mbed TLS v3.1.0
Macros | Typedefs | Functions
Password-authenticated key exchange (PAKE)

Macros

#define PSA_PAKE_SIDE_FIRST   ((psa_pake_side_t)0x01)
 
#define PSA_PAKE_SIDE_SECOND   ((psa_pake_side_t)0x02)
 
#define PSA_PAKE_SIDE_CLIENT   ((psa_pake_side_t)0x11)
 
#define PSA_PAKE_SIDE_SERVER   ((psa_pake_side_t)0x12)
 
#define PSA_PAKE_PRIMITIVE_TYPE_ECC   ((psa_pake_primitive_type_t)0x01)
 
#define PSA_PAKE_PRIMITIVE_TYPE_DH   ((psa_pake_primitive_type_t)0x02)
 
#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits)
 
#define PSA_PAKE_STEP_KEY_SHARE   ((psa_pake_step_t)0x01)
 
#define PSA_PAKE_STEP_ZK_PUBLIC   ((psa_pake_step_t)0x02)
 
#define PSA_PAKE_STEP_ZK_PROOF   ((psa_pake_step_t)0x03)
 

Typedefs

typedef uint8_t psa_pake_side_t
 Encoding of the side of PAKE. More...
 
typedef uint8_t psa_pake_step_t
 
typedef uint8_t psa_pake_primitive_type_t
 
typedef uint8_t psa_pake_family_t
 Encoding of the family of the primitive associated with the PAKE. More...
 
typedef uint32_t psa_pake_primitive_t
 Encoding of the primitive associated with the PAKE. More...
 
typedef struct
psa_pake_cipher_suite_s 
psa_pake_cipher_suite_t
 
typedef struct psa_pake_operation_s psa_pake_operation_t
 

Functions

static psa_algorithm_t psa_pake_cs_get_algorithm (const psa_pake_cipher_suite_t *cipher_suite)
 
static void psa_pake_cs_set_algorithm (psa_pake_cipher_suite_t *cipher_suite, psa_algorithm_t algorithm)
 
static psa_pake_primitive_t psa_pake_cs_get_primitive (const psa_pake_cipher_suite_t *cipher_suite)
 
static void psa_pake_cs_set_primitive (psa_pake_cipher_suite_t *cipher_suite, psa_pake_primitive_t primitive)
 
static psa_algorithm_t psa_pake_cs_get_hash (const psa_pake_cipher_suite_t *cipher_suite)
 
static void psa_pake_cs_set_hash (psa_pake_cipher_suite_t *cipher_suite, psa_algorithm_t hash)
 
static psa_pake_operation_t psa_pake_operation_init (void)
 
psa_status_t psa_pake_setup (psa_pake_operation_t *operation, psa_pake_cipher_suite_t cipher_suite)
 
psa_status_t psa_pake_set_password_key (psa_pake_operation_t *operation, mbedtls_svc_key_id_t password)
 
psa_status_t psa_pake_set_user (psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len)
 
psa_status_t psa_pake_set_peer (psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len)
 
psa_status_t psa_pake_set_side (psa_pake_operation_t *operation, psa_pake_side_t side)
 
psa_status_t psa_pake_output (psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length)
 
psa_status_t psa_pake_input (psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *input, size_t input_length)
 
psa_status_t psa_pake_get_implicit_key (psa_pake_operation_t *operation, psa_key_derivation_operation_t *output)
 

Detailed Description

This is a proposed PAKE interface for the PSA Crypto API. It is not part of the official PSA Crypto API yet.

Note
The content of this section is not part of the stable API and ABI of Mbed Crypto and may change arbitrarily from version to version. Same holds for the corresponding macros PSA_ALG_CATEGORY_PAKE and PSA_ALG_JPAKE.

