eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add material for generating yotta module

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-07-28 14:17:48 +02:00 committed by Manuel Pégourié-Gonnard
parent e14dec68ea
commit 63e7ebaaa1
19 changed files with 2730 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

70
yotta/data/example-authcrypt/README.md Normal file
View file

@ -0,0 +1,70 @@
# Authenticated encryption example
This application performs authenticated encryption and authenticated decryption of a buffer. It serves as a tutorial for the basic authenticated encryption functions of mbed TLS.
## Pre-requisites
To build and run this example the requirements below are necessary:
* A computer with the following software installed:
* [CMake](http://www.cmake.org/download/).
* [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows).
* [Python](https://www.python.org/downloads/).
* [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded).
* A serial terminal emulator (e.g. screen, pySerial, cu).
* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in that case you'll have to substitute frdm-k64f-gcc with the appropriate target below).
* A micro-USB cable.
* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration).
## Getting started
1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the micro-usb port labeled "OpenSDA".
2. Navigate to the mbedtls directory supplied with your release and open a terminal.
3. Set the yotta target:
```
yotta target frdm-k64f-gcc
```
4. Check that there are no missing dependencies:
```
$ yt ls
```
If there are, yotta will list them in the terminal. Please install them before proceeding.
5. Build mbedtls and the examples. This will take a long time if it is the first time:
```
$ yt build
```
6. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-authcrypt.bin` to your mbed board and wait until the LED next to the USB port stops blinking.
7. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 9600 baud, 8N1, no flow control.
8. Press the reset button on the board.
9. The output in the terminal window should look like:
```
{{timeout;10}}
{{host_test_name;default}}
{{description;mbed TLS example authcrypt}}
{{test_id;MBEDTLS_EX_AUTHCRYPT}}
{{start}}
plaintext message: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
ciphertext: c57f7afb94f14c7977d785d08682a2596bd62ee9dcf216b8cccd997afee9b402f5de1739e8e6467aa363749ef39392e5c66622b01c7203ec0a3d14
decrypted: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
DONE
{{success}}
{{end}}
```
The actual output for the ciphertext line will vary on each run due to the use of a random nonce in the encryption process.

177
yotta/data/example-authcrypt/main.cpp Normal file
View file

@ -0,0 +1,177 @@
/*
* Hello world example of using the authenticated encryption with mbed TLS
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#include "mbedtls/cipher.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
static void print_hex(const char *title, const unsigned char buf[], size_t len)
{
printf("%s: ", title);
for (size_t i = 0; i < len; i++)
printf("%02x", buf[i]);
printf("\r\n");
}
/*
* The pre-shared key. Should be generated randomly and be unique to the
* device/channel/etc. Just used a fixed on here for simplicity.
*/
static const unsigned char secret_key[16] = {
0xf4, 0x82, 0xc6, 0x70, 0x3c, 0xc7, 0x61, 0x0a,
0xb9, 0xa0, 0xb8, 0xe9, 0x87, 0xb8, 0xc1, 0x72,
};
static int example(void)
{
/* message that should be protected */
const char message[] = "Some things are better left unread";
/* metadata transmitted in the clear but authenticated */
const char metadata[] = "eg sequence number, routing info";
/* ciphertext buffer large enough to hold message + nonce + tag */
unsigned char ciphertext[128] = { 0 };
int ret;
printf("\r\n\r\n");
print_hex("plaintext message", (unsigned char *) message, sizeof message);
/*
* Setup random number generator
* (Note: later this might be done automatically.)
*/
mbedtls_entropy_context entropy; /* entropy pool for seeding PRNG */
mbedtls_ctr_drbg_context drbg; /* pseudo-random generator */
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&drbg);
/* Seed the PRNG using the entropy pool, and throw in our secret key as an
* additional source of randomness. */
ret = mbedtls_ctr_drbg_seed(&drbg, mbedtls_entropy_func, &entropy,
secret_key, sizeof (secret_key));
if (ret != 0) {
printf("mbedtls_ctr_drbg_init() returned -0x%04X\r\n", -ret);
return 1;
}
/*
* Setup AES-CCM contex
*/
mbedtls_cipher_context_t ctx;
mbedtls_cipher_init(&ctx);
ret = mbedtls_cipher_setup(&ctx, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CCM));
if (ret != 0) {
printf("mbedtls_cipher_setup() returned -0x%04X\r\n", -ret);
return 1;
}
ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_ENCRYPT);
if (ret != 0) {
printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret);
return 1;
}
/*
* Encrypt-authenticate the message and authenticate additional data
*
* First generate a random 8-byte nonce.
* Put it directly in the output buffer as the recipient will need it.
*
* Warning: you must never re-use the same (key, nonce) pair. One of the
* best ways to ensure this to use a counter for the nonce. However this
* means you should save the counter accross rebots, if the key is a
* long-term one. The alternative we choose here is to generate the nonce
* randomly. However it only works if you have a good source of
* randomness.
*/
const size_t nonce_len = 8;
mbedtls_ctr_drbg_random(&drbg, ciphertext, nonce_len);
size_t ciphertext_len = 0;
/* Go for a conservative 16-byte (128-bit) tag
* and append it to the ciphertext */
const size_t tag_len = 16;
ret = mbedtls_cipher_auth_encrypt(&ctx, ciphertext, nonce_len,
(const unsigned char *) metadata, sizeof metadata,
(const unsigned char *) message, sizeof message,
ciphertext + nonce_len, &ciphertext_len,
ciphertext + nonce_len + sizeof message, tag_len );
if (ret != 0) {
printf("mbedtls_cipher_auth_encrypt() returned -0x%04X\r\n", -ret);
return 1;
}
ciphertext_len += nonce_len + tag_len;
/*
* The following information should now be transmitted:
* - first ciphertext_len bytes of ciphertext buffer
* - metadata if not already transmitted elsewhere
*/
print_hex("ciphertext", ciphertext, ciphertext_len);
/*
* Decrypt-authenticate
*/
unsigned char decrypted[128] = { 0 };
size_t decrypted_len = 0;
ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_DECRYPT);
if (ret != 0) {
printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret);
return 1;
}
ret = mbedtls_cipher_auth_decrypt(&ctx,
ciphertext, nonce_len,
(const unsigned char *) metadata, sizeof metadata,
ciphertext + nonce_len, ciphertext_len - nonce_len - tag_len,
decrypted, &decrypted_len,
ciphertext + ciphertext_len - tag_len, tag_len );
/* Checking the return code is CRITICAL for security here */
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
printf("Something bad is happening! Data is not authentic!\r\n");
return 1;
}
if (ret != 0) {
printf("mbedtls_cipher_authdecrypt() returned -0x%04X\r\n", -ret);
return 1;
}
print_hex("decrypted", decrypted, decrypted_len);
printf("\r\nDONE\r\n");
return 0;
}
#if defined(TARGET_LIKE_MBED)
#include "mbed/test_env.h"
int main() {
MBED_HOSTTEST_TIMEOUT(10);
MBED_HOSTTEST_SELECT(default);
MBED_HOSTTEST_DESCRIPTION(mbed TLS example authcrypt);
MBED_HOSTTEST_START("MBEDTLS_EX_AUTHCRYPT");
MBED_HOSTTEST_RESULT(example() == 0);
}
#else
int main() {
return example();
}
#endif