diff options
Diffstat (limited to 'thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt')
2 files changed, 265 insertions, 0 deletions
diff --git a/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/README.md b/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/README.md new file mode 100644 index 0000000..ae4b1ef --- /dev/null +++ b/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/README.md @@ -0,0 +1,68 @@ +# Authenticated Encryption Example + +This application performs authenticated encryption and authenticated decryption of a buffer. It serves as a tutorial for the basic authenticated encryption functions of mbed TLS. + +## Pre-requisites + +To build and run this example you must have: + +* A computer with the following software installed: + * [CMake](http://www.cmake.org/download/). + * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). + * [Python](https://www.python.org/downloads/). + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). +* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). +* A micro-USB cable. +* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). + +## Getting started + +1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board. + +2. Navigate to the mbedtls directory supplied with your release and open a terminal. + +3. Set the yotta target: + + ``` + yotta target frdm-k64f-gcc + ``` + +4. Build mbedtls and the examples. This may take a long time if this is your first compilation: + + ``` + $ yotta build + ``` + +5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-authcrypt.bin` to your mbed board and wait until the LED next to the USB port stops blinking. + +6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. + + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +7. Press the Reset button on the board. + +8. The output in the terminal window should look like: + + ``` + {{timeout;10}} + {{host_test_name;default}} + {{description;mbed TLS example authcrypt}} + {{test_id;MBEDTLS_EX_AUTHCRYPT}} + {{start}} + + + plaintext message: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400 + ciphertext: c57f7afb94f14c7977d785d08682a2596bd62ee9dcf216b8cccd997afee9b402f5de1739e8e6467aa363749ef39392e5c66622b01c7203ec0a3d14 + decrypted: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400 + + DONE + {{success}} + {{end}} + ``` + +The actual output for the ciphertext line will vary on each run because of the use of a random nonce in the encryption process. diff --git a/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/main.cpp b/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/main.cpp new file mode 100644 index 0000000..23fad27 --- /dev/null +++ b/thirdparty/nRF5_SDK_15.0.0_a53641a/external/mbedtls/yotta/data/example-authcrypt/main.cpp @@ -0,0 +1,197 @@ +/* + * Hello world example of using the authenticated encryption with mbed TLS + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#include "mbedtls/cipher.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" + +#include <stdio.h> +#include <string.h> + +static void print_hex(const char *title, const unsigned char buf[], size_t len) +{ + printf("%s: ", title); + + for (size_t i = 0; i < len; i++) + printf("%02x", buf[i]); + + printf("\r\n"); +} + +/* + * The pre-shared key. Should be generated randomly and be unique to the + * device/channel/etc. Just used a fixed on here for simplicity. + */ +static const unsigned char secret_key[16] = { + 0xf4, 0x82, 0xc6, 0x70, 0x3c, 0xc7, 0x61, 0x0a, + 0xb9, 0xa0, 0xb8, 0xe9, 0x87, 0xb8, 0xc1, 0x72, +}; + +static int example(void) +{ + /* message that should be protected */ + const char message[] = "Some things are better left unread"; + /* metadata transmitted in the clear but authenticated */ + const char metadata[] = "eg sequence number, routing info"; + /* ciphertext buffer large enough to hold message + nonce + tag */ + unsigned char ciphertext[128] = { 0 }; + int ret; + + printf("\r\n\r\n"); + print_hex("plaintext message", (unsigned char *) message, sizeof message); + + /* + * Setup random number