Blame - programs/psa/aead_cipher_psa.c - mirror/mbed-tls

blob: 301701c18dcaf3852cdc15e73f05a9d8688792a5 [file] [log] [blame]

Manuel Pégourié-Gonnard	398d459	2022-01-07 12:26:32 +0100	[diff] [blame^]	1	/*
				2	* Copyright The Mbed TLS Contributors
				3	* SPDX-License-Identifier: Apache-2.0
				4	*
				5	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				6	* not use this file except in compliance with the License.
				7	* You may obtain a copy of the License at
				8	*
				9	* http://www.apache.org/licenses/LICENSE-2.0
				10	*
				11	* Unless required by applicable law or agreed to in writing, software
				12	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				13	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				14	* See the License for the specific language governing permissions and
				15	* limitations under the License.
				16	*/
				17
				18	/*
				19	* This is a simple example of multi-part AEAD computation using both the old
				20	* Cipher API and the new PSA API; its goal is to help migration to PSA Crypto.
				21	*
				22	* When in comes to multi-part HMAC operations, the `mbedtls_md_context`
				23	* serves a triple purpose (1) hold the key, (2) store the algorithm, and (3)
				24	* save progress information for the current operation. With PSA those roles
				25	* are held by disinct objects: (1) a psa_key_id_t to hold the key, a (2)
				26	* psa_algorithm_t to represent the algorithm, and (3) a psa_operation_t for
				27	* multi-part progress.
				28	*
				29	* On the other hand, with PSA, the algorithms encodes the desired tag length;
				30	* with Cipher the desired tag length needs to be tracked separately.
				31	*
				32	* This program illustrates this by doing the same sequence of multi-part AEAD
				33	* computation with both APIs; looking at the two series of functions
				34	* cipher_xxx() and aead_xxx() side by side should make the differences and
				35	* similarities clear.
				36	*/
				37
				38	#include <stdio.h>
				39
				40	#include "mbedtls/build_info.h"
				41
				42	#if !defined(MBEDTLS_PSA_CRYPTO_C) \|\| !defined(MBEDTLS_CIPHER_C) \|\| \
				43	!defined(MBEDTLS_AES_C) \|\| !defined(MBEDTLS_GCM_C) \|\| \
				44	!defined(MBEDTLS_CHACHAPOLY_C)
				45	int main( void )
				46	{
				47	printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_MD_C and/or "
				48	"MBEDTLS_AES_C and/or MBEDTLS_GCM_C and/or "
				49	"MBEDTLS_CHACHAPOLY_C not defined.\r\n" );
				50	return( 0 );
				51	}
				52	#else
				53
				54	#include <string.h>
				55
				56	#include "mbedtls/cipher.h"
				57	#include "psa/crypto.h"
				58
				59	/*
				60	* Common data and helper functions
				61	*/
				62	const char usage[] = "Usage: aead_cipher_psa [gcm128\|gcm256\|gcm128_8\|chachapoly]";
				63
				64	const unsigned char iv1[12] = { 0x00 };
				65	const unsigned char ad1[] = { 0x01, 0x02 };
				66	const unsigned char pa1[] = { 0x03, 0x04 };
				67	const unsigned char pb1[] = { 0x05, 0x06, 0x07 };
				68
				69	const unsigned char iv2[12] = { 0x10 };
				70	const unsigned char ad2[] = { 0x11, 0x12 };
				71	const unsigned char pa2[] = { 0x13, 0x14 };
				72	const unsigned char pb2[] = { 0x15, 0x16, 0x17 };
				73
				74	const unsigned char key_bytes[32] = { 0x2a };
				75
				76	void print_out( const char title, unsigned char out, size_t len )
				77	{
				78	printf( "%s:", title );
				79	for( size_t i = 0; i < len; i++ )
				80	printf( " %02x", out[i] );
				81	printf( "\n" );
				82	}
				83
				84	/*
				85	* Functions using the Cipher API
				86	*/
				87	#define CHK( code ) \
				88	do { \
				89	ret = code; \
				90	if( ret != 0 ) { \
				91	printf( "%s:%03d: ret = -0x%04x\n", __func__, __LINE__, -ret ); \
				92	goto exit; \
				93	} \
				94	} while( 0 )
				95
				96
				97	static int cipher_prepare( const char *info,
				98	mbedtls_cipher_context_t *ctx,
				99	size_t *tag_len )
				100	{
				101	int ret;
				102
				103	mbedtls_cipher_type_t type;