Macro Definition Documentation

#define PSA_PAKE_PRIMITIVE (   pake_type,
  pake_family,
  pake_bits 
)
Value:
((pake_bits & 0xFFFF) != pake_bits) ? 0 : \
((psa_pake_primitive_t) (((pake_type) << 24 | \
(pake_family) << 16) | (pake_bits)))
uint32_t psa_pake_primitive_t
Encoding of the primitive associated with the PAKE.

Construct a PAKE primitive from type, family and bit-size.

Parameters
pake_typeThe type of the primitive (value of type psa_pake_primitive_type_t).
pake_familyThe family of the primitive (the type and interpretation of this parameter depends on type, for more information consult the documentation of individual psa_pake_primitive_type_t constants).
pake_bitsThe bit-size of the primitive (Value of type size_t. The interpretation of this parameter depends on family, for more information consult the documentation of individual psa_pake_primitive_type_t constants).
Returns
The constructed primitive value of type psa_pake_primitive_t. Return 0 if the requested primitive can't be encoded as psa_pake_primitive_t.

Definition at line 1094 of file crypto_extra.h.

Referenced by psa_pake_cs_get_primitive().

#define PSA_PAKE_PRIMITIVE_TYPE_DH   ((psa_pake_primitive_type_t)0x02)

The PAKE primitive type indicating the use of Diffie-Hellman groups.

The values of the family and bits fields of the cipher suite identify a specific Diffie-Hellman group, using the same mapping that is used for Diffie-Hellman (psa_dh_family_t) keys.

(Here family means the value returned by psa_pake_cs_get_family() and bits means the value returned by psa_pake_cs_get_bits().)

Input and output during the operation can involve group elements and scalar values:

  1. The format for group elements is the same as for public keys on the specific group would be. For more information, consult the documentation of psa_export_public_key().
  2. The format for scalars is the same as for private keys on the specific group would be. For more information, consult the documentation of psa_export_key().

Definition at line 1073 of file crypto_extra.h.

#define PSA_PAKE_PRIMITIVE_TYPE_ECC   ((psa_pake_primitive_type_t)0x01)

The PAKE primitive type indicating the use of elliptic curves.

The values of the family and bits fields of the cipher suite identify a specific elliptic curve, using the same mapping that is used for ECC (psa_ecc_family_t) keys.

(Here family means the value returned by psa_pake_cs_get_family() and bits means the value returned by psa_pake_cs_get_bits().)

Input and output during the operation can involve group elements and scalar values:

  1. The format for group elements is the same as for public keys on the specific curve would be. For more information, consult the documentation of psa_export_public_key().
  2. The format for scalars is the same as for private keys on the specific curve would be. For more information, consult the documentation of psa_export_key().

Definition at line 1053 of file crypto_extra.h.

#define PSA_PAKE_SIDE_CLIENT   ((psa_pake_side_t)0x11)

The client in an augmented PAKE.

Augmented PAKE algorithms need to differentiate between client and server.

Definition at line 1027 of file crypto_extra.h.

#define PSA_PAKE_SIDE_FIRST   ((psa_pake_side_t)0x01)

The first peer in a balanced PAKE.

Although balanced PAKE algorithms are symmetric, some of them needs an ordering of peers for the transcript calculations. If the algorithm does not need this, both PSA_PAKE_SIDE_FIRST and PSA_PAKE_SIDE_SECOND are accepted.

Definition at line 1012 of file crypto_extra.h.

#define PSA_PAKE_SIDE_SECOND   ((psa_pake_side_t)0x02)

The second peer in a balanced PAKE.

Although balanced PAKE algorithms are symmetric, some of them needs an ordering of peers for the transcript calculations. If the algorithm does not need this, either PSA_PAKE_SIDE_FIRST or PSA_PAKE_SIDE_SECOND are accepted.

Definition at line 1021 of file crypto_extra.h.

#define PSA_PAKE_SIDE_SERVER   ((psa_pake_side_t)0x12)

The server in an augmented PAKE.

Augmented PAKE algorithms need to differentiate between client and server.

Definition at line 1033 of file crypto_extra.h.

