Mbed TLS v3.6.1
|
Macros | |
#define | PSA_PAKE_ROLE_NONE ((psa_pake_role_t) 0x00) |
#define | PSA_PAKE_ROLE_FIRST ((psa_pake_role_t) 0x01) |
#define | PSA_PAKE_ROLE_SECOND ((psa_pake_role_t) 0x02) |
#define | PSA_PAKE_ROLE_CLIENT ((psa_pake_role_t) 0x11) |
#define | PSA_PAKE_ROLE_SERVER ((psa_pake_role_t) 0x12) |
#define | PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t) 0x01) |
#define | PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t) 0x02) |
#define | PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) |
#define | PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t) 0x01) |
#define | PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t) 0x02) |
#define | PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t) 0x03) |
Typedefs | |
typedef uint8_t | psa_pake_role_t |
Encoding of the application role of PAKE. | |
typedef uint8_t | psa_pake_step_t |
typedef uint8_t | psa_pake_primitive_type_t |
typedef uint8_t | psa_pake_family_t |
Encoding of the family of the primitive associated with the PAKE. | |
typedef uint32_t | psa_pake_primitive_t |
Encoding of the primitive associated with the PAKE. | |
typedef struct psa_pake_cipher_suite_s | psa_pake_cipher_suite_t |
typedef struct psa_pake_operation_s | psa_pake_operation_t |
typedef struct psa_crypto_driver_pake_inputs_s | psa_crypto_driver_pake_inputs_t |
typedef struct psa_jpake_computation_stage_s | psa_jpake_computation_stage_t |
This is a proposed PAKE interface for the PSA Crypto API. It is not part of the official PSA Crypto API yet.
#define PSA_PAKE_PRIMITIVE | ( | pake_type, | |
pake_family, | |||
pake_bits | |||
) |
Construct a PAKE primitive from type, family and bit-size.
pake_type | The type of the primitive (value of type psa_pake_primitive_type_t). |
pake_family | The family of the primitive (the type and interpretation of this parameter depends on pake_type , for more information consult the documentation of individual psa_pake_primitive_type_t constants). |
pake_bits | The bit-size of the primitive (Value of type size_t . The interpretation of this parameter depends on pake_family , for more information consult the documentation of individual psa_pake_primitive_type_t constants). |
Definition at line 859 of file crypto_extra.h.
#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t) 0x02) |
The PAKE primitive type indicating the use of Diffie-Hellman groups.
The values of the family
and bits
fields of the cipher suite identify a specific Diffie-Hellman group, using the same mapping that is used for Diffie-Hellman (psa_dh_family_t) keys.
(Here family
means the value returned by psa_pake_cs_get_family() and bits
means the value returned by psa_pake_cs_get_bits().)
Input and output during the operation can involve group elements and scalar values:
Definition at line 838 of file crypto_extra.h.
#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t) 0x01) |
The PAKE primitive type indicating the use of elliptic curves.
The values of the family
and bits
fields of the cipher suite identify a specific elliptic curve, using the same mapping that is used for ECC (psa_ecc_family_t) keys.
(Here family
means the value returned by psa_pake_cs_get_family() and bits
means the value returned by psa_pake_cs_get_bits().)
Input and output during the operation can involve group elements and scalar values:
Definition at line 818 of file crypto_extra.h.
#define PSA_PAKE_ROLE_CLIENT ((psa_pake_role_t) 0x11) |
The client in an augmented PAKE.
Augmented PAKE algorithms need to differentiate between client and server.
Definition at line 792 of file crypto_extra.h.
#define PSA_PAKE_ROLE_FIRST ((psa_pake_role_t) 0x01) |
The first peer in a balanced PAKE.
Although balanced PAKE algorithms are symmetric, some of them needs an ordering of peers for the transcript calculations. If the algorithm does not need this, both PSA_PAKE_ROLE_FIRST and PSA_PAKE_ROLE_SECOND are accepted.
Definition at line 777 of file crypto_extra.h.
#define PSA_PAKE_ROLE_NONE ((psa_pake_role_t) 0x00) |
A value to indicate no role in a PAKE algorithm. This value can be used in a call to psa_pake_set_role() for symmetric PAKE algorithms which do not assign roles.
Definition at line 768 of file crypto_extra.h.