				104	if( strcmp( info, "gcm128" ) == 0 ) {
				105	type = MBEDTLS_CIPHER_AES_128_GCM;
				106	*tag_len = 16;
				107	} else if( strcmp( info, "gcm256" ) == 0 ) {
				108	type = MBEDTLS_CIPHER_AES_256_GCM;
				109	*tag_len = 16;
				110	} else if( strcmp( info, "gcm128_8" ) == 0 ) {
				111	type = MBEDTLS_CIPHER_AES_128_GCM;
				112	*tag_len = 8;
				113	} else if( strcmp( info, "chachapoly" ) == 0 ) {
				114	type = MBEDTLS_CIPHER_CHACHA20_POLY1305;
				115	*tag_len = 16;
				116	} else {
				117	puts( usage );
				118	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
				119	}
				120
				121	CHK( mbedtls_cipher_setup( ctx,
				122	mbedtls_cipher_info_from_type( type ) ) );
				123
				124	size_t key_len = mbedtls_cipher_get_key_bitlen( ctx );
				125	CHK( mbedtls_cipher_setkey( ctx, key_bytes, key_len, MBEDTLS_ENCRYPT ) );
				126
				127	exit:
				128	return( ret );
				129	}
				130
				131	static void cipher_info( const mbedtls_cipher_context_t *ctx, size_t tag_len )
				132	{
				133	// no convenient way to get the cipher type (for example, AES)
				134	const char *ciph = "???";
				135	int key_bits = mbedtls_cipher_get_key_bitlen( ctx );
				136	mbedtls_cipher_mode_t mode = mbedtls_cipher_get_cipher_mode( ctx );
				137
				138	const char *mode_str = mode == MBEDTLS_MODE_GCM ? "GCM"
				139	: mode == MBEDTLS_MODE_CHACHAPOLY ? "ChachaPoly"
				140	: "???";
				141
				142	printf( "cipher: %s, %d, %s, %zu\n", ciph, key_bits, mode_str, tag_len );
				143	}
				144
				145	static int cipher_encrypt( mbedtls_cipher_context_t *ctx, size_t tag_len,
				146	const unsigned char *iv, size_t iv_len,
				147	const unsigned char *ad, size_t ad_len,
				148	const unsigned char *pa, size_t pa_len,
				149	const unsigned char *pb, size_t pb_len )
				150	{
				151	int ret;
				152	size_t olen;
				153	unsigned char out[32];
				154	unsigned char *p = out;
				155
				156	CHK( mbedtls_cipher_set_iv( ctx, iv, iv_len ) );
				157	CHK( mbedtls_cipher_reset( ctx ) );
				158	CHK( mbedtls_cipher_update_ad( ctx, ad, ad_len ) );
				159	CHK( mbedtls_cipher_update( ctx, pa, pa_len, p, &olen ) );
				160	p += olen;
				161	CHK( mbedtls_cipher_update( ctx, pb, pb_len, p, &olen ) );
				162	p += olen;
				163	CHK( mbedtls_cipher_finish( ctx, p, &olen ) );
				164	p += olen;
				165	CHK( mbedtls_cipher_write_tag( ctx, p, tag_len ) );
				166	p += tag_len;
				167
				168	olen = p - out;
				169	print_out( "cipher", out, olen );
				170
				171	exit:
				172	return( ret );
				173	}
				174
				175	static int cipher( const char *info )
				176	{
				177	int ret = 0;
				178
				179	mbedtls_cipher_context_t ctx;
				180	size_t tag_len;
				181
				182	mbedtls_cipher_init( &ctx );
				183
				184	CHK( cipher_prepare( info, &ctx, &tag_len ) );
				185
				186	cipher_info( &ctx, tag_len );
				187
				188	CHK( cipher_encrypt( &ctx, tag_len,
				189	iv1, sizeof( iv1 ), ad1, sizeof( ad1 ),
				190	pa1, sizeof( pa1 ), pb1, sizeof( pb1 ) ) );
				191	CHK( cipher_encrypt( &ctx, tag_len,
				192	iv2, sizeof( iv2 ), ad2, sizeof( ad2 ),
				193	pa2, sizeof( pa2 ), pb2, sizeof( pb2 ) ) );
				194
				195	exit:
				196	mbedtls_cipher_free( &ctx );
				197
				198	return( ret );
				199	}
				200
				201	#undef CHK
				202
				203	/*
				204	* Functions using the PSA Crypto API
				205	*/
				206
				207	#define CHK( code ) \
				208	do { \
				209	status = code; \
				210	if( status != PSA_SUCCESS ) { \
				211	printf( "%s:%03d: status = %d\n", __func__, __LINE__, status ); \
				212	goto exit; \
				213	} \
				214	} while( 0 )
				215
				216	static psa_status_t aead_prepare( const char *info,
				217	psa_key_id_t *key,
				218	psa_algorithm_t *alg )
				219	{
				220	psa_status_t status;
				221
				222	size_t key_bits;
				223	psa_key_type_t key_type;
				224	if( strcmp( info, "gcm128" ) == 0 ) {
				225	*alg = PSA_ALG_GCM;
				226	key_bits = 128;
				227	key_type = PSA_KEY_TYPE_AES;
				228	} else if( strcmp( info, "gcm256" ) == 0 ) {