#define PSA_PAKE_STEP_KEY_SHARE   ((psa_pake_step_t)0x01)

The key share being sent to or received from the peer.

The format for both input and output at this step is the same as for public keys on the group determined by the primitive (psa_pake_primitive_t) would be.

For more information on the format, consult the documentation of psa_export_public_key().

For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.

Definition at line 1111 of file crypto_extra.h.

#define PSA_PAKE_STEP_ZK_PROOF   ((psa_pake_step_t)0x03)

A Schnorr NIZKP proof.

This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the value denoted by the letter 'r' in RFC 8235).

Both for input and output, the value at this step is an integer less than the order of the group selected in the cipher suite. The format depends on the group as well:

  • For Montgomery curves, the encoding is little endian.
  • For everything else the encoding is big endian (see Section 2.3.8 of SEC 1: Elliptic Curve Cryptography at https://www.secg.org/sec1-v2.pdf).

In both cases leading zeroes are allowed as long as the length in bytes does not exceed the byte length of the group order.

For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.

Definition at line 1149 of file crypto_extra.h.

#define PSA_PAKE_STEP_ZK_PUBLIC   ((psa_pake_step_t)0x02)

A Schnorr NIZKP public key.

This is the ephemeral public key in the Schnorr Non-Interactive Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).

The format for both input and output at this step is the same as for public keys on the group determined by the primitive (psa_pake_primitive_t) would be.

For more information on the format, consult the documentation of psa_export_public_key().

For information regarding how the group is determined, consult the documentation PSA_PAKE_PRIMITIVE.

Definition at line 1128 of file crypto_extra.h.

Typedef Documentation

The type of the data strucure for PAKE cipher suites.

This is an implementation-defined struct. Applications should not make any assumptions about the content of this structure. Implementation details can change in future versions without notice.

Definition at line 1157 of file crypto_extra.h.

typedef uint8_t psa_pake_family_t

Encoding of the family of the primitive associated with the PAKE.

For more information see the documentation of individual PSA_PAKE_PRIMITIVE_TYPE_XXX constants.

Definition at line 997 of file crypto_extra.h.

The type of the state data structure for PAKE operations.

Before calling any function on a PAKE operation object, the application must initialize it by any of the following means:

This is an implementation-defined struct. Applications should not make any assumptions about the content of this structure. Implementation details can change in future versions without notice.

Definition at line 1295 of file crypto_extra.h.

typedef uint32_t psa_pake_primitive_t

Encoding of the primitive associated with the PAKE.

For more information see the documentation of the PSA_PAKE_PRIMITIVE macro.

Definition at line 1003 of file crypto_extra.h.

typedef uint8_t psa_pake_primitive_type_t

Encoding of the type of the PAKE's primitive.

Values defined by this standard will never be in the range 0x80-0xff. Vendors who define additional types must use an encoding in this range.

For more information see the documentation of individual PSA_PAKE_PRIMITIVE_TYPE_XXX constants.

Definition at line 990 of file crypto_extra.h.

typedef uint8_t psa_pake_side_t

Encoding of the side of PAKE.

Encodes which side of the algorithm is being executed. For more information see the documentation of individual PSA_PAKE_SIDE_XXX constants.

Definition at line 972 of file crypto_extra.h.

typedef uint8_t psa_pake_step_t

Encoding of input and output indicators for PAKE.

Some PAKE algorithms need to exchange more data than just a single key share. This type is for encoding additional input and output data for such algorithms.

Definition at line 980 of file crypto_extra.h.

Function Documentation

static psa_algorithm_t psa_pake_cs_get_algorithm ( const psa_pake_cipher_suite_t cipher_suite)
inlinestatic

Retrieve the PAKE algorithm from a PAKE cipher suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]cipher_suiteThe cipher suite structure to query.
Returns
The PAKE algorithm stored in the cipher suite structure.

Definition at line 1755 of file crypto_extra.h.

