/* * Hello world example of using the authenticated encryption with mbed TLS * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * * This file is part of mbed TLS (https://tls.mbed.org) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "mbedtls/cipher.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include #include static void print_hex(const char *title, const unsigned char buf[], size_t len) { printf("%s: ", title); for (size_t i = 0; i < len; i++) printf("%02x", buf[i]); printf("\r\n"); } /* * The pre-shared key. Should be generated randomly and be unique to the * device/channel/etc. Just used a fixed on here for simplicity. */ static const unsigned char secret_key[16] = { 0xf4, 0x82, 0xc6, 0x70, 0x3c, 0xc7, 0x61, 0x0a, 0xb9, 0xa0, 0xb8, 0xe9, 0x87, 0xb8, 0xc1, 0x72, }; static int example(void) { /* message that should be protected */ const char message[] = "Some things are better left unread"; /* metadata transmitted in the clear but authenticated */ const char metadata[] = "eg sequence number, routing info"; /* ciphertext buffer large enough to hold message + nonce + tag */ unsigned char ciphertext[128] = { 0 }; int ret; printf("\r\n\r\n"); print_hex("plaintext message", (unsigned char *) message, sizeof message); /* * Setup random number generator * (Note: later this might be done automatically.) */ mbedtls_entropy_context entropy; /* entropy pool for seeding PRNG */ mbedtls_ctr_drbg_context drbg; /* pseudo-random generator */ mbedtls_entropy_init(&entropy); mbedtls_ctr_drbg_init(&drbg); /* Seed the PRNG using the entropy pool, and throw in our secret key as an * additional source of randomness. */ ret = mbedtls_ctr_drbg_seed(&drbg, mbedtls_entropy_func, &entropy, secret_key, sizeof (secret_key)); if (ret != 0) { printf("mbedtls_ctr_drbg_init() returned -0x%04X\r\n", -ret); return 1; } /* * Setup AES-CCM contex */ mbedtls_cipher_context_t ctx; mbedtls_cipher_init(&ctx); ret = mbedtls_cipher_setup(&ctx, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CCM)); if (ret != 0) { printf("mbedtls_cipher_setup() returned -0x%04X\r\n", -ret); return 1; } ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_ENCRYPT); if (ret != 0) { printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret); return 1; } /* * Encrypt-authenticate the message and authenticate additional data * * First generate a random 8-byte nonce. * Put it directly in the output buffer as the recipient will need it. * * Warning: you must never re-use the same (key, nonce) pair. One of the * best ways to ensure this to use a counter for the nonce. However this * means you should save the counter accross rebots, if the key is a * long-term one. The alternative we choose here is to generate the nonce * randomly. However it only works if you have a good source of * randomness. */ const size_t nonce_len = 8; mbedtls_ctr_drbg_random(&drbg, ciphertext, nonce_len); size_t ciphertext_len = 0; /* Go for a conservative 16-byte (128-bit) tag * and append it to the ciphertext */ const size_t tag_len = 16; ret = mbedtls_cipher_auth_encrypt(&ctx, ciphertext, nonce_len, (const unsigned char *) metadata, sizeof metadata, (const unsigned char *) message, sizeof message, ciphertext + nonce_len, &ciphertext_len, ciphertext + nonce_len + sizeof message, tag_len ); if (ret != 0) { printf("mbedtls_cipher_auth_encrypt() returned -0x%04X\r\n", -ret); return 1; } ciphertext_len += nonce_len + tag_len; /* * The following information should now be transmitted: * - first ciphertext_len bytes of ciphertext buffer * - metadata if not already transmitted elsewhere */ print_hex("ciphertext", ciphertext, ciphertext_len); /* * Decrypt-authenticate */ unsigned char decrypted[128] = { 0 }; size_t decrypted_len = 0; ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_DECRYPT); if (ret != 0) { printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret); return 1; } ret = mbedtls_cipher_auth_decrypt(&ctx, ciphertext, nonce_len, (const unsigned char *) metadata, sizeof metadata, ciphertext + nonce_len, ciphertext_len - nonce_len - tag_len, decrypted, &decrypted_len, ciphertext + ciphertext_len - tag_len, tag_len ); /* Checking the return code is CRITICAL for security here */ if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) { printf("Something bad is happening! Data is not authentic!\r\n"); return 1; } if (ret != 0) { printf("mbedtls_cipher_authdecrypt() returned -0x%04X\r\n", -ret); return 1; } print_hex("decrypted", decrypted, decrypted_len); printf("\r\nDONE\r\n"); return 0; } #if defined(TARGET_LIKE_MBED) #include "mbed/test_env.h" #include "minar/minar.h" static void run() { /* Use 115200 bps for consistency with other examples */ Serial pc(USBTX, USBRX); pc.baud(115200); MBED_HOSTTEST_TIMEOUT(10); MBED_HOSTTEST_SELECT(default); MBED_HOSTTEST_DESCRIPTION(mbed TLS example authcrypt); MBED_HOSTTEST_START("MBEDTLS_EX_AUTHCRYPT"); MBED_HOSTTEST_RESULT(example() == 0); } void app_start(int, char*[]) { minar::Scheduler::postCallback(FunctionPointer0(run).bind()); } #else int main() { return example(); } #endif