generator + * (Note: later this might be done automatically.) + */ + mbedtls_entropy_context entropy; /* entropy pool for seeding PRNG */ + mbedtls_ctr_drbg_context drbg; /* pseudo-random generator */ + + mbedtls_entropy_init(&entropy); + mbedtls_ctr_drbg_init(&drbg); + + /* Seed the PRNG using the entropy pool, and throw in our secret key as an + * additional source of randomness. */ + ret = mbedtls_ctr_drbg_seed(&drbg, mbedtls_entropy_func, &entropy, + secret_key, sizeof (secret_key)); + if (ret != 0) { + printf("mbedtls_ctr_drbg_init() returned -0x%04X\r\n", -ret); + return 1; + } + + /* + * Setup AES-CCM contex + */ + mbedtls_cipher_context_t ctx; + + mbedtls_cipher_init(&ctx); + + ret = mbedtls_cipher_setup(&ctx, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CCM)); + if (ret != 0) { + printf("mbedtls_cipher_setup() returned -0x%04X\r\n", -ret); + return 1; + } + + ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_ENCRYPT); + if (ret != 0) { + printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret); + return 1; + } + + /* + * Encrypt-authenticate the message and authenticate additional data + * + * First generate a random 8-byte nonce. + * Put it directly in the output buffer as the recipient will need it. + * + * Warning: you must never re-use the same (key, nonce) pair. One of the + * best ways to ensure this to use a counter for the nonce. However this + * means you should save the counter accross rebots, if the key is a + * long-term one. The alternative we choose here is to generate the nonce + * randomly. However it only works if you have a good source of + * randomness. + */ + const size_t nonce_len = 8; + mbedtls_ctr_drbg_random(&drbg, ciphertext, nonce_len); + + size_t ciphertext_len = 0; + /* Go for a conservative 16-byte (128-bit) tag + * and append it to the ciphertext */ + const size_t tag_len = 16; + ret = mbedtls_cipher_auth_encrypt(&ctx, ciphertext, nonce_len, + (const unsigned char *) metadata, sizeof metadata, + (const unsigned char *) message, sizeof message, + ciphertext + nonce_len, &ciphertext_len, + ciphertext + nonce_len + sizeof message, tag_len ); + if (ret != 0) { + printf("mbedtls_cipher_auth_encrypt() returned -0x%04X\r\n", -ret); + return 1; + } + ciphertext_len += nonce_len + tag_len; + + /* + * The following information should now be transmitted: + * - first ciphertext_len bytes of ciphertext buffer + * - metadata if not already transmitted elsewhere + */ + print_hex("ciphertext", ciphertext, ciphertext_len); + + /* + * Decrypt-authenticate + */ + unsigned char decrypted[128] = { 0 }; + size_t decrypted_len = 0; + + ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_DECRYPT); + if (ret != 0) { + printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret); + return 1; + } + + ret = mbedtls_cipher_auth_decrypt(&ctx, + ciphertext, nonce_len, + (const unsigned char *) metadata, sizeof metadata, + ciphertext + nonce_len, ciphertext_len - nonce_len - tag_len, + decrypted, &decrypted_len, + ciphertext + ciphertext_len - tag_len, tag_len ); + /* Checking the return code is CRITICAL for security here */ + if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) { + printf("Something bad is happening! Data is not authentic!\r\n"); + return 1; + } + if (ret != 0) { + printf("mbedtls_cipher_authdecrypt() returned -0x%04X\r\n", -ret); + return 1; + } + + print_hex("decrypted", decrypted, decrypted_len); + + printf("\r\nDONE\r\n"); + + return 0; +} + +#if defined(TARGET_LIKE_MBED) + +#include "mbed-drivers/test_env.h" +#include "minar/minar.h" + +static void run() { + MBED_HOSTTEST_TIMEOUT(10); + MBED_HOSTTEST_SELECT(default); + MBED_HOSTTEST_DESCRIPTION(mbed TLS example authcrypt); + MBED_HOSTTEST_START("MBEDTLS_EX_AUTHCRYPT"); + MBED_HOSTTEST_RESULT(example() == 0); +} + +void app_start(int, char*[]) { + /* Use 115200 bps for consistency with other examples */ + get_stdio_serial().baud(115200); + minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind()); +} + +#else + +int main() { + return example(); +} + +#endif |