References psa_pake_cipher_suite_s::algorithm.

static psa_algorithm_t psa_pake_cs_get_hash ( const psa_pake_cipher_suite_t cipher_suite)
inlinestatic

Retrieve the hash algorithm from a PAKE cipher suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]cipher_suiteThe cipher suite structure to query.
Returns
The hash algorithm stored in the cipher suite structure. The return value is 0 if the PAKE is not parametrised by a hash algorithm or if the hash algorithm is not set.

Definition at line 1787 of file crypto_extra.h.

References psa_pake_cipher_suite_s::hash.

static psa_pake_primitive_t psa_pake_cs_get_primitive ( const psa_pake_cipher_suite_t cipher_suite)
inlinestatic

Retrieve the primitive from a PAKE cipher suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]cipher_suiteThe cipher suite structure to query.
Returns
The primitive stored in the cipher suite structure.

Definition at line 1771 of file crypto_extra.h.

References psa_pake_cipher_suite_s::bits, psa_pake_cipher_suite_s::family, PSA_PAKE_PRIMITIVE, and psa_pake_cipher_suite_s::type.

static void psa_pake_cs_set_algorithm ( psa_pake_cipher_suite_t cipher_suite,
psa_algorithm_t  algorithm 
)
inlinestatic

Declare the PAKE algorithm for the cipher suite.

This function overwrites any PAKE algorithm previously set in cipher_suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]cipher_suiteThe cipher suite structure to write to.
algorithmThe PAKE algorithm to write. (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true.) If this is 0, the PAKE algorithm in cipher_suite becomes unspecified.

Definition at line 1761 of file crypto_extra.h.

References psa_pake_cipher_suite_s::algorithm, and PSA_ALG_IS_PAKE.

static void psa_pake_cs_set_hash ( psa_pake_cipher_suite_t cipher_suite,
psa_algorithm_t  hash 
)
inlinestatic

Declare the hash algorithm for a PAKE cipher suite.

This function overwrites any hash algorithm previously set in cipher_suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

Parameters
[out]cipher_suiteThe cipher suite structure to write to.
hashThe hash involved in the cipher suite. (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_HASH(alg) is true.) If this is 0, the hash algorithm in cipher_suite becomes unspecified.

Definition at line 1793 of file crypto_extra.h.

References psa_pake_cipher_suite_s::hash, and PSA_ALG_IS_HASH.

static void psa_pake_cs_set_primitive ( psa_pake_cipher_suite_t cipher_suite,
psa_pake_primitive_t  primitive 
)
inlinestatic

Declare the primitive for a PAKE cipher suite.

This function overwrites any primitive previously set in cipher_suite.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]cipher_suiteThe cipher suite structure to write to.
primitiveThe primitive to write. If this is 0, the primitive type in cipher_suite becomes unspecified.

Definition at line 1778 of file crypto_extra.h.

References psa_pake_cipher_suite_s::bits, psa_pake_cipher_suite_s::family, and psa_pake_cipher_suite_s::type.

psa_status_t psa_pake_get_implicit_key ( psa_pake_operation_t operation,
psa_key_derivation_operation_t output 
)

Get implicitly confirmed shared secret from a PAKE.

At this point there is a cryptographic guarantee that only the authenticated party who used the same password is able to compute the key. But there is no guarantee that the peer is the party it claims to be and was able to do so.

That is, the authentication is only implicit. Since the peer is not authenticated yet, no action should be taken yet that assumes that the peer is who it claims to be. For example, do not access restricted files on the peer's behalf until an explicit authentication has succeeded.

This function can be called after the key exchange phase of the operation has completed. It imports the shared secret output of the PAKE into the provided derivation operation. The input step PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key material in the key derivation operation.

The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

When this function returns successfully, operation becomes inactive. If this function returns an error status, both operation and key_derivation operations enter an error state and must be aborted by calling psa_pake_abort() and psa_key_derivation_abort() respectively.