				229	*alg = PSA_ALG_GCM;
				230	key_bits = 256;
				231	key_type = PSA_KEY_TYPE_AES;
				232	} else if( strcmp( info, "gcm128_8" ) == 0 ) {
				233	*alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 8);
				234	key_bits = 128;
				235	key_type = PSA_KEY_TYPE_AES;
				236	} else if( strcmp( info, "chachapoly" ) == 0 ) {
				237	*alg = PSA_ALG_CHACHA20_POLY1305;
				238	key_bits = 256;
				239	key_type = PSA_KEY_TYPE_CHACHA20;
				240	} else {
				241	puts( usage );
				242	return( PSA_ERROR_INVALID_ARGUMENT );
				243	}
				244
				245	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
				246	psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
				247	psa_set_key_algorithm( &attributes, *alg );
				248	psa_set_key_type( &attributes, key_type );
				249	psa_set_key_bits( &attributes, key_bits );
				250
				251	CHK( psa_import_key( &attributes, key_bytes, key_bits / 8, key ) );
				252
				253	exit:
				254	return( status );
				255	}
				256
				257	static void aead_info( psa_key_id_t key, psa_algorithm_t alg )
				258	{
				259	psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
				260	(void) psa_get_key_attributes( key, &attr );
				261	psa_key_type_t key_type = psa_get_key_type( &attr );
				262	size_t key_bits = psa_get_key_bits( &attr );
				263	psa_algorithm_t base_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG( alg );
				264	size_t tag_len = PSA_AEAD_TAG_LENGTH( key_type, key_bits, alg );
				265
				266	const char *type_str = key_type == PSA_KEY_TYPE_AES ? "AES"
				267	: key_type == PSA_KEY_TYPE_CHACHA20 ? "Chacha"
				268	: "???";
				269	const char *base_str = base_alg == PSA_ALG_GCM ? "GCM"
				270	: base_alg == PSA_ALG_CHACHA20_POLY1305 ? "ChachaPoly"
				271	: "???";
				272
				273	printf( "aead : %s, %zu, %s, %zu\n", type_str, key_bits, base_str, tag_len );
				274	}
				275
				276	static int aead_encrypt( psa_key_id_t key, psa_algorithm_t alg,
				277	const unsigned char *iv, size_t iv_len,
				278	const unsigned char *ad, size_t ad_len,
				279	const unsigned char *pa, size_t pa_len,
				280	const unsigned char *pb, size_t pb_len )
				281	{
				282	psa_status_t status;
				283	size_t olen, olen_tag;
				284	unsigned char out[32];
				285	unsigned char p = out, end = out + sizeof( out );
				286	unsigned char tag[16];
				287
				288	psa_aead_operation_t op = PSA_AEAD_OPERATION_INIT;
				289	CHK( psa_aead_encrypt_setup( &op, key, alg ) );
				290
				291	CHK( psa_aead_set_nonce( &op, iv, iv_len ) );
				292	CHK( psa_aead_update_ad( &op, ad, ad_len ) );
				293	CHK( psa_aead_update( &op, pa, pa_len, p, end - p, &olen ) );
				294	p += olen;
				295	CHK( psa_aead_update( &op, pb, pb_len, p, end - p, &olen ) );
				296	p += olen;
				297	CHK( psa_aead_finish( &op, p, end - p, &olen,
				298	tag, sizeof( tag ), &olen_tag ) );
				299	p += olen;
				300	memcpy( p, tag, olen_tag );
				301	p += olen_tag;
				302
				303	olen = p - out;
				304	print_out( "aead ", out, olen );
				305	exit:
				306	return( status );
				307	}
				308
				309	static psa_status_t aead( const char *info )
				310	{
				311	psa_status_t status;
				312
				313	psa_key_id_t key;
				314	psa_algorithm_t alg;
				315
				316	CHK( aead_prepare( info, &key, &alg ) );
				317
				318	aead_info( key, alg );
				319
				320	CHK( aead_encrypt( key, alg,
				321	iv1, sizeof( iv1 ), ad1, sizeof( ad1 ),
				322	pa1, sizeof( pa1 ), pb1, sizeof( pb1 ) ) );
				323	CHK( aead_encrypt( key, alg,
				324	iv2, sizeof( iv2 ), ad2, sizeof( ad2 ),
				325	pa2, sizeof( pa2 ), pb2, sizeof( pb2 ) ) );
				326
				327	exit:
				328	return( status );
				329	}
				330
				331	#undef CHK
				332
				333	/*
				334	* Main function
				335	*/
				336	int main( int argc, char **argv )
				337	{
				338	if( argc != 2 )
				339	{
				340	puts( usage );
				341	return( 1 );
				342	}
				343
				344	psa_crypto_init();
				345
				346	cipher( argv[1] );
				347	aead( argv[1] );
				348	}
				349
				350	#endif