bytes.\r
 * \param len       The length in Bytes of \p buf.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,\r
                                    const unsigned char *buf,\r
                                    size_t len );\r
\r
/**\r
 * \brief           Generate and write the second round message\r
 *                  (TLS: contents of the Client/ServerKeyExchange).\r
 *\r
 * \param ctx       The ECJPAKE context to use. This must be initialized,\r
 *                  set up, and already have performed round one.\r
 * \param buf       The buffer to write the round two contents to.\r
 *                  This must be a writable buffer of length \p len Bytes.\r
 * \param len       The size of \p buf in Bytes.\r
 * \param olen      The address at which to store the total number of Bytes\r
 *                  written to \p buf. This must not be \c NULL.\r
 * \param f_rng     The RNG function to use. This must not be \c NULL.\r
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This\r
 *                  may be \c NULL if \p f_rng doesn't use a context.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,\r
                            unsigned char *buf, size_t len, size_t *olen,\r
                            int (*f_rng)(void *, unsigned char *, size_t),\r
                            void *p_rng );\r
\r
/**\r
 * \brief           Read and process the second round message\r
 *                  (TLS: contents of the Client/ServerKeyExchange).\r
 *\r
 * \param ctx       The ECJPAKE context to use. This must be initialized\r
 *                  and set up and already have performed round one.\r
 * \param buf       The buffer holding the second round message. This must\r
 *                  be a readable buffer of length \p len Bytes.\r
 * \param len       The length in Bytes of \p buf.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,\r
                                    const unsigned char *buf,\r
                                    size_t len );\r
\r
/**\r
 * \brief           Derive the shared secret\r
 *                  (TLS: Pre-Master Secret).\r
 *\r
 * \param ctx       The ECJPAKE context to use. This must be initialized,\r
 *                  set up and have performed both round one and two.\r
 * \param buf       The buffer to write the derived secret to. This must\r
 *                  be a writable buffer of length \p len Bytes.\r
 * \param len       The length of \p buf in Bytes.\r
 * \param olen      The address at which to store the total number of Bytes\r
 *                  written to \p buf. This must not be \c NULL.\r
 * \param f_rng     The RNG function to use. This must not be \c NULL.\r
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This\r
 *                  may be \c NULL if \p f_rng doesn't use a context.\r
 *\r
 * \return          \c 0 if successful.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,\r
                            unsigned char *buf, size_t len, size_t *olen,\r
                            int (*f_rng)(void *, unsigned char *, size_t),\r
                            void *p_rng );\r
\r
/**\r
 * \brief           This clears an ECJPAKE context and frees any\r
 *                  embedded data structure.\r
 *\r
 * \param ctx       The ECJPAKE context to free. This may be \c NULL,\r
 *                  in which case this function does nothing. If it is not\r
 *                  \c NULL, it must point to an initialized ECJPAKE context.\r
 */\r
void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );\r
\r
#if defined(MBEDTLS_SELF_TEST)\r
\r
/**\r
 * \brief          Checkup routine\r
 *\r
 * \return         0 if successful, or 1 if a test failed\r
 */\r
int mbedtls_ecjpake_self_test( int verbose );\r
\r
#endif /* MBEDTLS_SELF_TEST */\r
\r
#ifdef __cplusplus\r
}\r
#endif\r
\r
\r
#endif /* ecjpake.h */\r