#define PSA_PAKE_ROLE_SECOND ((psa_pake_role_t) 0x02) |
The second peer in a balanced PAKE.
Although balanced PAKE algorithms are symmetric, some of them needs an ordering of peers for the transcript calculations. If the algorithm does not need this, either PSA_PAKE_ROLE_FIRST or PSA_PAKE_ROLE_SECOND are accepted.
Definition at line 786 of file crypto_extra.h.
#define PSA_PAKE_ROLE_SERVER ((psa_pake_role_t) 0x12) |
The server in an augmented PAKE.
Augmented PAKE algorithms need to differentiate between client and server.
Definition at line 798 of file crypto_extra.h.
#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t) 0x01) |
The key share being sent to or received from the peer.
The format for both input and output at this step is the same as for public keys on the group determined by the primitive (psa_pake_primitive_t) would be.
For more information on the format, consult the documentation of psa_export_public_key().
For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.
Definition at line 876 of file crypto_extra.h.
#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t) 0x03) |
A Schnorr NIZKP proof.
This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the value denoted by the letter 'r' in RFC 8235).
Both for input and output, the value at this step is an integer less than the order of the group selected in the cipher suite. The format depends on the group as well:
In both cases leading zeroes are allowed as long as the length in bytes does not exceed the byte length of the group order.
For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.
Definition at line 914 of file crypto_extra.h.
#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t) 0x02) |
A Schnorr NIZKP public key.
This is the ephemeral public key in the Schnorr Non-Interactive Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
The format for both input and output at this step is the same as for public keys on the group determined by the primitive (psa_pake_primitive_t) would be.
For more information on the format, consult the documentation of psa_export_public_key().
For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.
Definition at line 893 of file crypto_extra.h.
typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t |
The type of input values for PAKE operations.
Definition at line 1052 of file crypto_extra.h.
typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t |
The type of computation stage for J-PAKE operations.
Definition at line 1055 of file crypto_extra.h.
typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t |
The type of the data structure for PAKE cipher suites.
This is an implementation-defined struct
. Applications should not make any assumptions about the content of this structure. Implementation details can change in future versions without notice.
Definition at line 922 of file crypto_extra.h.
typedef uint8_t psa_pake_family_t |
Encoding of the family of the primitive associated with the PAKE.
For more information see the documentation of individual PSA_PAKE_PRIMITIVE_TYPE_XXX
constants.
Definition at line 756 of file crypto_extra.h.
typedef struct psa_pake_operation_s psa_pake_operation_t |
The type of the state data structure for PAKE operations.
Before calling any function on a PAKE operation object, the application must initialize it by any of the following means:
This is an implementation-defined struct
. Applications should not make any assumptions about the content of this structure. Implementation details can change in future versions without notice.
Definition at line 1049 of file crypto_extra.h.
typedef uint32_t psa_pake_primitive_t |
Encoding of the primitive associated with the PAKE.
For more information see the documentation of the PSA_PAKE_PRIMITIVE macro.
Definition at line 762 of file crypto_extra.h.
typedef uint8_t psa_pake_primitive_type_t |
Encoding of the type of the PAKE's primitive.
Values defined by this standard will never be in the range 0x80-0xff. Vendors who define additional types must use an encoding in this range.
For more information see the documentation of individual PSA_PAKE_PRIMITIVE_TYPE_XXX
constants.
Definition at line 749 of file crypto_extra.h.
typedef uint8_t psa_pake_role_t |
Encoding of the application role of PAKE.
Encodes the application's role in the algorithm is being executed. For more information see the documentation of individual PSA_PAKE_ROLE_XXX
constants.
Definition at line 731 of file crypto_extra.h.
typedef uint8_t psa_pake_step_t |
Encoding of input and output indicators for PAKE.
Some PAKE algorithms need to exchange more data than just a single key share. This type is for encoding additional input and output data for such algorithms.
Definition at line 739 of file crypto_extra.h.
psa_status_t psa_crypto_driver_pake_get_cipher_suite | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
psa_pake_cipher_suite_t * | cipher_suite | ||
) |
Get the cipher suite from given inputs.
[in] | inputs | Operation inputs. |
[out] | cipher_suite | Return buffer for role. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | Cipher_suite hasn't been set yet. |
psa_status_t psa_crypto_driver_pake_get_password | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
uint8_t * | buffer, | ||
size_t | buffer_size, | ||
size_t * | buffer_length | ||
) |
Get the password from given inputs.