Parameters
[in,out]operationActive PAKE operation.
[out]outputA key derivation operation that is ready for an input step of type PSA_KEY_DERIVATION_INPUT_SECRET.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe PAKE operation state is not valid (it must be active, but beyond that validity is specific to the algorithm).
PSA_ERROR_BAD_STATEThe state of output is not valid for the PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the step is out of order or the application has done this step already and it may not be repeated.
PSA_ERROR_INVALID_ARGUMENTPSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the output’s algorithm.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_input ( psa_pake_operation_t operation,
psa_pake_step_t  step,
uint8_t *  input,
size_t  input_length 
)

Provide input for a step of a password-authenticated key exchange.

Depending on the algorithm being executed, you might need to call this function several times or you might not need to call this at all.

The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

If this function returns an error status, the operation enters an error state and must be aborted by calling psa_pake_abort().

Parameters
[in,out]operationActive PAKE operation.
stepThe step for which the input is provided.
[out]inputBuffer containing the input in the format appropriate for this step. Refer to the documentation of the individual PSA_PAKE_STEP_XXX constants for more information.
[out]input_lengthSize of the input buffer in bytes.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid (it must be active, but beyond that validity is specific to the algorithm).
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_INVALID_ARGUMENTThe input is not valid for the algorithm, ciphersuite or step.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
static struct psa_pake_operation_s psa_pake_operation_init ( void  )
static

Return an initial value for an PAKE operation object.

Definition at line 1815 of file crypto_extra.h.

References PSA_PAKE_OPERATION_INIT.

psa_status_t psa_pake_output ( psa_pake_operation_t operation,
psa_pake_step_t  step,
uint8_t *  output,
size_t  output_size,
size_t *  output_length 
)

Get output for a step of a password-authenticated key exchange.

Depending on the algorithm being executed, you might need to call this function several times or you might not need to call this at all.

The exact sequence of calls to perform a password-authenticated key exchange depends on the algorithm in use. Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

If this function returns an error status, the operation enters an error state and must be aborted by calling psa_pake_abort().

Parameters
[in,out]operationActive PAKE operation.
stepThe step of the algorithm for which the output is requested.
[out]outputBuffer where the output is to be written in the format appropriate for this step. Refer to the documentation of the individual PSA_PAKE_STEP_XXX constants for more information.
output_sizeSize of the output buffer in bytes. This must be at least PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, type).
[out]output_lengthOn success, the number of bytes of the returned output.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid (it must be active, but beyond that validity is specific to the algorithm).
PSA_ERROR_BUFFER_TOO_SMALLThe size of the output buffer is too small.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_set_password_key ( psa_pake_operation_t operation,
mbedtls_svc_key_id_t  password 
)

Set the password for a password-authenticated key exchange from key ID.

Call this function when the password, or a value derived from the password, is already present in the key store.

Parameters
[in,out]operationThe operation object to set the password for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the password hasn't been set yet (psa_pake_set_password_key() hasn't been called yet).
passwordIdentifier of the key holding the password or a value derived from the password (eg. by a memory-hard function). It must remain valid until the operation terminates. It must be of type PSA_KEY_TYPE_PASSWORD or PSA_KEY_TYPE_PASSWORD_HASH. It has to allow the usage PSA_KEY_USAGE_DERIVE.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid (it must have been set up.)
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_INVALID_HANDLE
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_NOT_PERMITTED
PSA_ERROR_INVALID_ARGUMENTkey is not compatible with the algorithm or the cipher suite.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_set_peer ( psa_pake_operation_t operation,
const uint8_t *  peer_id,
size_t  peer_id_len 
)

Set the peer ID for a password-authenticated key exchange.