[in] | inputs | Operation inputs. |
[out] | buffer | Return buffer for password. |
buffer_size | Size of the return buffer in bytes. | |
[out] | buffer_length | Actual size of the password in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | Password hasn't been set yet. |
psa_status_t psa_crypto_driver_pake_get_password_len | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
size_t * | password_len | ||
) |
Get the length of the password in bytes from given inputs.
[in] | inputs | Operation inputs. |
[out] | password_len | Password length. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | Password hasn't been set yet. |
psa_status_t psa_crypto_driver_pake_get_peer | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
uint8_t * | peer_id, | ||
size_t | peer_id_size, | ||
size_t * | peer_id_length | ||
) |
Get the peer id from given inputs.
[in] | inputs | Operation inputs. |
[out] | peer_id | Peer id. |
peer_id_size | Size of peer_id in bytes. | |
[out] | peer_id_length | Size of the peer id in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | Peer id hasn't been set yet. |
PSA_ERROR_BUFFER_TOO_SMALL | The size of the peer_id is too small. |
psa_status_t psa_crypto_driver_pake_get_peer_len | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
size_t * | peer_len | ||
) |
Get the length of the peer id in bytes from given inputs.
[in] | inputs | Operation inputs. |
[out] | peer_len | Peer id length. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | Peer id hasn't been set yet. |
psa_status_t psa_crypto_driver_pake_get_user | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
uint8_t * | user_id, | ||
size_t | user_id_size, | ||
size_t * | user_id_len | ||
) |
Get the user id from given inputs.
[in] | inputs | Operation inputs. |
[out] | user_id | User id. |
user_id_size | Size of user_id in bytes. | |
[out] | user_id_len | Size of the user id in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | User id hasn't been set yet. |
PSA_ERROR_BUFFER_TOO_SMALL | The size of the user_id is too small. |
psa_status_t psa_crypto_driver_pake_get_user_len | ( | const psa_crypto_driver_pake_inputs_t * | inputs, |
size_t * | user_len | ||
) |
Get the length of the user id in bytes from given inputs.
[in] | inputs | Operation inputs. |
[out] | user_len | User id length. |
PSA_SUCCESS | Success. |
PSA_ERROR_BAD_STATE | User id hasn't been set yet. |
psa_status_t psa_pake_abort | ( | psa_pake_operation_t * | operation | ) |
Abort a PAKE operation.
Aborting an operation frees all associated resources except for the operation
structure itself. Once aborted, the operation object can be reused for another operation by calling psa_pake_setup() again.
This function may be called at any time after the operation object has been initialized as described in psa_pake_operation_t.
In particular, calling psa_pake_abort() after the operation has been terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() is safe and has no effect.
[in,out] | operation | The operation to abort. |
PSA_SUCCESS | Success. |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_BAD_STATE | The library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
|
inlinestatic |
Return an initial value for a PAKE cipher suite object.
Definition at line 1875 of file crypto_extra.h.
References PSA_PAKE_CIPHER_SUITE_INIT.
|
inlinestatic |
Retrieve the PAKE algorithm from a PAKE cipher suite.
[in] | cipher_suite | The cipher suite structure to query. |
Definition at line 1726 of file crypto_extra.h.
References psa_pake_cipher_suite_s::algorithm.
|
inlinestatic |
Retrieve the PAKE primitive bit-size from a PAKE cipher suite.
[in] | cipher_suite | The cipher suite structure to query. |
Definition at line 1765 of file crypto_extra.h.
References psa_pake_cipher_suite_s::bits.
|
inlinestatic |
Retrieve the PAKE family from a PAKE cipher suite.
[in] | cipher_suite | The cipher suite structure to query. |
Definition at line 1759 of file crypto_extra.h.
References psa_pake_cipher_suite_s::family.
|
inlinestatic |
Retrieve the hash algorithm from a PAKE cipher suite.
[in] | cipher_suite | The cipher suite structure to query. |
Definition at line 1771 of file crypto_extra.h.
References psa_pake_cipher_suite_s::hash.
|
inlinestatic |
Retrieve the primitive from a PAKE cipher suite.
[in] | cipher_suite | The cipher suite structure to query. |
Definition at line 1743 of file crypto_extra.h.
References psa_pake_cipher_suite_s::bits, psa_pake_cipher_suite_s::family, PSA_PAKE_PRIMITIVE, and psa_pake_cipher_suite_s::type.
|
inlinestatic |
Declare the PAKE algorithm for the cipher suite.
This function overwrites any PAKE algorithm previously set in cipher_suite
.
[out] | cipher_suite | The cipher suite structure to write to. |
algorithm | The PAKE algorithm to write. (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg ) is true.) If this is 0, the PAKE algorithm in cipher_suite becomes unspecified. |
Definition at line 1732 of file crypto_extra.h.
References psa_pake_cipher_suite_s::algorithm, and PSA_ALG_IS_PAKE.
|
inlinestatic |
Declare the hash algorithm for a PAKE cipher suite.
This function overwrites any hash algorithm previously set in cipher_suite
.
Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
[out] | cipher_suite | The cipher suite structure to write to. |
hash | The hash involved in the cipher suite. (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_HASH(alg ) is true.) If this is 0, the hash algorithm in cipher_suite becomes unspecified. |
Definition at line 1777 of file crypto_extra.h.
References psa_pake_cipher_suite_s::hash, and PSA_ALG_IS_HASH.
|
inlinestatic |
Declare the primitive for a PAKE cipher suite.
This function overwrites any primitive previously set in cipher_suite
.
[out] | cipher_suite | The cipher suite structure to write to. |
primitive | The primitive to write. If this is 0, the primitive type in cipher_suite becomes unspecified. |
Definition at line 1750 of file crypto_extra.h.
References psa_pake_cipher_suite_s::bits, psa_pake_cipher_suite_s::family, and psa_pake_cipher_suite_s::type.
psa_status_t psa_pake_get_implicit_key | ( | psa_pake_operation_t * | operation, |
psa_key_derivation_operation_t * | output | ||
) |
Get implicitly confirmed shared secret from a PAKE.
At this point there is a cryptographic guarantee that only the authenticated party who used the same password is able to compute the key. But there is no guarantee that the peer is the party it claims to be and was able to do so.
That is, the authentication is only implicit. Since the peer is not authenticated yet, no action should be taken yet that assumes that the peer is who it claims to be. For example, do not access restricted files on the peer's behalf until an explicit authentication has succeeded.
This function can be called after the key exchange phase of the operation has completed. It imports the shared secret output of the PAKE into the provided derivation operation. The input step PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key material in the key derivation operation.
The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
When this function returns successfully, operation
becomes inactive. If this function returns an error status, both operation
and key_derivation
operations enter an error state and must be aborted by calling psa_pake_abort() and psa_key_derivation_abort() respectively.
[in,out] | operation | Active PAKE operation. |
[out] | output | A key derivation operation that is ready for an input step of type PSA_KEY_DERIVATION_INPUT_SECRET. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_ARGUMENT | PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the algorithm in the output key derivation operation. |
PSA_ERROR_NOT_SUPPORTED | Input from a PAKE is not supported by the algorithm in the output key derivation operation. |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_STORAGE_FAILURE | |
PSA_ERROR_DATA_CORRUPT | |
PSA_ERROR_DATA_INVALID | |
PSA_ERROR_BAD_STATE | The PAKE operation state is not valid (it must be active, but beyond that validity is specific to the algorithm), or the library has not been previously initialized by psa_crypto_init(), or the state of output is not valid for the PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the step is out of order or the application has done this step already and it may not be repeated. It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_input | ( | psa_pake_operation_t * | operation, |
psa_pake_step_t | step, | ||
const uint8_t * | input, | ||
size_t | input_length | ||
) |
Provide input for a step of a password-authenticated key exchange.
Depending on the algorithm being executed, you might need to call this function several times or you might not need to call this at all.
The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_pake_abort().