Call this function in addition to psa_pake_set_user() for PAKE algorithms that associate a user identifier with each side of the session. For PAKE algorithms that associate a single user identifier with the session, call psa_pake_set_user() only.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

Parameters
[in,out]operationThe operation object to set the peer ID for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the peer ID hasn't been set (psa_pake_set_peer() hasn't been called yet).
[in]peer_idThe peer's ID to authenticate.
peer_id_lenSize of the peer_id buffer in bytes.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid.
PSA_ERROR_NOT_SUPPORTEDThe algorithm doesn't associate a second identity with the session.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_INVALID_ARGUMENTuser_id is NULL.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_set_side ( psa_pake_operation_t operation,
psa_pake_side_t  side 
)

Set the side for a password-authenticated key exchange.

Not all PAKE algorithms need to differentiate the communicating entities. It is optional to call this function for PAKEs that don't require a side parameter. For such PAKEs the side parameter is ignored.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

Parameters
[in,out]operationThe operation object to set the side for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the side hasn't been set (psa_pake_set_side() hasn't been called yet).
sideA value of type psa_pake_side_t signaling the side of the algorithm that is being set up. For more information see the documentation of PSA_PAKE_SIDE_XXX constants.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid.
PSA_ERROR_NOT_SUPPORTEDThe side for this algorithm is not supported or is not valid.
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_set_user ( psa_pake_operation_t operation,
const uint8_t *  user_id,
size_t  user_id_len 
)

Set the user ID for a password-authenticated key exchange.

Call this function to set the user ID. For PAKE algorithms that associate a user identifier with each side of the session you need to call psa_pake_set_peer() as well. For PAKE algorithms that associate a single user identifier with the session, call psa_pake_set_user() only.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

Parameters
[in,out]operationThe operation object to set the user ID for. It must have been set up by psa_pake_setup() and not yet in use (neither psa_pake_output() nor psa_pake_input() has been called yet). It must be on operation for which the user ID hasn't been set (psa_pake_set_user() hasn't been called yet).
[in]user_idThe user ID to authenticate with.
user_id_lenSize of the user_id buffer in bytes.
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_INVALID_ARGUMENTuser_id is NULL.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_pake_setup ( psa_pake_operation_t operation,
psa_pake_cipher_suite_t  cipher_suite 
)

Set the session information for a password-authenticated key exchange.

The sequence of operations to set up a password-authenticated key exchange is as follows:

  1. Allocate an operation object which will be passed to all the functions listed here.
  2. Initialize the operation object with one of the methods described in the documentation for psa_pake_operation_t, e.g. PSA_PAKE_OPERATION_INIT.
  3. Call psa_pake_setup() to specify the cipher suite.
  4. Call psa_pake_set_xxx() functions on the operation to complete the setup. The exact sequence of psa_pake_set_xxx() functions that needs to be called depends on the algorithm in use.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

A typical sequence of calls to perform a password-authenticated key exchange:

  1. Call psa_pake_output(operation, PSA_PAKE_STEP_KEY_SHARE, ...) to get the key share that needs to be sent to the peer.
  2. Call psa_pake_input(operation, PSA_PAKE_STEP_KEY_SHARE, ...) to provide the key share that was received from the peer.
  3. Depending on the algorithm additional calls to psa_pake_output() and psa_pake_input() might be necessary.
  4. Call psa_pake_get_implicit_key() for accessing the shared secret.

Refer to the documentation of individual PAKE algorithm types (PSA_ALG_XXX values of type psa_algorithm_t such that PSA_ALG_IS_PAKE(alg) is true) for more information.

If an error occurs at any step after a call to psa_pake_setup(), the operation will need to be reset by a call to psa_pake_abort(). The application may call psa_pake_abort() at any time after the operation has been initialized.

After a successful call to psa_pake_setup(), the application must eventually terminate the operation. The following events terminate an operation:

Parameters
[in,out]operationThe operation object to set up. It must have been initialized but not set up yet.
cipher_suiteThe cipher suite to use. (A cipher suite fully characterizes a PAKE algorithm and determines the algorithm as well.)
Return values
PSA_SUCCESSSuccess.
PSA_ERROR_BAD_STATEThe operation state is not valid.
PSA_ERROR_NOT_SUPPORTEDThe cipher_suite is not supported or is not valid.
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.