[in,out] | operation | Active PAKE operation. |
step | The step for which the input is provided. | |
[in] | input | Buffer containing the input in the format appropriate for this step . Refer to the documentation of the individual PSA_PAKE_STEP_XXX constants for more information. |
input_length | Size of the input buffer in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_SIGNATURE | The verification fails for a PSA_PAKE_STEP_ZK_PROOF input step. |
PSA_ERROR_INVALID_ARGUMENT | input_length is not compatible with the operation’s algorithm, or the input is not valid for the operation's algorithm, cipher suite or step . |
PSA_ERROR_NOT_SUPPORTED | step p is not supported with the operation's algorithm, or the input is not supported for the operation's algorithm, cipher suite or step . |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_STORAGE_FAILURE | |
PSA_ERROR_DATA_CORRUPT | |
PSA_ERROR_DATA_INVALID | |
PSA_ERROR_BAD_STATE | The operation state is not valid (it must be active, and fully set up, and this call must conform to the algorithm's requirements for ordering of input and output steps), or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
|
inlinestatic |
Return an initial value for a PAKE operation object.
Definition at line 1881 of file crypto_extra.h.
References PSA_PAKE_OPERATION_INIT.
psa_status_t psa_pake_output | ( | psa_pake_operation_t * | operation, |
psa_pake_step_t | step, | ||
uint8_t * | output, | ||
size_t | output_size, | ||
size_t * | output_length | ||
) |
Get output for a step of a password-authenticated key exchange.
Depending on the algorithm being executed, you might need to call this function several times or you might not need to call this at all.
The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_pake_abort().
[in,out] | operation | Active PAKE operation. |
step | The step of the algorithm for which the output is requested. | |
[out] | output | Buffer where the output is to be written in the format appropriate for this step . Refer to the documentation of the individual PSA_PAKE_STEP_XXX constants for more information. |
output_size | Size of the output buffer in bytes. This must be at least PSA_PAKE_OUTPUT_SIZE(alg , primitive , output_step ) where alg and primitive are the PAKE algorithm and primitive in the operation's cipher suite, and step is the output step. | |
[out] | output_length | On success, the number of bytes of the returned output. |
PSA_SUCCESS | Success. |
PSA_ERROR_BUFFER_TOO_SMALL | The size of the output buffer is too small. |
PSA_ERROR_INVALID_ARGUMENT | step is not compatible with the operation's algorithm. |
PSA_ERROR_NOT_SUPPORTED | step is not supported with the operation's algorithm. |
PSA_ERROR_INSUFFICIENT_ENTROPY | |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_STORAGE_FAILURE | |
PSA_ERROR_DATA_CORRUPT | |
PSA_ERROR_DATA_INVALID | |
PSA_ERROR_BAD_STATE | The operation state is not valid (it must be active, and fully set up, and this call must conform to the algorithm's requirements for ordering of input and output steps), or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_set_password_key | ( | psa_pake_operation_t * | operation, |
mbedtls_svc_key_id_t | password | ||
) |
Set the password for a password-authenticated key exchange from key ID.
Call this function when the password, or a value derived from the password, is already present in the key store.
[in,out] | operation | The operation object to set the password for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the password hasn't been set yet (psa_pake_set_password_key() hasn't been called yet). |
password | Identifier of the key holding the password or a value derived from the password (eg. by a memory-hard function). It must remain valid until the operation terminates. It must be of type PSA_KEY_TYPE_PASSWORD or PSA_KEY_TYPE_PASSWORD_HASH. It has to allow the usage PSA_KEY_USAGE_DERIVE. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_HANDLE | password is not a valid key identifier. |
PSA_ERROR_NOT_PERMITTED | The key does not have the PSA_KEY_USAGE_DERIVE flag, or it does not permit the operation's algorithm. |
PSA_ERROR_INVALID_ARGUMENT | The key type for password is not PSA_KEY_TYPE_PASSWORD or PSA_KEY_TYPE_PASSWORD_HASH, or password is not compatible with the operation's cipher suite. |
PSA_ERROR_NOT_SUPPORTED | The key type or key size of password is not supported with the operation's cipher suite. |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_STORAGE_FAILURE | |
PSA_ERROR_DATA_CORRUPT | |
PSA_ERROR_DATA_INVALID | |
PSA_ERROR_BAD_STATE | The operation state is not valid (it must have been set up.), or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_set_peer | ( | psa_pake_operation_t * | operation, |
const uint8_t * | peer_id, | ||
size_t | peer_id_len | ||
) |
Set the peer ID for a password-authenticated key exchange.
Call this function in addition to psa_pake_set_user() for PAKE algorithms that associate a user identifier with each side of the session. For PAKE algorithms that associate a single user identifier with the session, call psa_pake_set_user() only.
Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
[in,out] | operation | The operation object to set the peer ID for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the peer ID hasn't been set (psa_pake_set_peer() hasn't been called yet). |
[in] | peer_id | The peer's ID to authenticate. |
peer_id_len | Size of the peer_id buffer in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_ARGUMENT | peer_id is not valid for the operation's algorithm and cipher suite. |
PSA_ERROR_NOT_SUPPORTED | The algorithm doesn't associate a second identity with the session. |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_BAD_STATE | Calling psa_pake_set_peer() is invalid with the operation's algorithm, the operation state is not valid, or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_set_role | ( | psa_pake_operation_t * | operation, |
psa_pake_role_t | role | ||
) |
Set the application role for a password-authenticated key exchange.
Not all PAKE algorithms need to differentiate the communicating entities. It is optional to call this function for PAKEs that don't require a role to be specified. For such PAKEs the application role parameter is ignored, or PSA_PAKE_ROLE_NONE can be passed as role
.
Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
[in,out] | operation | The operation object to specify the application's role for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the application's role hasn't been specified (psa_pake_set_role() hasn't been called yet). |
role | A value of type psa_pake_role_t indicating the application's role in the PAKE the algorithm that is being set up. For more information see the documentation of PSA_PAKE_ROLE_XXX constants. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_ARGUMENT | The role is not a valid PAKE role in the operation’s algorithm. |
PSA_ERROR_NOT_SUPPORTED | The role for this algorithm is not supported or is not valid. |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_BAD_STATE | The operation state is not valid, or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_set_user | ( | psa_pake_operation_t * | operation, |
const uint8_t * | user_id, | ||
size_t | user_id_len | ||
) |
Set the user ID for a password-authenticated key exchange.
Call this function to set the user ID. For PAKE algorithms that associate a user identifier with each side of the session you need to call psa_pake_set_peer() as well. For PAKE algorithms that associate a single user identifier with the session, call psa_pake_set_user() only.
Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
[in,out] | operation | The operation object to set the user ID for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the user ID hasn't been set (psa_pake_set_user() hasn't been called yet). |
[in] | user_id | The user ID to authenticate with. |
user_id_len | Size of the user_id buffer in bytes. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_ARGUMENT | user_id is not valid for the operation's algorithm and cipher suite. |
PSA_ERROR_NOT_SUPPORTED | The value of user_id is not supported by the implementation. |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_BAD_STATE | The operation state is not valid, or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
psa_status_t psa_pake_setup | ( | psa_pake_operation_t * | operation, |
const psa_pake_cipher_suite_t * | cipher_suite | ||
) |
Set the session information for a password-authenticated key exchange.
The sequence of operations to set up a password-authenticated key exchange is as follows:
psa_pake_set_xxx()
functions on the operation to complete the setup. The exact sequence of psa_pake_set_xxx()
functions that needs to be called depends on the algorithm in use.Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
A typical sequence of calls to perform a password-authenticated key exchange:
Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX
values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg
) is true) for more information.
If an error occurs at any step after a call to psa_pake_setup(), the operation will need to be reset by a call to psa_pake_abort(). The application may call psa_pake_abort() at any time after the operation has been initialized.
After a successful call to psa_pake_setup(), the application must eventually terminate the operation. The following events terminate an operation:
[in,out] | operation | The operation object to set up. It must have been initialized but not set up yet. |
[in] | cipher_suite | The cipher suite to use. (A cipher suite fully characterizes a PAKE algorithm and determines the algorithm as well.) |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_ARGUMENT | The algorithm in cipher_suite is not a PAKE algorithm, or the PAKE primitive in cipher_suite is not compatible with the PAKE algorithm, or the hash algorithm in cipher_suite is invalid or not compatible with the PAKE algorithm and primitive. |
PSA_ERROR_NOT_SUPPORTED | The algorithm in cipher_suite is not a supported PAKE algorithm, or the PAKE primitive in cipher_suite is not supported or not compatible with the PAKE algorithm, or the hash algorithm in cipher_suite is not supported or not compatible with the PAKE algorithm and primitive. |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_CORRUPTION_DETECTED | |
PSA_ERROR_BAD_STATE | The operation state is not valid, or the library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |