groche97/torzu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added submodule contents into tree

Browse Source
This commit is contained in:
darktux
2024-04-05 01:58:27 +02:00
parent 01a752555c
commit 9b991208cd
4934 changed files with 1657477 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
externals/mbedtls/programs/.gitignore vendored Normal file
View File

@@ -0,0 +1,83 @@
# Ignore makefiles generated by CMake, but not the makefile that's checked in.
*/Makefile
!fuzz/Makefile
*.sln
*.vcxproj
aes/crypt_and_hash
cipher/cipher_aead_demo
hash/generic_sum
hash/hello
hash/md_hmac_demo
hash/md5sum
hash/sha1sum
hash/sha2sum
pkey/dh_client
pkey/dh_genprime
pkey/dh_server
pkey/ecdh_curve25519
pkey/ecdsa
pkey/gen_key
pkey/key_app
pkey/key_app_writer
pkey/mpi_demo
pkey/pk_decrypt
pkey/pk_encrypt
pkey/pk_sign
pkey/pk_verify
pkey/rsa_decrypt
pkey/rsa_encrypt
pkey/rsa_genkey
pkey/rsa_sign
pkey/rsa_sign_pss
pkey/rsa_verify
pkey/rsa_verify_pss
psa/aead_demo
psa/crypto_examples
psa/hmac_demo
psa/key_ladder_demo
psa/psa_constant_names
psa/psa_hash
random/gen_entropy
random/gen_random_ctr_drbg
ssl/dtls_client
ssl/dtls_server
ssl/mini_client
ssl/ssl_client1
ssl/ssl_client2
ssl/ssl_context_info
ssl/ssl_fork_server
ssl/ssl_mail_client
ssl/ssl_pthread_server
ssl/ssl_server
ssl/ssl_server2
test/benchmark
test/cpp_dummy_build
test/cpp_dummy_build.cpp
test/dlopen
test/ecp-bench
test/metatest
test/query_compile_time_config
test/query_included_headers
test/selftest
test/ssl_cert_test
test/udp_proxy
test/zeroize
util/pem2der
util/strerror
x509/cert_app
x509/cert_req
x509/cert_write
x509/crl_app
x509/load_roots
x509/req_app
###START_GENERATED_FILES###
# Generated source files
/psa/psa_constant_names_generated.c
/test/query_config.c
# Generated data files
pkey/keyfile.key
###END_GENERATED_FILES###

13
externals/mbedtls/programs/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,13 @@
add_subdirectory(aes)
add_subdirectory(cipher)
if (NOT WIN32)
add_subdirectory(fuzz)
endif()
add_subdirectory(hash)
add_subdirectory(pkey)
add_subdirectory(psa)
add_subdirectory(random)
add_subdirectory(ssl)
add_subdirectory(test)
add_subdirectory(util)
add_subdirectory(x509)

428
externals/mbedtls/programs/Makefile vendored Normal file
View File

@@ -0,0 +1,428 @@
MBEDTLS_TEST_PATH = ../tests
include ../scripts/common.make
ifeq ($(shell uname -s),Linux)
DLOPEN_LDFLAGS ?= -ldl
else
DLOPEN_LDFLAGS ?=
endif
DEP=${MBEDLIBS} ${MBEDTLS_TEST_OBJS}
# Only build the dlopen test in shared library builds, and not when building
# for Windows.
ifdef BUILD_DLOPEN
# Don't override the value
else ifdef WINDOWS_BUILD
BUILD_DLOPEN =
else ifdef SHARED
BUILD_DLOPEN = y
else
BUILD_DLOPEN =
endif
## The following assignment is the list of base names of applications that
## will be built on Windows. Extra Linux/Unix/POSIX-only applications can
## be declared by appending with `APPS += ...` afterwards.
## See the get_app_list function in scripts/generate_visualc_files.pl and
## make sure to check that it still works if you tweak the format here.
APPS = \
aes/crypt_and_hash \
cipher/cipher_aead_demo \
hash/generic_sum \
hash/hello \
hash/md_hmac_demo \
pkey/dh_client \
pkey/dh_genprime \
pkey/dh_server \
pkey/ecdh_curve25519 \
pkey/ecdsa \
pkey/gen_key \
pkey/key_app \
pkey/key_app_writer \
pkey/mpi_demo \
pkey/pk_decrypt \
pkey/pk_encrypt \
pkey/pk_sign \
pkey/pk_verify \
pkey/rsa_decrypt \
pkey/rsa_encrypt \
pkey/rsa_genkey \
pkey/rsa_sign \
pkey/rsa_sign_pss \
pkey/rsa_verify \
pkey/rsa_verify_pss \
psa/aead_demo \
psa/crypto_examples \
psa/hmac_demo \
psa/key_ladder_demo \
psa/psa_constant_names \
psa/psa_hash \
random/gen_entropy \
random/gen_random_ctr_drbg \
ssl/dtls_client \
ssl/dtls_server \
ssl/mini_client \
ssl/ssl_client1 \
ssl/ssl_client2 \
ssl/ssl_context_info \
ssl/ssl_fork_server \
ssl/ssl_mail_client \
ssl/ssl_server \
ssl/ssl_server2 \
test/benchmark \
test/metatest \
test/query_compile_time_config \
test/query_included_headers \
test/selftest \
test/udp_proxy \
test/zeroize \
util/pem2der \
util/strerror \
x509/cert_app \
x509/cert_req \
x509/cert_write \
x509/crl_app \
x509/load_roots \
x509/req_app \
# End of APPS
ifeq ($(THREADING),pthread)
APPS += ssl/ssl_pthread_server
endif
ifdef BUILD_DLOPEN
APPS += test/dlopen
endif
ifdef TEST_CPP
APPS += test/cpp_dummy_build
endif
EXES = $(patsubst %,%$(EXEXT),$(APPS))
.SILENT:
.PHONY: all clean list fuzz
all: $(EXES)
ifndef WINDOWS
# APPS doesn't include the fuzzing programs, which aren't "normal"
# sample or test programs, and don't build with MSVC which is
# warning about fopen
all: fuzz
endif
fuzz: ${MBEDTLS_TEST_OBJS}
$(MAKE) -C fuzz
${MBEDTLS_TEST_OBJS}:
$(MAKE) -C ../tests mbedtls_test
.PHONY: generated_files
GENERATED_FILES = psa/psa_constant_names_generated.c test/query_config.c
generated_files: $(GENERATED_FILES)
psa/psa_constant_names_generated.c: $(gen_file_dep) ../scripts/generate_psa_constants.py
psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_values.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_extra.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tests/suites/test_suite_psa_crypto_metadata.data
psa/psa_constant_names_generated.c:
echo " Gen $@"
$(PYTHON) ../scripts/generate_psa_constants.py
test/query_config.c: $(gen_file_dep) ../scripts/generate_query_config.pl
## The generated file only depends on the options that are present in mbedtls_config.h,
## not on which options are set. To avoid regenerating this file all the time
## when switching between configurations, don't declare mbedtls_config.h as a
## dependency. Remove this file from your working tree if you've just added or
## removed an option in mbedtls_config.h.
#test/query_config.c: $(gen_file_dep) ../include/mbedtls/mbedtls_config.h
test/query_config.c: $(gen_file_dep) ../scripts/data_files/query_config.fmt
test/query_config.c:
echo " Gen $@"
$(PERL) ../scripts/generate_query_config.pl
aes/crypt_and_hash$(EXEXT): aes/crypt_and_hash.c $(DEP)
echo " CC aes/crypt_and_hash.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) aes/crypt_and_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
cipher/cipher_aead_demo$(EXEXT): cipher/cipher_aead_demo.c $(DEP)
echo " CC cipher/cipher_aead_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) cipher/cipher_aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/generic_sum$(EXEXT): hash/generic_sum.c $(DEP)
echo " CC hash/generic_sum.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/generic_sum.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/hello$(EXEXT): hash/hello.c $(DEP)
echo " CC hash/hello.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/hello.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/md_hmac_demo$(EXEXT): hash/md_hmac_demo.c $(DEP)
echo " CC hash/md_hmac_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/md_hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_client$(EXEXT): pkey/dh_client.c $(DEP)
echo " CC pkey/dh_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_genprime$(EXEXT): pkey/dh_genprime.c $(DEP)
echo " CC pkey/dh_genprime.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_genprime.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_server$(EXEXT): pkey/dh_server.c $(DEP)
echo " CC pkey/dh_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/ecdh_curve25519$(EXEXT): pkey/ecdh_curve25519.c $(DEP)
echo " CC pkey/ecdh_curve25519.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdh_curve25519.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/ecdsa$(EXEXT): pkey/ecdsa.c $(DEP)
echo " CC pkey/ecdsa.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdsa.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/gen_key$(EXEXT): pkey/gen_key.c $(DEP)
echo " CC pkey/gen_key.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/gen_key.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/key_app$(EXEXT): pkey/key_app.c $(DEP)
echo " CC pkey/key_app.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/key_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/key_app_writer$(EXEXT): pkey/key_app_writer.c $(DEP)
echo " CC pkey/key_app_writer.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/key_app_writer.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/mpi_demo$(EXEXT): pkey/mpi_demo.c $(DEP)
echo " CC pkey/mpi_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/mpi_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_decrypt$(EXEXT): pkey/pk_decrypt.c $(DEP)
echo " CC pkey/pk_decrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_decrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_encrypt$(EXEXT): pkey/pk_encrypt.c $(DEP)
echo " CC pkey/pk_encrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_encrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_sign$(EXEXT): pkey/pk_sign.c $(DEP)
echo " CC pkey/pk_sign.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_sign.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_verify$(EXEXT): pkey/pk_verify.c $(DEP)
echo " CC pkey/pk_verify.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_verify.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_genkey$(EXEXT): pkey/rsa_genkey.c $(DEP)
echo " CC pkey/rsa_genkey.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_genkey.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_sign$(EXEXT): pkey/rsa_sign.c $(DEP)
echo " CC pkey/rsa_sign.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_sign.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_verify$(EXEXT): pkey/rsa_verify.c $(DEP)
echo " CC pkey/rsa_verify.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_verify.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_sign_pss$(EXEXT): pkey/rsa_sign_pss.c $(DEP)
echo " CC pkey/rsa_sign_pss.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_sign_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_verify_pss$(EXEXT): pkey/rsa_verify_pss.c $(DEP)
echo " CC pkey/rsa_verify_pss.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_verify_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_decrypt$(EXEXT): pkey/rsa_decrypt.c $(DEP)
echo " CC pkey/rsa_decrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_decrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_encrypt$(EXEXT): pkey/rsa_encrypt.c $(DEP)
echo " CC pkey/rsa_encrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_encrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/aead_demo$(EXEXT): psa/aead_demo.c $(DEP)
echo " CC psa/aead_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/crypto_examples$(EXEXT): psa/crypto_examples.c $(DEP)
echo " CC psa/crypto_examples.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/crypto_examples.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/hmac_demo$(EXEXT): psa/hmac_demo.c $(DEP)
echo " CC psa/hmac_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/key_ladder_demo$(EXEXT): psa/key_ladder_demo.c $(DEP)
echo " CC psa/key_ladder_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/psa_constant_names$(EXEXT): psa/psa_constant_names.c psa/psa_constant_names_generated.c $(DEP)
echo " CC psa/psa_constant_names.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
psa/psa_hash$(EXEXT): psa/psa_hash.c $(DEP)
echo " CC psa/psa_hash.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
random/gen_entropy$(EXEXT): random/gen_entropy.c $(DEP)
echo " CC random/gen_entropy.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) random/gen_entropy.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
random/gen_random_ctr_drbg$(EXEXT): random/gen_random_ctr_drbg.c $(DEP)
echo " CC random/gen_random_ctr_drbg.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) random/gen_random_ctr_drbg.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/dtls_client$(EXEXT): ssl/dtls_client.c $(DEP)
echo " CC ssl/dtls_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/dtls_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/dtls_server$(EXEXT): ssl/dtls_server.c $(DEP)
echo " CC ssl/dtls_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/dtls_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_client1$(EXEXT): ssl/ssl_client1.c $(DEP)
echo " CC ssl/ssl_client1.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client1.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
SSL_TEST_OBJECTS = test/query_config.o ssl/ssl_test_lib.o
SSL_TEST_DEPS = $(SSL_TEST_OBJECTS) \
test/query_config.h \
ssl/ssl_test_lib.h \
ssl/ssl_test_common_source.c \
$(DEP)
ssl/ssl_test_lib.o: ssl/ssl_test_lib.c ssl/ssl_test_lib.h $(DEP)
echo " CC ssl/ssl_test_lib.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c ssl/ssl_test_lib.c -o $@
ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c $(SSL_TEST_DEPS)
echo " CC ssl/ssl_client2.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c $(SSL_TEST_OBJECTS) $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_server$(EXEXT): ssl/ssl_server.c $(DEP)
echo " CC ssl/ssl_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c $(SSL_TEST_DEPS)
echo " CC ssl/ssl_server2.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c $(SSL_TEST_OBJECTS) $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_context_info$(EXEXT): ssl/ssl_context_info.c test/query_config.o test/query_config.h $(DEP)
echo " CC ssl/ssl_context_info.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_context_info.c test/query_config.o $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_fork_server$(EXEXT): ssl/ssl_fork_server.c $(DEP)
echo " CC ssl/ssl_fork_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_fork_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_pthread_server$(EXEXT): ssl/ssl_pthread_server.c $(DEP)
echo " CC ssl/ssl_pthread_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_pthread_server.c $(LOCAL_LDFLAGS) -lpthread $(LDFLAGS) -o $@
ssl/ssl_mail_client$(EXEXT): ssl/ssl_mail_client.c $(DEP)
echo " CC ssl/ssl_mail_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_mail_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/mini_client$(EXEXT): ssl/mini_client.c $(DEP)
echo " CC ssl/mini_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/mini_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/benchmark$(EXEXT): test/benchmark.c $(DEP)
echo " CC test/benchmark.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/cpp_dummy_build.cpp: test/generate_cpp_dummy_build.sh
echo " Gen test/cpp_dummy_build.cpp"
test/generate_cpp_dummy_build.sh
test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP)
echo " CXX test/cpp_dummy_build.cpp"
$(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ifdef BUILD_DLOPEN
test/dlopen$(EXEXT): test/dlopen.c $(DEP)
echo " CC test/dlopen.c"
# Do not link any test objects (that would bring in a static dependency on
# libmbedcrypto at least). Do not link with libmbed* (that would defeat the
# purpose of testing dynamic loading).
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/dlopen.c $(LDFLAGS) $(DLOPEN_LDFLAGS) -o $@
endif
test/metatest$(EXEXT): test/metatest.c $(DEP)
echo " CC test/metatest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I ../library test/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_config.o: test/query_config.c test/query_config.h $(DEP)
echo " CC test/query_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@
test/query_included_headers$(EXEXT): test/query_included_headers.c $(DEP)
echo " CC test/query_included_headers.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_included_headers.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/selftest$(EXEXT): test/selftest.c $(DEP)
echo " CC test/selftest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/selftest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/udp_proxy$(EXEXT): test/udp_proxy.c $(DEP)
echo " CC test/udp_proxy.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/udp_proxy.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/zeroize$(EXEXT): test/zeroize.c $(DEP)
echo " CC test/zeroize.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/zeroize.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c test/query_config.o test/query_config.h $(DEP)
echo " CC test/query_compile_time_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c test/query_config.o $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
util/pem2der$(EXEXT): util/pem2der.c $(DEP)
echo " CC util/pem2der.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) util/pem2der.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
util/strerror$(EXEXT): util/strerror.c $(DEP)
echo " CC util/strerror.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) util/strerror.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/cert_app$(EXEXT): x509/cert_app.c $(DEP)
echo " CC x509/cert_app.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/cert_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/cert_write$(EXEXT): x509/cert_write.c $(DEP)
echo " CC x509/cert_write.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/cert_write.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/crl_app$(EXEXT): x509/crl_app.c $(DEP)
echo " CC x509/crl_app.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/crl_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/cert_req$(EXEXT): x509/cert_req.c $(DEP)
echo " CC x509/cert_req.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/cert_req.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/load_roots$(EXEXT): x509/load_roots.c $(DEP)
echo " CC x509/load_roots.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/load_roots.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
x509/req_app$(EXEXT): x509/req_app.c $(DEP)
echo " CC x509/req_app.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
clean:
ifndef WINDOWS
rm -f $(EXES)
-rm -f ssl/ssl_pthread_server$(EXEXT)
-rm -f test/cpp_dummy_build.cpp test/cpp_dummy_build$(EXEXT)
-rm -f test/dlopen$(EXEXT)
else
if exist *.o del /Q /F *.o
if exist *.exe del /Q /F *.exe
if exist test\cpp_dummy_build.cpp del /Q /F test\cpp_dummy_build.cpp
endif
$(MAKE) -C fuzz clean
list:
echo $(EXES)

118
externals/mbedtls/programs/README.md vendored Normal file
View File

@@ -0,0 +1,118 @@
Mbed TLS sample programs
========================
This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs.
## Symmetric cryptography (AES) examples
* [`aes/crypt_and_hash.c`](aes/crypt_and_hash.c): file encryption and authentication, demonstrating the generic cipher interface and the generic hash interface.
## Hash (digest) examples
* [`hash/generic_sum.c`](hash/generic_sum.c): file hash calculator and verifier, demonstrating the message digest (`md`) interface.
* [`hash/hello.c`](hash/hello.c): hello-world program for MD5.
## Public-key cryptography examples
### Generic public-key cryptography (`pk`) examples
* [`pkey/gen_key.c`](pkey/gen_key.c): generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs.
* [`pkey/key_app.c`](pkey/key_app.c): loads a PEM or DER public key or private key file and dumps its content.
* [`pkey/key_app_writer.c`](pkey/key_app_writer.c): loads a PEM or DER public key or private key file and writes it to a new PEM or DER file.
* [`pkey/pk_encrypt.c`](pkey/pk_encrypt.c), [`pkey/pk_decrypt.c`](pkey/pk_decrypt.c): loads a PEM or DER public/private key file and uses the key to encrypt/decrypt a short string through the generic public-key interface.
* [`pkey/pk_sign.c`](pkey/pk_sign.c), [`pkey/pk_verify.c`](pkey/pk_verify.c): loads a PEM or DER private/public key file and uses the key to sign/verify a short string.
### ECDSA and RSA signature examples
* [`pkey/ecdsa.c`](pkey/ecdsa.c): generates an ECDSA key, signs a fixed message and verifies the signature.
* [`pkey/rsa_encrypt.c`](pkey/rsa_encrypt.c), [`pkey/rsa_decrypt.c`](pkey/rsa_decrypt.c): loads an RSA public/private key and uses it to encrypt/decrypt a short string through the low-level RSA interface.
* [`pkey/rsa_genkey.c`](pkey/rsa_genkey.c): generates an RSA key and writes it to a file that can be used with the other RSA sample programs.
* [`pkey/rsa_sign.c`](pkey/rsa_sign.c), [`pkey/rsa_verify.c`](pkey/rsa_verify.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSA PKCS#1 v1.5 algorithm.
* [`pkey/rsa_sign_pss.c`](pkey/rsa_sign_pss.c), [`pkey/rsa_verify_pss.c`](pkey/rsa_verify_pss.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm.
### Diffie-Hellman key exchange examples
* [`pkey/dh_client.c`](pkey/dh_client.c), [`pkey/dh_server.c`](pkey/dh_server.c): secure channel demonstrators (client, server). This pair of programs illustrates how to set up a secure channel using RSA for authentication and Diffie-Hellman to generate a shared AES session key.
* [`pkey/ecdh_curve25519.c`](pkey/ecdh_curve25519.c): demonstration of a elliptic curve Diffie-Hellman (ECDH) key agreement.
### Bignum (`mpi`) usage examples
* [`pkey/dh_genprime.c`](pkey/dh_genprime.c): shows how to use the bignum (`mpi`) interface to generate Diffie-Hellman parameters.
* [`pkey/mpi_demo.c`](pkey/mpi_demo.c): demonstrates operations on big integers.
## Random number generator (RNG) examples
* [`random/gen_entropy.c`](random/gen_entropy.c): shows how to use the default entropy sources to generate random data.
Note: most applications should only use the entropy generator to seed a cryptographic pseudorandom generator, as illustrated by `random/gen_random_ctr_drbg.c`.
* [`random/gen_random_ctr_drbg.c`](random/gen_random_ctr_drbg.c): shows how to use the default entropy sources to seed a pseudorandom generator, and how to use the resulting random generator to generate random data.
## SSL/TLS examples
### SSL/TLS sample applications
* [`ssl/dtls_client.c`](ssl/dtls_client.c): a simple DTLS client program, which sends one datagram to the server and reads one datagram in response.
* [`ssl/dtls_server.c`](ssl/dtls_server.c): a simple DTLS server program, which expects one datagram from the client and writes one datagram in response. This program supports DTLS cookies for hello verification.
* [`ssl/mini_client.c`](ssl/mini_client.c): a minimalistic SSL client, which sends a short string and disconnects. This is primarily intended as a benchmark; for a better example of a typical TLS client, see `ssl/ssl_client1.c`.
* [`ssl/ssl_client1.c`](ssl/ssl_client1.c): a simple HTTPS client that sends a fixed request and displays the response.
* [`ssl/ssl_fork_server.c`](ssl/ssl_fork_server.c): a simple HTTPS server using one process per client to send a fixed response. This program requires a Unix/POSIX environment implementing the `fork` system call.
* [`ssl/ssl_mail_client.c`](ssl/ssl_mail_client.c): a simple SMTP-over-TLS or SMTP-STARTTLS client. This client sends an email with fixed content.
* [`ssl/ssl_pthread_server.c`](ssl/ssl_pthread_server.c): a simple HTTPS server using one thread per client to send a fixed response. This program requires the pthread library.
* [`ssl/ssl_server.c`](ssl/ssl_server.c): a simple HTTPS server that sends a fixed response. It serves a single client at a time.
### SSL/TLS feature demonstrators
Note: unlike most of the other programs under the `programs/` directory, these two programs are not intended as a basis for writing an application. They combine most of the features supported by the library, and most applications require only a few features. To write a new application, we recommended that you start with `ssl_client1.c` or `ssl_server.c`, and then look inside `ssl/ssl_client2.c` or `ssl/ssl_server2.c` to see how to use the specific features that your application needs.
* [`ssl/ssl_client2.c`](ssl/ssl_client2.c): an HTTPS client that sends a fixed request and displays the response, with options to select TLS protocol features and Mbed TLS library features.
* [`ssl/ssl_server2.c`](ssl/ssl_server2.c): an HTTPS server that sends a fixed response, with options to select TLS protocol features and Mbed TLS library features.
In addition to providing options for testing client-side features, the `ssl_client2` program has options that allow you to trigger certain behaviors in the server. For example, there are options to select ciphersuites, or to force a renegotiation. These options are useful for testing the corresponding features in a TLS server. Likewise, `ssl_server2` has options to activate certain behaviors that are useful for testing a TLS client.
## Test utilities
* [`test/benchmark.c`](test/benchmark.c): benchmark for cryptographic algorithms.
* [`test/selftest.c`](test/selftest.c): runs the self-test function in each library module.
* [`test/udp_proxy.c`](test/udp_proxy.c): a UDP proxy that can inject certain failures (delay, duplicate, drop). Useful for testing DTLS.
* [`test/zeroize.c`](test/zeroize.c): a test program for `mbedtls_platform_zeroize`, used by [`tests/scripts/test_zeroize.gdb`](tests/scripts/test_zeroize.gdb).
## Development utilities
* [`util/pem2der.c`](util/pem2der.c): a PEM to DER converter. Mbed TLS can read PEM files directly, but this utility can be useful for interacting with other tools or with minimal Mbed TLS builds that lack PEM support.
* [`util/strerror.c`](util/strerror.c): prints the error description corresponding to an integer status returned by an Mbed TLS function.
## X.509 certificate examples
* [`x509/cert_app.c`](x509/cert_app.c): connects to a TLS server and verifies its certificate chain.
* [`x509/cert_req.c`](x509/cert_req.c): generates a certificate signing request (CSR) for a private key.
* [`x509/cert_write.c`](x509/cert_write.c): signs a certificate signing request, or self-signs a certificate.
* [`x509/crl_app.c`](x509/crl_app.c): loads and dumps a certificate revocation list (CRL).
* [`x509/req_app.c`](x509/req_app.c): loads and dumps a certificate signing request (CSR).

13
externals/mbedtls/programs/aes/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,13 @@
set(executables
crypt_and_hash
)
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

577
externals/mbedtls/programs/aes/crypt_and_hash.c vendored Normal file
View File

@@ -0,0 +1,577 @@
/*
* \brief Generic file encryption program using generic wrappers for configured
* security.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of fileno() even when compiling with -std=c99. Must be
* set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
#define _POSIX_C_SOURCE 200112L
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_MD_C) && \
defined(MBEDTLS_FS_IO)
#include "mbedtls/cipher.h"
#include "mbedtls/md.h"
#include "mbedtls/platform_util.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#endif
#if defined(_WIN32)
#include <windows.h>
#if !defined(_WIN32_WCE)
#include <io.h>
#endif
#else
#include <sys/types.h>
#include <unistd.h>
#endif
#define MODE_ENCRYPT 0
#define MODE_DECRYPT 1
#define USAGE \
"\n crypt_and_hash <mode> <input filename> <output filename> <cipher> <mbedtls_md> <key>\n" \
"\n <mode>: 0 = encrypt, 1 = decrypt\n" \
"\n example: crypt_and_hash 0 file file.aes AES-128-CBC SHA1 hex:E76B2413958B00E193\n" \
"\n"
#if !defined(MBEDTLS_CIPHER_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_CIPHER_C and/or MBEDTLS_MD_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
int ret = 1, i;
unsigned n;
int exit_code = MBEDTLS_EXIT_FAILURE;
int mode;
size_t keylen, ilen, olen;
FILE *fkey, *fin = NULL, *fout = NULL;
char *p;
unsigned char IV[16];
unsigned char key[512];
unsigned char digest[MBEDTLS_MD_MAX_SIZE];
unsigned char buffer[1024];
unsigned char output[1024];
unsigned char diff;
const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info;
mbedtls_cipher_context_t cipher_ctx;
mbedtls_md_context_t md_ctx;
mbedtls_cipher_mode_t cipher_mode;
unsigned int cipher_block_size;
unsigned char md_size;
#if defined(_WIN32_WCE)
long filesize, offset;
#elif defined(_WIN32)
LARGE_INTEGER li_size;
__int64 filesize, offset;
#else
off_t filesize, offset;
#endif
mbedtls_cipher_init(&cipher_ctx);
mbedtls_md_init(&md_ctx);
/*
* Parse the command-line arguments.
*/
if (argc != 7) {
const int *list;
mbedtls_printf(USAGE);
mbedtls_printf("Available ciphers:\n");
list = mbedtls_cipher_list();
while (*list) {
cipher_info = mbedtls_cipher_info_from_type(*list);
const char *name = mbedtls_cipher_info_get_name(cipher_info);
if (name) {
mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
}
list++;
}
mbedtls_printf("\nAvailable message digests:\n");
list = mbedtls_md_list();
while (*list) {
md_info = mbedtls_md_info_from_type(*list);
mbedtls_printf(" %s\n", mbedtls_md_get_name(md_info));
list++;
}
goto exit;
}
mode = atoi(argv[1]);
if (mode != MODE_ENCRYPT && mode != MODE_DECRYPT) {
mbedtls_fprintf(stderr, "invalid operation mode\n");
goto exit;
}
if (strcmp(argv[2], argv[3]) == 0) {
mbedtls_fprintf(stderr, "input and output filenames must differ\n");
goto exit;
}
if ((fin = fopen(argv[2], "rb")) == NULL) {
mbedtls_fprintf(stderr, "fopen(%s,rb) failed\n", argv[2]);
goto exit;
}
if ((fout = fopen(argv[3], "wb+")) == NULL) {
mbedtls_fprintf(stderr, "fopen(%s,wb+) failed\n", argv[3]);
goto exit;
}
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(fin, NULL);
mbedtls_setbuf(fout, NULL);
/*
* Read the Cipher and MD from the command line
*/
cipher_info = mbedtls_cipher_info_from_string(argv[4]);
if (cipher_info == NULL) {
mbedtls_fprintf(stderr, "Cipher '%s' not found\n", argv[4]);
goto exit;
}
if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setup failed\n");
goto exit;
}
md_info = mbedtls_md_info_from_string(argv[5]);
if (md_info == NULL) {
mbedtls_fprintf(stderr, "Message Digest '%s' not found\n", argv[5]);
goto exit;
}
if (mbedtls_md_setup(&md_ctx, md_info, 1) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_setup failed\n");
goto exit;
}
/*
* Read the secret key from file or command line
*/
if ((fkey = fopen(argv[6], "rb")) != NULL) {
keylen = fread(key, 1, sizeof(key), fkey);
fclose(fkey);
} else {
if (memcmp(argv[6], "hex:", 4) == 0) {
p = &argv[6][4];
keylen = 0;
while (sscanf(p, "%02X", (unsigned int *) &n) > 0 &&
keylen < (int) sizeof(key)) {
key[keylen++] = (unsigned char) n;
p += 2;
}
} else {
keylen = strlen(argv[6]);
if (keylen > (int) sizeof(key)) {
keylen = (int) sizeof(key);
}
memcpy(key, argv[6], keylen);
}
}
#if defined(_WIN32_WCE)
filesize = fseek(fin, 0L, SEEK_END);
#else
#if defined(_WIN32)
/*
* Support large files (> 2Gb) on Win32
*/
li_size.QuadPart = 0;
li_size.LowPart =
SetFilePointer((HANDLE) _get_osfhandle(_fileno(fin)),
li_size.LowPart, &li_size.HighPart, FILE_END);
if (li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR) {
mbedtls_fprintf(stderr, "SetFilePointer(0,FILE_END) failed\n");
goto exit;
}
filesize = li_size.QuadPart;
#else
if ((filesize = lseek(fileno(fin), 0, SEEK_END)) < 0) {
perror("lseek");
goto exit;
}
#endif
#endif
if (fseek(fin, 0, SEEK_SET) < 0) {
mbedtls_fprintf(stderr, "fseek(0,SEEK_SET) failed\n");
goto exit;
}
md_size = mbedtls_md_get_size(md_info);
cipher_block_size = mbedtls_cipher_get_block_size(&cipher_ctx);
if (mode == MODE_ENCRYPT) {
/*
* Generate the initialization vector as:
* IV = MD( filesize || filename )[0..15]
*/
for (i = 0; i < 8; i++) {
buffer[i] = (unsigned char) (filesize >> (i << 3));
}
p = argv[2];
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, buffer, 8) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, (unsigned char *) p, strlen(p))
!= 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_finish() returned error\n");
goto exit;
}
memcpy(IV, digest, 16);
/*
* Append the IV at the beginning of the output.
*/
if (fwrite(IV, 1, 16, fout) != 16) {
mbedtls_fprintf(stderr, "fwrite(%d bytes) failed\n", 16);
goto exit;
}
/*
* Hash the IV and the secret key together 8192 times
* using the result to setup the AES context and HMAC.
*/
memset(digest, 0, 32);
memcpy(digest, IV, 16);
for (i = 0; i < 8192; i++) {
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, key, keylen) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_finish() returned error\n");
goto exit;
}
}
if (mbedtls_cipher_setkey(&cipher_ctx,
digest,
(int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_ENCRYPT) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setkey() returned error\n");
goto exit;
}
if (mbedtls_cipher_set_iv(&cipher_ctx, IV, 16) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_set_iv() returned error\n");
goto exit;
}
if (mbedtls_cipher_reset(&cipher_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_reset() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_starts(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_starts() returned error\n");
goto exit;
}
/*
* Encrypt and write the ciphertext.
*/
for (offset = 0; offset < filesize; offset += cipher_block_size) {
ilen = ((unsigned int) filesize - offset > cipher_block_size) ?
cipher_block_size : (unsigned int) (filesize - offset);
if (fread(buffer, 1, ilen, fin) != ilen) {
mbedtls_fprintf(stderr, "fread(%ld bytes) failed\n", (long) ilen);
goto exit;
}
if (mbedtls_cipher_update(&cipher_ctx, buffer, ilen, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_update() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, output, olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
if (mbedtls_cipher_finish(&cipher_ctx, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_finish() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, output, olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
/*
* Finally write the HMAC.
*/
if (mbedtls_md_hmac_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_finish() returned error\n");
goto exit;
}
if (fwrite(digest, 1, md_size, fout) != md_size) {
mbedtls_fprintf(stderr, "fwrite(%d bytes) failed\n", md_size);
goto exit;
}
}
if (mode == MODE_DECRYPT) {
/*
* The encrypted file must be structured as follows:
*
* 00 .. 15 Initialization Vector
* 16 .. 31 Encrypted Block #1
* ..
* N*16 .. (N+1)*16 - 1 Encrypted Block #N
* (N+1)*16 .. (N+1)*16 + n Hash(ciphertext)
*/
if (filesize < 16 + md_size) {
mbedtls_fprintf(stderr, "File too short to be encrypted.\n");
goto exit;
}
if (cipher_block_size == 0) {
mbedtls_fprintf(stderr, "Invalid cipher block size: 0. \n");
goto exit;
}
/*
* Check the file size.
*/
cipher_mode = mbedtls_cipher_info_get_mode(cipher_info);
if (cipher_mode != MBEDTLS_MODE_GCM &&
cipher_mode != MBEDTLS_MODE_CTR &&
cipher_mode != MBEDTLS_MODE_CFB &&
cipher_mode != MBEDTLS_MODE_OFB &&
((filesize - md_size) % cipher_block_size) != 0) {
mbedtls_fprintf(stderr, "File content not a multiple of the block size (%u).\n",
cipher_block_size);
goto exit;
}
/*
* Subtract the IV + HMAC length.
*/
filesize -= (16 + md_size);
/*
* Read the IV and original filesize modulo 16.
*/
if (fread(buffer, 1, 16, fin) != 16) {
mbedtls_fprintf(stderr, "fread(%d bytes) failed\n", 16);
goto exit;
}
memcpy(IV, buffer, 16);
/*
* Hash the IV and the secret key together 8192 times
* using the result to setup the AES context and HMAC.
*/
memset(digest, 0, 32);
memcpy(digest, IV, 16);
for (i = 0; i < 8192; i++) {
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, key, keylen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_finish() returned error\n");
goto exit;
}
}
if (mbedtls_cipher_setkey(&cipher_ctx,
digest,
(int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_DECRYPT) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setkey() returned error\n");
goto exit;
}
if (mbedtls_cipher_set_iv(&cipher_ctx, IV, 16) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_set_iv() returned error\n");
goto exit;
}
if (mbedtls_cipher_reset(&cipher_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_reset() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_starts(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_starts() returned error\n");
goto exit;
}
/*
* Decrypt and write the plaintext.
*/
for (offset = 0; offset < filesize; offset += cipher_block_size) {
ilen = ((unsigned int) filesize - offset > cipher_block_size) ?
cipher_block_size : (unsigned int) (filesize - offset);
if (fread(buffer, 1, ilen, fin) != ilen) {
mbedtls_fprintf(stderr, "fread(%u bytes) failed\n",
cipher_block_size);
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, buffer, ilen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (mbedtls_cipher_update(&cipher_ctx, buffer, ilen, output,
&olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
/*
* Verify the message authentication code.
*/
if (mbedtls_md_hmac_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_finish() returned error\n");
goto exit;
}
if (fread(buffer, 1, md_size, fin) != md_size) {
mbedtls_fprintf(stderr, "fread(%d bytes) failed\n", md_size);
goto exit;
}
/* Use constant-time buffer comparison */
diff = 0;
for (i = 0; i < md_size; i++) {
diff |= digest[i] ^ buffer[i];
}
if (diff != 0) {
mbedtls_fprintf(stderr, "HMAC check failed: wrong key, "
"or file corrupted.\n");
goto exit;
}
/*
* Write the final block of data
*/
if (mbedtls_cipher_finish(&cipher_ctx, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_finish() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if (fin) {
fclose(fin);
}
if (fout) {
fclose(fout);
}
/* Zeroize all command line arguments to also cover
the case when the user has missed or reordered some,
in which case the key might not be in argv[6]. */
for (i = 0; i < argc; i++) {
mbedtls_platform_zeroize(argv[i], strlen(argv[i]));
}
mbedtls_platform_zeroize(IV, sizeof(IV));
mbedtls_platform_zeroize(key, sizeof(key));
mbedtls_platform_zeroize(buffer, sizeof(buffer));
mbedtls_platform_zeroize(output, sizeof(output));
mbedtls_platform_zeroize(digest, sizeof(digest));
mbedtls_cipher_free(&cipher_ctx);
mbedtls_md_free(&md_ctx);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_CIPHER_C && MBEDTLS_MD_C && MBEDTLS_FS_IO */

13
externals/mbedtls/programs/cipher/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,13 @@
set(executables
cipher_aead_demo
)
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

259
externals/mbedtls/programs/cipher/cipher_aead_demo.c vendored Normal file
View File

@@ -0,0 +1,259 @@
/**
* Cipher API multi-part AEAD demonstration.
*
* This program AEAD-encrypts a message, using the algorithm and key size
* specified on the command line, using the multi-part API.
*
* It comes with a companion program psa/aead_demo.c, which does the same
* operations with the PSA Crypto API. The goal is that comparing the two
* programs will help people migrating to the PSA Crypto API.
*
* When used with multi-part AEAD operations, the `mbedtls_cipher_context`
* serves a triple purpose (1) hold the key, (2) store the algorithm when no
* operation is active, and (3) save progress information for the current
* operation. With PSA those roles are held by disinct objects: (1) a
* psa_key_id_t to hold the key, a (2) psa_algorithm_t to represent the
* algorithm, and (3) a psa_operation_t for multi-part progress.
*
* On the other hand, with PSA, the algorithms encodes the desired tag length;
* with Cipher the desired tag length needs to be tracked separately.
*
* This program and its companion psa/aead_demo.c illustrate this by doing the
* same sequence of multi-part AEAD computation with both APIs; looking at the
* two side by side should make the differences and similarities clear.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include "mbedtls/cipher.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_CIPHER_C) || \
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_GCM_C) || \
!defined(MBEDTLS_CHACHAPOLY_C)
int main(void)
{
printf("MBEDTLS_MD_C and/or "
"MBEDTLS_AES_C and/or MBEDTLS_GCM_C and/or "
"MBEDTLS_CHACHAPOLY_C not defined\r\n");
return 0;
}
#else
/* The real program starts here. */
const char usage[] =
"Usage: cipher_aead_demo [aes128-gcm|aes256-gcm|aes128-gcm_8|chachapoly]";
/* Dummy data for encryption: IV/nonce, additional data, 2-part message */
const unsigned char iv1[12] = { 0x00 };
const unsigned char add_data1[] = { 0x01, 0x02 };
const unsigned char msg1_part1[] = { 0x03, 0x04 };
const unsigned char msg1_part2[] = { 0x05, 0x06, 0x07 };
/* Dummy data (2nd message) */
const unsigned char iv2[12] = { 0x10 };
const unsigned char add_data2[] = { 0x11, 0x12 };
const unsigned char msg2_part1[] = { 0x13, 0x14 };
const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
/* Maximum total size of the messages */
#define MSG1_SIZE (sizeof(msg1_part1) + sizeof(msg1_part2))
#define MSG2_SIZE (sizeof(msg2_part1) + sizeof(msg2_part2))
#define MSG_MAX_SIZE (MSG1_SIZE > MSG2_SIZE ? MSG1_SIZE : MSG2_SIZE)
/* Dummy key material - never do this in production!
* 32-byte is enough to all the key size supported by this program. */
const unsigned char key_bytes[32] = { 0x2a };
/* Print the contents of a buffer in hex */
void print_buf(const char *title, unsigned char *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
printf(" %02x", buf[i]);
}
printf("\n");
}
/* Run an Mbed TLS function and bail out if it fails.
* A string description of the error code can be recovered with:
* programs/util/strerror <value> */
#define CHK(expr) \
do \
{ \
ret = (expr); \
if (ret != 0) \
{ \
printf("Error %d at line %d: %s\n", \
ret, \
__LINE__, \
#expr); \
goto exit; \
} \
} while (0)
/*
* Prepare encryption material:
* - interpret command-line argument
* - set up key
* - outputs: context and tag length, which together hold all the information
*/
static int aead_prepare(const char *info,
mbedtls_cipher_context_t *ctx,
size_t *tag_len)
{
int ret;
/* Convert arg to type + tag_len */
mbedtls_cipher_type_t type;
if (strcmp(info, "aes128-gcm") == 0) {
type = MBEDTLS_CIPHER_AES_128_GCM;
*tag_len = 16;
} else if (strcmp(info, "aes256-gcm") == 0) {
type = MBEDTLS_CIPHER_AES_256_GCM;
*tag_len = 16;
} else if (strcmp(info, "aes128-gcm_8") == 0) {
type = MBEDTLS_CIPHER_AES_128_GCM;
*tag_len = 8;
} else if (strcmp(info, "chachapoly") == 0) {
type = MBEDTLS_CIPHER_CHACHA20_POLY1305;
*tag_len = 16;
} else {
puts(usage);
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
/* Prepare context for the given type */
CHK(mbedtls_cipher_setup(ctx,
mbedtls_cipher_info_from_type(type)));
/* Import key */
int key_len = mbedtls_cipher_get_key_bitlen(ctx);
CHK(mbedtls_cipher_setkey(ctx, key_bytes, key_len, MBEDTLS_ENCRYPT));
exit:
return ret;
}
/*
* Print out some information.
*
* All of this information was present in the command line argument, but his
* function demonstrates how each piece can be recovered from (ctx, tag_len).
*/
static void aead_info(const mbedtls_cipher_context_t *ctx, size_t tag_len)
{
mbedtls_cipher_type_t type = mbedtls_cipher_get_type(ctx);
const mbedtls_cipher_info_t *info = mbedtls_cipher_info_from_type(type);
const char *ciph = mbedtls_cipher_info_get_name(info);
int key_bits = mbedtls_cipher_get_key_bitlen(ctx);
mbedtls_cipher_mode_t mode = mbedtls_cipher_get_cipher_mode(ctx);
const char *mode_str = mode == MBEDTLS_MODE_GCM ? "GCM"
: mode == MBEDTLS_MODE_CHACHAPOLY ? "ChachaPoly"
: "???";
printf("%s, %d, %s, %u\n",
ciph, key_bits, mode_str, (unsigned) tag_len);
}
/*
* Encrypt a 2-part message.
*/
static int aead_encrypt(mbedtls_cipher_context_t *ctx, size_t tag_len,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *part1, size_t part1_len,
const unsigned char *part2, size_t part2_len)
{
int ret;
size_t olen;
#define MAX_TAG_LENGTH 16
unsigned char out[MSG_MAX_SIZE + MAX_TAG_LENGTH];
unsigned char *p = out;
CHK(mbedtls_cipher_set_iv(ctx, iv, iv_len));
CHK(mbedtls_cipher_reset(ctx));
CHK(mbedtls_cipher_update_ad(ctx, ad, ad_len));
CHK(mbedtls_cipher_update(ctx, part1, part1_len, p, &olen));
p += olen;
CHK(mbedtls_cipher_update(ctx, part2, part2_len, p, &olen));
p += olen;
CHK(mbedtls_cipher_finish(ctx, p, &olen));
p += olen;
CHK(mbedtls_cipher_write_tag(ctx, p, tag_len));
p += tag_len;
olen = p - out;
print_buf("out", out, olen);
exit:
return ret;
}
/*
* AEAD demo: set up key/alg, print out info, encrypt messages.
*/
static int aead_demo(const char *info)
{
int ret = 0;
mbedtls_cipher_context_t ctx;
size_t tag_len;
mbedtls_cipher_init(&ctx);
CHK(aead_prepare(info, &ctx, &tag_len));
aead_info(&ctx, tag_len);
CHK(aead_encrypt(&ctx, tag_len,
iv1, sizeof(iv1), add_data1, sizeof(add_data1),
msg1_part1, sizeof(msg1_part1),
msg1_part2, sizeof(msg1_part2)));
CHK(aead_encrypt(&ctx, tag_len,
iv2, sizeof(iv2), add_data2, sizeof(add_data2),
msg2_part1, sizeof(msg2_part1),
msg2_part2, sizeof(msg2_part2)));
exit:
mbedtls_cipher_free(&ctx);
return ret;
}
/*
* Main function
*/
int main(int argc, char **argv)
{
/* Check usage */
if (argc != 2) {
puts(usage);
return 1;
}
int ret;
/* Run the demo */
CHK(aead_demo(argv[1]));
exit:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif

137
externals/mbedtls/programs/demo_common.sh vendored Normal file
View File

@@ -0,0 +1,137 @@
## Common shell functions used by demo scripts programs/*/*.sh.
## How to write a demo script
## ==========================
##
## Include this file near the top of each demo script:
## . "${0%/*}/../demo_common.sh"
##
## Start with a "msg" call that explains the purpose of the script.
## Then call the "depends_on" function to ensure that all config
## dependencies are met.
##
## As the last thing in the script, call the cleanup function.
##
## You can use the functions and variables described below.
set -e -u
## $root_dir is the root directory of the Mbed TLS source tree.
root_dir="${0%/*}"
# Find a nice path to the root directory, avoiding unnecessary "../".
# The code supports demo scripts nested up to 4 levels deep.
# The code works no matter where the demo script is relative to the current
# directory, even if it is called with a relative path.
n=4 # limit the search depth
while ! [ -d "$root_dir/programs" ] || ! [ -d "$root_dir/library" ]; do
if [ $n -eq 0 ]; then
echo >&2 "This doesn't seem to be an Mbed TLS source tree."
exit 125
fi
n=$((n - 1))
case $root_dir in
.) root_dir="..";;
..|?*/..) root_dir="$root_dir/..";;
?*/*) root_dir="${root_dir%/*}";;
/*) root_dir="/";;
*) root_dir=".";;
esac
done
## $programs_dir is the directory containing the sample programs.
# Assume an in-tree build.
programs_dir="$root_dir/programs"
## msg LINE...
## msg <TEXT_ORIGIN
## Display an informational message.
msg () {
if [ $# -eq 0 ]; then
sed 's/^/# /'
else
for x in "$@"; do
echo "# $x"
done
fi
}
## run "Message" COMMAND ARGUMENT...
## Display the message, then run COMMAND with the specified arguments.
run () {
echo
echo "# $1"
shift
echo "+ $*"
"$@"
}
## Like '!', but stop on failure with 'set -e'
not () {
if "$@"; then false; fi
}
## run_bad "Message" COMMAND ARGUMENT...
## Like run, but the command is expected to fail.
run_bad () {
echo
echo "$1 This must fail."
shift
echo "+ ! $*"
not "$@"
}
## config_has SYMBOL...
## Succeeds if the library configuration has all SYMBOLs set.
config_has () {
for x in "$@"; do
"$programs_dir/test/query_compile_time_config" "$x"
done
}
## depends_on SYMBOL...
## Exit if the library configuration does not have all SYMBOLs set.
depends_on () {
m=
for x in "$@"; do
if ! config_has "$x"; then
m="$m $x"
fi
done
if [ -n "$m" ]; then
cat >&2 <<EOF
$0: this demo requires the following
configuration options to be enabled at compile time:
$m
EOF
# Exit with a success status so that this counts as a pass for run_demos.py.
exit
fi
}
## Add the names of files to clean up to this whitespace-separated variable.
## The file names must not contain whitespace characters.
files_to_clean=
## Call this function at the end of each script.
## It is called automatically if the script is killed by a signal.
cleanup () {
rm -f -- $files_to_clean
}
################################################################
## End of the public interfaces. Code beyond this point is not
## meant to be called directly from a demo script.
trap 'cleanup; trap - HUP; kill -HUP $$' HUP
trap 'cleanup; trap - INT; kill -INT $$' INT
trap 'cleanup; trap - TERM; kill -TERM $$' TERM
if config_has MBEDTLS_ENTROPY_NV_SEED; then
# Create a seedfile that's sufficiently long in all library configurations.
# This is necessary for programs that use randomness.
# Assume that the name of the seedfile is the default name.
files_to_clean="$files_to_clean seedfile"
dd if=/dev/urandom of=seedfile ibs=64 obs=64 count=1
fi

10
externals/mbedtls/programs/fuzz/.gitignore vendored Normal file
View File

@@ -0,0 +1,10 @@
fuzz_client
fuzz_dtlsclient
fuzz_dtlsserver
fuzz_pkcs7
fuzz_privkey
fuzz_pubkey
fuzz_server
fuzz_x509crl
fuzz_x509crt
fuzz_x509csr

50
externals/mbedtls/programs/fuzz/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,50 @@
set(libs
${mbedtls_target}
${CMAKE_THREAD_LIBS_INIT}
)
find_library(FUZZINGENGINE_LIB FuzzingEngine)
if(FUZZINGENGINE_LIB)
project(fuzz CXX)
endif()
set(executables_no_common_c
fuzz_pubkey
fuzz_x509crl
fuzz_x509crt
fuzz_x509csr
fuzz_pkcs7
)
set(executables_with_common_c
fuzz_privkey
fuzz_client
fuzz_dtlsclient
fuzz_dtlsserver
fuzz_server
)
foreach(exe IN LISTS executables_no_common_c executables_with_common_c)
set(exe_sources ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
if(NOT FUZZINGENGINE_LIB)
list(APPEND exe_sources onefile.c)
endif()
# This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
list(FIND executables_with_common_c ${exe} exe_index)
if(${exe_index} GREATER -1)
list(APPEND exe_sources common.c)
endif()
add_executable(${exe} ${exe_sources})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if (NOT FUZZINGENGINE_LIB)
target_link_libraries(${exe} ${libs})
else()
target_link_libraries(${exe} ${libs} FuzzingEngine)
SET_TARGET_PROPERTIES(${exe} PROPERTIES LINKER_LANGUAGE CXX)
endif()
endforeach()

48
externals/mbedtls/programs/fuzz/Makefile vendored Normal file
View File

@@ -0,0 +1,48 @@
MBEDTLS_TEST_PATH:=../../tests
MBEDTLS_PATH := ../..
include ../../scripts/common.make
DEP=${MBEDLIBS}
ifdef FUZZINGENGINE
LOCAL_LDFLAGS += -lFuzzingEngine
endif
# A test application is built for each suites/test_suite_*.data file.
# Application name is same as .data file's base name and can be
# constructed by stripping path 'suites/' and extension .data.
APPS = $(basename $(wildcard fuzz_*.c))
# Construct executable name by adding OS specific suffix $(EXEXT).
BINARIES := $(addsuffix $(EXEXT),$(APPS))
.SILENT:
.PHONY: all check test clean
all: $(BINARIES)
C_FILES := $(addsuffix .c,$(APPS))
%.o: %.c
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $< -o $@
ifdef FUZZINGENGINE
$(BINARIES): %$(EXEXT): %.o common.o $(DEP)
echo " $(CC) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CXX) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
else
$(BINARIES): %$(EXEXT): %.o common.o onefile.o $(DEP)
echo " $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
endif
clean:
ifndef WINDOWS
rm -rf $(BINARIES) *.o
else
if exist *.o del /Q /F *.o
if exist *.exe del /Q /F *.exe
endif

68
externals/mbedtls/programs/fuzz/README.md vendored Normal file
View File

@@ -0,0 +1,68 @@
What is it?
------
This directory contains fuzz targets.
Fuzz targets are simple codes using the library.
They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance).
These targets were meant to be used with oss-fuzz but can be used in other contexts.
This code was contributed by Philippe Antoine ( Catena cyber ).
How to run?
------
To run the fuzz targets like oss-fuzz:
```
git clone https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image mbedtls
python infra/helper.py build_fuzzers --sanitizer address mbedtls
python infra/helper.py run_fuzzer mbedtls fuzz_client
```
You can use `undefined` sanitizer as well as `address` sanitizer.
And you can run any of the fuzz targets like `fuzz_client`.
To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance).
Then you need to compile the code with the compiler flags of the wished sanitizer.
```
perl scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
mkdir build
cd build
cmake ..
make
```
Finally, you can run the targets like `./test/fuzz/fuzz_client`.
Corpus generation for network traffic targets
------
These targets use network traffic as inputs :
* client : simulates a client against (fuzzed) server traffic
* server : simulates a server against (fuzzed) client traffic
* dtls_client
* dtls_server
They also use the last bytes as configuration options.
To generate corpus for these targets, you can do the following, not fully automated steps :
* Build mbedtls programs ssl_server2 and ssl_client2
* Run them one against the other with `reproducible` option turned on while capturing traffic into test.pcap
* Extract tcp payloads, for instance with tshark : `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
* Run a dummy python script to output either client or server corpus file like `python dummy.py test.txt > test.cor`
* Finally, you can add the options by appending the last bytes to the file test.cor
Here is an example of dummy.py for extracting payload from client to server (if we used `tcp.dstport` in tshark command)
```
import sys
import binascii
f = open(sys.argv[1])
for l in f.readlines():
portAndPl=l.split()
if len(portAndPl) == 2:
# determine client or server based on port
if portAndPl[0] == "4433":
print(binascii.unhexlify(portAndPl[1].replace(":","")))
```

105
externals/mbedtls/programs/fuzz/common.c vendored Normal file
View File

@@ -0,0 +1,105 @@
#include "common.h"
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "mbedtls/ctr_drbg.h"
#if defined(MBEDTLS_PLATFORM_TIME_ALT)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time)
{
(void) time;
return 0x5af2a056;
}
#endif
void dummy_init(void)
{
#if defined(MBEDTLS_PLATFORM_TIME_ALT)
mbedtls_platform_set_time(dummy_constant_time);
#else
fprintf(stderr, "Warning: fuzzing without constant time\n");
#endif
}
int dummy_send(void *ctx, const unsigned char *buf, size_t len)
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
if (len > INT_MAX) {
return -1;
}
return (int) len;
}
int fuzz_recv(void *ctx, unsigned char *buf, size_t len)
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return 0;
}
if (len > INT_MAX) {
return -1;
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return (int) len;
}
int dummy_random(void *p_rng, unsigned char *output, size_t output_len)
{
int ret;
size_t i;
#if defined(MBEDTLS_CTR_DRBG_C)
//mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
if (p_rng != NULL) {
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
} else {
//fall through to pseudo-random
ret = 0;
}
#else
(void) p_rng;
ret = 0;
#endif
for (i = 0; i < output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) rand();
}
return ret;
}
int dummy_entropy(void *data, unsigned char *output, size_t len)
{
size_t i;
(void) data;
//use mbedtls_entropy_func to find bugs in it
//test performance impact of entropy
//ret = mbedtls_entropy_func(data, output, len);
for (i = 0; i < len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) rand();
}
return 0;
}
int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout)
{
(void) timeout;
return fuzz_recv(ctx, buf, len);
}

25
externals/mbedtls/programs/fuzz/common.h vendored Normal file
View File

@@ -0,0 +1,25 @@
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
#include <stddef.h>
#include <stdint.h>
typedef struct fuzzBufferOffset {
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
#endif
void dummy_init(void);
int dummy_send(void *ctx, const unsigned char *buf, size_t len);
int fuzz_recv(void *ctx, unsigned char *buf, size_t len);
int dummy_random(void *p_rng, unsigned char *output, size_t output_len);
int dummy_entropy(void *data, unsigned char *output, size_t len);
int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout);

BIN
externals/mbedtls/programs/fuzz/corpuses/client vendored Normal file
View File

Binary file not shown.

BIN
externals/mbedtls/programs/fuzz/corpuses/dtlsclient vendored Normal file
View File

Binary file not shown.

BIN
externals/mbedtls/programs/fuzz/corpuses/dtlsserver vendored Normal file
View File

Binary file not shown.

BIN
externals/mbedtls/programs/fuzz/corpuses/server vendored Normal file
View File

Binary file not shown.

193
externals/mbedtls/programs/fuzz/fuzz_client.c vendored Normal file
View File

@@ -0,0 +1,193 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "test/certs.h"
#include "common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#if defined(MBEDTLS_SSL_CLI_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
static int initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
static mbedtls_x509_crt cacert;
#endif
const char *alpn_list[3];
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
const unsigned char psk[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
const char psk_id[] = "Client_identity";
#endif
const char *pers = "fuzz_client";
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#if defined(MBEDTLS_SSL_CLI_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
uint16_t options;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_init(&cacert);
if (mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len) != 0) {
return 1;
}
#endif
alpn_list[0] = "HTTP";
alpn_list[1] = "fuzzalpn";
alpn_list[2] = NULL;
dummy_init();
initialized = 1;
}
//we take 1 byte as options input
if (Size < 2) {
return 0;
}
options = (Data[Size - 2] << 8) | Data[Size - 1];
//Avoid warnings if compile options imply no options
(void) options;
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
}
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
goto exit;
}
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (options & 2) {
mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
(const unsigned char *) psk_id, sizeof(psk_id) - 1);
}
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
if (options & 4) {
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
} else
#endif
{
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
}
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(&conf,
(options &
0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(&conf,
(options &
0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(&conf,
(options &
0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED);
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_session_tickets(&conf,
(options &
0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
#endif
#if defined(MBEDTLS_SSL_ALPN)
if (options & 0x200) {
mbedtls_ssl_conf_alpn_protocols(&conf, alpn_list);
}
#endif
//There may be other options to add :
// mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
srand(1);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
if ((options & 1) == 0) {
if (mbedtls_ssl_set_hostname(&ssl, "localhost") != 0) {
goto exit;
}
}
#endif
biomemfuzz.Data = Data;
biomemfuzz.Size = Size-2;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL);
ret = mbedtls_ssl_handshake(&ssl);
if (ret == 0) {
//keep reading data from server until the end
do {
len = sizeof(buf) - 1;
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
continue;
} else if (ret <= 0) {
//EOF or error
break;
}
} while (1);
}
exit:
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
(void) Size;
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_client.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

136
externals/mbedtls/programs/fuzz/fuzz_dtlsclient.c vendored Normal file
View File

@@ -0,0 +1,136 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include "common.h"
#include "mbedtls/ssl.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/timing.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_CLI_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C)
static int initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
static mbedtls_x509_crt cacert;
#endif
const char *pers = "fuzz_dtlsclient";
#endif
#endif // MBEDTLS_SSL_PROTO_DTLS
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#if defined(MBEDTLS_SSL_PROTO_DTLS) && \
defined(MBEDTLS_SSL_CLI_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C)
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_timing_delay_context timer;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_init(&cacert);
if (mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len) != 0) {
return 1;
}
#endif
dummy_init();
initialized = 1;
}
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
srand(1);
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
}
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
goto exit;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
#endif
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;
}
mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
if (mbedtls_ssl_set_hostname(&ssl, "localhost") != 0) {
goto exit;
}
#endif
biomemfuzz.Data = Data;
biomemfuzz.Size = Size;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout);
ret = mbedtls_ssl_handshake(&ssl);
if (ret == 0) {
//keep reading data from server until the end
do {
len = sizeof(buf) - 1;
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
continue;
} else if (ret <= 0) {
//EOF or error
break;
}
} while (1);
}
exit:
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_dtlsclient.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

181
externals/mbedtls/programs/fuzz/fuzz_dtlsserver.c vendored Normal file
View File

@@ -0,0 +1,181 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include "common.h"
#include "mbedtls/ssl.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/timing.h"
#include "mbedtls/ssl_cookie.h"
#if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
(defined(MBEDTLS_MD_CAN_SHA384) || \
defined(MBEDTLS_MD_CAN_SHA256))
const char *pers = "fuzz_dtlsserver";
const unsigned char client_ip[4] = { 0x7F, 0, 0, 1 };
static int initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
static mbedtls_x509_crt srvcert;
static mbedtls_pk_context pkey;
#endif
#endif
#endif // MBEDTLS_SSL_PROTO_DTLS
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#if defined(MBEDTLS_SSL_PROTO_DTLS) && \
defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
(defined(MBEDTLS_MD_CAN_SHA384) || \
defined(MBEDTLS_MD_CAN_SHA256))
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_timing_delay_context timer;
mbedtls_ssl_cookie_ctx cookie_ctx;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_init(&srvcert);
mbedtls_pk_init(&pkey);
#endif
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_cookie_init(&cookie_ctx);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
}
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len) != 0) {
return 1;
}
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len) != 0) {
return 1;
}
if (mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
dummy_random, &ctr_drbg) != 0) {
return 1;
}
#endif
dummy_init();
initialized = 1;
}
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
goto exit;
}
srand(1);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if (mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey) != 0) {
goto exit;
}
#endif
if (mbedtls_ssl_cookie_setup(&cookie_ctx, dummy_random, &ctr_drbg) != 0) {
goto exit;
}
mbedtls_ssl_conf_dtls_cookies(&conf,
mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check,
&cookie_ctx);
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;
}
mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
biomemfuzz.Data = Data;
biomemfuzz.Size = Size;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout);
if (mbedtls_ssl_set_client_transport_id(&ssl, client_ip, sizeof(client_ip)) != 0) {
goto exit;
}
ret = mbedtls_ssl_handshake(&ssl);
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
biomemfuzz.Offset = ssl.MBEDTLS_PRIVATE(next_record_offset);
mbedtls_ssl_session_reset(&ssl);
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout);
if (mbedtls_ssl_set_client_transport_id(&ssl, client_ip, sizeof(client_ip)) != 0) {
goto exit;
}
ret = mbedtls_ssl_handshake(&ssl);
if (ret == 0) {
//keep reading data from server until the end
do {
len = sizeof(buf) - 1;
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
continue;
} else if (ret <= 0) {
//EOF or error
break;
}
} while (1);
}
}
exit:
mbedtls_ssl_cookie_free(&cookie_ctx);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_pk_free(&pkey);
mbedtls_x509_crt_free(&srvcert);
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_dtlsserver.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

20
externals/mbedtls/programs/fuzz/fuzz_pkcs7.c vendored Normal file
View File

@@ -0,0 +1,20 @@
#include <stdint.h>
#include "mbedtls/pkcs7.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#ifdef MBEDTLS_PKCS7_C
mbedtls_pkcs7 pkcs7;
mbedtls_pkcs7_init(&pkcs7);
mbedtls_pkcs7_parse_der(&pkcs7, Data, Size);
mbedtls_pkcs7_free(&pkcs7);
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_pkcs7.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

104
externals/mbedtls/programs/fuzz/fuzz_privkey.c vendored Normal file
View File

@@ -0,0 +1,104 @@
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "common.h"
//4 Kb should be enough for every bug ;-)
#define MAX_LEN 0x1000
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C)
const char *pers = "fuzz_privkey";
#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C)
int ret;
mbedtls_pk_context pk;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
if (Size > MAX_LEN) {
//only work on small inputs
Size = MAX_LEN;
}
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
}
ret = mbedtls_pk_parse_key(&pk, Data, Size, NULL, 0,
dummy_random, &ctr_drbg);
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_RSA) {
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_rsa_context *rsa;
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
rsa = mbedtls_pk_rsa(pk);
if (mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E) != 0) {
abort();
}
if (mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP) != 0) {
abort();
}
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) {
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
/* If the curve is not supported, the key should not have been
* accepted. */
if (curve_info == NULL) {
abort();
}
} else
#endif
{
/* The key is valid but is not of a supported type.
* This should not happen. */
abort();
}
}
exit:
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
(void) Size;
#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_privkey.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

90
externals/mbedtls/programs/fuzz/fuzz_pubkey.c vendored Normal file
View File

@@ -0,0 +1,90 @@
#include <stdint.h>
#include <stdlib.h>
#include "mbedtls/pk.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#ifdef MBEDTLS_PK_PARSE_C
int ret;
mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_pk_parse_public_key(&pk, Data, Size);
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_RSA) {
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_rsa_context *rsa;
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
rsa = mbedtls_pk_rsa(pk);
if (mbedtls_rsa_export(rsa, &N, NULL, NULL, NULL, &E) != 0) {
abort();
}
if (mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E) != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
abort();
}
if (mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP) != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
abort();
}
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) {
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
/* If the curve is not supported, the key should not have been
* accepted. */
if (curve_info == NULL) {
abort();
}
/* It's a public key, so the private value should not have
* been changed from its initialization to 0. */
mbedtls_mpi d;
mbedtls_mpi_init(&d);
if (mbedtls_ecp_export(ecp, NULL, &d, NULL) != 0) {
abort();
}
if (mbedtls_mpi_cmp_int(&d, 0) != 0) {
abort();
}
mbedtls_mpi_free(&d);
} else
#endif
{
/* The key is valid but is not of a supported type.
* This should not happen. */
abort();
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_free(&pk);
#else
(void) Data;
(void) Size;
#endif //MBEDTLS_PK_PARSE_C
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_pubkey.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

216
externals/mbedtls/programs/fuzz/fuzz_server.c vendored Normal file
View File

@@ -0,0 +1,216 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ssl_ticket.h"
#include "test/certs.h"
#include "common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
const char *pers = "fuzz_server";
static int initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
static mbedtls_x509_crt srvcert;
static mbedtls_pk_context pkey;
#endif
const char *alpn_list[3];
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
const unsigned char psk[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
const char psk_id[] = "Client_identity";
#endif
#endif // MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_context ticket_ctx;
#endif
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
uint8_t options;
//we take 1 byte as options input
if (Size < 1) {
return 0;
}
options = Data[Size - 1];
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_init(&srvcert);
mbedtls_pk_init(&pkey);
#endif
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_init(&ticket_ctx);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
return 1;
}
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len) != 0) {
return 1;
}
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len) != 0) {
return 1;
}
if (mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
dummy_random, &ctr_drbg) != 0) {
return 1;
}
#endif
alpn_list[0] = "HTTP";
alpn_list[1] = "fuzzalpn";
alpn_list[2] = NULL;
dummy_init();
initialized = 1;
}
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
goto exit;
}
srand(1);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if (mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey) != 0) {
goto exit;
}
#endif
mbedtls_ssl_conf_cert_req_ca_list(&conf,
(options &
0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
#if defined(MBEDTLS_SSL_ALPN)
if (options & 0x2) {
mbedtls_ssl_conf_alpn_protocols(&conf, alpn_list);
}
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
if (options & 0x4) {
if (mbedtls_ssl_ticket_setup(&ticket_ctx,
dummy_random, &ctr_drbg,
MBEDTLS_CIPHER_AES_256_GCM,
86400) != 0) {
goto exit;
}
mbedtls_ssl_conf_session_tickets_cb(&conf,
mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse,
&ticket_ctx);
}
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(&conf,
(options &
0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(&conf,
(options &
0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (options & 0x40) {
mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
(const unsigned char *) psk_id, sizeof(psk_id) - 1);
}
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(&conf,
(options &
0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED);
#endif
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;
}
biomemfuzz.Data = Data;
biomemfuzz.Size = Size-1;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL);
mbedtls_ssl_session_reset(&ssl);
ret = mbedtls_ssl_handshake(&ssl);
if (ret == 0) {
//keep reading data from server until the end
do {
len = sizeof(buf) - 1;
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
continue;
} else if (ret <= 0) {
//EOF or error
break;
}
} while (1);
}
exit:
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_free(&ticket_ctx);
#endif
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
#endif
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif
#else
(void) Data;
(void) Size;
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_server.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

39
externals/mbedtls/programs/fuzz/fuzz_x509crl.c vendored Normal file
View File

@@ -0,0 +1,39 @@
#include <stdint.h>
#include "mbedtls/x509_crl.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#ifdef MBEDTLS_X509_CRL_PARSE_C
int ret;
mbedtls_x509_crl crl;
unsigned char buf[4096];
mbedtls_x509_crl_init(&crl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crl_parse(&crl, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl);
}
#else
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crl_free(&crl);
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_x509crl.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

39
externals/mbedtls/programs/fuzz/fuzz_x509crt.c vendored Normal file
View File

@@ -0,0 +1,39 @@
#include <stdint.h>
#include "mbedtls/x509_crt.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#ifdef MBEDTLS_X509_CRT_PARSE_C
int ret;
mbedtls_x509_crt crt;
unsigned char buf[4096];
mbedtls_x509_crt_init(&crt);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crt_parse(&crt, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
ret = mbedtls_x509_crt_info((char *) buf, sizeof(buf) - 1, " ", &crt);
}
#else
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crt_free(&crt);
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_x509crt.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

39
externals/mbedtls/programs/fuzz/fuzz_x509csr.c vendored Normal file
View File

@@ -0,0 +1,39 @@
#include <stdint.h>
#include "mbedtls/x509_csr.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
#ifdef MBEDTLS_X509_CSR_PARSE_C
int ret;
mbedtls_x509_csr csr;
unsigned char buf[4096];
mbedtls_x509_csr_init(&csr);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_csr_parse(&csr, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
ret = mbedtls_x509_csr_info((char *) buf, sizeof(buf) - 1, " ", &csr);
}
#else
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_csr_free(&csr);
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
externals/mbedtls/programs/fuzz/fuzz_x509csr.options vendored Normal file
View File

@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

69
externals/mbedtls/programs/fuzz/onefile.c vendored Normal file
View File

@@ -0,0 +1,69 @@
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
* in case it contains platform-specific #defines related to malloc or
* stdio functions. */
#include "mbedtls/build_info.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char **argv)
{
FILE *fp;
uint8_t *Data;
size_t Size;
const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0];
if (argc != 2) {
fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0);
return 1;
}
//opens the file, get its size, and reads it into a buffer
fp = fopen(argv[1], "rb");
if (fp == NULL) {
fprintf(stderr, "%s: Error in fopen\n", argv0);
perror(argv[1]);
return 2;
}
if (fseek(fp, 0L, SEEK_END) != 0) {
fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
Size = ftell(fp);
if (Size == (size_t) -1) {
fprintf(stderr, "%s: Error in ftell\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
if (fseek(fp, 0L, SEEK_SET) != 0) {
fprintf(stderr, "%s: Error in fseek(0)\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
Data = malloc(Size);
if (Data == NULL) {
fprintf(stderr, "%s: Could not allocate memory\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
if (fread(Data, Size, 1, fp) != 1) {
fprintf(stderr, "%s: Error in fread\n", argv0);
perror(argv[1]);
free(Data);
fclose(fp);
return 2;
}
//launch fuzzer
LLVMFuzzerTestOneInput(Data, Size);
free(Data);
fclose(fp);
return 0;
}

15
externals/mbedtls/programs/hash/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,15 @@
set(executables
generic_sum
hello
md_hmac_demo
)
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

209
externals/mbedtls/programs/hash/generic_sum.c vendored Normal file
View File

@@ -0,0 +1,209 @@
/*
* generic message digest layer demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_MD_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/md.h"
#include <stdio.h>
#include <string.h>
#endif
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
static int generic_wrapper(const mbedtls_md_info_t *md_info, char *filename, unsigned char *sum)
{
int ret = mbedtls_md_file(md_info, filename, sum);
if (ret == 1) {
mbedtls_fprintf(stderr, "failed to open: %s\n", filename);
}
if (ret == 2) {
mbedtls_fprintf(stderr, "failed to read: %s\n", filename);
}
return ret;
}
static int generic_print(const mbedtls_md_info_t *md_info, char *filename)
{
int i;
unsigned char sum[MBEDTLS_MD_MAX_SIZE];
if (generic_wrapper(md_info, filename, sum) != 0) {
return 1;
}
for (i = 0; i < mbedtls_md_get_size(md_info); i++) {
mbedtls_printf("%02x", sum[i]);
}
mbedtls_printf(" %s\n", filename);
return 0;
}
static int generic_check(const mbedtls_md_info_t *md_info, char *filename)
{
int i;
size_t n;
FILE *f;
int nb_err1, nb_err2;
int nb_tot1, nb_tot2;
unsigned char sum[MBEDTLS_MD_MAX_SIZE];
char line[1024];
char diff;
#if defined(__clang_analyzer__)
char buf[MBEDTLS_MD_MAX_SIZE * 2 + 1] = { };
#else
char buf[MBEDTLS_MD_MAX_SIZE * 2 + 1];
#endif
if ((f = fopen(filename, "rb")) == NULL) {
mbedtls_printf("failed to open: %s\n", filename);
return 1;
}
nb_err1 = nb_err2 = 0;
nb_tot1 = nb_tot2 = 0;
memset(line, 0, sizeof(line));
n = sizeof(line);
while (fgets(line, (int) n - 1, f) != NULL) {
n = strlen(line);
if (n < (size_t) 2 * mbedtls_md_get_size(md_info) + 4) {
mbedtls_printf("No '%s' hash found on line.\n", mbedtls_md_get_name(md_info));
continue;
}
if (line[2 * mbedtls_md_get_size(md_info)] != ' ' ||
line[2 * mbedtls_md_get_size(md_info) + 1] != ' ') {
mbedtls_printf("No '%s' hash found on line.\n", mbedtls_md_get_name(md_info));
continue;
}
if (line[n - 1] == '\n') {
n--; line[n] = '\0';
}
if (line[n - 1] == '\r') {
n--; line[n] = '\0';
}
nb_tot1++;
if (generic_wrapper(md_info, line + 2 + 2 * mbedtls_md_get_size(md_info), sum) != 0) {
nb_err1++;
continue;
}
nb_tot2++;
for (i = 0; i < mbedtls_md_get_size(md_info); i++) {
sprintf(buf + i * 2, "%02x", sum[i]);
}
/* Use constant-time buffer comparison */
diff = 0;
for (i = 0; i < 2 * mbedtls_md_get_size(md_info); i++) {
diff |= line[i] ^ buf[i];
}
if (diff != 0) {
nb_err2++;
mbedtls_fprintf(stderr, "wrong checksum: %s\n", line + 66);
}
n = sizeof(line);
}
if (nb_err1 != 0) {
mbedtls_printf("WARNING: %d (out of %d) input files could "
"not be read\n", nb_err1, nb_tot1);
}
if (nb_err2 != 0) {
mbedtls_printf("WARNING: %d (out of %d) computed checksums did "
"not match\n", nb_err2, nb_tot2);
}
fclose(f);
return nb_err1 != 0 || nb_err2 != 0;
}
int main(int argc, char *argv[])
{
int ret = 1, i;
int exit_code = MBEDTLS_EXIT_FAILURE;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
mbedtls_md_init(&md_ctx);
if (argc < 2) {
const int *list;
mbedtls_printf("print mode: generic_sum <mbedtls_md> <file> <file> ...\n");
mbedtls_printf("check mode: generic_sum <mbedtls_md> -c <checksum file>\n");
mbedtls_printf("\nAvailable message digests:\n");
list = mbedtls_md_list();
while (*list) {
md_info = mbedtls_md_info_from_type(*list);
mbedtls_printf(" %s\n", mbedtls_md_get_name(md_info));
list++;
}
mbedtls_exit(exit_code);
}
/*
* Read the MD from the command line
*/
md_info = mbedtls_md_info_from_string(argv[1]);
if (md_info == NULL) {
mbedtls_fprintf(stderr, "Message Digest '%s' not found\n", argv[1]);
mbedtls_exit(exit_code);
}
if (mbedtls_md_setup(&md_ctx, md_info, 0)) {
mbedtls_fprintf(stderr, "Failed to initialize context.\n");
mbedtls_exit(exit_code);
}
ret = 0;
if (argc == 4 && strcmp("-c", argv[2]) == 0) {
ret |= generic_check(md_info, argv[3]);
goto exit;
}
for (i = 2; i < argc; i++) {
ret |= generic_print(md_info, argv[i]);
}
if (ret == 0) {
exit_code = MBEDTLS_EXIT_SUCCESS;
}
exit:
mbedtls_md_free(&md_ctx);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_MD_C && MBEDTLS_FS_IO */

45
externals/mbedtls/programs/hash/hello.c vendored Normal file
View File

@@ -0,0 +1,45 @@
/*
* Classic "Hello, world" demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_MD5_C)
#include "mbedtls/md5.h"
#endif
#if !defined(MBEDTLS_MD5_C)
int main(void)
{
mbedtls_printf("MBEDTLS_MD5_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(void)
{
int i, ret;
unsigned char digest[16];
char str[] = "Hello, world!";
mbedtls_printf("\n MD5('%s') = ", str);
if ((ret = mbedtls_md5((unsigned char *) str, 13, digest)) != 0) {
mbedtls_exit(MBEDTLS_EXIT_FAILURE);
}
for (i = 0; i < 16; i++) {
mbedtls_printf("%02x", digest[i]);
}
mbedtls_printf("\n\n");
mbedtls_exit(MBEDTLS_EXIT_SUCCESS);
}
#endif /* MBEDTLS_MD5_C */

136
externals/mbedtls/programs/hash/md_hmac_demo.c vendored Normal file
View File

@@ -0,0 +1,136 @@
/**
* MD API multi-part HMAC demonstration.
*
* This programs computes the HMAC of two messages using the multi-part API.
*
* This is a companion to psa/hmac_demo.c, doing the same operations with the
* legacy MD API. The goal is that comparing the two programs will help people
* migrating to the PSA Crypto API.
*
* When it comes to multi-part HMAC operations, the `mbedtls_md_context`
* serves a dual purpose (1) hold the key, and (2) save progress information
* for the current operation. With PSA those roles are held by two disinct
* objects: (1) a psa_key_id_t to hold the key, and (2) a psa_operation_t for
* multi-part progress.
*
* This program and its companion psa/hmac_demo.c illustrate this by doing the
* same sequence of multi-part HMAC computation with both APIs; looking at the
* two side by side should make the differences and similarities clear.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include "mbedtls/md.h"
#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
#include <stdlib.h>
#include <stdio.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_MD_C)
int main(void)
{
printf("MBEDTLS_MD_C not defined\r\n");
return 0;
}
#else
/* The real program starts here. */
/* Dummy inputs for HMAC */
const unsigned char msg1_part1[] = { 0x01, 0x02 };
const unsigned char msg1_part2[] = { 0x03, 0x04 };
const unsigned char msg2_part1[] = { 0x05, 0x05 };
const unsigned char msg2_part2[] = { 0x06, 0x06 };
/* Dummy key material - never do this in production!
* This example program uses SHA-256, so a 32-byte key makes sense. */
const unsigned char key_bytes[32] = { 0 };
/* Print the contents of a buffer in hex */
void print_buf(const char *title, unsigned char *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
printf(" %02x", buf[i]);
}
printf("\n");
}
/* Run an Mbed TLS function and bail out if it fails.
* A string description of the error code can be recovered with:
* programs/util/strerror <value> */
#define CHK(expr) \
do \
{ \
ret = (expr); \
if (ret != 0) \
{ \
printf("Error %d at line %d: %s\n", \
ret, \
__LINE__, \
#expr); \
goto exit; \
} \
} while (0)
/*
* This function demonstrates computation of the HMAC of two messages using
* the multipart API.
*/
int hmac_demo(void)
{
int ret;
const mbedtls_md_type_t alg = MBEDTLS_MD_SHA256;
unsigned char out[MBEDTLS_MD_MAX_SIZE]; // safe but not optimal
mbedtls_md_context_t ctx;
mbedtls_md_init(&ctx);
/* prepare context and load key */
// the last argument to setup is 1 to enable HMAC (not just hashing)
const mbedtls_md_info_t *info = mbedtls_md_info_from_type(alg);
CHK(mbedtls_md_setup(&ctx, info, 1));
CHK(mbedtls_md_hmac_starts(&ctx, key_bytes, sizeof(key_bytes)));
/* compute HMAC(key, msg1_part1 | msg1_part2) */
CHK(mbedtls_md_hmac_update(&ctx, msg1_part1, sizeof(msg1_part1)));
CHK(mbedtls_md_hmac_update(&ctx, msg1_part2, sizeof(msg1_part2)));
CHK(mbedtls_md_hmac_finish(&ctx, out));
print_buf("msg1", out, mbedtls_md_get_size(info));
/* compute HMAC(key, msg2_part1 | msg2_part2) */
CHK(mbedtls_md_hmac_reset(&ctx)); // prepare for new operation
CHK(mbedtls_md_hmac_update(&ctx, msg2_part1, sizeof(msg2_part1)));
CHK(mbedtls_md_hmac_update(&ctx, msg2_part2, sizeof(msg2_part2)));
CHK(mbedtls_md_hmac_finish(&ctx, out));
print_buf("msg2", out, mbedtls_md_get_size(info));
exit:
mbedtls_md_free(&ctx);
mbedtls_platform_zeroize(out, sizeof(out));
return ret;
}
int main(void)
{
int ret;
CHK(hmac_demo());
exit:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif

41
externals/mbedtls/programs/pkey/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,41 @@
set(executables_mbedtls
dh_client
dh_server
)
foreach(exe IN LISTS executables_mbedtls)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
set(executables_mbedcrypto
dh_genprime
ecdh_curve25519
ecdsa
gen_key
key_app
key_app_writer
mpi_demo
pk_encrypt
pk_decrypt
pk_sign
pk_verify
rsa_decrypt
rsa_encrypt
rsa_genkey
rsa_sign
rsa_sign_pss
rsa_verify
rsa_verify_pss
)
foreach(exe IN LISTS executables_mbedcrypto)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
install(TARGETS ${executables_mbedtls} ${executables_mbedcrypto}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

288
externals/mbedtls/programs/pkey/dh_client.c vendored Normal file
View File

@@ -0,0 +1,288 @@
/*
* Diffie-Hellman-Merkle key exchange (client side)
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#endif
#define SERVER_NAME "localhost"
#define SERVER_PORT "11999"
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
#elif defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
int main(void)
{
mbedtls_printf("MBEDTLS_BLOCK_CIPHER_NO_DECRYPT defined.\n");
mbedtls_exit(0);
}
#else
int main(void)
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context server_fd;
unsigned char *p, *end;
unsigned char buf[2048];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_mpi N, E;
const char *pers = "dh_client";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_rsa_context rsa;
mbedtls_dhm_context dhm;
mbedtls_aes_context aes;
mbedtls_net_init(&server_fd);
mbedtls_dhm_init(&dhm);
mbedtls_aes_init(&aes);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_mpi_init(&N);
mbedtls_mpi_init(&E);
/*
* 1. Setup the RNG
*/
mbedtls_printf("\n . Seeding the random number generator");
fflush(stdout);
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
/*
* 2. Read the server's public RSA key
*/
mbedtls_printf("\n . Reading public key from rsa_pub.txt");
fflush(stdout);
if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
mbedtls_rsa_init(&rsa);
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
(ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
fclose(f);
/*
* 3. Initiate the connection
*/
mbedtls_printf("\n . Connecting to tcp/%s/%s", SERVER_NAME,
SERVER_PORT);
fflush(stdout);
if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME,
SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
goto exit;
}
/*
* 4a. First get the buffer length
*/
mbedtls_printf("\n . Receiving the server's DH parameters");
fflush(stdout);
memset(buf, 0, sizeof(buf));
if ((ret = mbedtls_net_recv(&server_fd, buf, 2)) != 2) {
mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
goto exit;
}
n = buflen = (buf[0] << 8) | buf[1];
if (buflen < 1 || buflen > sizeof(buf)) {
mbedtls_printf(" failed\n ! Got an invalid buffer length\n\n");
goto exit;
}
/*
* 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
*/
memset(buf, 0, sizeof(buf));
if ((ret = mbedtls_net_recv(&server_fd, buf, n)) != (int) n) {
mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
goto exit;
}
p = buf, end = buf + buflen;
if ((ret = mbedtls_dhm_read_params(&dhm, &p, end)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_read_params returned %d\n\n", ret);
goto exit;
}
n = mbedtls_dhm_get_len(&dhm);
if (n < 64 || n > 512) {
mbedtls_printf(" failed\n ! Invalid DHM modulus size\n\n");
goto exit;
}
/*
* 5. Check that the server's RSA signature matches
* the SHA-256 hash of (P,G,Ys)
*/
mbedtls_printf("\n . Verifying the server's RSA signature");
fflush(stdout);
p += 2;
if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
goto exit;
}
mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
if (mdlen == 0) {
mbedtls_printf(" failed\n ! Invalid digest type\n\n");
goto exit;
}
if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
mdlen, hash, p)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
goto exit;
}
/*
* 6. Send our public value: Yc = G ^ Xc mod P
*/
mbedtls_printf("\n . Sending own public value to server");
fflush(stdout);
n = mbedtls_dhm_get_len(&dhm);
if ((ret = mbedtls_dhm_make_public(&dhm, (int) n, buf, n,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_make_public returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_net_send(&server_fd, buf, n)) != (int) n) {
mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
goto exit;
}
/*
* 7. Derive the shared secret: K = Ys ^ Xc mod P
*/
mbedtls_printf("\n . Shared secret: ");
fflush(stdout);
if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_calc_secret returned %d\n\n", ret);
goto exit;
}
for (n = 0; n < 16; n++) {
mbedtls_printf("%02x", buf[n]);
}
/*
* 8. Setup the AES-256 decryption key
*
* This is an overly simplified example; best practice is
* to hash the shared secret with a random value to derive
* the keying material for the encryption/decryption keys,
* IVs and MACs.
*/
mbedtls_printf("...\n . Receiving and decrypting the ciphertext");
fflush(stdout);
ret = mbedtls_aes_setkey_dec(&aes, buf, 256);
if (ret != 0) {
goto exit;
}
memset(buf, 0, sizeof(buf));
if ((ret = mbedtls_net_recv(&server_fd, buf, 16)) != 16) {
mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, buf, buf);
if (ret != 0) {
goto exit;
}
buf[16] = '\0';
mbedtls_printf("\n . Plaintext is \"%s\"\n\n", (char *) buf);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_net_free(&server_fd);
mbedtls_aes_free(&aes);
mbedtls_rsa_free(&rsa);
mbedtls_dhm_free(&dhm);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_mpi_free(&N);
mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

161
externals/mbedtls/programs/pkey/dh_genprime.c vendored Normal file
View File

@@ -0,0 +1,161 @@
/*
* Diffie-Hellman-Merkle key exchange (prime generation)
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_GENPRIME)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_GENPRIME not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/bignum.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#define USAGE \
"\n usage: dh_genprime param=<>...\n" \
"\n acceptable parameters:\n" \
" bits=%%d default: 2048\n"
#define DFL_BITS 2048
/*
* Note: G = 4 is always a quadratic residue mod P,
* so it is a generator of order Q (with P = 2*Q+1).
*/
#define GENERATOR "4"
int main(int argc, char **argv)
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_mpi G, P, Q;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "dh_genprime";
FILE *fout;
int nbits = DFL_BITS;
int i;
char *p, *q;
mbedtls_mpi_init(&G); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
goto exit;
}
for (i = 1; i < argc; i++) {
p = argv[i];
if ((q = strchr(p, '=')) == NULL) {
goto usage;
}
*q++ = '\0';
if (strcmp(p, "bits") == 0) {
nbits = atoi(q);
if (nbits < 0 || nbits > MBEDTLS_MPI_MAX_BITS) {
goto usage;
}
} else {
goto usage;
}
}
if ((ret = mbedtls_mpi_read_string(&G, 10, GENERATOR)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_string returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ! Generating large primes may take minutes!\n");
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Generating the modulus, please wait...");
fflush(stdout);
/*
* This can take a long time...
*/
if ((ret = mbedtls_mpi_gen_prime(&P, nbits, 1,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_gen_prime returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Verifying that Q = (P-1)/2 is prime...");
fflush(stdout);
if ((ret = mbedtls_mpi_sub_int(&Q, &P, 1)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_sub_int returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_mpi_div_int(&Q, NULL, &Q, 2)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_div_int returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_mpi_is_prime_ext(&Q, 50, mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_is_prime returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Exporting the value in dh_prime.txt...");
fflush(stdout);
if ((fout = fopen("dh_prime.txt", "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create dh_prime.txt\n\n");
goto exit;
}
if (((ret = mbedtls_mpi_write_file("P = ", &P, 16, fout)) != 0) ||
((ret = mbedtls_mpi_write_file("G = ", &G, 16, fout)) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_write_file returned %d\n\n", ret);
fclose(fout);
goto exit;
}
mbedtls_printf(" ok\n\n");
fclose(fout);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_mpi_free(&G); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C && MBEDTLS_GENPRIME */

2
externals/mbedtls/programs/pkey/dh_prime.txt vendored Normal file
View File

@@ -0,0 +1,2 @@
P = FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
G = 02

306
externals/mbedtls/programs/pkey/dh_server.c vendored Normal file
View File

@@ -0,0 +1,306 @@
/*
* Diffie-Hellman-Merkle key exchange (server side)
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#endif
#define SERVER_PORT "11999"
#define PLAINTEXT "==Hello there!=="
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(void)
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[2048];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
unsigned char buf2[2];
const char *pers = "dh_server";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_rsa_context rsa;
mbedtls_dhm_context dhm;
mbedtls_aes_context aes;
mbedtls_mpi N, P, Q, D, E, dhm_P, dhm_G;
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
mbedtls_dhm_init(&dhm);
mbedtls_aes_init(&aes);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&dhm_P);
mbedtls_mpi_init(&dhm_G);
/*
* 1. Setup the RNG
*/
mbedtls_printf("\n . Seeding the random number generator");
fflush(stdout);
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
/*
* 2a. Read the server's private RSA key
*/
mbedtls_printf("\n . Reading private key from rsa_priv.txt");
fflush(stdout);
if ((f = fopen("rsa_priv.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
mbedtls_rsa_init(&rsa);
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&D, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&P, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&Q, 16, f)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n",
ret);
fclose(f);
goto exit;
}
fclose(f);
if ((ret = mbedtls_rsa_import(&rsa, &N, &P, &Q, &D, &E)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_import returned %d\n\n",
ret);
goto exit;
}
if ((ret = mbedtls_rsa_complete(&rsa)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_complete returned %d\n\n",
ret);
goto exit;
}
/*
* 2b. Get the DHM modulus and generator
*/
mbedtls_printf("\n . Reading DH parameters from dh_prime.txt");
fflush(stdout);
if ((f = fopen("dh_prime.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open dh_prime.txt\n" \
" ! Please run dh_genprime first\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_read_file(&dhm_P, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&dhm_G, 16, f)) != 0 ||
(ret = mbedtls_dhm_set_group(&dhm, &dhm_P, &dhm_G) != 0)) {
mbedtls_printf(" failed\n ! Invalid DH parameter file\n\n");
fclose(f);
goto exit;
}
fclose(f);
/*
* 3. Wait for a client to connect
*/
mbedtls_printf("\n . Waiting for a remote connection");
fflush(stdout);
if ((ret = mbedtls_net_bind(&listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_bind returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
NULL, 0, NULL)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_accept returned %d\n\n", ret);
goto exit;
}
/*
* 4. Setup the DH parameters (P,G,Ys)
*/
mbedtls_printf("\n . Sending the server's DH parameters");
fflush(stdout);
memset(buf, 0, sizeof(buf));
if ((ret =
mbedtls_dhm_make_params(&dhm, (int) mbedtls_dhm_get_len(&dhm), buf, &n,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_make_params returned %d\n\n", ret);
goto exit;
}
/*
* 5. Sign the parameters and send them
*/
mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
if (mdlen == 0) {
mbedtls_printf(" failed\n ! Invalid digest type\n\n");
goto exit;
}
if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
const size_t rsa_key_len = mbedtls_rsa_get_len(&rsa);
buf[n] = (unsigned char) (rsa_key_len >> 8);
buf[n + 1] = (unsigned char) (rsa_key_len);
if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg,
MBEDTLS_MD_SHA256, mdlen,
hash, buf + n + 2)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret);
goto exit;
}
buflen = n + 2 + rsa_key_len;
buf2[0] = (unsigned char) (buflen >> 8);
buf2[1] = (unsigned char) (buflen);
if ((ret = mbedtls_net_send(&client_fd, buf2, 2)) != 2 ||
(ret = mbedtls_net_send(&client_fd, buf, buflen)) != (int) buflen) {
mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
goto exit;
}
/*
* 6. Get the client's public value: Yc = G ^ Xc mod P
*/
mbedtls_printf("\n . Receiving the client's public value");
fflush(stdout);
memset(buf, 0, sizeof(buf));
n = mbedtls_dhm_get_len(&dhm);
if ((ret = mbedtls_net_recv(&client_fd, buf, n)) != (int) n) {
mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_dhm_read_public(&dhm, buf, n)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_read_public returned %d\n\n", ret);
goto exit;
}
/*
* 7. Derive the shared secret: K = Ys ^ Xc mod P
*/
mbedtls_printf("\n . Shared secret: ");
fflush(stdout);
if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_calc_secret returned %d\n\n", ret);
goto exit;
}
for (n = 0; n < 16; n++) {
mbedtls_printf("%02x", buf[n]);
}
/*
* 8. Setup the AES-256 encryption key
*
* This is an overly simplified example; best practice is
* to hash the shared secret with a random value to derive
* the keying material for the encryption/decryption keys
* and MACs.
*/
mbedtls_printf("...\n . Encrypting and sending the ciphertext");
fflush(stdout);
ret = mbedtls_aes_setkey_enc(&aes, buf, 256);
if (ret != 0) {
goto exit;
}
memcpy(buf, PLAINTEXT, 16);
ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_ENCRYPT, buf, buf);
if (ret != 0) {
goto exit;
}
if ((ret = mbedtls_net_send(&client_fd, buf, 16)) != 16) {
mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
goto exit;
}
mbedtls_printf("\n\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&dhm_P);
mbedtls_mpi_free(&dhm_G);
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
mbedtls_aes_free(&aes);
mbedtls_rsa_free(&rsa);
mbedtls_dhm_free(&dhm);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

189
externals/mbedtls/programs/pkey/ecdh_curve25519.c vendored Normal file
View File

@@ -0,0 +1,189 @@
/*
* Example ECDHE with Curve25519 program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_ECDH_C) || \
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_ECDH_C and/or "
"MBEDTLS_ECP_DP_CURVE25519_ENABLED and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
"not defined\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ecdh.h"
#include <string.h>
int main(int argc, char *argv[])
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdh_context ctx_cli, ctx_srv;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char cli_to_srv[36], srv_to_cli[33];
const char pers[] = "ecdh";
size_t srv_olen;
size_t cli_olen;
unsigned char secret_cli[32] = { 0 };
unsigned char secret_srv[32] = { 0 };
const unsigned char *p_cli_to_srv = cli_to_srv;
((void) argc);
((void) argv);
mbedtls_ecdh_init(&ctx_cli);
mbedtls_ecdh_init(&ctx_srv);
mbedtls_ctr_drbg_init(&ctr_drbg);
/*
* Initialize random number generation
*/
mbedtls_printf(" . Seed the random number generator...");
fflush(stdout);
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy,
(const unsigned char *) pers,
sizeof(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* Client: initialize context and generate keypair
*/
mbedtls_printf(" . Set up client context, generate EC key pair...");
fflush(stdout);
ret = mbedtls_ecdh_setup(&ctx_cli, MBEDTLS_ECP_DP_CURVE25519);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_setup returned %d\n", ret);
goto exit;
}
ret = mbedtls_ecdh_make_params(&ctx_cli, &cli_olen, cli_to_srv,
sizeof(cli_to_srv),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_make_params returned %d\n",
ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* Server: initialize context and generate keypair
*/
mbedtls_printf(" . Server: read params, generate public key...");
fflush(stdout);
ret = mbedtls_ecdh_read_params(&ctx_srv, &p_cli_to_srv,
p_cli_to_srv + sizeof(cli_to_srv));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_read_params returned %d\n",
ret);
goto exit;
}
ret = mbedtls_ecdh_make_public(&ctx_srv, &srv_olen, srv_to_cli,
sizeof(srv_to_cli),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_make_public returned %d\n",
ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* Client: read public key
*/
mbedtls_printf(" . Client: read public key...");
fflush(stdout);
ret = mbedtls_ecdh_read_public(&ctx_cli, srv_to_cli,
sizeof(srv_to_cli));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_read_public returned %d\n",
ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* Calculate secrets
*/
mbedtls_printf(" . Calculate secrets...");
fflush(stdout);
ret = mbedtls_ecdh_calc_secret(&ctx_cli, &cli_olen, secret_cli,
sizeof(secret_cli),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_calc_secret returned %d\n",
ret);
goto exit;
}
ret = mbedtls_ecdh_calc_secret(&ctx_srv, &srv_olen, secret_srv,
sizeof(secret_srv),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdh_calc_secret returned %d\n",
ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* Verification: are the computed secrets equal?
*/
mbedtls_printf(" . Check if both calculated secrets are equal...");
fflush(stdout);
ret = memcmp(secret_srv, secret_cli, srv_olen);
if (ret != 0 || (cli_olen != srv_olen)) {
mbedtls_printf(" failed\n ! Shared secrets not equal.\n");
goto exit;
}
mbedtls_printf(" ok\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_ecdh_free(&ctx_srv);
mbedtls_ecdh_free(&ctx_cli);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECP_DP_CURVE25519_ENABLED &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */

220
externals/mbedtls/programs/pkey/ecdsa.c vendored Normal file
View File

@@ -0,0 +1,220 @@
/*
* Example ECDSA program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_ECDSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/sha256.h"
#include <string.h>
#endif
/*
* Uncomment to show key and signature details
*/
#define VERBOSE
/*
* Uncomment to force use of a specific curve
*/
#define ECPARAMS MBEDTLS_ECP_DP_SECP192R1
#if !defined(ECPARAMS)
#define ECPARAMS mbedtls_ecp_curve_list()->grp_id
#endif
#if !defined(MBEDTLS_ECDSA_C) || !defined(MBEDTLS_SHA256_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_ECDSA_C and/or MBEDTLS_SHA256_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C not defined\n");
mbedtls_exit(0);
}
#else
#if defined(VERBOSE)
static void dump_buf(const char *title, unsigned char *buf, size_t len)
{
size_t i;
mbedtls_printf("%s", title);
for (i = 0; i < len; i++) {
mbedtls_printf("%c%c", "0123456789ABCDEF" [buf[i] / 16],
"0123456789ABCDEF" [buf[i] % 16]);
}
mbedtls_printf("\n");
}
static void dump_pubkey(const char *title, mbedtls_ecdsa_context *key)
{
unsigned char buf[300];
size_t len;
if (mbedtls_ecp_write_public_key(key, MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, buf, sizeof(buf)) != 0) {
mbedtls_printf("internal error\n");
return;
}
dump_buf(title, buf, len);
}
#else
#define dump_buf(a, b, c)
#define dump_pubkey(a, b)
#endif
int main(int argc, char *argv[])
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdsa_context ctx_sign, ctx_verify;
mbedtls_ecp_point Q;
mbedtls_ecp_point_init(&Q);
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char message[100];
unsigned char hash[32];
unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
size_t sig_len;
const char *pers = "ecdsa";
((void) argv);
mbedtls_ecdsa_init(&ctx_sign);
mbedtls_ecdsa_init(&ctx_verify);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(sig, 0, sizeof(sig));
memset(message, 0x25, sizeof(message));
if (argc != 1) {
mbedtls_printf("usage: ecdsa\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
/*
* Generate a key pair for signing
*/
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Generating key pair...");
fflush(stdout);
if ((ret = mbedtls_ecdsa_genkey(&ctx_sign, ECPARAMS,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdsa_genkey returned %d\n", ret);
goto exit;
}
mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(&ctx_sign);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
mbedtls_printf(" ok (key size: %d bits)\n", (int) curve_info->bit_size);
dump_pubkey(" + Public key: ", &ctx_sign);
/*
* Compute message hash
*/
mbedtls_printf(" . Computing message hash...");
fflush(stdout);
if ((ret = mbedtls_sha256(message, sizeof(message), hash, 0)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
dump_buf(" + Hash: ", hash, sizeof(hash));
/*
* Sign message hash
*/
mbedtls_printf(" . Signing message hash...");
fflush(stdout);
if ((ret = mbedtls_ecdsa_write_signature(&ctx_sign, MBEDTLS_MD_SHA256,
hash, sizeof(hash),
sig, sizeof(sig), &sig_len,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdsa_write_signature returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok (signature length = %u)\n", (unsigned int) sig_len);
dump_buf(" + Signature: ", sig, sig_len);
/*
* Transfer public information to verifying context
*
* We could use the same context for verification and signatures, but we
* chose to use a new one in order to make it clear that the verifying
* context only needs the public key (Q), and not the private key (d).
*/
mbedtls_printf(" . Preparing verification context...");
fflush(stdout);
if ((ret = mbedtls_ecp_export(&ctx_sign, NULL, NULL, &Q)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecp_export returned %d\n", ret);
goto exit;
}
if ((ret = mbedtls_ecp_set_public_key(grp_id, &ctx_verify, &Q)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecp_set_public_key returned %d\n", ret);
goto exit;
}
/*
* Verify signature
*/
mbedtls_printf(" ok\n . Verifying signature...");
fflush(stdout);
if ((ret = mbedtls_ecdsa_read_signature(&ctx_verify,
hash, sizeof(hash),
sig, sig_len)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecdsa_read_signature returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_ecdsa_free(&ctx_verify);
mbedtls_ecdsa_free(&ctx_sign);
mbedtls_ecp_point_free(&Q);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
ECPARAMS */

478
externals/mbedtls/programs/pkey/gen_key.c vendored Normal file
View File

@@ -0,0 +1,478 @@
/*
* Key generation application
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_BIGNUM_C)
int main(void)
{
mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_PEM_WRITE_C and/or MBEDTLS_BIGNUM_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/rsa.h"
#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if !defined(_WIN32)
#include <unistd.h>
#define DEV_RANDOM_THRESHOLD 32
int dev_random_entropy_poll(void *data, unsigned char *output,
size_t len, size_t *olen)
{
FILE *file;
size_t ret, left = len;
unsigned char *p = output;
((void) data);
*olen = 0;
file = fopen("/dev/random", "rb");
if (file == NULL) {
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
}
while (left > 0) {
/* /dev/random can return much less than requested. If so, try again */
ret = fread(p, 1, left, file);
if (ret == 0 && ferror(file)) {
fclose(file);
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
}
p += ret;
left -= ret;
sleep(1);
}
fclose(file);
*olen = len;
return 0;
}
#endif /* !_WIN32 */
#if defined(MBEDTLS_ECP_C)
#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id
#else
#define DFL_EC_CURVE 0
#endif
#if !defined(_WIN32) && defined(MBEDTLS_FS_IO)
#define USAGE_DEV_RANDOM \
" use_dev_random=0|1 default: 0\n"
#else
#define USAGE_DEV_RANDOM ""
#endif /* !_WIN32 && MBEDTLS_FS_IO */
#define FORMAT_PEM 0
#define FORMAT_DER 1
#define DFL_TYPE MBEDTLS_PK_RSA
#define DFL_RSA_KEYSIZE 4096
#define DFL_FILENAME "keyfile.key"
#define DFL_FORMAT FORMAT_PEM
#define DFL_USE_DEV_RANDOM 0
#define USAGE \
"\n usage: gen_key param=<>...\n" \
"\n acceptable parameters:\n" \
" type=rsa|ec default: rsa\n" \
" rsa_keysize=%%d default: 4096\n" \
" ec_curve=%%s see below\n" \
" filename=%%s default: keyfile.key\n" \
" format=pem|der default: pem\n" \
USAGE_DEV_RANDOM \
"\n"
/*
* global options
*/
struct options {
int type; /* the type of key to generate */
int rsa_keysize; /* length of key in bits */
int ec_curve; /* curve identifier for EC keys */
const char *filename; /* filename of the key file */
int format; /* the output format to use */
int use_dev_random; /* use /dev/random as entropy source */
} opt;
static int write_private_key(mbedtls_pk_context *key, const char *output_file)
{
int ret;
FILE *f;
unsigned char output_buf[16000];
unsigned char *c = output_buf;
size_t len = 0;
memset(output_buf, 0, 16000);
if (opt.format == FORMAT_PEM) {
if ((ret = mbedtls_pk_write_key_pem(key, output_buf, 16000)) != 0) {
return ret;
}
len = strlen((char *) output_buf);
} else {
if ((ret = mbedtls_pk_write_key_der(key, output_buf, 16000)) < 0) {
return ret;
}
len = ret;
c = output_buf + sizeof(output_buf) - len;
}
if ((f = fopen(output_file, "wb")) == NULL) {
return -1;
}
if (fwrite(c, 1, len, f) != len) {
fclose(f);
return -1;
}
fclose(f);
return 0;
}
#if defined(MBEDTLS_ECP_C)
static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
{
int ret = 0;
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(
mbedtls_ecp_keypair_get_group_id(ecp));
mbedtls_printf("curve: %s\n", curve_info->name);
mbedtls_ecp_group grp;
mbedtls_ecp_group_init(&grp);
mbedtls_mpi D;
mbedtls_mpi_init(&D);
mbedtls_ecp_point pt;
mbedtls_ecp_point_init(&pt);
mbedtls_mpi X, Y;
mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
(has_private ? &D : NULL),
&pt));
unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
size_t len = 0;
MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
&grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, point_bin, sizeof(point_bin)));
switch (mbedtls_ecp_get_type(&grp)) {
case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
if ((len & 1) == 0 || point_bin[0] != 0x04) {
/* Point in an unxepected format. This shouldn't happen. */
ret = -1;
goto cleanup;
}
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
break;
case MBEDTLS_ECP_TYPE_MONTGOMERY:
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
break;
default:
mbedtls_printf(
"This program does not yet support listing coordinates for this curve type.\n");
break;
}
if (has_private) {
mbedtls_mpi_write_file("D: ", &D, 16, NULL);
}
cleanup:
mbedtls_ecp_group_free(&grp);
mbedtls_mpi_free(&D);
mbedtls_ecp_point_free(&pt);
mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
return ret;
}
#endif
int main(int argc, char *argv[])
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context key;
char buf[1024];
int i;
char *p, *q;
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
#endif /* MBEDTLS_RSA_C */
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "gen_key";
#if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_curve_info *curve_info;
#endif
/*
* Set to sane values
*/
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
#endif /* MBEDTLS_RSA_C */
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&key);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(buf, 0, sizeof(buf));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
#if defined(MBEDTLS_ECP_C)
mbedtls_printf(" available ec_curve values:\n");
curve_info = mbedtls_ecp_curve_list();
mbedtls_printf(" %s (default)\n", curve_info->name);
while ((++curve_info)->name != NULL) {
mbedtls_printf(" %s\n", curve_info->name);
}
#endif /* MBEDTLS_ECP_C */
goto exit;
}
opt.type = DFL_TYPE;
opt.rsa_keysize = DFL_RSA_KEYSIZE;
opt.ec_curve = DFL_EC_CURVE;
opt.filename = DFL_FILENAME;
opt.format = DFL_FORMAT;
opt.use_dev_random = DFL_USE_DEV_RANDOM;
for (i = 1; i < argc; i++) {
p = argv[i];
if ((q = strchr(p, '=')) == NULL) {
goto usage;
}
*q++ = '\0';
if (strcmp(p, "type") == 0) {
if (strcmp(q, "rsa") == 0) {
opt.type = MBEDTLS_PK_RSA;
} else if (strcmp(q, "ec") == 0) {
opt.type = MBEDTLS_PK_ECKEY;
} else {
goto usage;
}
} else if (strcmp(p, "format") == 0) {
if (strcmp(q, "pem") == 0) {
opt.format = FORMAT_PEM;
} else if (strcmp(q, "der") == 0) {
opt.format = FORMAT_DER;
} else {
goto usage;
}
} else if (strcmp(p, "rsa_keysize") == 0) {
opt.rsa_keysize = atoi(q);
if (opt.rsa_keysize < 1024 ||
opt.rsa_keysize > MBEDTLS_MPI_MAX_BITS) {
goto usage;
}
}
#if defined(MBEDTLS_ECP_C)
else if (strcmp(p, "ec_curve") == 0) {
if ((curve_info = mbedtls_ecp_curve_info_from_name(q)) == NULL) {
goto usage;
}
opt.ec_curve = curve_info->grp_id;
}
#endif
else if (strcmp(p, "filename") == 0) {
opt.filename = q;
} else if (strcmp(p, "use_dev_random") == 0) {
opt.use_dev_random = atoi(q);
if (opt.use_dev_random < 0 || opt.use_dev_random > 1) {
goto usage;
}
} else {
goto usage;
}
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
#if !defined(_WIN32) && defined(MBEDTLS_FS_IO)
if (opt.use_dev_random) {
if ((ret = mbedtls_entropy_add_source(&entropy, dev_random_entropy_poll,
NULL, DEV_RANDOM_THRESHOLD,
MBEDTLS_ENTROPY_SOURCE_STRONG)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_entropy_add_source returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n Using /dev/random, so can take a long time! ");
fflush(stdout);
}
#endif /* !_WIN32 && MBEDTLS_FS_IO */
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
/*
* 1.1. Generate the key
*/
mbedtls_printf("\n . Generating the private key ...");
fflush(stdout);
if ((ret = mbedtls_pk_setup(&key,
mbedtls_pk_info_from_type((mbedtls_pk_type_t) opt.type))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_setup returned -0x%04x", (unsigned int) -ret);
goto exit;
}
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
if (opt.type == MBEDTLS_PK_RSA) {
ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(key), mbedtls_ctr_drbg_random, &ctr_drbg,
opt.rsa_keysize, 65537);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_gen_key returned -0x%04x",
(unsigned int) -ret);
goto exit;
}
} else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
if (opt.type == MBEDTLS_PK_ECKEY) {
ret = mbedtls_ecp_gen_key((mbedtls_ecp_group_id) opt.ec_curve,
mbedtls_pk_ec(key),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ecp_gen_key returned -0x%04x",
(unsigned int) -ret);
goto exit;
}
} else
#endif /* MBEDTLS_ECP_C */
{
mbedtls_printf(" failed\n ! key type not supported\n");
goto exit;
}
/*
* 1.2 Print the key
*/
mbedtls_printf(" ok\n . Key information:\n");
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(key);
if ((ret = mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E)) != 0 ||
(ret = mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto exit;
}
mbedtls_mpi_write_file("N: ", &N, 16, NULL);
mbedtls_mpi_write_file("E: ", &E, 16, NULL);
mbedtls_mpi_write_file("D: ", &D, 16, NULL);
mbedtls_mpi_write_file("P: ", &P, 16, NULL);
mbedtls_mpi_write_file("Q: ", &Q, 16, NULL);
mbedtls_mpi_write_file("DP: ", &DP, 16, NULL);
mbedtls_mpi_write_file("DQ: ", &DQ, 16, NULL);
mbedtls_mpi_write_file("QP: ", &QP, 16, NULL);
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
goto exit;
}
} else
#endif
mbedtls_printf(" ! key type not supported\n");
/*
* 1.3 Export key
*/
mbedtls_printf(" . Writing key to file...");
if ((ret = write_private_key(&key, opt.filename)) != 0) {
mbedtls_printf(" failed\n");
goto exit;
}
mbedtls_printf(" ok\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, buf, sizeof(buf));
mbedtls_printf(" - %s\n", buf);
#else
mbedtls_printf("\n");
#endif
}
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
#endif /* MBEDTLS_RSA_C */
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* program viability conditions */

368
externals/mbedtls/programs/pkey/key_app.c vendored Normal file
View File

@@ -0,0 +1,368 @@
/*
* Key reading application
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && \
defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/error.h"
#include "mbedtls/rsa.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <string.h>
#endif
#define MODE_NONE 0
#define MODE_PRIVATE 1
#define MODE_PUBLIC 2
#define DFL_MODE MODE_NONE
#define DFL_FILENAME "keyfile.key"
#define DFL_PASSWORD ""
#define DFL_PASSWORD_FILE ""
#define DFL_DEBUG_LEVEL 0
#define USAGE \
"\n usage: key_app param=<>...\n" \
"\n acceptable parameters:\n" \
" mode=private|public default: none\n" \
" filename=%%s default: keyfile.key\n" \
" password=%%s default: \"\"\n" \
" password_file=%%s default: \"\"\n" \
"\n"
#if !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
#if defined(MBEDTLS_ECP_C)
static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
{
int ret = 0;
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(
mbedtls_ecp_keypair_get_group_id(ecp));
mbedtls_printf("curve: %s\n", curve_info->name);
mbedtls_ecp_group grp;
mbedtls_ecp_group_init(&grp);
mbedtls_mpi D;
mbedtls_mpi_init(&D);
mbedtls_ecp_point pt;
mbedtls_ecp_point_init(&pt);
mbedtls_mpi X, Y;
mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
(has_private ? &D : NULL),
&pt));
unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
size_t len = 0;
MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
&grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, point_bin, sizeof(point_bin)));
switch (mbedtls_ecp_get_type(&grp)) {
case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
if ((len & 1) == 0 || point_bin[0] != 0x04) {
/* Point in an unxepected format. This shouldn't happen. */
ret = -1;
goto cleanup;
}
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
break;
case MBEDTLS_ECP_TYPE_MONTGOMERY:
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
break;
default:
mbedtls_printf(
"This program does not yet support listing coordinates for this curve type.\n");
break;
}
if (has_private) {
mbedtls_mpi_write_file("D: ", &D, 16, NULL);
}
cleanup:
mbedtls_ecp_group_free(&grp);
mbedtls_mpi_free(&D);
mbedtls_ecp_point_free(&pt);
mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
return ret;
}
#endif
/*
* global options
*/
struct options {
int mode; /* the mode to run the application in */
const char *filename; /* filename of the key file */
const char *password; /* password for the private key */
const char *password_file; /* password_file for the private key */
} opt;
int main(int argc, char *argv[])
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
char buf[1024];
int i;
char *p, *q;
const char *pers = "pkey/key_app";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_pk_context pk;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
/*
* Set to sane values
*/
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_pk_init(&pk);
memset(buf, 0, sizeof(buf));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto cleanup;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
goto cleanup;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.password = DFL_PASSWORD;
opt.password_file = DFL_PASSWORD_FILE;
for (i = 1; i < argc; i++) {
p = argv[i];
if ((q = strchr(p, '=')) == NULL) {
goto usage;
}
*q++ = '\0';
if (strcmp(p, "mode") == 0) {
if (strcmp(q, "private") == 0) {
opt.mode = MODE_PRIVATE;
} else if (strcmp(q, "public") == 0) {
opt.mode = MODE_PUBLIC;
} else {
goto usage;
}
} else if (strcmp(p, "filename") == 0) {
opt.filename = q;
} else if (strcmp(p, "password") == 0) {
opt.password = q;
} else if (strcmp(p, "password_file") == 0) {
opt.password_file = q;
} else {
goto usage;
}
}
if (opt.mode == MODE_PRIVATE) {
if (strlen(opt.password) && strlen(opt.password_file)) {
mbedtls_printf("Error: cannot have both password and password_file\n");
goto usage;
}
if (strlen(opt.password_file)) {
FILE *f;
mbedtls_printf("\n . Loading the password file ...");
if ((f = fopen(opt.password_file, "rb")) == NULL) {
mbedtls_printf(" failed\n ! fopen returned NULL\n");
goto cleanup;
}
if (fgets(buf, sizeof(buf), f) == NULL) {
fclose(f);
mbedtls_printf("Error: fgets() failed to retrieve password\n");
goto cleanup;
}
fclose(f);
i = (int) strlen(buf);
if (buf[i - 1] == '\n') {
buf[i - 1] = '\0';
}
if (buf[i - 2] == '\r') {
buf[i - 2] = '\0';
}
opt.password = buf;
}
/*
* 1.1. Load the key
*/
mbedtls_printf("\n . Loading the private key ...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto cleanup;
}
ret = mbedtls_pk_parse_keyfile(&pk, opt.filename, opt.password,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x\n",
(unsigned int) -ret);
goto cleanup;
}
mbedtls_printf(" ok\n");
/*
* 1.2 Print the key
*/
mbedtls_printf(" . Key information ...\n");
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_RSA) {
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk);
if ((ret = mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E)) != 0 ||
(ret = mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto cleanup;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("N: ", &N, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("E: ", &E, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("D: ", &D, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("P: ", &P, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q: ", &Q, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("DP: ", &DP, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("DQ: ", &DQ, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("QP: ", &QP, 16, NULL));
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
if (show_ecp_key(mbedtls_pk_ec(pk), 1) != 0) {
mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
goto cleanup;
}
} else
#endif
{
mbedtls_printf("Do not know how to print key information for this type\n");
goto cleanup;
}
} else if (opt.mode == MODE_PUBLIC) {
/*
* 1.1. Load the key
*/
mbedtls_printf("\n . Loading the public key ...");
fflush(stdout);
ret = mbedtls_pk_parse_public_keyfile(&pk, opt.filename);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_public_keyfile returned -0x%04x\n",
(unsigned int) -ret);
goto cleanup;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" . Key information ...\n");
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_RSA) {
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk);
if ((ret = mbedtls_rsa_export(rsa, &N, NULL, NULL,
NULL, &E)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto cleanup;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("N: ", &N, 16, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("E: ", &E, 16, NULL));
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
if (show_ecp_key(mbedtls_pk_ec(pk), 0) != 0) {
mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
goto cleanup;
}
} else
#endif
{
mbedtls_printf("Do not know how to print key information for this type\n");
goto cleanup;
}
} else {
goto usage;
}
exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_strerror(ret, buf, sizeof(buf));
mbedtls_printf(" ! Last error was: %s\n", buf);
}
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */

495
externals/mbedtls/programs/pkey/key_app_writer.c vendored Normal file
View File

@@ -0,0 +1,495 @@
/*
* Key writing application
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_PK_PARSE_C) || \
!defined(MBEDTLS_PK_WRITE_C) || \
!defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_BIGNUM_C)
int main(void)
{
mbedtls_printf("MBEDTLS_PK_PARSE_C and/or MBEDTLS_PK_WRITE_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_BIGNUM_C not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#if defined(MBEDTLS_PEM_WRITE_C)
#define USAGE_OUT \
" output_file=%%s default: keyfile.pem\n" \
" output_format=pem|der default: pem\n"
#else
#define USAGE_OUT \
" output_file=%%s default: keyfile.der\n" \
" output_format=der default: der\n"
#endif
#if defined(MBEDTLS_PEM_WRITE_C)
#define DFL_OUTPUT_FILENAME "keyfile.pem"
#define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_PEM
#else
#define DFL_OUTPUT_FILENAME "keyfile.der"
#define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_DER
#endif
#define DFL_MODE MODE_NONE
#define DFL_FILENAME "keyfile.key"
#define DFL_DEBUG_LEVEL 0
#define DFL_OUTPUT_MODE OUTPUT_MODE_NONE
#define MODE_NONE 0
#define MODE_PRIVATE 1
#define MODE_PUBLIC 2
#define OUTPUT_MODE_NONE 0
#define OUTPUT_MODE_PRIVATE 1
#define OUTPUT_MODE_PUBLIC 2
#define OUTPUT_FORMAT_PEM 0
#define OUTPUT_FORMAT_DER 1
#define USAGE \
"\n usage: key_app_writer param=<>...\n" \
"\n acceptable parameters:\n" \
" mode=private|public default: none\n" \
" filename=%%s default: keyfile.key\n" \
" output_mode=private|public default: none\n" \
USAGE_OUT \
"\n"
/*
* global options
*/
struct options {
int mode; /* the mode to run the application in */
const char *filename; /* filename of the key file */
int output_mode; /* the output mode to use */
const char *output_file; /* where to store the constructed key file */
int output_format; /* the output format to use */
} opt;
static int write_public_key(mbedtls_pk_context *key, const char *output_file)
{
int ret;
FILE *f;
unsigned char output_buf[16000];
unsigned char *c = output_buf;
size_t len = 0;
memset(output_buf, 0, 16000);
#if defined(MBEDTLS_PEM_WRITE_C)
if (opt.output_format == OUTPUT_FORMAT_PEM) {
if ((ret = mbedtls_pk_write_pubkey_pem(key, output_buf, 16000)) != 0) {
return ret;
}
len = strlen((char *) output_buf);
} else
#endif
{
if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf, 16000)) < 0) {
return ret;
}
len = ret;
c = output_buf + sizeof(output_buf) - len;
}
if ((f = fopen(output_file, "w")) == NULL) {
return -1;
}
if (fwrite(c, 1, len, f) != len) {
fclose(f);
return -1;
}
fclose(f);
return 0;
}
static int write_private_key(mbedtls_pk_context *key, const char *output_file)
{
int ret;
FILE *f;
unsigned char output_buf[16000];
unsigned char *c = output_buf;
size_t len = 0;
memset(output_buf, 0, 16000);
#if defined(MBEDTLS_PEM_WRITE_C)
if (opt.output_format == OUTPUT_FORMAT_PEM) {
if ((ret = mbedtls_pk_write_key_pem(key, output_buf, 16000)) != 0) {
return ret;
}
len = strlen((char *) output_buf);
} else
#endif
{
if ((ret = mbedtls_pk_write_key_der(key, output_buf, 16000)) < 0) {
return ret;
}
len = ret;
c = output_buf + sizeof(output_buf) - len;
}
if ((f = fopen(output_file, "w")) == NULL) {
return -1;
}
if (fwrite(c, 1, len, f) != len) {
fclose(f);
return -1;
}
fclose(f);
return 0;
}
#if defined(MBEDTLS_ECP_C)
static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
{
int ret = 0;
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(
mbedtls_ecp_keypair_get_group_id(ecp));
mbedtls_printf("curve: %s\n", curve_info->name);
mbedtls_ecp_group grp;
mbedtls_ecp_group_init(&grp);
mbedtls_mpi D;
mbedtls_mpi_init(&D);
mbedtls_ecp_point pt;
mbedtls_ecp_point_init(&pt);
mbedtls_mpi X, Y;
mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
(has_private ? &D : NULL),
&pt));
unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
size_t len = 0;
MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
&grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, point_bin, sizeof(point_bin)));
switch (mbedtls_ecp_get_type(&grp)) {
case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
if ((len & 1) == 0 || point_bin[0] != 0x04) {
/* Point in an unxepected format. This shouldn't happen. */
ret = -1;
goto cleanup;
}
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
MBEDTLS_MPI_CHK(
mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
break;
case MBEDTLS_ECP_TYPE_MONTGOMERY:
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
break;
default:
mbedtls_printf(
"This program does not yet support listing coordinates for this curve type.\n");
break;
}
if (has_private) {
mbedtls_mpi_write_file("D: ", &D, 16, NULL);
}
cleanup:
mbedtls_ecp_group_free(&grp);
mbedtls_mpi_free(&D);
mbedtls_ecp_point_free(&pt);
mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
return ret;
}
#endif
int main(int argc, char *argv[])
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
#if defined(MBEDTLS_ERROR_C)
char buf[200];
#endif
int i;
char *p, *q;
const char *pers = "pkey/key_app";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_pk_context key;
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
#endif /* MBEDTLS_RSA_C */
/*
* Set to sane values
*/
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_pk_init(&key);
#if defined(MBEDTLS_ERROR_C)
memset(buf, 0, sizeof(buf));
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
#endif /* MBEDTLS_RSA_C */
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.output_mode = DFL_OUTPUT_MODE;
opt.output_file = DFL_OUTPUT_FILENAME;
opt.output_format = DFL_OUTPUT_FORMAT;
for (i = 1; i < argc; i++) {
p = argv[i];
if ((q = strchr(p, '=')) == NULL) {
goto usage;
}
*q++ = '\0';
if (strcmp(p, "mode") == 0) {
if (strcmp(q, "private") == 0) {
opt.mode = MODE_PRIVATE;
} else if (strcmp(q, "public") == 0) {
opt.mode = MODE_PUBLIC;
} else {
goto usage;
}
} else if (strcmp(p, "output_mode") == 0) {
if (strcmp(q, "private") == 0) {
opt.output_mode = OUTPUT_MODE_PRIVATE;
} else if (strcmp(q, "public") == 0) {
opt.output_mode = OUTPUT_MODE_PUBLIC;
} else {
goto usage;
}
} else if (strcmp(p, "output_format") == 0) {
#if defined(MBEDTLS_PEM_WRITE_C)
if (strcmp(q, "pem") == 0) {
opt.output_format = OUTPUT_FORMAT_PEM;
} else
#endif
if (strcmp(q, "der") == 0) {
opt.output_format = OUTPUT_FORMAT_DER;
} else {
goto usage;
}
} else if (strcmp(p, "filename") == 0) {
opt.filename = q;
} else if (strcmp(p, "output_file") == 0) {
opt.output_file = q;
} else {
goto usage;
}
}
if (opt.mode == MODE_NONE && opt.output_mode != OUTPUT_MODE_NONE) {
mbedtls_printf("\nCannot output a key without reading one.\n");
goto exit;
}
if (opt.mode == MODE_PUBLIC && opt.output_mode == OUTPUT_MODE_PRIVATE) {
mbedtls_printf("\nCannot output a private key from a public key.\n");
goto exit;
}
if (opt.mode == MODE_PRIVATE) {
/*
* 1.1. Load the key
*/
mbedtls_printf("\n . Loading the private key ...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
ret = mbedtls_pk_parse_keyfile(&key, opt.filename, NULL,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1.2 Print the key
*/
mbedtls_printf(" . Key information ...\n");
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(key);
if ((ret = mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E)) != 0 ||
(ret = mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto exit;
}
mbedtls_mpi_write_file("N: ", &N, 16, NULL);
mbedtls_mpi_write_file("E: ", &E, 16, NULL);
mbedtls_mpi_write_file("D: ", &D, 16, NULL);
mbedtls_mpi_write_file("P: ", &P, 16, NULL);
mbedtls_mpi_write_file("Q: ", &Q, 16, NULL);
mbedtls_mpi_write_file("DP: ", &DP, 16, NULL);
mbedtls_mpi_write_file("DQ: ", &DQ, 16, NULL);
mbedtls_mpi_write_file("QP: ", &QP, 16, NULL);
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
goto exit;
}
} else
#endif
mbedtls_printf("key type not supported yet\n");
} else if (opt.mode == MODE_PUBLIC) {
/*
* 1.1. Load the key
*/
mbedtls_printf("\n . Loading the public key ...");
fflush(stdout);
ret = mbedtls_pk_parse_public_keyfile(&key, opt.filename);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_public_key returned -0x%04x",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1.2 Print the key
*/
mbedtls_printf(" . Key information ...\n");
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(key);
if ((ret = mbedtls_rsa_export(rsa, &N, NULL, NULL,
NULL, &E)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto exit;
}
mbedtls_mpi_write_file("N: ", &N, 16, NULL);
mbedtls_mpi_write_file("E: ", &E, 16, NULL);
} else
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
if (show_ecp_key(mbedtls_pk_ec(key), 0) != 0) {
mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
goto exit;
}
} else
#endif
mbedtls_printf("key type not supported yet\n");
} else {
goto usage;
}
if (opt.output_mode == OUTPUT_MODE_PUBLIC) {
write_public_key(&key, opt.output_file);
}
if (opt.output_mode == OUTPUT_MODE_PRIVATE) {
write_private_key(&key, opt.output_file);
}
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, buf, sizeof(buf));
mbedtls_printf(" - %s\n", buf);
#else
mbedtls_printf("\n");
#endif
}
#if defined(MBEDTLS_RSA_C)
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
#endif /* MBEDTLS_RSA_C */
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* program viability conditions */

84
externals/mbedtls/programs/pkey/mpi_demo.c vendored Normal file
View File

@@ -0,0 +1,84 @@
/*
* Simple MPI demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/bignum.h"
#include <stdio.h>
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
int main(void)
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_mpi E, P, Q, N, H, D, X, Y, Z;
mbedtls_mpi_init(&E); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q); mbedtls_mpi_init(&N);
mbedtls_mpi_init(&H); mbedtls_mpi_init(&D); mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
mbedtls_mpi_init(&Z);
MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P, 10, "2789"));
MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&Q, 10, "3203"));
MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 10, "257"));
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&N, &P, &Q));
mbedtls_printf("\n Public key:\n\n");
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" N = ", &N, 10, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" E = ", &E, 10, NULL));
mbedtls_printf("\n Private key:\n\n");
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" P = ", &P, 10, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" Q = ", &Q, 10, NULL));
#if defined(MBEDTLS_GENPRIME)
MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P, &P, 1));
MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q, &Q, 1));
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &P, &Q));
MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&D, &E, &H));
mbedtls_mpi_write_file(" D = E^-1 mod (P-1)*(Q-1) = ",
&D, 10, NULL);
#else
mbedtls_printf("\nTest skipped (MBEDTLS_GENPRIME not defined).\n\n");
#endif
MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&X, 10, "55555"));
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&Y, &X, &E, &N, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&Z, &Y, &D, &N, NULL));
mbedtls_printf("\n RSA operation:\n\n");
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" X (plaintext) = ", &X, 10, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" Y (ciphertext) = X^E mod N = ", &Y, 10, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_file(" Z (decrypted) = Y^D mod N = ", &Z, 10, NULL));
mbedtls_printf("\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
mbedtls_mpi_free(&E); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q); mbedtls_mpi_free(&N);
mbedtls_mpi_free(&H); mbedtls_mpi_free(&D); mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
mbedtls_mpi_free(&Z);
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_printf("\nAn error occurred.\n");
}
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_FS_IO */

153
externals/mbedtls/programs/pkey/pk_decrypt.c vendored Normal file
View File

@@ -0,0 +1,153 @@
/*
* Public key-based simple decryption program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PK_PARSE_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_PK_PARSE_C and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char result[1024];
unsigned char buf[512];
const char *pers = "mbedtls_pk_decrypt";
((void) argv);
mbedtls_pk_init(&pk);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(result, 0, sizeof(result));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 2) {
mbedtls_printf("usage: mbedtls_pk_decrypt <key_file>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . Reading private key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_keyfile(&pk, argv[1], "",
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
/*
* Extract the RSA encrypted value from the text file
*/
if ((f = fopen("result-enc.txt", "rb")) == NULL) {
mbedtls_printf("\n ! Could not open %s\n\n", "result-enc.txt");
ret = 1;
goto exit;
}
i = 0;
while (fscanf(f, "%02X", (unsigned int *) &c) > 0 &&
i < (int) sizeof(buf)) {
buf[i++] = (unsigned char) c;
}
fclose(f);
/*
* Decrypt the encrypted RSA data and print the result.
*/
mbedtls_printf("\n . Decrypting the encrypted data");
fflush(stdout);
if ((ret = mbedtls_pk_decrypt(&pk, buf, i, result, &olen, sizeof(result),
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_decrypt returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . OK\n\n");
mbedtls_printf("The decrypted result is: '%s'\n\n", result);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_strerror(ret, (char *) buf, sizeof(buf));
mbedtls_printf(" ! Last error was: %s\n", buf);
}
#endif
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */

154
externals/mbedtls/programs/pkey/pk_encrypt.c vendored Normal file
View File

@@ -0,0 +1,154 @@
/*
* RSA simple data encryption program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#include <string.h>
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PK_PARSE_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_PK_PARSE_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char input[1024];
unsigned char buf[512];
const char *pers = "mbedtls_pk_encrypt";
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_encrypt <key_file> <string of max 100 characters>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . Reading public key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_public_keyfile(&pk, argv[1])) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_public_keyfile returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
if (strlen(argv[2]) > 100) {
mbedtls_printf(" Input data larger than 100 characters.\n\n");
goto exit;
}
memcpy(input, argv[2], strlen(argv[2]));
/*
* Calculate the RSA encryption of the hash.
*/
mbedtls_printf("\n . Generating the encrypted value");
fflush(stdout);
if ((ret = mbedtls_pk_encrypt(&pk, input, strlen(argv[2]),
buf, &olen, sizeof(buf),
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_encrypt returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
/*
* Write the signature into result-enc.txt
*/
if ((f = fopen("result-enc.txt", "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create %s\n\n",
"result-enc.txt");
ret = 1;
goto exit;
}
for (i = 0; i < olen; i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
fclose(f);
mbedtls_printf("\n . Done (created \"%s\")\n\n", "result-enc.txt");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_strerror(ret, (char *) buf, sizeof(buf));
mbedtls_printf(" ! Last error was: %s\n", buf);
}
#endif
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

155
externals/mbedtls/programs/pkey/pk_sign.c vendored Normal file
View File

@@ -0,0 +1,155 @@
/*
* Public key-based signature creation program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_MD_C and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/pk.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char hash[32];
unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
char filename[512];
const char *pers = "mbedtls_pk_sign";
size_t olen = 0;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_sign <key_file> <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . Reading private key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_keyfile(&pk, argv[1], "",
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! Could not parse '%s'\n", argv[1]);
goto exit;
}
/*
* Compute the SHA-256 hash of the input file,
* then calculate the signature of the hash.
*/
mbedtls_printf("\n . Generating the SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[2], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]);
goto exit;
}
if ((ret = mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0,
buf, sizeof(buf), &olen,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_sign returned -0x%04x\n", (unsigned int) -ret);
goto exit;
}
/*
* Write the signature into <filename>.sig
*/
mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[2]);
if ((f = fopen(filename, "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create %s\n\n", filename);
goto exit;
}
if (fwrite(buf, 1, olen, f) != olen) {
mbedtls_printf("failed\n ! fwrite failed\n\n");
fclose(f);
goto exit;
}
fclose(f);
mbedtls_printf("\n . Done (created \"%s\")\n\n", filename);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_strerror(ret, (char *) buf, sizeof(buf));
mbedtls_printf(" ! Last error was: %s\n", buf);
}
#endif
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_MD_CAN_SHA256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C */

128
externals/mbedtls/programs/pkey/pk_verify.c vendored Normal file
View File

@@ -0,0 +1,128 @@
/*
* Public key-based signature verification program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_PK_PARSE_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_PK_PARSE_C and/or "
"MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_pk_context pk;
unsigned char hash[32];
unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
char filename[512];
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_verify <key_file> <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Reading public key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_public_keyfile(&pk, argv[1])) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_public_keyfile returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
/*
* Extract the signature from the file
*/
mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[2]);
if ((f = fopen(filename, "rb")) == NULL) {
mbedtls_printf("\n ! Could not open %s\n\n", filename);
goto exit;
}
i = fread(buf, 1, sizeof(buf), f);
fclose(f);
/*
* Compute the SHA-256 hash of the input file and
* verify the signature
*/
mbedtls_printf("\n . Verifying the SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[2], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]);
goto exit;
}
if ((ret = mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, 0,
buf, i)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_verify returned -0x%04x\n", (unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . OK (the signature is valid)\n\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
mbedtls_strerror(ret, (char *) buf, sizeof(buf));
mbedtls_printf(" ! Last error was: %s\n", buf);
}
#endif
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */

172
externals/mbedtls/programs/pkey/rsa_decrypt.c vendored Normal file
View File

@@ -0,0 +1,172 @@
/*
* RSA simple decryption program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/rsa.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <string.h>
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned c;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char result[1024];
unsigned char buf[512];
const char *pers = "rsa_decrypt";
((void) argv);
memset(result, 0, sizeof(result));
if (argc != 1) {
mbedtls_printf("usage: rsa_decrypt\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
mbedtls_exit(exit_code);
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
mbedtls_rsa_init(&rsa);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen(pers));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
ret);
goto exit;
}
mbedtls_printf("\n . Reading private key from rsa_priv.txt");
fflush(stdout);
if ((f = fopen("rsa_priv.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&D, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&P, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&Q, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&DP, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&DQ, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&QP, 16, f)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n",
ret);
fclose(f);
goto exit;
}
fclose(f);
if ((ret = mbedtls_rsa_import(&rsa, &N, &P, &Q, &D, &E)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_import returned %d\n\n",
ret);
goto exit;
}
if ((ret = mbedtls_rsa_complete(&rsa)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_complete returned %d\n\n",
ret);
goto exit;
}
/*
* Extract the RSA encrypted value from the text file
*/
if ((f = fopen("result-enc.txt", "rb")) == NULL) {
mbedtls_printf("\n ! Could not open %s\n\n", "result-enc.txt");
goto exit;
}
i = 0;
while (fscanf(f, "%02X", (unsigned int *) &c) > 0 &&
i < (int) sizeof(buf)) {
buf[i++] = (unsigned char) c;
}
fclose(f);
if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
/*
* Decrypt the encrypted RSA data and print the result.
*/
mbedtls_printf("\n . Decrypting the encrypted data");
fflush(stdout);
ret = mbedtls_rsa_pkcs1_decrypt(&rsa, mbedtls_ctr_drbg_random,
&ctr_drbg, &i,
buf, result, 1024);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_decrypt returned %d\n\n",
ret);
goto exit;
}
mbedtls_printf("\n . OK\n\n");
mbedtls_printf("The decrypted result is: '%s'\n\n", result);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_rsa_free(&rsa);
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_FS_IO */

149
externals/mbedtls/programs/pkey/rsa_encrypt.c vendored Normal file
View File

@@ -0,0 +1,149 @@
/*
* RSA simple data encryption program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/rsa.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <string.h>
#endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char input[1024];
unsigned char buf[512];
const char *pers = "rsa_encrypt";
mbedtls_mpi N, E;
if (argc != 2) {
mbedtls_printf("usage: rsa_encrypt <string of max 100 characters>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
mbedtls_exit(exit_code);
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
mbedtls_rsa_init(&rsa);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen(pers));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
ret);
goto exit;
}
mbedtls_printf("\n . Reading public key from rsa_pub.txt");
fflush(stdout);
if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n",
ret);
fclose(f);
goto exit;
}
fclose(f);
if ((ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_import returned %d\n\n",
ret);
goto exit;
}
if (strlen(argv[1]) > 100) {
mbedtls_printf(" Input data larger than 100 characters.\n\n");
goto exit;
}
memcpy(input, argv[1], strlen(argv[1]));
/*
* Calculate the RSA encryption of the hash.
*/
mbedtls_printf("\n . Generating the RSA encrypted value");
fflush(stdout);
ret = mbedtls_rsa_pkcs1_encrypt(&rsa, mbedtls_ctr_drbg_random,
&ctr_drbg, strlen(argv[1]), input, buf);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_encrypt returned %d\n\n",
ret);
goto exit;
}
/*
* Write the signature into result-enc.txt
*/
if ((f = fopen("result-enc.txt", "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create %s\n\n", "result-enc.txt");
goto exit;
}
for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
fclose(f);
mbedtls_printf("\n . Done (created \"%s\")\n\n", "result-enc.txt");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_mpi_free(&N); mbedtls_mpi_free(&E);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_rsa_free(&rsa);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

141
externals/mbedtls/programs/pkey/rsa_genkey.c vendored Normal file
View File

@@ -0,0 +1,141 @@
/*
* Example RSA key generation program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/bignum.h"
#include "mbedtls/rsa.h"
#include <stdio.h>
#include <string.h>
#endif
#define KEY_SIZE 2048
#define EXPONENT 65537
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_GENPRIME) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_RSA_C and/or MBEDTLS_GENPRIME and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
int main(void)
{
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_rsa_context rsa;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
FILE *fpub = NULL;
FILE *fpriv = NULL;
const char *pers = "rsa_genkey";
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_rsa_init(&rsa);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Generating the RSA key [ %d-bit ]...", KEY_SIZE);
fflush(stdout);
if ((ret = mbedtls_rsa_gen_key(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg, KEY_SIZE,
EXPONENT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_gen_key returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Exporting the public key in rsa_pub.txt....");
fflush(stdout);
if ((ret = mbedtls_rsa_export(&rsa, &N, &P, &Q, &D, &E)) != 0 ||
(ret = mbedtls_rsa_export_crt(&rsa, &DP, &DQ, &QP)) != 0) {
mbedtls_printf(" failed\n ! could not export RSA parameters\n\n");
goto exit;
}
if ((fpub = fopen("rsa_pub.txt", "wb+")) == NULL) {
mbedtls_printf(" failed\n ! could not open rsa_pub.txt for writing\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_write_file("N = ", &N, 16, fpub)) != 0 ||
(ret = mbedtls_mpi_write_file("E = ", &E, 16, fpub)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_write_file returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n . Exporting the private key in rsa_priv.txt...");
fflush(stdout);
if ((fpriv = fopen("rsa_priv.txt", "wb+")) == NULL) {
mbedtls_printf(" failed\n ! could not open rsa_priv.txt for writing\n");
goto exit;
}
if ((ret = mbedtls_mpi_write_file("N = ", &N, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("E = ", &E, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("D = ", &D, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("P = ", &P, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("Q = ", &Q, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("DP = ", &DP, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("DQ = ", &DQ, 16, fpriv)) != 0 ||
(ret = mbedtls_mpi_write_file("QP = ", &QP, 16, fpriv)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_write_file returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if (fpub != NULL) {
fclose(fpub);
}
if (fpriv != NULL) {
fclose(fpriv);
}
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
mbedtls_rsa_free(&rsa);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C &&
MBEDTLS_GENPRIME && MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

8
externals/mbedtls/programs/pkey/rsa_priv.txt vendored Normal file
View File

@@ -0,0 +1,8 @@
N = A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211
E = 010001
D = 589552BB4F2F023ADDDD5586D0C8FD857512D82080436678D07F984A29D892D31F1F7000FC5A39A0F73E27D885E47249A4148C8A5653EF69F91F8F736BA9F84841C2D99CD8C24DE8B72B5C9BE0EDBE23F93D731749FEA9CFB4A48DD2B7F35A2703E74AA2D4DB7DE9CEEA7D763AF0ADA7AC176C4E9A22C4CDA65CEC0C65964401
P = CD083568D2D46C44C40C1FA0101AF2155E59C70B08423112AF0C1202514BBA5210765E29FF13036F56C7495894D80CF8C3BAEE2839BACBB0B86F6A2965F60DB1
Q = CA0EEEA5E710E8E9811A6B846399420E3AE4A4C16647E426DDF8BBBCB11CD3F35CE2E4B6BCAD07AE2C0EC2ECBFCC601B207CDD77B5673E16382B1130BF465261
DP = 0D0E21C07BF434B4A83B116472C2147A11D8EB98A33CFBBCF1D275EF19D815941622435AAF3839B6C432CA53CE9E772CFBE1923A937A766FD93E96E6EDEC1DF1
DQ = 269CEBE6305DFEE4809377F078C814E37B45AE6677114DFC4F76F5097E1F3031D592567AC55B9B98213B40ECD54A4D2361F5FAACA1B1F51F71E4690893C4F081
QP = 97AC5BB885ABCA314375E9E4DB1BA4B2218C90619F61BD474F5785075ECA81750A735199A8C191FE2D3355E7CF601A70E5CABDE0E02C2538BB9FB4871540B3C1

2
externals/mbedtls/programs/pkey/rsa_pub.txt vendored Normal file
View File

@@ -0,0 +1,2 @@
N = A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211
E = 010001

155
externals/mbedtls/programs/pkey/rsa_sign.c vendored Normal file
View File

@@ -0,0 +1,155 @@
/*
* RSA/SHA-256 signature creation program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/rsa.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_rsa_init(&rsa);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
if (argc != 2) {
mbedtls_printf("usage: rsa_sign <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Reading private key from rsa_priv.txt");
fflush(stdout);
if ((f = fopen("rsa_priv.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&D, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&P, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&Q, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&DP, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&DQ, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&QP, 16, f)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
fclose(f);
if ((ret = mbedtls_rsa_import(&rsa, &N, &P, &Q, &D, &E)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_import returned %d\n\n",
ret);
goto exit;
}
if ((ret = mbedtls_rsa_complete(&rsa)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_complete returned %d\n\n",
ret);
goto exit;
}
mbedtls_printf("\n . Checking the private key");
fflush(stdout);
if ((ret = mbedtls_rsa_check_privkey(&rsa)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_check_privkey failed with -0x%0x\n",
(unsigned int) -ret);
goto exit;
}
/*
* Compute the SHA-256 hash of the input file,
* then calculate the RSA signature of the hash.
*/
mbedtls_printf("\n . Generating the RSA/SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[1], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[1]);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256,
32, hash, buf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned -0x%0x\n\n",
(unsigned int) -ret);
goto exit;
}
/*
* Write the signature into <filename>.sig
*/
mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[1]);
if ((f = fopen(filename, "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create %s\n\n", argv[1]);
goto exit;
}
for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
fclose(f);
mbedtls_printf("\n . Done (created \"%s\")\n\n", filename);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_rsa_free(&rsa);
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_FS_IO */

161
externals/mbedtls/programs/pkey/rsa_sign_pss.c vendored Normal file
View File

@@ -0,0 +1,161 @@
/*
* RSASSA-PSS/SHA-256 signature creation program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_RSA_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/rsa.h"
#include "mbedtls/pk.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
const char *pers = "rsa_sign_pss";
size_t olen = 0;
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&pk);
mbedtls_ctr_drbg_init(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: rsa_sign_pss <key_file> <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf("\n . Reading private key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_keyfile(&pk, argv[1], "",
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! Could not read key from '%s'\n", argv[1]);
mbedtls_printf(" ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret);
goto exit;
}
if (!mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA)) {
mbedtls_printf(" failed\n ! Key is not an RSA key\n");
goto exit;
}
if ((ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk),
MBEDTLS_RSA_PKCS_V21,
MBEDTLS_MD_SHA256)) != 0) {
mbedtls_printf(" failed\n ! Padding not supported\n");
goto exit;
}
/*
* Compute the SHA-256 hash of the input file,
* then calculate the RSA signature of the hash.
*/
mbedtls_printf("\n . Generating the RSA/SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[2], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]);
goto exit;
}
if ((ret = mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0,
buf, sizeof(buf), &olen,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_sign returned %d\n\n", ret);
goto exit;
}
/*
* Write the signature into <filename>.sig
*/
mbedtls_snprintf(filename, 512, "%s.sig", argv[2]);
if ((f = fopen(filename, "wb+")) == NULL) {
mbedtls_printf(" failed\n ! Could not create %s\n\n", filename);
goto exit;
}
if (fwrite(buf, 1, olen, f) != olen) {
mbedtls_printf("failed\n ! fwrite failed\n\n");
fclose(f);
goto exit;
}
fclose(f);
mbedtls_printf("\n . Done (created \"%s\")\n\n", filename);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C &&
MBEDTLS_MD_CAN_SHA256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C */

134
externals/mbedtls/programs/pkey/rsa_verify.c vendored Normal file
View File

@@ -0,0 +1,134 @@
/*
* RSA/SHA-256 signature verification program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/rsa.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_mpi N, E;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_rsa_init(&rsa);
mbedtls_mpi_init(&N);
mbedtls_mpi_init(&E);
if (argc != 2) {
mbedtls_printf("usage: rsa_verify <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Reading public key from rsa_pub.txt");
fflush(stdout);
if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \
" ! Please run rsa_genkey first\n\n");
goto exit;
}
if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
(ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
(ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
fclose(f);
/*
* Extract the RSA signature from the text file
*/
mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[1]);
if ((f = fopen(filename, "rb")) == NULL) {
mbedtls_printf("\n ! Could not open %s\n\n", filename);
goto exit;
}
i = 0;
while (fscanf(f, "%02X", (unsigned int *) &c) > 0 &&
i < (int) sizeof(buf)) {
buf[i++] = (unsigned char) c;
}
fclose(f);
if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
/*
* Compute the SHA-256 hash of the input file and
* verify the signature
*/
mbedtls_printf("\n . Verifying the RSA/SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[1], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[1]);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
32, hash, buf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf("\n . OK (the signature is valid)\n\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_rsa_free(&rsa);
mbedtls_mpi_free(&N);
mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_FS_IO */

136
externals/mbedtls/programs/pkey/rsa_verify_pss.c vendored Normal file
View File

@@ -0,0 +1,136 @@
/*
* RSASSA-PSS/SHA-256 signature verification program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_RSA_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/md.h"
#include "mbedtls/pem.h"
#include "mbedtls/pk.h"
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_pk_context pk;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: rsa_verify_pss <key_file> <filename>\n");
#if defined(_WIN32)
mbedtls_printf("\n");
#endif
goto exit;
}
mbedtls_printf("\n . Reading public key from '%s'", argv[1]);
fflush(stdout);
if ((ret = mbedtls_pk_parse_public_keyfile(&pk, argv[1])) != 0) {
mbedtls_printf(" failed\n ! Could not read key from '%s'\n", argv[1]);
mbedtls_printf(" ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret);
goto exit;
}
if (!mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA)) {
mbedtls_printf(" failed\n ! Key is not an RSA key\n");
goto exit;
}
if ((ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk),
MBEDTLS_RSA_PKCS_V21,
MBEDTLS_MD_SHA256)) != 0) {
mbedtls_printf(" failed\n ! Invalid padding\n");
goto exit;
}
/*
* Extract the RSA signature from the file
*/
mbedtls_snprintf(filename, 512, "%s.sig", argv[2]);
if ((f = fopen(filename, "rb")) == NULL) {
mbedtls_printf("\n ! Could not open %s\n\n", filename);
goto exit;
}
i = fread(buf, 1, MBEDTLS_MPI_MAX_SIZE, f);
fclose(f);
/*
* Compute the SHA-256 hash of the input file and
* verify the signature
*/
mbedtls_printf("\n . Verifying the RSA/SHA-256 signature");
fflush(stdout);
if ((ret = mbedtls_md_file(
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
argv[2], hash)) != 0) {
mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]);
goto exit;
}
if ((ret = mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, 0,
buf, i)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_verify returned %d\n\n", ret);
goto exit;
}
mbedtls_printf("\n . OK (the signature is valid)\n\n");
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */

48
externals/mbedtls/programs/psa/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,48 @@
set(executables
aead_demo
crypto_examples
hmac_demo
key_ladder_demo
psa_constant_names
psa_hash
)
if(GEN_FILES)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/psa_constant_names_generated.c
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py
${CMAKE_CURRENT_BINARY_DIR}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/../..
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py
${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_values.h
${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_extra.h
)
else()
link_to_source(psa_constant_names_generated.c)
endif()
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
target_include_directories(psa_constant_names PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
if(GEN_FILES)
add_custom_target(generate_psa_constant_names_generated_c
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/psa_constant_names_generated.c)
add_dependencies(psa_constant_names generate_psa_constant_names_generated_c)
endif()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
install(PROGRAMS
key_ladder_demo.sh
DESTINATION "bin")

281
externals/mbedtls/programs/psa/aead_demo.c vendored Normal file
View File

@@ -0,0 +1,281 @@
/**
* PSA API multi-part AEAD demonstration.
*
* This program AEAD-encrypts a message, using the algorithm and key size
* specified on the command line, using the multi-part API.
*
* It comes with a companion program cipher/cipher_aead_demo.c, which does the
* same operations with the legacy Cipher API. The goal is that comparing the
* two programs will help people migrating to the PSA Crypto API.
*
* When used with multi-part AEAD operations, the `mbedtls_cipher_context`
* serves a triple purpose (1) hold the key, (2) store the algorithm when no
* operation is active, and (3) save progress information for the current
* operation. With PSA those roles are held by disinct objects: (1) a
* psa_key_id_t to hold the key, a (2) psa_algorithm_t to represent the
* algorithm, and (3) a psa_operation_t for multi-part progress.
*
* On the other hand, with PSA, the algorithms encodes the desired tag length;
* with Cipher the desired tag length needs to be tracked separately.
*
* This program and its companion cipher/cipher_aead_demo.c illustrate this by
* doing the same sequence of multi-part AEAD computation with both APIs;
* looking at the two side by side should make the differences and
* similarities clear.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include "psa/crypto.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_PSA_CRYPTO_C) || \
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_GCM_C) || \
!defined(MBEDTLS_CHACHAPOLY_C) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main(void)
{
printf("MBEDTLS_PSA_CRYPTO_C and/or "
"MBEDTLS_AES_C and/or MBEDTLS_GCM_C and/or "
"MBEDTLS_CHACHAPOLY_C not defined, and/or "
"MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined\r\n");
return 0;
}
#else
/* The real program starts here. */
const char usage[] =
"Usage: aead_demo [aes128-gcm|aes256-gcm|aes128-gcm_8|chachapoly]";
/* Dummy data for encryption: IV/nonce, additional data, 2-part message */
const unsigned char iv1[12] = { 0x00 };
const unsigned char add_data1[] = { 0x01, 0x02 };
const unsigned char msg1_part1[] = { 0x03, 0x04 };
const unsigned char msg1_part2[] = { 0x05, 0x06, 0x07 };
/* Dummy data (2nd message) */
const unsigned char iv2[12] = { 0x10 };
const unsigned char add_data2[] = { 0x11, 0x12 };
const unsigned char msg2_part1[] = { 0x13, 0x14 };
const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
/* Maximum total size of the messages */
#define MSG1_SIZE (sizeof(msg1_part1) + sizeof(msg1_part2))
#define MSG2_SIZE (sizeof(msg2_part1) + sizeof(msg2_part2))
#define MSG_MAX_SIZE (MSG1_SIZE > MSG2_SIZE ? MSG1_SIZE : MSG2_SIZE)
/* Dummy key material - never do this in production!
* 32-byte is enough to all the key size supported by this program. */
const unsigned char key_bytes[32] = { 0x2a };
/* Print the contents of a buffer in hex */
void print_buf(const char *title, uint8_t *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
printf(" %02x", buf[i]);
}
printf("\n");
}
/* Run a PSA function and bail out if it fails.
* The symbolic name of the error code can be recovered using:
* programs/psa/psa_constant_name status <value> */
#define PSA_CHECK(expr) \
do \
{ \
status = (expr); \
if (status != PSA_SUCCESS) \
{ \
printf("Error %d at line %d: %s\n", \
(int) status, \
__LINE__, \
#expr); \
goto exit; \
} \
} \
while (0)
/*
* Prepare encryption material:
* - interpret command-line argument
* - set up key
* - outputs: key and algorithm, which together hold all the information
*/
static psa_status_t aead_prepare(const char *info,
psa_key_id_t *key,
psa_algorithm_t *alg)
{
psa_status_t status;
/* Convert arg to alg + key_bits + key_type */
size_t key_bits;
psa_key_type_t key_type;
if (strcmp(info, "aes128-gcm") == 0) {
*alg = PSA_ALG_GCM;
key_bits = 128;
key_type = PSA_KEY_TYPE_AES;
} else if (strcmp(info, "aes256-gcm") == 0) {
*alg = PSA_ALG_GCM;
key_bits = 256;
key_type = PSA_KEY_TYPE_AES;
} else if (strcmp(info, "aes128-gcm_8") == 0) {
*alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 8);
key_bits = 128;
key_type = PSA_KEY_TYPE_AES;
} else if (strcmp(info, "chachapoly") == 0) {
*alg = PSA_ALG_CHACHA20_POLY1305;
key_bits = 256;
key_type = PSA_KEY_TYPE_CHACHA20;
} else {
puts(usage);
return PSA_ERROR_INVALID_ARGUMENT;
}
/* Prepare key attributes */
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
psa_set_key_algorithm(&attributes, *alg);
psa_set_key_type(&attributes, key_type);
psa_set_key_bits(&attributes, key_bits); // optional
/* Import key */
PSA_CHECK(psa_import_key(&attributes, key_bytes, key_bits / 8, key));
exit:
return status;
}
/*
* Print out some information.
*
* All of this information was present in the command line argument, but his
* function demonstrates how each piece can be recovered from (key, alg).
*/
static void aead_info(psa_key_id_t key, psa_algorithm_t alg)
{
psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
(void) psa_get_key_attributes(key, &attr);
psa_key_type_t key_type = psa_get_key_type(&attr);
size_t key_bits = psa_get_key_bits(&attr);
psa_algorithm_t base_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
size_t tag_len = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
const char *type_str = key_type == PSA_KEY_TYPE_AES ? "AES"
: key_type == PSA_KEY_TYPE_CHACHA20 ? "Chacha"
: "???";
const char *base_str = base_alg == PSA_ALG_GCM ? "GCM"
: base_alg == PSA_ALG_CHACHA20_POLY1305 ? "ChachaPoly"
: "???";
printf("%s, %u, %s, %u\n",
type_str, (unsigned) key_bits, base_str, (unsigned) tag_len);
}
/*
* Encrypt a 2-part message.
*/
static int aead_encrypt(psa_key_id_t key, psa_algorithm_t alg,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *part1, size_t part1_len,
const unsigned char *part2, size_t part2_len)
{
psa_status_t status;
size_t olen, olen_tag;
unsigned char out[PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(MSG_MAX_SIZE)];
unsigned char *p = out, *end = out + sizeof(out);
unsigned char tag[PSA_AEAD_TAG_MAX_SIZE];
psa_aead_operation_t op = PSA_AEAD_OPERATION_INIT;
PSA_CHECK(psa_aead_encrypt_setup(&op, key, alg));
PSA_CHECK(psa_aead_set_nonce(&op, iv, iv_len));
PSA_CHECK(psa_aead_update_ad(&op, ad, ad_len));
PSA_CHECK(psa_aead_update(&op, part1, part1_len, p, end - p, &olen));
p += olen;
PSA_CHECK(psa_aead_update(&op, part2, part2_len, p, end - p, &olen));
p += olen;
PSA_CHECK(psa_aead_finish(&op, p, end - p, &olen,
tag, sizeof(tag), &olen_tag));
p += olen;
memcpy(p, tag, olen_tag);
p += olen_tag;
olen = p - out;
print_buf("out", out, olen);
exit:
psa_aead_abort(&op); // required on errors, harmless on success
return status;
}
/*
* AEAD demo: set up key/alg, print out info, encrypt messages.
*/
static psa_status_t aead_demo(const char *info)
{
psa_status_t status;
psa_key_id_t key;
psa_algorithm_t alg;
PSA_CHECK(aead_prepare(info, &key, &alg));
aead_info(key, alg);
PSA_CHECK(aead_encrypt(key, alg,
iv1, sizeof(iv1), add_data1, sizeof(add_data1),
msg1_part1, sizeof(msg1_part1),
msg1_part2, sizeof(msg1_part2)));
PSA_CHECK(aead_encrypt(key, alg,
iv2, sizeof(iv2), add_data2, sizeof(add_data2),
msg2_part1, sizeof(msg2_part1),
msg2_part2, sizeof(msg2_part2)));
exit:
psa_destroy_key(key);
return status;
}
/*
* Main function
*/
int main(int argc, char **argv)
{
psa_status_t status = PSA_SUCCESS;
/* Check usage */
if (argc != 2) {
puts(usage);
return EXIT_FAILURE;
}
/* Initialize the PSA crypto library. */
PSA_CHECK(psa_crypto_init());
/* Run the demo */
PSA_CHECK(aead_demo(argv[1]));
/* Deinitialize the PSA crypto library. */
mbedtls_psa_crypto_free();
exit:
return status == PSA_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif

321
externals/mbedtls/programs/psa/crypto_examples.c vendored Normal file
View File

@@ -0,0 +1,321 @@
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "psa/crypto.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#define ASSERT(predicate) \
do \
{ \
if (!(predicate)) \
{ \
printf("\tassertion failed at %s:%d - '%s'\r\n", \
__FILE__, __LINE__, #predicate); \
goto exit; \
} \
} while (0)
#define ASSERT_STATUS(actual, expected) \
do \
{ \
if ((actual) != (expected)) \
{ \
printf("\tassertion failed at %s:%d - " \
"actual:%d expected:%d\r\n", __FILE__, __LINE__, \
(psa_status_t) actual, (psa_status_t) expected); \
goto exit; \
} \
} while (0)
#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_AES_C) || \
!defined(MBEDTLS_CIPHER_MODE_CBC) || !defined(MBEDTLS_CIPHER_MODE_CTR) || \
!defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main(void)
{
printf("MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or "
"MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR "
"and/or MBEDTLS_CIPHER_MODE_WITH_PADDING "
"not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER"
" defined.\r\n");
return 0;
}
#else
static psa_status_t cipher_operation(psa_cipher_operation_t *operation,
const uint8_t *input,
size_t input_size,
size_t part_size,
uint8_t *output,
size_t output_size,
size_t *output_len)
{
psa_status_t status;
size_t bytes_to_write = 0, bytes_written = 0, len = 0;
*output_len = 0;
while (bytes_written != input_size) {
bytes_to_write = (input_size - bytes_written > part_size ?
part_size :
input_size - bytes_written);
status = psa_cipher_update(operation, input + bytes_written,
bytes_to_write, output + *output_len,
output_size - *output_len, &len);
ASSERT_STATUS(status, PSA_SUCCESS);
bytes_written += bytes_to_write;
*output_len += len;
}
status = psa_cipher_finish(operation, output + *output_len,
output_size - *output_len, &len);
ASSERT_STATUS(status, PSA_SUCCESS);
*output_len += len;
exit:
return status;
}
static psa_status_t cipher_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
uint8_t *iv,
size_t iv_size,
const uint8_t *input,
size_t input_size,
size_t part_size,
uint8_t *output,
size_t output_size,
size_t *output_len)
{
psa_status_t status;
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
size_t iv_len = 0;
memset(&operation, 0, sizeof(operation));
status = psa_cipher_encrypt_setup(&operation, key, alg);
ASSERT_STATUS(status, PSA_SUCCESS);
status = psa_cipher_generate_iv(&operation, iv, iv_size, &iv_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_operation(&operation, input, input_size, part_size,
output, output_size, output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
exit:
psa_cipher_abort(&operation);
return status;
}
static psa_status_t cipher_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_size,
const uint8_t *input,
size_t input_size,
size_t part_size,
uint8_t *output,
size_t output_size,
size_t *output_len)
{
psa_status_t status;
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
memset(&operation, 0, sizeof(operation));
status = psa_cipher_decrypt_setup(&operation, key, alg);
ASSERT_STATUS(status, PSA_SUCCESS);
status = psa_cipher_set_iv(&operation, iv, iv_size);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_operation(&operation, input, input_size, part_size,
output, output_size, output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
exit:
psa_cipher_abort(&operation);
return status;
}
static psa_status_t
cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block(void)
{
enum {
block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES),
key_bits = 256,
part_size = block_size,
};
const psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key = 0;
size_t output_len = 0;
uint8_t iv[block_size];
uint8_t input[block_size];
uint8_t encrypt[block_size];
uint8_t decrypt[block_size];
status = psa_generate_random(input, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, key_bits);
status = psa_generate_key(&attributes, &key);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_encrypt(key, alg, iv, sizeof(iv),
input, sizeof(input), part_size,
encrypt, sizeof(encrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_decrypt(key, alg, iv, sizeof(iv),
encrypt, output_len, part_size,
decrypt, sizeof(decrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = memcmp(input, decrypt, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
exit:
psa_destroy_key(key);
return status;
}
static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi(void)
{
enum {
block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES),
key_bits = 256,
input_size = 100,
part_size = 10,
};
const psa_algorithm_t alg = PSA_ALG_CBC_PKCS7;
psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key = 0;
size_t output_len = 0;
uint8_t iv[block_size], input[input_size],
encrypt[input_size + block_size], decrypt[input_size + block_size];
status = psa_generate_random(input, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, key_bits);
status = psa_generate_key(&attributes, &key);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_encrypt(key, alg, iv, sizeof(iv),
input, sizeof(input), part_size,
encrypt, sizeof(encrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_decrypt(key, alg, iv, sizeof(iv),
encrypt, output_len, part_size,
decrypt, sizeof(decrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = memcmp(input, decrypt, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
exit:
psa_destroy_key(key);
return status;
}
static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi(void)
{
enum {
block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES),
key_bits = 256,
input_size = 100,
part_size = 10,
};
const psa_algorithm_t alg = PSA_ALG_CTR;
psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key = 0;
size_t output_len = 0;
uint8_t iv[block_size], input[input_size], encrypt[input_size],
decrypt[input_size];
status = psa_generate_random(input, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, key_bits);
status = psa_generate_key(&attributes, &key);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_encrypt(key, alg, iv, sizeof(iv),
input, sizeof(input), part_size,
encrypt, sizeof(encrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = cipher_decrypt(key, alg, iv, sizeof(iv),
encrypt, output_len, part_size,
decrypt, sizeof(decrypt), &output_len);
ASSERT_STATUS(status, PSA_SUCCESS);
status = memcmp(input, decrypt, sizeof(input));
ASSERT_STATUS(status, PSA_SUCCESS);
exit:
psa_destroy_key(key);
return status;
}
static void cipher_examples(void)
{
psa_status_t status;
printf("cipher encrypt/decrypt AES CBC no padding:\r\n");
status = cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block();
if (status == PSA_SUCCESS) {
printf("\tsuccess!\r\n");
}
printf("cipher encrypt/decrypt AES CBC PKCS7 multipart:\r\n");
status = cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi();
if (status == PSA_SUCCESS) {
printf("\tsuccess!\r\n");
}
printf("cipher encrypt/decrypt AES CTR multipart:\r\n");
status = cipher_example_encrypt_decrypt_aes_ctr_multi();
if (status == PSA_SUCCESS) {
printf("\tsuccess!\r\n");
}
}
int main(void)
{
ASSERT(psa_crypto_init() == PSA_SUCCESS);
cipher_examples();
exit:
mbedtls_psa_crypto_free();
return 0;
}
#endif /* MBEDTLS_PSA_CRYPTO_C && MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC &&
MBEDTLS_CIPHER_MODE_CTR && MBEDTLS_CIPHER_MODE_WITH_PADDING */

159
externals/mbedtls/programs/psa/hmac_demo.c vendored Normal file
View File

@@ -0,0 +1,159 @@
/**
* PSA API multi-part HMAC demonstration.
*
* This programs computes the HMAC of two messages using the multi-part API.
*
* It comes with a companion program hash/md_hmac_demo.c, which does the same
* operations with the legacy MD API. The goal is that comparing the two
* programs will help people migrating to the PSA Crypto API.
*
* When it comes to multi-part HMAC operations, the `mbedtls_md_context`
* serves a dual purpose (1) hold the key, and (2) save progress information
* for the current operation. With PSA those roles are held by two disinct
* objects: (1) a psa_key_id_t to hold the key, and (2) a psa_operation_t for
* multi-part progress.
*
* This program and its companion hash/md_hmac_demo.c illustrate this by doing
* the same sequence of multi-part HMAC computation with both APIs; looking at
* the two side by side should make the differences and similarities clear.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include "psa/crypto.h"
#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
#include <stdlib.h>
#include <stdio.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_PSA_CRYPTO_C) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main(void)
{
printf("MBEDTLS_PSA_CRYPTO_C not defined, "
"and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined\r\n");
return 0;
}
#else
/* The real program starts here. */
/* Dummy inputs for HMAC */
const unsigned char msg1_part1[] = { 0x01, 0x02 };
const unsigned char msg1_part2[] = { 0x03, 0x04 };
const unsigned char msg2_part1[] = { 0x05, 0x05 };
const unsigned char msg2_part2[] = { 0x06, 0x06 };
/* Dummy key material - never do this in production!
* This example program uses SHA-256, so a 32-byte key makes sense. */
const unsigned char key_bytes[32] = { 0 };
/* Print the contents of a buffer in hex */
void print_buf(const char *title, uint8_t *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
printf(" %02x", buf[i]);
}
printf("\n");
}
/* Run a PSA function and bail out if it fails.
* The symbolic name of the error code can be recovered using:
* programs/psa/psa_constant_name status <value> */
#define PSA_CHECK(expr) \
do \
{ \
status = (expr); \
if (status != PSA_SUCCESS) \
{ \
printf("Error %d at line %d: %s\n", \
(int) status, \
__LINE__, \
#expr); \
goto exit; \
} \
} \
while (0)
/*
* This function demonstrates computation of the HMAC of two messages using
* the multipart API.
*/
psa_status_t hmac_demo(void)
{
psa_status_t status;
const psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
uint8_t out[PSA_MAC_MAX_SIZE]; // safe but not optimal
/* PSA_MAC_LENGTH(PSA_KEY_TYPE_HMAC, 8 * sizeof( key_bytes ), alg)
* should work but see https://github.com/Mbed-TLS/mbedtls/issues/4320 */
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key = 0;
/* prepare key */
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
psa_set_key_bits(&attributes, 8 * sizeof(key_bytes)); // optional
status = psa_import_key(&attributes,
key_bytes, sizeof(key_bytes), &key);
if (status != PSA_SUCCESS) {
return status;
}
/* prepare operation */
psa_mac_operation_t op = PSA_MAC_OPERATION_INIT;
size_t out_len = 0;
/* compute HMAC(key, msg1_part1 | msg1_part2) */
PSA_CHECK(psa_mac_sign_setup(&op, key, alg));
PSA_CHECK(psa_mac_update(&op, msg1_part1, sizeof(msg1_part1)));
PSA_CHECK(psa_mac_update(&op, msg1_part2, sizeof(msg1_part2)));
PSA_CHECK(psa_mac_sign_finish(&op, out, sizeof(out), &out_len));
print_buf("msg1", out, out_len);
/* compute HMAC(key, msg2_part1 | msg2_part2) */
PSA_CHECK(psa_mac_sign_setup(&op, key, alg));
PSA_CHECK(psa_mac_update(&op, msg2_part1, sizeof(msg2_part1)));
PSA_CHECK(psa_mac_update(&op, msg2_part2, sizeof(msg2_part2)));
PSA_CHECK(psa_mac_sign_finish(&op, out, sizeof(out), &out_len));
print_buf("msg2", out, out_len);
exit:
psa_mac_abort(&op); // needed on error, harmless on success
psa_destroy_key(key);
mbedtls_platform_zeroize(out, sizeof(out));
return status;
}
int main(void)
{
psa_status_t status = PSA_SUCCESS;
/* Initialize the PSA crypto library. */
PSA_CHECK(psa_crypto_init());
/* Run the demo */
PSA_CHECK(hmac_demo());
/* Deinitialize the PSA crypto library. */
mbedtls_psa_crypto_free();
exit:
return status == PSA_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif

691
externals/mbedtls/programs/psa/key_ladder_demo.c vendored Normal file
View File

@@ -0,0 +1,691 @@
/**
* PSA API key derivation demonstration
*
* This program calculates a key ladder: a chain of secret material, each
* derived from the previous one in a deterministic way based on a label.
* Two keys are identical if and only if they are derived from the same key
* using the same label.
*
* The initial key is called the master key. The master key is normally
* randomly generated, but it could itself be derived from another key.
*
* This program derives a series of keys called intermediate keys.
* The first intermediate key is derived from the master key using the
* first label passed on the command line. Each subsequent intermediate
* key is derived from the previous one using the next label passed
* on the command line.
*
* This program has four modes of operation:
*
* - "generate": generate a random master key.
* - "wrap": derive a wrapping key from the last intermediate key,
* and use that key to encrypt-and-authenticate some data.
* - "unwrap": derive a wrapping key from the last intermediate key,
* and use that key to decrypt-and-authenticate some
* ciphertext created by wrap mode.
* - "save": save the last intermediate key so that it can be reused as
* the master key in another run of the program.
*
* See the usage() output for the command line usage. See the file
* `key_ladder_demo.sh` for an example run.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "mbedtls/platform.h" // for mbedtls_setbuf
#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
#include <psa/crypto.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \
!defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main(void)
{
printf("PSA_WANT_ALG_SHA_256 and/or MBEDTLS_MD_C and/or "
"MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or "
"MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "
"not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER "
"defined.\n");
return 0;
}
#else
/* The real program starts here. */
/* Run a system function and bail out if it fails. */
#define SYS_CHECK(expr) \
do \
{ \
if (!(expr)) \
{ \
perror( #expr); \
status = DEMO_ERROR; \
goto exit; \
} \
} \
while (0)
/* Run a PSA function and bail out if it fails. */
#define PSA_CHECK(expr) \
do \
{ \
status = (expr); \
if (status != PSA_SUCCESS) \
{ \
printf("Error %d at line %d: %s\n", \
(int) status, \
__LINE__, \
#expr); \
goto exit; \
} \
} \
while (0)
/* To report operational errors in this program, use an error code that is
* different from every PSA error code. */
#define DEMO_ERROR 120
/* The maximum supported key ladder depth. */
#define MAX_LADDER_DEPTH 10
/* Salt to use when deriving an intermediate key. */
#define DERIVE_KEY_SALT ((uint8_t *) "key_ladder_demo.derive")
#define DERIVE_KEY_SALT_LENGTH (strlen((const char *) DERIVE_KEY_SALT))
/* Salt to use when deriving a wrapping key. */
#define WRAPPING_KEY_SALT ((uint8_t *) "key_ladder_demo.wrap")
#define WRAPPING_KEY_SALT_LENGTH (strlen((const char *) WRAPPING_KEY_SALT))
/* Size of the key derivation keys (applies both to the master key and
* to intermediate keys). */
#define KEY_SIZE_BYTES 40
/* Algorithm for key derivation. */
#define KDF_ALG PSA_ALG_HKDF(PSA_ALG_SHA_256)
/* Type and size of the key used to wrap data. */
#define WRAPPING_KEY_TYPE PSA_KEY_TYPE_AES
#define WRAPPING_KEY_BITS 128
/* Cipher mode used to wrap data. */
#define WRAPPING_ALG PSA_ALG_CCM
/* Nonce size used to wrap data. */
#define WRAPPING_IV_SIZE 13
/* Header used in files containing wrapped data. We'll save this header
* directly without worrying about data representation issues such as
* integer sizes and endianness, because the data is meant to be read
* back by the same program on the same machine. */
#define WRAPPED_DATA_MAGIC "key_ladder_demo" // including trailing null byte
#define WRAPPED_DATA_MAGIC_LENGTH (sizeof(WRAPPED_DATA_MAGIC))
typedef struct {
char magic[WRAPPED_DATA_MAGIC_LENGTH];
size_t ad_size; /* Size of the additional data, which is this header. */
size_t payload_size; /* Size of the encrypted data. */
/* Store the IV inside the additional data. It's convenient. */
uint8_t iv[WRAPPING_IV_SIZE];
} wrapped_data_header_t;
/* The modes that this program can operate in (see usage). */
enum program_mode {
MODE_GENERATE,
MODE_SAVE,
MODE_UNWRAP,
MODE_WRAP
};
/* Save a key to a file. In the real world, you may want to export a derived
* key sometimes, to share it with another party. */
static psa_status_t save_key(psa_key_id_t key,
const char *output_file_name)
{
psa_status_t status = PSA_SUCCESS;
uint8_t key_data[KEY_SIZE_BYTES];
size_t key_size;
FILE *key_file = NULL;
PSA_CHECK(psa_export_key(key,
key_data, sizeof(key_data),
&key_size));
SYS_CHECK((key_file = fopen(output_file_name, "wb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(key_file, NULL);
SYS_CHECK(fwrite(key_data, 1, key_size, key_file) == key_size);
SYS_CHECK(fclose(key_file) == 0);
key_file = NULL;
exit:
if (key_file != NULL) {
fclose(key_file);
}
return status;
}
/* Generate a master key for use in this demo.
*
* Normally a master key would be non-exportable. For the purpose of this
* demo, we want to save it to a file, to avoid relying on the keystore
* capability of the PSA crypto library. */
static psa_status_t generate(const char *key_file_name)
{
psa_status_t status = PSA_SUCCESS;
psa_key_id_t key = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
psa_set_key_algorithm(&attributes, KDF_ALG);
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(KEY_SIZE_BYTES));
PSA_CHECK(psa_generate_key(&attributes, &key));
PSA_CHECK(save_key(key, key_file_name));
exit:
(void) psa_destroy_key(key);
return status;
}
/* Load the master key from a file.
*
* In the real world, this master key would be stored in an internal memory
* and the storage would be managed by the keystore capability of the PSA
* crypto library. */
static psa_status_t import_key_from_file(psa_key_usage_t usage,
psa_algorithm_t alg,
const char *key_file_name,
psa_key_id_t *master_key)
{
psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
uint8_t key_data[KEY_SIZE_BYTES];
size_t key_size;
FILE *key_file = NULL;
unsigned char extra_byte;
SYS_CHECK((key_file = fopen(key_file_name, "rb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(key_file, NULL);
SYS_CHECK((key_size = fread(key_data, 1, sizeof(key_data),
key_file)) != 0);
if (fread(&extra_byte, 1, 1, key_file) != 0) {
printf("Key file too large (max: %u).\n",
(unsigned) sizeof(key_data));
status = DEMO_ERROR;
goto exit;
}
SYS_CHECK(fclose(key_file) == 0);
key_file = NULL;
psa_set_key_usage_flags(&attributes, usage);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
PSA_CHECK(psa_import_key(&attributes, key_data, key_size, master_key));
exit:
if (key_file != NULL) {
fclose(key_file);
}
mbedtls_platform_zeroize(key_data, sizeof(key_data));
if (status != PSA_SUCCESS) {
/* If the key creation hasn't happened yet or has failed,
* *master_key is null. psa_destroy_key( 0 ) is
* guaranteed to do nothing and return PSA_SUCCESS. */
(void) psa_destroy_key(*master_key);
*master_key = 0;
}
return status;
}
/* Derive the intermediate keys, using the list of labels provided on
* the command line. On input, *key is the master key identifier.
* This function destroys the master key. On successful output, *key
* is the identifier of the final derived key.
*/
static psa_status_t derive_key_ladder(const char *ladder[],
size_t ladder_depth,
psa_key_id_t *key)
{
psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
size_t i;
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
psa_set_key_algorithm(&attributes, KDF_ALG);
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(KEY_SIZE_BYTES));
/* For each label in turn, ... */
for (i = 0; i < ladder_depth; i++) {
/* Start deriving material from the master key (if i=0) or from
* the current intermediate key (if i>0). */
PSA_CHECK(psa_key_derivation_setup(&operation, KDF_ALG));
PSA_CHECK(psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_SALT,
DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH));
PSA_CHECK(psa_key_derivation_input_key(
&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
*key));
PSA_CHECK(psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_INFO,
(uint8_t *) ladder[i], strlen(ladder[i])));
/* When the parent key is not the master key, destroy it,
* since it is no longer needed. */
PSA_CHECK(psa_destroy_key(*key));
*key = 0;
/* Derive the next intermediate key from the parent key. */
PSA_CHECK(psa_key_derivation_output_key(&attributes, &operation,
key));
PSA_CHECK(psa_key_derivation_abort(&operation));
}
exit:
psa_key_derivation_abort(&operation);
if (status != PSA_SUCCESS) {
psa_destroy_key(*key);
*key = 0;
}
return status;
}
/* Derive a wrapping key from the last intermediate key. */
static psa_status_t derive_wrapping_key(psa_key_usage_t usage,
psa_key_id_t derived_key,
psa_key_id_t *wrapping_key)
{
psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
*wrapping_key = 0;
/* Set up a key derivation operation from the key derived from
* the master key. */
PSA_CHECK(psa_key_derivation_setup(&operation, KDF_ALG));
PSA_CHECK(psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_SALT,
WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH));
PSA_CHECK(psa_key_derivation_input_key(
&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
derived_key));
PSA_CHECK(psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_INFO,
NULL, 0));
/* Create the wrapping key. */
psa_set_key_usage_flags(&attributes, usage);
psa_set_key_algorithm(&attributes, WRAPPING_ALG);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, WRAPPING_KEY_BITS);
PSA_CHECK(psa_key_derivation_output_key(&attributes, &operation,
wrapping_key));
exit:
psa_key_derivation_abort(&operation);
return status;
}
static psa_status_t wrap_data(const char *input_file_name,
const char *output_file_name,
psa_key_id_t wrapping_key)
{
psa_status_t status;
FILE *input_file = NULL;
FILE *output_file = NULL;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
long input_position;
size_t input_size;
size_t buffer_size = 0;
unsigned char *buffer = NULL;
size_t ciphertext_size;
wrapped_data_header_t header;
/* Find the size of the data to wrap. */
SYS_CHECK((input_file = fopen(input_file_name, "rb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(input_file, NULL);
SYS_CHECK(fseek(input_file, 0, SEEK_END) == 0);
SYS_CHECK((input_position = ftell(input_file)) != -1);
#if LONG_MAX > SIZE_MAX
if (input_position > SIZE_MAX) {
printf("Input file too large.\n");
status = DEMO_ERROR;
goto exit;
}
#endif
input_size = input_position;
PSA_CHECK(psa_get_key_attributes(wrapping_key, &attributes));
key_type = psa_get_key_type(&attributes);
buffer_size =
PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, WRAPPING_ALG, input_size);
/* Check for integer overflow. */
if (buffer_size < input_size) {
printf("Input file too large.\n");
status = DEMO_ERROR;
goto exit;
}
/* Load the data to wrap. */
SYS_CHECK(fseek(input_file, 0, SEEK_SET) == 0);
SYS_CHECK((buffer = calloc(1, buffer_size)) != NULL);
SYS_CHECK(fread(buffer, 1, input_size, input_file) == input_size);
SYS_CHECK(fclose(input_file) == 0);
input_file = NULL;
/* Construct a header. */
memcpy(&header.magic, WRAPPED_DATA_MAGIC, WRAPPED_DATA_MAGIC_LENGTH);
header.ad_size = sizeof(header);
header.payload_size = input_size;
/* Wrap the data. */
PSA_CHECK(psa_generate_random(header.iv, WRAPPING_IV_SIZE));
PSA_CHECK(psa_aead_encrypt(wrapping_key, WRAPPING_ALG,
header.iv, WRAPPING_IV_SIZE,
(uint8_t *) &header, sizeof(header),
buffer, input_size,
buffer, buffer_size,
&ciphertext_size));
/* Write the output. */
SYS_CHECK((output_file = fopen(output_file_name, "wb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(output_file, NULL);
SYS_CHECK(fwrite(&header, 1, sizeof(header),
output_file) == sizeof(header));
SYS_CHECK(fwrite(buffer, 1, ciphertext_size,
output_file) == ciphertext_size);
SYS_CHECK(fclose(output_file) == 0);
output_file = NULL;
exit:
if (input_file != NULL) {
fclose(input_file);
}
if (output_file != NULL) {
fclose(output_file);
}
if (buffer != NULL) {
mbedtls_platform_zeroize(buffer, buffer_size);
}
free(buffer);
return status;
}
static psa_status_t unwrap_data(const char *input_file_name,
const char *output_file_name,
psa_key_id_t wrapping_key)
{
psa_status_t status;
FILE *input_file = NULL;
FILE *output_file = NULL;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
unsigned char *buffer = NULL;
size_t ciphertext_size = 0;
size_t plaintext_size;
wrapped_data_header_t header;
unsigned char extra_byte;
/* Load and validate the header. */
SYS_CHECK((input_file = fopen(input_file_name, "rb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(input_file, NULL);
SYS_CHECK(fread(&header, 1, sizeof(header),
input_file) == sizeof(header));
if (memcmp(&header.magic, WRAPPED_DATA_MAGIC,
WRAPPED_DATA_MAGIC_LENGTH) != 0) {
printf("The input does not start with a valid magic header.\n");
status = DEMO_ERROR;
goto exit;
}
if (header.ad_size != sizeof(header)) {
printf("The header size is not correct.\n");
status = DEMO_ERROR;
goto exit;
}
PSA_CHECK(psa_get_key_attributes(wrapping_key, &attributes));
key_type = psa_get_key_type(&attributes);
ciphertext_size =
PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, WRAPPING_ALG, header.payload_size);
/* Check for integer overflow. */
if (ciphertext_size < header.payload_size) {
printf("Input file too large.\n");
status = DEMO_ERROR;
goto exit;
}
/* Load the payload data. */
SYS_CHECK((buffer = calloc(1, ciphertext_size)) != NULL);
SYS_CHECK(fread(buffer, 1, ciphertext_size,
input_file) == ciphertext_size);
if (fread(&extra_byte, 1, 1, input_file) != 0) {
printf("Extra garbage after ciphertext\n");
status = DEMO_ERROR;
goto exit;
}
SYS_CHECK(fclose(input_file) == 0);
input_file = NULL;
/* Unwrap the data. */
PSA_CHECK(psa_aead_decrypt(wrapping_key, WRAPPING_ALG,
header.iv, WRAPPING_IV_SIZE,
(uint8_t *) &header, sizeof(header),
buffer, ciphertext_size,
buffer, ciphertext_size,
&plaintext_size));
if (plaintext_size != header.payload_size) {
printf("Incorrect payload size in the header.\n");
status = DEMO_ERROR;
goto exit;
}
/* Write the output. */
SYS_CHECK((output_file = fopen(output_file_name, "wb")) != NULL);
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(output_file, NULL);
SYS_CHECK(fwrite(buffer, 1, plaintext_size,
output_file) == plaintext_size);
SYS_CHECK(fclose(output_file) == 0);
output_file = NULL;
exit:
if (input_file != NULL) {
fclose(input_file);
}
if (output_file != NULL) {
fclose(output_file);
}
if (buffer != NULL) {
mbedtls_platform_zeroize(buffer, ciphertext_size);
}
free(buffer);
return status;
}
static psa_status_t run(enum program_mode mode,
const char *key_file_name,
const char *ladder[], size_t ladder_depth,
const char *input_file_name,
const char *output_file_name)
{
psa_status_t status = PSA_SUCCESS;
psa_key_id_t derivation_key = 0;
psa_key_id_t wrapping_key = 0;
/* Initialize the PSA crypto library. */
PSA_CHECK(psa_crypto_init());
/* Generate mode is unlike the others. Generate the master key and exit. */
if (mode == MODE_GENERATE) {
return generate(key_file_name);
}
/* Read the master key. */
PSA_CHECK(import_key_from_file(PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT,
KDF_ALG,
key_file_name,
&derivation_key));
/* Calculate the derived key for this session. */
PSA_CHECK(derive_key_ladder(ladder, ladder_depth,
&derivation_key));
switch (mode) {
case MODE_SAVE:
PSA_CHECK(save_key(derivation_key, output_file_name));
break;
case MODE_UNWRAP:
PSA_CHECK(derive_wrapping_key(PSA_KEY_USAGE_DECRYPT,
derivation_key,
&wrapping_key));
PSA_CHECK(unwrap_data(input_file_name, output_file_name,
wrapping_key));
break;
case MODE_WRAP:
PSA_CHECK(derive_wrapping_key(PSA_KEY_USAGE_ENCRYPT,
derivation_key,
&wrapping_key));
PSA_CHECK(wrap_data(input_file_name, output_file_name,
wrapping_key));
break;
default:
/* Unreachable but some compilers don't realize it. */
break;
}
exit:
/* Destroy any remaining key. Deinitializing the crypto library would do
* this anyway since they are volatile keys, but explicitly destroying
* keys makes the code easier to reuse. */
(void) psa_destroy_key(derivation_key);
(void) psa_destroy_key(wrapping_key);
/* Deinitialize the PSA crypto library. */
mbedtls_psa_crypto_free();
return status;
}
static void usage(void)
{
printf("Usage: key_ladder_demo MODE [OPTION=VALUE]...\n");
printf("Demonstrate the usage of a key derivation ladder.\n");
printf("\n");
printf("Modes:\n");
printf(" generate Generate the master key\n");
printf(" save Save the derived key\n");
printf(" unwrap Unwrap (decrypt) input with the derived key\n");
printf(" wrap Wrap (encrypt) input with the derived key\n");
printf("\n");
printf("Options:\n");
printf(" input=FILENAME Input file (required for wrap/unwrap)\n");
printf(" master=FILENAME File containing the master key (default: master.key)\n");
printf(" output=FILENAME Output file (required for save/wrap/unwrap)\n");
printf(" label=TEXT Label for the key derivation.\n");
printf(" This may be repeated multiple times.\n");
printf(" To get the same key, you must use the same master key\n");
printf(" and the same sequence of labels.\n");
}
int main(int argc, char *argv[])
{
const char *key_file_name = "master.key";
const char *input_file_name = NULL;
const char *output_file_name = NULL;
const char *ladder[MAX_LADDER_DEPTH];
size_t ladder_depth = 0;
int i;
enum program_mode mode;
psa_status_t status;
if (argc <= 1 ||
strcmp(argv[1], "help") == 0 ||
strcmp(argv[1], "-help") == 0 ||
strcmp(argv[1], "--help") == 0) {
usage();
return EXIT_SUCCESS;
}
for (i = 2; i < argc; i++) {
char *q = strchr(argv[i], '=');
if (q == NULL) {
printf("Missing argument to option %s\n", argv[i]);
goto usage_failure;
}
*q = 0;
++q;
if (strcmp(argv[i], "input") == 0) {
input_file_name = q;
} else if (strcmp(argv[i], "label") == 0) {
if (ladder_depth == MAX_LADDER_DEPTH) {
printf("Maximum ladder depth %u exceeded.\n",
(unsigned) MAX_LADDER_DEPTH);
return EXIT_FAILURE;
}
ladder[ladder_depth] = q;
++ladder_depth;
} else if (strcmp(argv[i], "master") == 0) {
key_file_name = q;
} else if (strcmp(argv[i], "output") == 0) {
output_file_name = q;
} else {
printf("Unknown option: %s\n", argv[i]);
goto usage_failure;
}
}
if (strcmp(argv[1], "generate") == 0) {
mode = MODE_GENERATE;
} else if (strcmp(argv[1], "save") == 0) {
mode = MODE_SAVE;
} else if (strcmp(argv[1], "unwrap") == 0) {
mode = MODE_UNWRAP;
} else if (strcmp(argv[1], "wrap") == 0) {
mode = MODE_WRAP;
} else {
printf("Unknown action: %s\n", argv[1]);
goto usage_failure;
}
if (input_file_name == NULL &&
(mode == MODE_WRAP || mode == MODE_UNWRAP)) {
printf("Required argument missing: input\n");
return DEMO_ERROR;
}
if (output_file_name == NULL &&
(mode == MODE_SAVE || mode == MODE_WRAP || mode == MODE_UNWRAP)) {
printf("Required argument missing: output\n");
return DEMO_ERROR;
}
status = run(mode, key_file_name,
ladder, ladder_depth,
input_file_name, output_file_name);
return status == PSA_SUCCESS ?
EXIT_SUCCESS :
EXIT_FAILURE;
usage_failure:
usage();
return EXIT_FAILURE;
}
#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_MD_C &&
MBEDTLS_AES_C && MBEDTLS_CCM_C &&
MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */

51
externals/mbedtls/programs/psa/key_ladder_demo.sh vendored Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/sh
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
. "${0%/*}/../demo_common.sh"
msg <<'EOF'
This script demonstrates the use of the PSA cryptography interface to
create a master key, derive a key from it and use that derived key to
wrap some data using an AEAD algorithm.
EOF
depends_on MBEDTLS_SHA256_C MBEDTLS_MD_C MBEDTLS_AES_C MBEDTLS_CCM_C MBEDTLS_PSA_CRYPTO_C MBEDTLS_FS_IO
program="${0%/*}"/key_ladder_demo
if [ -e master.key ]; then
echo "# Reusing the existing master.key file."
else
files_to_clean="$files_to_clean master.key"
run "Generate a master key." \
"$program" generate master=master.key
fi
files_to_clean="$files_to_clean input.txt hello_world.wrap"
echo "Here is some input. See it wrapped." >input.txt
run "Derive a key and wrap some data with it." \
"$program" wrap master=master.key label=hello label=world \
input=input.txt output=hello_world.wrap
files_to_clean="$files_to_clean hello_world.txt"
run "Derive the same key again and unwrap the data." \
"$program" unwrap master=master.key label=hello label=world \
input=hello_world.wrap output=hello_world.txt
run "Compare the unwrapped data with the original input." \
cmp input.txt hello_world.txt
files_to_clean="$files_to_clean hellow_orld.txt"
run_bad "Derive a different key and attempt to unwrap the data." \
"$program" unwrap master=master.key input=hello_world.wrap output=hellow_orld.txt label=hellow label=orld
files_to_clean="$files_to_clean hello.key"
run "Save the first step of the key ladder, then load it as a master key and construct the rest of the ladder." \
"$program" save master=master.key label=hello \
input=hello_world.wrap output=hello.key
run "Check that we get the same key by unwrapping data made by the other key." \
"$program" unwrap master=hello.key label=world \
input=hello_world.wrap output=hello_world.txt
cleanup

310
externals/mbedtls/programs/psa/psa_constant_names.c vendored Normal file
View File

@@ -0,0 +1,310 @@
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "psa/crypto.h"
/* This block is present to support Visual Studio builds prior to 2015 */
#if defined(_MSC_VER) && _MSC_VER < 1900
#include <stdarg.h>
int snprintf(char *s, size_t n, const char *fmt, ...)
{
int ret;
va_list argp;
/* Avoid calling the invalid parameter handler by checking ourselves */
if (s == NULL || n == 0 || fmt == NULL) {
return -1;
}
va_start(argp, fmt);
#if defined(_TRUNCATE) && !defined(__MINGW32__)
ret = _vsnprintf_s(s, n, _TRUNCATE, fmt, argp);
#else
ret = _vsnprintf(s, n, fmt, argp);
if (ret < 0 || (size_t) ret == n) {
s[n-1] = '\0';
ret = -1;
}
#endif
va_end(argp);
return ret;
}
#endif
static void append(char **buffer, size_t buffer_size,
size_t *required_size,
const char *string, size_t length)
{
*required_size += length;
if (*required_size < buffer_size) {
memcpy(*buffer, string, length);
*buffer += length;
}
}
static void append_integer(char **buffer, size_t buffer_size,
size_t *required_size,
const char *format /*printf format for value*/,
unsigned long value)
{
size_t n = snprintf(*buffer, buffer_size - *required_size, format, value);
if (n < buffer_size - *required_size) {
*buffer += n;
}
*required_size += n;
}
/* The code of these function is automatically generated and included below. */
static const char *psa_ecc_family_name(psa_ecc_family_t curve);
static const char *psa_dh_family_name(psa_dh_family_t group);
static const char *psa_hash_algorithm_name(psa_algorithm_t hash_alg);
static void append_with_curve(char **buffer, size_t buffer_size,
size_t *required_size,
const char *string, size_t length,
psa_ecc_family_t curve)
{
const char *family_name = psa_ecc_family_name(curve);
append(buffer, buffer_size, required_size, string, length);
append(buffer, buffer_size, required_size, "(", 1);
if (family_name != NULL) {
append(buffer, buffer_size, required_size,
family_name, strlen(family_name));
} else {
append_integer(buffer, buffer_size, required_size,
"0x%02x", curve);
}
append(buffer, buffer_size, required_size, ")", 1);
}
static void append_with_group(char **buffer, size_t buffer_size,
size_t *required_size,
const char *string, size_t length,
psa_dh_family_t group)
{
const char *group_name = psa_dh_family_name(group);
append(buffer, buffer_size, required_size, string, length);
append(buffer, buffer_size, required_size, "(", 1);
if (group_name != NULL) {
append(buffer, buffer_size, required_size,
group_name, strlen(group_name));
} else {
append_integer(buffer, buffer_size, required_size,
"0x%02x", group);
}
append(buffer, buffer_size, required_size, ")", 1);
}
typedef const char *(*psa_get_algorithm_name_func_ptr)(psa_algorithm_t alg);
static void append_with_alg(char **buffer, size_t buffer_size,
size_t *required_size,
psa_get_algorithm_name_func_ptr get_name,
psa_algorithm_t alg)
{
const char *name = get_name(alg);
if (name != NULL) {
append(buffer, buffer_size, required_size,
name, strlen(name));
} else {
append_integer(buffer, buffer_size, required_size,
"0x%08lx", alg);
}
}
#include "psa_constant_names_generated.c"
static int psa_snprint_status(char *buffer, size_t buffer_size,
psa_status_t status)
{
const char *name = psa_strerror(status);
if (name == NULL) {
return snprintf(buffer, buffer_size, "%ld", (long) status);
} else {
size_t length = strlen(name);
if (length < buffer_size) {
memcpy(buffer, name, length + 1);
return (int) length;
} else {
return (int) buffer_size;
}
}
}
static int psa_snprint_ecc_curve(char *buffer, size_t buffer_size,
psa_ecc_family_t curve)
{
const char *name = psa_ecc_family_name(curve);
if (name == NULL) {
return snprintf(buffer, buffer_size, "0x%02x", (unsigned) curve);
} else {
size_t length = strlen(name);
if (length < buffer_size) {
memcpy(buffer, name, length + 1);
return (int) length;
} else {
return (int) buffer_size;
}
}
}
static int psa_snprint_dh_group(char *buffer, size_t buffer_size,
psa_dh_family_t group)
{
const char *name = psa_dh_family_name(group);
if (name == NULL) {
return snprintf(buffer, buffer_size, "0x%02x", (unsigned) group);
} else {
size_t length = strlen(name);
if (length < buffer_size) {
memcpy(buffer, name, length + 1);
return (int) length;
} else {
return (int) buffer_size;
}
}
}
static void usage(const char *program_name)
{
printf("Usage: %s TYPE VALUE [VALUE...]\n",
program_name == NULL ? "psa_constant_names" : program_name);
printf("Print the symbolic name whose numerical value is VALUE in TYPE.\n");
printf("Supported types (with = between aliases):\n");
printf(" alg=algorithm Algorithm (psa_algorithm_t)\n");
printf(" curve=ecc_curve Elliptic curve identifier (psa_ecc_family_t)\n");
printf(" group=dh_group Diffie-Hellman group identifier (psa_dh_family_t)\n");
printf(" type=key_type Key type (psa_key_type_t)\n");
printf(" usage=key_usage Key usage (psa_key_usage_t)\n");
printf(" error=status Status code (psa_status_t)\n");
}
typedef enum {
TYPE_STATUS,
} signed_value_type;
int process_signed(signed_value_type type, long min, long max, char **argp)
{
for (; *argp != NULL; argp++) {
char buffer[200];
char *end;
long value = strtol(*argp, &end, 0);
if (*end) {
printf("Non-numeric value: %s\n", *argp);
return EXIT_FAILURE;
}
if (value < min || (errno == ERANGE && value < 0)) {
printf("Value too small: %s\n", *argp);
return EXIT_FAILURE;
}
if (value > max || (errno == ERANGE && value > 0)) {
printf("Value too large: %s\n", *argp);
return EXIT_FAILURE;
}
switch (type) {
case TYPE_STATUS:
psa_snprint_status(buffer, sizeof(buffer),
(psa_status_t) value);
break;
}
puts(buffer);
}
return EXIT_SUCCESS;
}
typedef enum {
TYPE_ALGORITHM,
TYPE_ECC_CURVE,
TYPE_DH_GROUP,
TYPE_KEY_TYPE,
TYPE_KEY_USAGE,
} unsigned_value_type;
int process_unsigned(unsigned_value_type type, unsigned long max, char **argp)
{
for (; *argp != NULL; argp++) {
char buffer[200];
char *end;
unsigned long value = strtoul(*argp, &end, 0);
if (*end) {
printf("Non-numeric value: %s\n", *argp);
return EXIT_FAILURE;
}
if (value > max || errno == ERANGE) {
printf("Value out of range: %s\n", *argp);
return EXIT_FAILURE;
}
switch (type) {
case TYPE_ALGORITHM:
psa_snprint_algorithm(buffer, sizeof(buffer),
(psa_algorithm_t) value);
break;
case TYPE_ECC_CURVE:
psa_snprint_ecc_curve(buffer, sizeof(buffer),
(psa_ecc_family_t) value);
break;
case TYPE_DH_GROUP:
psa_snprint_dh_group(buffer, sizeof(buffer),
(psa_dh_family_t) value);
break;
case TYPE_KEY_TYPE:
psa_snprint_key_type(buffer, sizeof(buffer),
(psa_key_type_t) value);
break;
case TYPE_KEY_USAGE:
psa_snprint_key_usage(buffer, sizeof(buffer),
(psa_key_usage_t) value);
break;
}
puts(buffer);
}
return EXIT_SUCCESS;
}
int main(int argc, char *argv[])
{
if (argc <= 1 ||
!strcmp(argv[1], "help") ||
!strcmp(argv[1], "--help")) {
usage(argv[0]);
return EXIT_FAILURE;
}
if (!strcmp(argv[1], "error") || !strcmp(argv[1], "status")) {
/* There's no way to obtain the actual range of a signed type,
* so hard-code it here: psa_status_t is int32_t. */
return process_signed(TYPE_STATUS, INT32_MIN, INT32_MAX,
argv + 2);
} else if (!strcmp(argv[1], "alg") || !strcmp(argv[1], "algorithm")) {
return process_unsigned(TYPE_ALGORITHM, (psa_algorithm_t) (-1),
argv + 2);
} else if (!strcmp(argv[1], "curve") || !strcmp(argv[1], "ecc_curve")) {
return process_unsigned(TYPE_ECC_CURVE, (psa_ecc_family_t) (-1),
argv + 2);
} else if (!strcmp(argv[1], "group") || !strcmp(argv[1], "dh_group")) {
return process_unsigned(TYPE_DH_GROUP, (psa_dh_family_t) (-1),
argv + 2);
} else if (!strcmp(argv[1], "type") || !strcmp(argv[1], "key_type")) {
return process_unsigned(TYPE_KEY_TYPE, (psa_key_type_t) (-1),
argv + 2);
} else if (!strcmp(argv[1], "usage") || !strcmp(argv[1], "key_usage")) {
return process_unsigned(TYPE_KEY_USAGE, (psa_key_usage_t) (-1),
argv + 2);
} else {
printf("Unknown type: %s\n", argv[1]);
return EXIT_FAILURE;
}
}

159
externals/mbedtls/programs/psa/psa_hash.c vendored Normal file
View File

@@ -0,0 +1,159 @@
/*
* Example computing a SHA-256 hash using the PSA Crypto API
*
* The example computes the SHA-256 hash of a test string using the
* one-shot API call psa_hash_compute() and the using multi-part
* operation, which requires psa_hash_setup(), psa_hash_update() and
* psa_hash_finish(). The multi-part operation is popular on embedded
* devices where a rolling hash needs to be computed.
*
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "psa/crypto.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* Information about hashing with the PSA API can be
* found here:
* https://arm-software.github.io/psa-api/crypto/1.1/api/ops/hashes.html
*
* The algorithm used by this demo is SHA 256.
* Please see include/psa/crypto_values.h to see the other
* algorithms that are supported by Mbed TLS.
* If you switch to a different algorithm you will need to update
* the hash data in the EXAMPLE_HASH_VALUE macro below. */
#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(PSA_WANT_ALG_SHA_256)
int main(void)
{
mbedtls_printf("MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
"not defined.\r\n");
return EXIT_SUCCESS;
}
#else
#define HASH_ALG PSA_ALG_SHA_256
const uint8_t sample_message[] = "Hello World!";
/* sample_message is terminated with a null byte which is not part of
* the message itself so we make sure to subtract it in order to get
* the message length. */
const size_t sample_message_length = sizeof(sample_message) - 1;
#define EXPECTED_HASH_VALUE { \
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, \
0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, \
0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 \
}
const uint8_t expected_hash[] = EXPECTED_HASH_VALUE;
const size_t expected_hash_len = sizeof(expected_hash);
int main(void)
{
psa_status_t status;
uint8_t hash[PSA_HASH_LENGTH(HASH_ALG)];
size_t hash_length;
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
psa_hash_operation_t cloned_hash_operation = PSA_HASH_OPERATION_INIT;
mbedtls_printf("PSA Crypto API: SHA-256 example\n\n");
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_printf("psa_crypto_init failed\n");
return EXIT_FAILURE;
}
/* Compute hash using multi-part operation */
status = psa_hash_setup(&hash_operation, HASH_ALG);
if (status == PSA_ERROR_NOT_SUPPORTED) {
mbedtls_printf("unknown hash algorithm supplied\n");
return EXIT_FAILURE;
} else if (status != PSA_SUCCESS) {
mbedtls_printf("psa_hash_setup failed\n");
return EXIT_FAILURE;
}
status = psa_hash_update(&hash_operation, sample_message, sample_message_length);
if (status != PSA_SUCCESS) {
mbedtls_printf("psa_hash_update failed\n");
goto cleanup;
}
status = psa_hash_clone(&hash_operation, &cloned_hash_operation);
if (status != PSA_SUCCESS) {
mbedtls_printf("PSA hash clone failed\n");
goto cleanup;
}
status = psa_hash_finish(&hash_operation, hash, sizeof(hash), &hash_length);
if (status != PSA_SUCCESS) {
mbedtls_printf("psa_hash_finish failed\n");
goto cleanup;
}
/* Check the result of the operation against the sample */
if (hash_length != expected_hash_len ||
(memcmp(hash, expected_hash, expected_hash_len) != 0)) {
mbedtls_printf("Multi-part hash operation gave the wrong result!\n\n");
goto cleanup;
}
status =
psa_hash_verify(&cloned_hash_operation, expected_hash,
expected_hash_len);
if (status != PSA_SUCCESS) {
mbedtls_printf("psa_hash_verify failed\n");
goto cleanup;
} else {
mbedtls_printf("Multi-part hash operation successful!\n");
}
/* Clear local variables prior to one-shot hash demo */
memset(hash, 0, sizeof(hash));
hash_length = 0;
/* Compute hash using one-shot function call */
status = psa_hash_compute(HASH_ALG,
sample_message, sample_message_length,
hash, sizeof(hash),
&hash_length);
if (status != PSA_SUCCESS) {
mbedtls_printf("psa_hash_compute failed\n");
goto cleanup;
}
if (hash_length != expected_hash_len ||
(memcmp(hash, expected_hash, expected_hash_len) != 0)) {
mbedtls_printf("One-shot hash operation gave the wrong result!\n\n");
goto cleanup;
}
mbedtls_printf("One-shot hash operation successful!\n\n");
/* Print out result */
mbedtls_printf("The SHA-256( '%s' ) is: ", sample_message);
for (size_t j = 0; j < expected_hash_len; j++) {
mbedtls_printf("%02x", hash[j]);
}
mbedtls_printf("\n");
mbedtls_psa_crypto_free();
return EXIT_SUCCESS;
cleanup:
psa_hash_abort(&hash_operation);
psa_hash_abort(&cloned_hash_operation);
return EXIT_FAILURE;
}
#endif /* !MBEDTLS_PSA_CRYPTO_C || !PSA_WANT_ALG_SHA_256 */

20
externals/mbedtls/programs/psa/psa_hash_demo.sh vendored Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
. "${0%/*}/../demo_common.sh"
msg <<'EOF'
This program demonstrates the use of the PSA cryptography interface to
compute a SHA-256 hash of a test string using the one-shot API call
and also using the multi-part operation API.
EOF
depends_on MBEDTLS_PSA_CRYPTO_C PSA_WANT_ALG_SHA_256
program="${0%/*}"/psa_hash
"$program"
cleanup

14
externals/mbedtls/programs/random/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,14 @@
set(executables
gen_entropy
gen_random_ctr_drbg
)
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

75
externals/mbedtls/programs/random/gen_entropy.c vendored Normal file
View File

@@ -0,0 +1,75 @@
/**
* \brief Use and generate multiple entropies calls into a file
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/entropy.h"
#include <stdio.h>
#endif
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int i, k, ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_entropy_context entropy;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
if (argc < 2) {
mbedtls_fprintf(stderr, "usage: %s <output filename>\n", argv[0]);
mbedtls_exit(exit_code);
}
if ((f = fopen(argv[1], "wb+")) == NULL) {
mbedtls_printf("failed to open '%s' for writing.\n", argv[1]);
mbedtls_exit(exit_code);
}
mbedtls_entropy_init(&entropy);
for (i = 0, k = 768; i < k; i++) {
ret = mbedtls_entropy_func(&entropy, buf, sizeof(buf));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_entropy_func returned -%04X\n",
(unsigned int) ret);
goto cleanup;
}
fwrite(buf, 1, sizeof(buf), f);
mbedtls_printf("Generating %ldkb of data in file '%s'... %04.1f" \
"%% done\r",
(long) (sizeof(buf) * k / 1024),
argv[1],
(100 * (float) (i + 1)) / k);
fflush(stdout);
}
exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
mbedtls_printf("\n");
fclose(f);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_ENTROPY_C */

107
externals/mbedtls/programs/random/gen_random_ctr_drbg.c vendored Normal file
View File

@@ -0,0 +1,107 @@
/**
* \brief Use and generate random data into a file via the CTR_DBRG based on AES
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_FS_IO)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <stdio.h>
#endif
#if !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_CTR_DRBG_C and/or MBEDTLS_ENTROPY_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
FILE *f;
int i, k, ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
unsigned char buf[1024];
mbedtls_ctr_drbg_init(&ctr_drbg);
if (argc < 2) {
mbedtls_fprintf(stderr, "usage: %s <output filename>\n", argv[0]);
mbedtls_exit(exit_code);
}
if ((f = fopen(argv[1], "wb+")) == NULL) {
mbedtls_printf("failed to open '%s' for writing.\n", argv[1]);
mbedtls_exit(exit_code);
}
mbedtls_entropy_init(&entropy);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg,
mbedtls_entropy_func,
&entropy,
(const unsigned char *) "RANDOM_GEN",
10);
if (ret != 0) {
mbedtls_printf("failed in mbedtls_ctr_drbg_seed: %d\n", ret);
goto cleanup;
}
mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, MBEDTLS_CTR_DRBG_PR_OFF);
#if defined(MBEDTLS_FS_IO)
ret = mbedtls_ctr_drbg_update_seed_file(&ctr_drbg, "seedfile");
if (ret == MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) {
mbedtls_printf("Failed to open seedfile. Generating one.\n");
ret = mbedtls_ctr_drbg_write_seed_file(&ctr_drbg, "seedfile");
if (ret != 0) {
mbedtls_printf("failed in mbedtls_ctr_drbg_write_seed_file: %d\n", ret);
goto cleanup;
}
} else if (ret != 0) {
mbedtls_printf("failed in mbedtls_ctr_drbg_update_seed_file: %d\n", ret);
goto cleanup;
}
#endif
for (i = 0, k = 768; i < k; i++) {
ret = mbedtls_ctr_drbg_random(&ctr_drbg, buf, sizeof(buf));
if (ret != 0) {
mbedtls_printf("failed!\n");
goto cleanup;
}
fwrite(buf, 1, sizeof(buf), f);
mbedtls_printf("Generating %ldkb of data in file '%s'... %04.1f" \
"%% done\r",
(long) (sizeof(buf) * k / 1024),
argv[1],
(100 * (float) (i + 1)) / k);
fflush(stdout);
}
exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
mbedtls_printf("\n");
fclose(f);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C */

61
externals/mbedtls/programs/ssl/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,61 @@
find_package(Threads)
set(libs
${mbedtls_target}
)
set(executables
dtls_client
dtls_server
mini_client
ssl_client1
ssl_client2
ssl_context_info
ssl_fork_server
ssl_mail_client
ssl_server
ssl_server2
)
if(GEN_FILES)
# Inform CMake that the following file will be generated as part of the build
# process, so it doesn't complain that it doesn't exist yet. Starting from
# CMake 3.20, this will no longer be necessary as CMake will automatically
# propagate this information across the tree, for now it's only visible
# inside the same directory, so we need to propagate manually.
set_source_files_properties(
${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c
PROPERTIES GENERATED TRUE)
endif()
foreach(exe IN LISTS executables)
set(extra_sources "")
if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2")
list(APPEND extra_sources
ssl_test_lib.c
${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.h
${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c)
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2")
if(GEN_FILES)
add_dependencies(${exe} generate_query_config_c)
endif()
target_include_directories(${exe}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../test)
endif()
endforeach()
if(THREADS_FOUND)
add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:mbedtls_test>)
target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_link_libraries(ssl_pthread_server ${libs} ${CMAKE_THREAD_LIBS_INIT})
list(APPEND executables ssl_pthread_server)
endif(THREADS_FOUND)
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

342
externals/mbedtls/programs/ssl/dtls_client.c vendored Normal file
View File

@@ -0,0 +1,342 @@
/*
* Simple DTLS client demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_TIMING_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_SSL_CLI_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_NET_C and/or MBEDTLS_TIMING_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_exit(0);
}
#else
#include <string.h>
#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/timing.h"
#include "test/certs.h"
/* Uncomment out the following line to default to IPv4 and disable IPv6 */
//#define FORCE_IPV4
#define SERVER_PORT "4433"
#define SERVER_NAME "localhost"
#ifdef FORCE_IPV4
#define SERVER_ADDR "127.0.0.1" /* Forces IPv4 */
#else
#define SERVER_ADDR "::1"
#endif
#define MESSAGE "Echo this"
#define READ_TIMEOUT_MS 1000
#define MAX_RETRY 5
#define DEBUG_LEVEL 0
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
int main(int argc, char *argv[])
{
int ret, len;
mbedtls_net_context server_fd;
uint32_t flags;
unsigned char buf[1024];
const char *pers = "dtls_client";
int retry_left = MAX_RETRY;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_timing_delay_context timer;
((void) argc);
((void) argv);
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
/*
* 0. Initialize the RNG and the session data
*/
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 0. Load certificates
*/
mbedtls_printf(" . Loading the CA root certificate ...");
fflush(stdout);
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret < 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok (%d skipped)\n", ret);
/*
* 1. Start the connection
*/
mbedtls_printf(" . Connecting to udp/%s/%s...", SERVER_NAME, SERVER_PORT);
fflush(stdout);
if ((ret = mbedtls_net_connect(&server_fd, SERVER_ADDR,
SERVER_PORT, MBEDTLS_NET_PROTO_UDP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Setup stuff
*/
mbedtls_printf(" . Setting up the DTLS structure...");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
mbedtls_ssl_conf_read_timeout(&conf, READ_TIMEOUT_MS);
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_set_hostname(&ssl, SERVER_NAME)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout);
mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
mbedtls_printf(" ok\n");
/*
* 4. Handshake
*/
mbedtls_printf(" . Performing the DTLS handshake...");
fflush(stdout);
do {
ret = mbedtls_ssl_handshake(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 5. Verify the server certificate
*/
mbedtls_printf(" . Verifying peer X.509 certificate...");
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
#if !defined(MBEDTLS_X509_REMOVE_INFO)
char vrfy_buf[512];
#endif
mbedtls_printf(" failed\n");
#if !defined(MBEDTLS_X509_REMOVE_INFO)
mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
mbedtls_printf("%s\n", vrfy_buf);
#endif
} else {
mbedtls_printf(" ok\n");
}
/*
* 6. Write the echo request
*/
send_request:
mbedtls_printf(" > Write to server:");
fflush(stdout);
len = sizeof(MESSAGE) - 1;
do {
ret = mbedtls_ssl_write(&ssl, (unsigned char *) MESSAGE, len);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret < 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
goto exit;
}
len = ret;
mbedtls_printf(" %d bytes written\n\n%s\n\n", len, MESSAGE);
/*
* 7. Read the echo response
*/
mbedtls_printf(" < Read from server:");
fflush(stdout);
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
do {
ret = mbedtls_ssl_read(&ssl, buf, len);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret <= 0) {
switch (ret) {
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf(" timeout\n\n");
if (retry_left-- > 0) {
goto send_request;
}
goto exit;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed gracefully\n");
goto close_notify;
default:
mbedtls_printf(" mbedtls_ssl_read returned -0x%x\n\n", (unsigned int) -ret);
goto exit;
}
}
len = ret;
mbedtls_printf(" %d bytes read\n\n%s\n\n", len, buf);
/*
* 8. Done, cleanly close the connection
*/
close_notify:
mbedtls_printf(" . Closing the connection...");
/* No error checking, the connection might be closed already */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
ret = 0;
mbedtls_printf(" done\n");
/*
* 9. Final clean-ups and exit
*/
exit:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&server_fd);
mbedtls_x509_crt_free(&cacert);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Shell can not handle large exit numbers -> 1 for errors */
if (ret < 0) {
ret = 1;
}
mbedtls_exit(ret);
}
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_NET_C &&
MBEDTLS_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C && MBEDTLS_PEM_PARSE_C */

408
externals/mbedtls/programs/ssl/dtls_server.c vendored Normal file
View File

@@ -0,0 +1,408 @@
/*
* Simple DTLS server demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/* Uncomment out the following line to default to IPv4 and disable IPv6 */
//#define FORCE_IPV4
#ifdef FORCE_IPV4
#define BIND_IP "0.0.0.0" /* Forces IPv4 */
#else
#define BIND_IP "::"
#endif
#if !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_SSL_COOKIE_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_TIMING_C)
int main(void)
{
printf("MBEDTLS_SSL_SRV_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_SSL_COOKIE_C and/or MBEDTLS_NET_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_TIMING_C not defined.\n");
mbedtls_exit(0);
}
#else
#if defined(_WIN32)
#include <windows.h>
#endif
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_cookie.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
#endif
#define READ_TIMEOUT_MS 10000 /* 10 seconds */
#define DEBUG_LEVEL 0
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
int main(void)
{
int ret, len;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "dtls_server";
unsigned char client_ip[16] = { 0 };
size_t cliip_len;
mbedtls_ssl_cookie_ctx cookie_ctx;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
mbedtls_timing_delay_context timer;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_cookie_init(&cookie_ctx);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init(&cache);
#endif
mbedtls_x509_crt_init(&srvcert);
mbedtls_pk_init(&pkey);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
/*
* 1. Seed the RNG
*/
printf(" . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
printf(" ok\n");
/*
* 2. Load the certificates and private RSA key
*/
printf("\n . Loading the server cert. and key...");
fflush(stdout);
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len);
if (ret != 0) {
printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret != 0) {
printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_pk_parse_key(&pkey,
(const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len,
NULL,
0,
mbedtls_ctr_drbg_random,
&ctr_drbg);
if (ret != 0) {
printf(" failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
/*
* 3. Setup the "listening" UDP socket
*/
printf(" . Bind on udp/*/4433 ...");
fflush(stdout);
if ((ret = mbedtls_net_bind(&listen_fd, BIND_IP, "4433", MBEDTLS_NET_PROTO_UDP)) != 0) {
printf(" failed\n ! mbedtls_net_bind returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
/*
* 4. Setup stuff
*/
printf(" . Setting up the DTLS data...");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
mbedtls_ssl_conf_read_timeout(&conf, READ_TIMEOUT_MS);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(&conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
#endif
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey)) != 0) {
printf(" failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
printf(" failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
&cookie_ctx);
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
printf(" ok\n");
reset:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&client_fd);
mbedtls_ssl_session_reset(&ssl);
/*
* 5. Wait until a client connects
*/
printf(" . Waiting for a remote connection ...");
fflush(stdout);
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
client_ip, sizeof(client_ip), &cliip_len)) != 0) {
printf(" failed\n ! mbedtls_net_accept returned %d\n\n", ret);
goto exit;
}
/* For HelloVerifyRequest cookies */
if ((ret = mbedtls_ssl_set_client_transport_id(&ssl,
client_ip, cliip_len)) != 0) {
printf(" failed\n ! "
"mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", (unsigned int) -ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &client_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout);
printf(" ok\n");
/*
* 6. Handshake
*/
printf(" . Performing the DTLS handshake...");
fflush(stdout);
do {
ret = mbedtls_ssl_handshake(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
printf(" hello verification requested\n");
ret = 0;
goto reset;
} else if (ret != 0) {
printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret);
goto reset;
}
printf(" ok\n");
/*
* 7. Read the echo Request
*/
printf(" < Read from client:");
fflush(stdout);
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
do {
ret = mbedtls_ssl_read(&ssl, buf, len);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret <= 0) {
switch (ret) {
case MBEDTLS_ERR_SSL_TIMEOUT:
printf(" timeout\n\n");
goto reset;
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
printf(" connection was closed gracefully\n");
goto close_notify;
default:
printf(" mbedtls_ssl_read returned -0x%x\n\n", (unsigned int) -ret);
goto reset;
}
}
len = ret;
printf(" %d bytes read\n\n%s\n\n", len, buf);
/*
* 8. Write the 200 Response
*/
printf(" > Write to client:");
fflush(stdout);
do {
ret = mbedtls_ssl_write(&ssl, buf, len);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE);
if (ret < 0) {
printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
goto exit;
}
len = ret;
printf(" %d bytes written\n\n%s\n\n", len, buf);
/*
* 9. Done, cleanly close the connection
*/
close_notify:
printf(" . Closing the connection...");
/* No error checking, the connection might be closed already */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
ret = 0;
printf(" done\n");
goto reset;
/*
* Final clean-ups and exit
*/
exit:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_cookie_free(&cookie_ctx);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free(&cache);
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Shell can not handle large exit numbers -> 1 for errors */
if (ret < 0) {
ret = 1;
}
mbedtls_exit(ret);
}
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS &&
MBEDTLS_SSL_COOKIE_C && MBEDTLS_NET_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C
&& MBEDTLS_PEM_PARSE_C && MBEDTLS_TIMING_C */

274
externals/mbedtls/programs/ssl/mini_client.c vendored Normal file
View File

@@ -0,0 +1,274 @@
/*
* Minimal SSL client, used for memory measurements.
* (meant to be used with config-suite-b.h or config-ccm-psk-tls1_2.h)
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
/*
* We're creating and connecting the socket "manually" rather than using the
* NET module, in order to avoid the overhead of getaddrinfo() which tends to
* dominate memory usage in small configurations. For the sake of simplicity,
* only a Unix version is implemented.
*
* Warning: we are breaking some of the abstractions from the NET layer here.
* This is not a good example for general use. This programs has the specific
* goal of minimizing use of the libc functions on full-blown OSes.
*/
#if defined(unix) || defined(__unix__) || defined(__unix) || defined(__APPLE__)
#define UNIX
#endif
#if !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(UNIX)
int main(void)
{
mbedtls_printf("MBEDTLS_CTR_DRBG_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_CLI_C and/or UNIX "
"not defined.\n");
mbedtls_exit(0);
}
#else
#include <string.h>
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
* Hardcoded values for server host and port
*/
#define PORT_BE 0x1151 /* 4433 */
#define PORT_LE 0x5111
#define ADDR_BE 0x7f000001 /* 127.0.0.1 */
#define ADDR_LE 0x0100007f
#define HOSTNAME "localhost" /* for cert verification if enabled */
#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
const char *pers = "mini_client";
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
const unsigned char psk[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
const char psk_id[] = "Client_identity";
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/* This is tests/data_files/test-ca2.crt, a CA using EC secp384r1 */
const unsigned char ca_cert[] = {
0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,
0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,
0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,
0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,
0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x39,
0x32, 0x34, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a, 0x17, 0x0d, 0x32,
0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a,
0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,
0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,
0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,
0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22,
0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f,
0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e,
0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95,
0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95,
0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a,
0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2,
0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47,
0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66,
0x16, 0x60, 0x33, 0x1e, 0xa3, 0x81, 0xa0, 0x30, 0x81, 0x9d, 0x30, 0x1d,
0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, 0x6d, 0x20,
0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24,
0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,
0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,
0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,
0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,
0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,
0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,
0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,
0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,
0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0c, 0x06,
0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03,
0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xc3, 0xb4, 0x62, 0x73, 0x56,
0x28, 0x95, 0x00, 0x7d, 0x78, 0x12, 0x26, 0xd2, 0x71, 0x7b, 0x19, 0xf8,
0x8a, 0x98, 0x3e, 0x92, 0xfe, 0x33, 0x9e, 0xe4, 0x79, 0xd2, 0xfe, 0x7a,
0xb7, 0x87, 0x74, 0x3c, 0x2b, 0xb8, 0xd7, 0x69, 0x94, 0x0b, 0xa3, 0x67,
0x77, 0xb8, 0xb3, 0xbe, 0xd1, 0x36, 0x32, 0x02, 0x31, 0x00, 0xfd, 0x67,
0x9c, 0x94, 0x23, 0x67, 0xc0, 0x56, 0xba, 0x4b, 0x33, 0x15, 0x00, 0xc6,
0xe3, 0xcc, 0x31, 0x08, 0x2c, 0x9c, 0x8b, 0xda, 0xa9, 0x75, 0x23, 0x2f,
0xb8, 0x28, 0xe7, 0xf2, 0x9c, 0x14, 0x3a, 0x40, 0x01, 0x5c, 0xaf, 0x0c,
0xb2, 0xcf, 0x74, 0x7f, 0x30, 0x9f, 0x08, 0x43, 0xad, 0x20,
};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
enum exit_codes {
exit_ok = 0,
ctr_drbg_seed_failed,
ssl_config_defaults_failed,
ssl_setup_failed,
hostname_failed,
socket_failed,
connect_failed,
x509_crt_parse_failed,
ssl_handshake_failed,
ssl_write_failed,
};
int main(void)
{
int ret = exit_ok;
mbedtls_net_context server_fd;
struct sockaddr_in addr;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt ca;
#endif
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_init(&ctr_drbg);
/*
* 0. Initialize and setup stuff
*/
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init(&ca);
#endif
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
ret = ctr_drbg_seed_failed;
goto exit;
}
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
ret = ssl_config_defaults_failed;
goto exit;
}
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
(const unsigned char *) psk_id, sizeof(psk_id) - 1);
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (mbedtls_x509_crt_parse_der(&ca, ca_cert, sizeof(ca_cert)) != 0) {
ret = x509_crt_parse_failed;
goto exit;
}
mbedtls_ssl_conf_ca_chain(&conf, &ca, NULL);
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
#endif
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
ret = ssl_setup_failed;
goto exit;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (mbedtls_ssl_set_hostname(&ssl, HOSTNAME) != 0) {
ret = hostname_failed;
goto exit;
}
#endif
/*
* 1. Start the connection
*/
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
ret = 1; /* for endianness detection */
addr.sin_port = *((char *) &ret) == ret ? PORT_LE : PORT_BE;
addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE;
ret = 0;
if ((server_fd.fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
ret = socket_failed;
goto exit;
}
if (connect(server_fd.fd,
(const struct sockaddr *) &addr, sizeof(addr)) < 0) {
ret = connect_failed;
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
if (mbedtls_ssl_handshake(&ssl) != 0) {
ret = ssl_handshake_failed;
goto exit;
}
/*
* 2. Write the GET request and close the connection
*/
if (mbedtls_ssl_write(&ssl, (const unsigned char *) GET_REQUEST,
sizeof(GET_REQUEST) - 1) <= 0) {
ret = ssl_write_failed;
goto exit;
}
mbedtls_ssl_close_notify(&ssl);
exit:
mbedtls_net_free(&server_fd);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free(&ca);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
#endif

288
externals/mbedtls/programs/ssl/ssl_client1.c vendored Normal file
View File

@@ -0,0 +1,288 @@
/*
* SSL client demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "test/certs.h"
#include <string.h>
#define SERVER_PORT "4433"
#define SERVER_NAME "localhost"
#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
#define DEBUG_LEVEL 1
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
int main(void)
{
int ret = 1, len;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
uint32_t flags;
unsigned char buf[1024];
const char *pers = "ssl_client1";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
/*
* 0. Initialize the RNG and the session data
*/
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 0. Initialize certificates
*/
mbedtls_printf(" . Loading the CA root certificate ...");
fflush(stdout);
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret < 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok (%d skipped)\n", ret);
/*
* 1. Start the connection
*/
mbedtls_printf(" . Connecting to tcp/%s/%s...", SERVER_NAME, SERVER_PORT);
fflush(stdout);
if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME,
SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Setup stuff
*/
mbedtls_printf(" . Setting up the SSL/TLS structure...");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_set_hostname(&ssl, SERVER_NAME)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
/*
* 4. Handshake
*/
mbedtls_printf(" . Performing the SSL/TLS handshake...");
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
}
mbedtls_printf(" ok\n");
/*
* 5. Verify the server certificate
*/
mbedtls_printf(" . Verifying peer X.509 certificate...");
/* In real life, we probably want to bail out when ret != 0 */
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
#if !defined(MBEDTLS_X509_REMOVE_INFO)
char vrfy_buf[512];
#endif
mbedtls_printf(" failed\n");
#if !defined(MBEDTLS_X509_REMOVE_INFO)
mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
mbedtls_printf("%s\n", vrfy_buf);
#endif
} else {
mbedtls_printf(" ok\n");
}
/*
* 3. Write the GET request
*/
mbedtls_printf(" > Write to server:");
fflush(stdout);
len = sprintf((char *) buf, GET_REQUEST);
while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
goto exit;
}
}
len = ret;
mbedtls_printf(" %d bytes written\n\n%s", len, (char *) buf);
/*
* 7. Read the HTTP response
*/
mbedtls_printf(" < Read from server:");
fflush(stdout);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
break;
}
if (ret < 0) {
mbedtls_printf("failed\n ! mbedtls_ssl_read returned %d\n\n", ret);
break;
}
if (ret == 0) {
mbedtls_printf("\n\nEOF\n\n");
break;
}
len = ret;
mbedtls_printf(" %d bytes read\n\n%s", len, (char *) buf);
} while (1);
mbedtls_ssl_close_notify(&ssl);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
#ifdef MBEDTLS_ERROR_C
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&server_fd);
mbedtls_x509_crt_free(&cacert);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C */

3230
externals/mbedtls/programs/ssl/ssl_client2.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

1012
externals/mbedtls/programs/ssl/ssl_context_info.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

381
externals/mbedtls/programs/ssl/ssl_fork_server.c vendored Normal file
View File

@@ -0,0 +1,381 @@
/*
* SSL server demonstration program using fork() for handling multiple clients
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PEM_PARSE_C)
int main(int argc, char *argv[])
{
((void) argc);
((void) argv);
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_exit(0);
}
#elif defined(_WIN32)
int main(void)
{
mbedtls_printf("_WIN32 defined. This application requires fork() and signals "
"to work correctly.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "test/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/timing.h"
#include <string.h>
#include <signal.h>
#if !defined(_MSC_VER) || defined(EFIX64) || defined(EFI32)
#include <unistd.h>
#endif
#define HTTP_RESPONSE \
"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
"<h2>Mbed TLS Test Server</h2>\r\n" \
"<p>Successful connection using: %s</p>\r\n"
#define DEBUG_LEVEL 0
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
int main(void)
{
int ret = 1, len, cnt = 0, pid;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "ssl_fork_server";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&pkey);
mbedtls_x509_crt_init(&srvcert);
mbedtls_ctr_drbg_init(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
signal(SIGCHLD, SIG_IGN);
/*
* 0. Initial seeding of the RNG
*/
mbedtls_printf("\n . Initial seeding of the random generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed! mbedtls_ctr_drbg_seed returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1. Load the certificates and private RSA key
*/
mbedtls_printf(" . Loading the server cert. and key...");
fflush(stdout);
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len);
if (ret != 0) {
mbedtls_printf(" failed! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret != 0) {
mbedtls_printf(" failed! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed! mbedtls_pk_parse_key returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1b. Prepare SSL configuration
*/
mbedtls_printf(" . Configuring SSL...");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey)) != 0) {
mbedtls_printf(" failed! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Setup the listening TCP socket
*/
mbedtls_printf(" . Bind on https://localhost:4433/ ...");
fflush(stdout);
if ((ret = mbedtls_net_bind(&listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed! mbedtls_net_bind returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
while (1) {
/*
* 3. Wait until a client connects
*/
mbedtls_net_init(&client_fd);
mbedtls_ssl_init(&ssl);
mbedtls_printf(" . Waiting for a remote connection ...\n");
fflush(stdout);
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
NULL, 0, NULL)) != 0) {
mbedtls_printf(" failed! mbedtls_net_accept returned %d\n\n", ret);
goto exit;
}
/*
* 3.5. Forking server thread
*/
mbedtls_printf(" . Forking to handle connection ...");
fflush(stdout);
pid = fork();
if (pid < 0) {
mbedtls_printf(" failed! fork returned %d\n\n", pid);
goto exit;
}
if (pid != 0) {
mbedtls_printf(" ok\n");
mbedtls_net_close(&client_fd);
if ((ret = mbedtls_ctr_drbg_reseed(&ctr_drbg,
(const unsigned char *) "parent",
6)) != 0) {
mbedtls_printf(" failed! mbedtls_ctr_drbg_reseed returned %d\n\n", ret);
goto exit;
}
continue;
}
mbedtls_net_close(&listen_fd);
pid = getpid();
/*
* 4. Setup stuff
*/
mbedtls_printf("pid %d: Setting up the SSL data.\n", pid);
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_reseed(&ctr_drbg,
(const unsigned char *) "child",
5)) != 0) {
mbedtls_printf(
"pid %d: SSL setup failed! mbedtls_ctr_drbg_reseed returned %d\n\n",
pid, ret);
goto exit;
}
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
mbedtls_printf(
"pid %d: SSL setup failed! mbedtls_ssl_setup returned %d\n\n",
pid, ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
mbedtls_printf("pid %d: SSL setup ok\n", pid);
/*
* 5. Handshake
*/
mbedtls_printf("pid %d: Performing the SSL/TLS handshake.\n", pid);
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(
"pid %d: SSL handshake failed! mbedtls_ssl_handshake returned %d\n\n",
pid, ret);
goto exit;
}
}
mbedtls_printf("pid %d: SSL handshake ok\n", pid);
/*
* 6. Read the HTTP Request
*/
mbedtls_printf("pid %d: Start reading from client.\n", pid);
fflush(stdout);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret <= 0) {
switch (ret) {
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf("pid %d: connection was closed gracefully\n", pid);
break;
case MBEDTLS_ERR_NET_CONN_RESET:
mbedtls_printf("pid %d: connection was reset by peer\n", pid);
break;
default:
mbedtls_printf("pid %d: mbedtls_ssl_read returned %d\n", pid, ret);
break;
}
break;
}
len = ret;
mbedtls_printf("pid %d: %d bytes read\n\n%s", pid, len, (char *) buf);
if (ret > 0) {
break;
}
} while (1);
/*
* 7. Write the 200 Response
*/
mbedtls_printf("pid %d: Start writing to client.\n", pid);
fflush(stdout);
len = sprintf((char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite(&ssl));
while (cnt++ < 100) {
while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
mbedtls_printf(
"pid %d: Write failed! peer closed the connection\n\n", pid);
goto exit;
}
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(
"pid %d: Write failed! mbedtls_ssl_write returned %d\n\n",
pid, ret);
goto exit;
}
}
len = ret;
mbedtls_printf("pid %d: %d bytes written\n\n%s\n", pid, len, (char *) buf);
mbedtls_net_usleep(1000000);
}
mbedtls_ssl_close_notify(&ssl);
goto exit;
}
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_PARSE_C &&
! _WIN32 */

804
externals/mbedtls/programs/ssl/ssl_mail_client.c vendored Normal file
View File

@@ -0,0 +1,804 @@
/*
* SSL client for SMTP servers
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of gethostname() even when compiling with -std=c99. Must
* be set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
#define _POSIX_C_SOURCE 200112L
#define _XOPEN_SOURCE 600
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
#include "mbedtls/base64.h"
#include "mbedtls/error.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "test/certs.h"
#include "mbedtls/x509.h"
#include <stdlib.h>
#include <string.h>
#if !defined(_MSC_VER) || defined(EFIX64) || defined(EFI32)
#include <unistd.h>
#else
#include <io.h>
#endif
#if defined(_WIN32) || defined(_WIN32_WCE)
#include <winsock2.h>
#include <windows.h>
#if defined(_MSC_VER)
#if defined(_WIN32_WCE)
#pragma comment( lib, "ws2.lib" )
#else
#pragma comment( lib, "ws2_32.lib" )
#endif
#endif /* _MSC_VER */
#endif
#define DFL_SERVER_NAME "localhost"
#define DFL_SERVER_PORT "465"
#define DFL_USER_NAME "user"
#define DFL_USER_PWD "password"
#define DFL_MAIL_FROM ""
#define DFL_MAIL_TO ""
#define DFL_DEBUG_LEVEL 0
#define DFL_CA_FILE ""
#define DFL_CRT_FILE ""
#define DFL_KEY_FILE ""
#define DFL_FORCE_CIPHER 0
#define DFL_MODE 0
#define DFL_AUTHENTICATION 0
#define MODE_SSL_TLS 0
#define MODE_STARTTLS 0
#if defined(MBEDTLS_BASE64_C)
#define USAGE_AUTH \
" authentication=%%d default: 0 (disabled)\n" \
" user_name=%%s default: \"" DFL_USER_NAME "\"\n" \
" user_pwd=%%s default: \"" \
DFL_USER_PWD "\"\n"
#else
#define USAGE_AUTH \
" authentication options disabled. (Require MBEDTLS_BASE64_C)\n"
#endif /* MBEDTLS_BASE64_C */
#if defined(MBEDTLS_FS_IO)
#define USAGE_IO \
" ca_file=%%s default: \"\" (pre-loaded)\n" \
" crt_file=%%s default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n"
#else
#define USAGE_IO \
" No file operations available (MBEDTLS_FS_IO not defined)\n"
#endif /* MBEDTLS_FS_IO */
#define USAGE \
"\n usage: ssl_mail_client param=<>...\n" \
"\n acceptable parameters:\n" \
" server_name=%%s default: " DFL_SERVER_NAME "\n" \
" server_port=%%d default: " \
DFL_SERVER_PORT "\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" mode=%%d default: 0 (SSL/TLS) (1 for STARTTLS)\n" \
USAGE_AUTH \
" mail_from=%%s default: \"\"\n" \
" mail_to=%%s default: \"\"\n" \
USAGE_IO \
" force_ciphersuite=<name> default: all enabled\n" \
" acceptable ciphersuite names:\n"
/*
* global options
*/
struct options {
const char *server_name; /* hostname of the server (client only) */
const char *server_port; /* port on which the ssl service runs */
int debug_level; /* level of debugging */
int authentication; /* if authentication is required */
int mode; /* SSL/TLS (0) or STARTTLS (1) */
const char *user_name; /* username to use for authentication */
const char *user_pwd; /* password to use for authentication */
const char *mail_from; /* E-Mail address to use as sender */
const char *mail_to; /* E-Mail address to use as recipient */
const char *ca_file; /* the file with the CA certificate(s) */
const char *crt_file; /* the file with the client certificate */
const char *key_file; /* the file with the client key */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
} opt;
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
static int do_handshake(mbedtls_ssl_context *ssl)
{
int ret;
uint32_t flags;
unsigned char buf[1024];
memset(buf, 0, 1024);
/*
* 4. Handshake
*/
mbedtls_printf(" . Performing the SSL/TLS handshake...");
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
#if defined(MBEDTLS_ERROR_C)
mbedtls_strerror(ret, (char *) buf, 1024);
#endif
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned %d: %s\n\n", ret, buf);
return -1;
}
}
mbedtls_printf(" ok\n [ Ciphersuite is %s ]\n",
mbedtls_ssl_get_ciphersuite(ssl));
/*
* 5. Verify the server certificate
*/
mbedtls_printf(" . Verifying peer X.509 certificate...");
/* In real life, we probably want to bail out when ret != 0 */
if ((flags = mbedtls_ssl_get_verify_result(ssl)) != 0) {
#if !defined(MBEDTLS_X509_REMOVE_INFO)
char vrfy_buf[512];
#endif
mbedtls_printf(" failed\n");
#if !defined(MBEDTLS_X509_REMOVE_INFO)
mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
mbedtls_printf("%s\n", vrfy_buf);
#endif
} else {
mbedtls_printf(" ok\n");
}
#if !defined(MBEDTLS_X509_REMOVE_INFO)
mbedtls_printf(" . Peer certificate information ...\n");
mbedtls_x509_crt_info((char *) buf, sizeof(buf) - 1, " ",
mbedtls_ssl_get_peer_cert(ssl));
mbedtls_printf("%s\n", buf);
#endif
return 0;
}
static int write_ssl_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
{
int ret;
mbedtls_printf("\n%s", buf);
while (len && (ret = mbedtls_ssl_write(ssl, buf, len)) <= 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
return -1;
}
}
return 0;
}
static int write_ssl_and_get_response(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
{
int ret;
unsigned char data[128];
char code[4];
size_t i, idx = 0;
mbedtls_printf("\n%s", buf);
while (len && (ret = mbedtls_ssl_write(ssl, buf, len)) <= 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
return -1;
}
}
do {
len = sizeof(data) - 1;
memset(data, 0, sizeof(data));
ret = mbedtls_ssl_read(ssl, data, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
return -1;
}
if (ret <= 0) {
mbedtls_printf("failed\n ! mbedtls_ssl_read returned %d\n\n", ret);
return -1;
}
mbedtls_printf("\n%s", data);
len = ret;
for (i = 0; i < len; i++) {
if (data[i] != '\n') {
if (idx < 4) {
code[idx++] = data[i];
}
continue;
}
if (idx == 4 && code[0] >= '0' && code[0] <= '9' && code[3] == ' ') {
code[3] = '\0';
return atoi(code);
}
idx = 0;
}
} while (1);
}
static int write_and_get_response(mbedtls_net_context *sock_fd, unsigned char *buf, size_t len)
{
int ret;
unsigned char data[128];
char code[4];
size_t i, idx = 0;
mbedtls_printf("\n%s", buf);
if (len && (ret = mbedtls_net_send(sock_fd, buf, len)) <= 0) {
mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
return -1;
}
do {
len = sizeof(data) - 1;
memset(data, 0, sizeof(data));
ret = mbedtls_net_recv(sock_fd, data, len);
if (ret <= 0) {
mbedtls_printf("failed\n ! mbedtls_net_recv returned %d\n\n", ret);
return -1;
}
data[len] = '\0';
mbedtls_printf("\n%s", data);
len = ret;
for (i = 0; i < len; i++) {
if (data[i] != '\n') {
if (idx < 4) {
code[idx++] = data[i];
}
continue;
}
if (idx == 4 && code[0] >= '0' && code[0] <= '9' && code[3] == ' ') {
code[3] = '\0';
return atoi(code);
}
idx = 0;
}
} while (1);
}
int main(int argc, char *argv[])
{
int ret = 1, len;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
#if defined(MBEDTLS_BASE64_C)
unsigned char base[1024];
/* buf is used as the destination buffer for printing base with the format:
* "%s\r\n". Hence, the size of buf should be at least the size of base
* plus 2 bytes for the \r and \n characters.
*/
unsigned char buf[sizeof(base) + 2];
#else
unsigned char buf[1024];
#endif
char hostname[32];
const char *pers = "ssl_mail_client";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
int i;
size_t n;
char *p, *q;
const int *list;
/*
* Make sure memory references are valid in case we exit early.
*/
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
memset(&buf, 0, sizeof(buf));
mbedtls_x509_crt_init(&cacert);
mbedtls_x509_crt_init(&clicert);
mbedtls_pk_init(&pkey);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
list = mbedtls_ssl_list_ciphersuites();
while (*list) {
mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
list++;
}
mbedtls_printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.authentication = DFL_AUTHENTICATION;
opt.mode = DFL_MODE;
opt.user_name = DFL_USER_NAME;
opt.user_pwd = DFL_USER_PWD;
opt.mail_from = DFL_MAIL_FROM;
opt.mail_to = DFL_MAIL_TO;
opt.ca_file = DFL_CA_FILE;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
for (i = 1; i < argc; i++) {
p = argv[i];
if ((q = strchr(p, '=')) == NULL) {
goto usage;
}
*q++ = '\0';
if (strcmp(p, "server_name") == 0) {
opt.server_name = q;
} else if (strcmp(p, "server_port") == 0) {
opt.server_port = q;
} else if (strcmp(p, "debug_level") == 0) {
opt.debug_level = atoi(q);
if (opt.debug_level < 0 || opt.debug_level > 65535) {
goto usage;
}
} else if (strcmp(p, "authentication") == 0) {
opt.authentication = atoi(q);
if (opt.authentication < 0 || opt.authentication > 1) {
goto usage;
}
} else if (strcmp(p, "mode") == 0) {
opt.mode = atoi(q);
if (opt.mode < 0 || opt.mode > 1) {
goto usage;
}
} else if (strcmp(p, "user_name") == 0) {
opt.user_name = q;
} else if (strcmp(p, "user_pwd") == 0) {
opt.user_pwd = q;
} else if (strcmp(p, "mail_from") == 0) {
opt.mail_from = q;
} else if (strcmp(p, "mail_to") == 0) {
opt.mail_to = q;
} else if (strcmp(p, "ca_file") == 0) {
opt.ca_file = q;
} else if (strcmp(p, "crt_file") == 0) {
opt.crt_file = q;
} else if (strcmp(p, "key_file") == 0) {
opt.key_file = q;
} else if (strcmp(p, "force_ciphersuite") == 0) {
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);
if (opt.force_ciphersuite[0] <= 0) {
goto usage;
}
opt.force_ciphersuite[1] = 0;
} else {
goto usage;
}
}
/*
* 0. Initialize the RNG and the session data
*/
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1.1. Load the trusted CA
*/
mbedtls_printf(" . Loading the CA root certificate ...");
fflush(stdout);
#if defined(MBEDTLS_FS_IO)
if (strlen(opt.ca_file)) {
ret = mbedtls_x509_crt_parse_file(&cacert, opt.ca_file);
} else
#endif
#if defined(MBEDTLS_PEM_PARSE_C)
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
#else
{
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");
goto exit;
}
#endif
if (ret < 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok (%d skipped)\n", ret);
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
mbedtls_printf(" . Loading the client cert. and key...");
fflush(stdout);
#if defined(MBEDTLS_FS_IO)
if (strlen(opt.crt_file)) {
ret = mbedtls_x509_crt_parse_file(&clicert, opt.crt_file);
} else
#endif
ret = mbedtls_x509_crt_parse(&clicert, (const unsigned char *) mbedtls_test_cli_crt,
mbedtls_test_cli_crt_len);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
#if defined(MBEDTLS_FS_IO)
if (strlen(opt.key_file)) {
ret = mbedtls_pk_parse_keyfile(&pkey, opt.key_file, "",
mbedtls_ctr_drbg_random, &ctr_drbg);
} else
#endif
#if defined(MBEDTLS_PEM_PARSE_C)
{
ret = mbedtls_pk_parse_key(&pkey,
(const unsigned char *) mbedtls_test_cli_key,
mbedtls_test_cli_key_len,
NULL,
0,
mbedtls_ctr_drbg_random,
&ctr_drbg);
}
#else
{
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");
goto exit;
}
#endif
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Start the connection
*/
mbedtls_printf(" . Connecting to tcp/%s/%s...", opt.server_name,
opt.server_port);
fflush(stdout);
if ((ret = mbedtls_net_connect(&server_fd, opt.server_name,
opt.server_port, MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 3. Setup stuff
*/
mbedtls_printf(" . Setting up the SSL/TLS structure...");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
if (opt.force_ciphersuite[0] != DFL_FORCE_CIPHER) {
mbedtls_ssl_conf_ciphersuites(&conf, opt.force_ciphersuite);
}
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_set_hostname(&ssl, opt.server_name)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
mbedtls_printf(" ok\n");
if (opt.mode == MODE_SSL_TLS) {
if (do_handshake(&ssl) != 0) {
goto exit;
}
mbedtls_printf(" > Get header from server:");
fflush(stdout);
ret = write_ssl_and_get_response(&ssl, buf, 0);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write EHLO to server:");
fflush(stdout);
gethostname(hostname, 32);
len = sprintf((char *) buf, "EHLO %s\r\n", hostname);
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
} else {
mbedtls_printf(" > Get header from server:");
fflush(stdout);
ret = write_and_get_response(&server_fd, buf, 0);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write EHLO to server:");
fflush(stdout);
gethostname(hostname, 32);
len = sprintf((char *) buf, "EHLO %s\r\n", hostname);
ret = write_and_get_response(&server_fd, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write STARTTLS to server:");
fflush(stdout);
gethostname(hostname, 32);
len = sprintf((char *) buf, "STARTTLS\r\n");
ret = write_and_get_response(&server_fd, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
if (do_handshake(&ssl) != 0) {
goto exit;
}
}
#if defined(MBEDTLS_BASE64_C)
if (opt.authentication) {
mbedtls_printf(" > Write AUTH LOGIN to server:");
fflush(stdout);
len = sprintf((char *) buf, "AUTH LOGIN\r\n");
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 399) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write username to server: %s", opt.user_name);
fflush(stdout);
ret = mbedtls_base64_encode(base, sizeof(base), &n, (const unsigned char *) opt.user_name,
strlen(opt.user_name));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_base64_encode returned %d\n\n", ret);
goto exit;
}
len = sprintf((char *) buf, "%s\r\n", base);
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 300 || ret > 399) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write password to server: %s", opt.user_pwd);
fflush(stdout);
ret = mbedtls_base64_encode(base, sizeof(base), &n, (const unsigned char *) opt.user_pwd,
strlen(opt.user_pwd));
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_base64_encode returned %d\n\n", ret);
goto exit;
}
len = sprintf((char *) buf, "%s\r\n", base);
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 399) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
}
#endif
mbedtls_printf(" > Write MAIL FROM to server:");
fflush(stdout);
len = sprintf((char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from);
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write RCPT TO to server:");
fflush(stdout);
len = sprintf((char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to);
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write DATA to server:");
fflush(stdout);
len = sprintf((char *) buf, "DATA\r\n");
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 300 || ret > 399) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_printf(" > Write content to server:");
fflush(stdout);
len = sprintf((char *) buf, "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
"This is a simple test mail from the "
"Mbed TLS mail client example.\r\n"
"\r\n"
"Enjoy!", opt.mail_from);
ret = write_ssl_data(&ssl, buf, len);
len = sprintf((char *) buf, "\r\n.\r\n");
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
mbedtls_ssl_close_notify(&ssl);
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_net_free(&server_fd);
mbedtls_x509_crt_free(&clicert);
mbedtls_x509_crt_free(&cacert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C **
MBEDTLS_CTR_DRBG_C */

489
externals/mbedtls/programs/ssl/ssl_pthread_server.c vendored Normal file
View File

@@ -0,0 +1,489 @@
/*
* SSL server demonstration program using pthread for handling multiple
* clients.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_THREADING_C) || \
!defined(MBEDTLS_THREADING_PTHREAD) || !defined(MBEDTLS_PEM_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_exit(0);
}
#else
#include <stdlib.h>
#include <string.h>
#if defined(_WIN32)
#include <windows.h>
#endif
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
#endif
#define HTTP_RESPONSE \
"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
"<h2>Mbed TLS Test Server</h2>\r\n" \
"<p>Successful connection using: %s</p>\r\n"
#define DEBUG_LEVEL 0
#define MAX_NUM_THREADS 5
mbedtls_threading_mutex_t debug_mutex;
static void my_mutexed_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
long int thread_id = (long int) pthread_self();
mbedtls_mutex_lock(&debug_mutex);
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: [ #%ld ] %s",
file, line, thread_id, str);
fflush((FILE *) ctx);
mbedtls_mutex_unlock(&debug_mutex);
}
typedef struct {
mbedtls_net_context client_fd;
int thread_complete;
const mbedtls_ssl_config *config;
} thread_info_t;
typedef struct {
int active;
thread_info_t data;
pthread_t thread;
} pthread_info_t;
static thread_info_t base_info;
static pthread_info_t threads[MAX_NUM_THREADS];
static void *handle_ssl_connection(void *data)
{
int ret, len;
thread_info_t *thread_info = (thread_info_t *) data;
mbedtls_net_context *client_fd = &thread_info->client_fd;
long int thread_id = (long int) pthread_self();
unsigned char buf[1024];
mbedtls_ssl_context ssl;
/* Make sure memory references are valid */
mbedtls_ssl_init(&ssl);
mbedtls_printf(" [ #%ld ] Setting up SSL/TLS data\n", thread_id);
/*
* 4. Get the SSL context ready
*/
if ((ret = mbedtls_ssl_setup(&ssl, thread_info->config)) != 0) {
mbedtls_printf(" [ #%ld ] failed: mbedtls_ssl_setup returned -0x%04x\n",
thread_id, (unsigned int) -ret);
goto thread_exit;
}
mbedtls_ssl_set_bio(&ssl, client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
/*
* 5. Handshake
*/
mbedtls_printf(" [ #%ld ] Performing the SSL/TLS handshake\n", thread_id);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" [ #%ld ] failed: mbedtls_ssl_handshake returned -0x%04x\n",
thread_id, (unsigned int) -ret);
goto thread_exit;
}
}
mbedtls_printf(" [ #%ld ] ok\n", thread_id);
/*
* 6. Read the HTTP Request
*/
mbedtls_printf(" [ #%ld ] < Read from client\n", thread_id);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret <= 0) {
switch (ret) {
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" [ #%ld ] connection was closed gracefully\n",
thread_id);
goto thread_exit;
case MBEDTLS_ERR_NET_CONN_RESET:
mbedtls_printf(" [ #%ld ] connection was reset by peer\n",
thread_id);
goto thread_exit;
default:
mbedtls_printf(" [ #%ld ] mbedtls_ssl_read returned -0x%04x\n",
thread_id, (unsigned int) -ret);
goto thread_exit;
}
}
len = ret;
mbedtls_printf(" [ #%ld ] %d bytes read\n=====\n%s\n=====\n",
thread_id, len, (char *) buf);
if (ret > 0) {
break;
}
} while (1);
/*
* 7. Write the 200 Response
*/
mbedtls_printf(" [ #%ld ] > Write to client:\n", thread_id);
len = sprintf((char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite(&ssl));
while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
mbedtls_printf(" [ #%ld ] failed: peer closed the connection\n",
thread_id);
goto thread_exit;
}
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" [ #%ld ] failed: mbedtls_ssl_write returned -0x%04x\n",
thread_id, (unsigned int) ret);
goto thread_exit;
}
}
len = ret;
mbedtls_printf(" [ #%ld ] %d bytes written\n=====\n%s\n=====\n",
thread_id, len, (char *) buf);
mbedtls_printf(" [ #%ld ] . Closing the connection...", thread_id);
while ((ret = mbedtls_ssl_close_notify(&ssl)) < 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" [ #%ld ] failed: mbedtls_ssl_close_notify returned -0x%04x\n",
thread_id, (unsigned int) ret);
goto thread_exit;
}
}
mbedtls_printf(" ok\n");
ret = 0;
thread_exit:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf(" [ #%ld ] Last error was: -0x%04x - %s\n\n",
thread_id, (unsigned int) -ret, error_buf);
}
#endif
mbedtls_net_free(client_fd);
mbedtls_ssl_free(&ssl);
thread_info->thread_complete = 1;
return NULL;
}
static int thread_create(mbedtls_net_context *client_fd)
{
int ret, i;
/*
* Find in-active or finished thread slot
*/
for (i = 0; i < MAX_NUM_THREADS; i++) {
if (threads[i].active == 0) {
break;
}
if (threads[i].data.thread_complete == 1) {
mbedtls_printf(" [ main ] Cleaning up thread %d\n", i);
pthread_join(threads[i].thread, NULL);
memset(&threads[i], 0, sizeof(pthread_info_t));
break;
}
}
if (i == MAX_NUM_THREADS) {
return -1;
}
/*
* Fill thread-info for thread
*/
memcpy(&threads[i].data, &base_info, sizeof(base_info));
threads[i].active = 1;
memcpy(&threads[i].data.client_fd, client_fd, sizeof(mbedtls_net_context));
if ((ret = pthread_create(&threads[i].thread, NULL, handle_ssl_connection,
&threads[i].data)) != 0) {
return ret;
}
return 0;
}
int main(void)
{
int ret;
mbedtls_net_context listen_fd, client_fd;
const char pers[] = "ssl_pthread_server";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_x509_crt cachain;
mbedtls_pk_context pkey;
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
unsigned char alloc_buf[100000];
#endif
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
#endif
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init(&cache);
#endif
mbedtls_x509_crt_init(&srvcert);
mbedtls_x509_crt_init(&cachain);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(threads, 0, sizeof(threads));
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
mbedtls_mutex_init(&debug_mutex);
base_info.config = &conf;
/*
* We use only a single entropy source that is used in all the threads.
*/
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* 1a. Seed the random number generator
*/
mbedtls_printf(" . Seeding the random number generator...");
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1b. Load the certificates and private RSA key
*/
mbedtls_printf("\n . Loading the server cert. and key...");
fflush(stdout);
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse(&cachain, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
mbedtls_pk_init(&pkey);
ret = mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 1c. Prepare SSL configuration
*/
mbedtls_printf(" . Setting up the SSL data....");
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
(unsigned int) -ret);
goto exit;
}
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_mutexed_debug, stdout);
/* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if
* MBEDTLS_THREADING_C is set.
*/
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(&conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
#endif
mbedtls_ssl_conf_ca_chain(&conf, &cachain, NULL);
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Setup the listening TCP socket
*/
mbedtls_printf(" . Bind on https://localhost:4433/ ...");
fflush(stdout);
if ((ret = mbedtls_net_bind(&listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_bind returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
reset:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf(" [ main ] Last error was: -0x%04x - %s\n", (unsigned int) -ret,
error_buf);
}
#endif
/*
* 3. Wait until a client connects
*/
mbedtls_printf(" [ main ] Waiting for a remote connection\n");
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
NULL, 0, NULL)) != 0) {
mbedtls_printf(" [ main ] failed: mbedtls_net_accept returned -0x%04x\n",
(unsigned int) ret);
goto exit;
}
mbedtls_printf(" [ main ] ok\n");
mbedtls_printf(" [ main ] Creating a new thread\n");
if ((ret = thread_create(&client_fd)) != 0) {
mbedtls_printf(" [ main ] failed: thread_create returned %d\n", ret);
mbedtls_net_free(&client_fd);
goto reset;
}
ret = 0;
goto reset;
exit:
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free(&cache);
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_ssl_config_free(&conf);
mbedtls_net_free(&listen_fd);
mbedtls_mutex_free(&debug_mutex);
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_free();
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_THREADING_C &&
MBEDTLS_THREADING_PTHREAD && MBEDTLS_PEM_PARSE_C */

362
externals/mbedtls/programs/ssl/ssl_server.c vendored Normal file
View File

@@ -0,0 +1,362 @@
/*
* SSL server demonstration program
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \
!defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_exit(0);
}
#else
#include <stdlib.h>
#include <string.h>
#if defined(_WIN32)
#include <windows.h>
#endif
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
#endif
#define HTTP_RESPONSE \
"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
"<h2>Mbed TLS Test Server</h2>\r\n" \
"<p>Successful connection using: %s</p>\r\n"
#define DEBUG_LEVEL 0
static void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
((void) level);
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
fflush((FILE *) ctx);
}
int main(void)
{
int ret, len;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "ssl_server";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache;
#endif
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init(&cache);
#endif
mbedtls_x509_crt_init(&srvcert);
mbedtls_pk_init(&pkey);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
/*
* 1. Seed the RNG
*/
mbedtls_printf(" . Seeding the random number generator...");
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 2. Load the certificates and private RSA key
*/
mbedtls_printf("\n . Loading the server cert. and key...");
fflush(stdout);
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
* server and CA certificates, as well as mbedtls_pk_parse_keyfile().
*/
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
goto exit;
}
ret = mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 3. Setup the listening TCP socket
*/
mbedtls_printf(" . Bind on https://localhost:4433/ ...");
fflush(stdout);
if ((ret = mbedtls_net_bind(&listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_TCP)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_bind returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
/*
* 4. Setup stuff
*/
mbedtls_printf(" . Setting up the SSL data....");
fflush(stdout);
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(&conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
#endif
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
goto exit;
}
mbedtls_printf(" ok\n");
reset:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&client_fd);
mbedtls_ssl_session_reset(&ssl);
/*
* 3. Wait until a client connects
*/
mbedtls_printf(" . Waiting for a remote connection ...");
fflush(stdout);
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
NULL, 0, NULL)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_net_accept returned %d\n\n", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
mbedtls_printf(" ok\n");
/*
* 5. Handshake
*/
mbedtls_printf(" . Performing the SSL/TLS handshake...");
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret);
goto reset;
}
}
mbedtls_printf(" ok\n");
/*
* 6. Read the HTTP Request
*/
mbedtls_printf(" < Read from client:");
fflush(stdout);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = mbedtls_ssl_read(&ssl, buf, len);
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret <= 0) {
switch (ret) {
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed gracefully\n");
break;
case MBEDTLS_ERR_NET_CONN_RESET:
mbedtls_printf(" connection was reset by peer\n");
break;
default:
mbedtls_printf(" mbedtls_ssl_read returned -0x%x\n", (unsigned int) -ret);
break;
}
break;
}
len = ret;
mbedtls_printf(" %d bytes read\n\n%s", len, (char *) buf);
if (ret > 0) {
break;
}
} while (1);
/*
* 7. Write the 200 Response
*/
mbedtls_printf(" > Write to client:");
fflush(stdout);
len = sprintf((char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite(&ssl));
while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
mbedtls_printf(" failed\n ! peer closed the connection\n\n");
goto reset;
}
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
goto exit;
}
}
len = ret;
mbedtls_printf(" %d bytes written\n\n%s\n", len, (char *) buf);
mbedtls_printf(" . Closing the connection...");
while ((ret = mbedtls_ssl_close_notify(&ssl)) < 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf(" failed\n ! mbedtls_ssl_close_notify returned %d\n\n", ret);
goto reset;
}
}
mbedtls_printf(" ok\n");
ret = 0;
goto reset;
exit:
#ifdef MBEDTLS_ERROR_C
if (ret != 0) {
char error_buf[100];
mbedtls_strerror(ret, error_buf, 100);
mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
}
#endif
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free(&cache);
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C
&& MBEDTLS_FS_IO && MBEDTLS_PEM_PARSE_C */

4347
externals/mbedtls/programs/ssl/ssl_server2.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

375
externals/mbedtls/programs/ssl/ssl_test_common_source.c vendored Normal file
View File

@@ -0,0 +1,375 @@
/*
* Common source code for SSL test programs. This file is included by
* both ssl_client2.c and ssl_server2.c and is intended for source
* code that is textually identical in both programs, but that cannot be
* compiled separately because it refers to types or macros that are
* different in the two programs, or because it would have an incomplete
* type.
*
* This file is meant to be #include'd and cannot be compiled separately.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
void eap_tls_key_derivation(void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
{
eap_tls_keys *keys = (eap_tls_keys *) p_expkey;
/* We're only interested in the TLS 1.2 master secret */
if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
return;
}
if (secret_len != sizeof(keys->master_secret)) {
return;
}
memcpy(keys->master_secret, secret, sizeof(keys->master_secret));
memcpy(keys->randbytes, client_random, 32);
memcpy(keys->randbytes + 32, server_random, 32);
keys->tls_prf_type = tls_prf_type;
}
void nss_keylog_export(void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
{
char nss_keylog_line[200];
size_t const client_random_len = 32;
size_t len = 0;
size_t j;
/* We're only interested in the TLS 1.2 master secret */
if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
return;
}
((void) p_expkey);
((void) server_random);
((void) tls_prf_type);
len += sprintf(nss_keylog_line + len,
"%s", "CLIENT_RANDOM ");
for (j = 0; j < client_random_len; j++) {
len += sprintf(nss_keylog_line + len,
"%02x", client_random[j]);
}
len += sprintf(nss_keylog_line + len, " ");
for (j = 0; j < secret_len; j++) {
len += sprintf(nss_keylog_line + len,
"%02x", secret[j]);
}
len += sprintf(nss_keylog_line + len, "\n");
nss_keylog_line[len] = '\0';
mbedtls_printf("\n");
mbedtls_printf("---------------- NSS KEYLOG -----------------\n");
mbedtls_printf("%s", nss_keylog_line);
mbedtls_printf("---------------------------------------------\n");
if (opt.nss_keylog_file != NULL) {
FILE *f;
if ((f = fopen(opt.nss_keylog_file, "a")) == NULL) {
goto exit;
}
/* Ensure no stdio buffering of secrets, as such buffers cannot be
* wiped. */
mbedtls_setbuf(f, NULL);
if (fwrite(nss_keylog_line, 1, len, f) != len) {
fclose(f);
goto exit;
}
fclose(f);
}
exit:
mbedtls_platform_zeroize(nss_keylog_line,
sizeof(nss_keylog_line));
}
#if defined(MBEDTLS_SSL_DTLS_SRTP)
void dtls_srtp_key_derivation(void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type)
{
dtls_srtp_keys *keys = (dtls_srtp_keys *) p_expkey;
/* We're only interested in the TLS 1.2 master secret */
if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
return;
}
if (secret_len != sizeof(keys->master_secret)) {
return;
}
memcpy(keys->master_secret, secret, sizeof(keys->master_secret));
memcpy(keys->randbytes, client_random, 32);
memcpy(keys->randbytes + 32, server_random, 32);
keys->tls_prf_type = tls_prf_type;
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
int ssl_check_record(mbedtls_ssl_context const *ssl,
unsigned char const *buf, size_t len)
{
int my_ret = 0, ret_cr1, ret_cr2;
unsigned char *tmp_buf;
/* Record checking may modify the input buffer,
* so make a copy. */
tmp_buf = mbedtls_calloc(1, len);
if (tmp_buf == NULL) {
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
memcpy(tmp_buf, buf, len);
ret_cr1 = mbedtls_ssl_check_record(ssl, tmp_buf, len);
if (ret_cr1 != MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) {
/* Test-only: Make sure that mbedtls_ssl_check_record()
* doesn't alter state. */
memcpy(tmp_buf, buf, len); /* Restore buffer */
ret_cr2 = mbedtls_ssl_check_record(ssl, tmp_buf, len);
if (ret_cr2 != ret_cr1) {
mbedtls_printf("mbedtls_ssl_check_record() returned inconsistent results.\n");
my_ret = -1;
goto cleanup;
}
switch (ret_cr1) {
case 0:
break;
case MBEDTLS_ERR_SSL_INVALID_RECORD:
if (opt.debug_level > 1) {
mbedtls_printf("mbedtls_ssl_check_record() detected invalid record.\n");
}
break;
case MBEDTLS_ERR_SSL_INVALID_MAC:
if (opt.debug_level > 1) {
mbedtls_printf("mbedtls_ssl_check_record() detected unauthentic record.\n");
}
break;
case MBEDTLS_ERR_SSL_UNEXPECTED_RECORD:
if (opt.debug_level > 1) {
mbedtls_printf("mbedtls_ssl_check_record() detected unexpected record.\n");
}
break;
default:
mbedtls_printf("mbedtls_ssl_check_record() failed fatally with -%#04x.\n",
(unsigned int) -ret_cr1);
my_ret = -1;
goto cleanup;
}
/* Regardless of the outcome, forward the record to the stack. */
}
cleanup:
mbedtls_free(tmp_buf);
return my_ret;
}
int recv_cb(void *ctx, unsigned char *buf, size_t len)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
size_t recv_len;
int ret;
if (opt.nbio == 2) {
ret = delayed_recv(io_ctx->net, buf, len);
} else {
ret = mbedtls_net_recv(io_ctx->net, buf, len);
}
if (ret < 0) {
return ret;
}
recv_len = (size_t) ret;
if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
if (ssl_check_record(io_ctx->ssl, buf, recv_len) != 0) {
return -1;
}
}
return (int) recv_len;
}
int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
int ret;
size_t recv_len;
ret = mbedtls_net_recv_timeout(io_ctx->net, buf, len, timeout);
if (ret < 0) {
return ret;
}
recv_len = (size_t) ret;
if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
if (ssl_check_record(io_ctx->ssl, buf, recv_len) != 0) {
return -1;
}
}
return (int) recv_len;
}
int send_cb(void *ctx, unsigned char const *buf, size_t len)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
if (opt.nbio == 2) {
return delayed_send(io_ctx->net, buf, len);
}
return mbedtls_net_send(io_ctx->net, buf, len);
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
* support them, the handshake fails.
*/
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \
((hash << 8) | MBEDTLS_SSL_SIG_RSA), \
(0x800 | hash),
#else
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \
((hash << 8) | MBEDTLS_SSL_SIG_RSA),
#endif
#elif defined(MBEDTLS_PK_CAN_ECDSA_SOME)
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA),
#elif defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* See above */
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_RSA), \
(0x800 | hash),
#else
#define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_RSA),
#endif
#else
#define MBEDTLS_SSL_SIG_ALG(hash)
#endif
uint16_t ssl_sig_algs_for_test[] = {
#if defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA512)
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA384)
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA256)
#endif
#if defined(MBEDTLS_MD_CAN_SHA224)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA224)
#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
#if defined(MBEDTLS_MD_CAN_SHA1)
/* Allow SHA-1 as we use it extensively in tests. */
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1)
#endif
MBEDTLS_TLS1_3_SIG_NONE
};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
* for more info.
*/
int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
uint32_t flags)
{
#if !defined(MBEDTLS_X509_REMOVE_INFO)
return mbedtls_x509_crt_verify_info(buf, size, prefix, flags);
#else /* !MBEDTLS_X509_REMOVE_INFO */
int ret;
char *p = buf;
size_t n = size;
#define X509_CRT_ERROR_INFO(err, err_str, info) \
if ((flags & err) != 0) \
{ \
ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, info); \
MBEDTLS_X509_SAFE_SNPRINTF; \
flags ^= err; \
}
MBEDTLS_X509_CRT_ERROR_INFO_LIST
#undef X509_CRT_ERROR_INFO
if (flags != 0) {
ret = mbedtls_snprintf(p, n, "%sUnknown reason "
"(this should not happen)\n", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
}
return (int) (size - n);
#endif /* MBEDTLS_X509_REMOVE_INFO */
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_print_supported_sig_algs(void)
{
mbedtls_printf("supported signature algorithms:\n");
mbedtls_printf("\trsa_pkcs1_sha256 ");
mbedtls_printf("rsa_pkcs1_sha384 ");
mbedtls_printf("rsa_pkcs1_sha512\n");
mbedtls_printf("\tecdsa_secp256r1_sha256 ");
mbedtls_printf("ecdsa_secp384r1_sha384 ");
mbedtls_printf("ecdsa_secp521r1_sha512\n");
mbedtls_printf("\trsa_pss_rsae_sha256 ");
mbedtls_printf("rsa_pss_rsae_sha384 ");
mbedtls_printf("rsa_pss_rsae_sha512\n");
mbedtls_printf("\trsa_pss_pss_sha256 ");
mbedtls_printf("rsa_pss_pss_sha384 ");
mbedtls_printf("rsa_pss_pss_sha512\n");
mbedtls_printf("\ted25519 ");
mbedtls_printf("ed448 ");
mbedtls_printf("rsa_pkcs1_sha1 ");
mbedtls_printf("ecdsa_sha1\n");
mbedtls_printf("\n");
}

648
externals/mbedtls/programs/ssl/ssl_test_lib.c vendored Normal file
View File

@@ -0,0 +1,648 @@
/*
* Common code library for SSL test programs.
*
* In addition to the functions in this file, there is shared source code
* that cannot be compiled separately in "ssl_test_common_source.c".
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "ssl_test_lib.h"
#if defined(MBEDTLS_TEST_HOOKS)
#include "test/threading_helpers.h"
#endif
#if !defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
#define ARRAY_LENGTH(x) (sizeof(x)/sizeof(x[0]))
void my_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
const char *p, *basename;
/* Extract basename from file */
for (p = basename = file; *p != '\0'; p++) {
if (*p == '/' || *p == '\\') {
basename = p + 1;
}
}
mbedtls_fprintf((FILE *) ctx, "%s:%04d: |%d| %s",
basename, line, level, str);
fflush((FILE *) ctx);
}
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time)
{
(void) time;
return 0x5af2a056;
}
#endif
#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
static int dummy_entropy(void *data, unsigned char *output, size_t len)
{
size_t i;
int ret;
(void) data;
ret = mbedtls_entropy_func(data, output, len);
for (i = 0; i < len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) rand();
}
return ret;
}
#endif
void rng_init(rng_context_t *rng)
{
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
(void) rng;
psa_crypto_init();
#else /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init(&rng->drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_init(&rng->drbg);
#else
#error "No DRBG available"
#endif
mbedtls_entropy_init(&rng->entropy);
#endif /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
}
int rng_seed(rng_context_t *rng, int reproducible, const char *pers)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (reproducible) {
mbedtls_fprintf(stderr,
"MBEDTLS_USE_PSA_CRYPTO does not support reproducible mode.\n");
return -1;
}
#endif
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
/* The PSA crypto RNG does its own seeding. */
(void) rng;
(void) pers;
if (reproducible) {
mbedtls_fprintf(stderr,
"The PSA RNG does not support reproducible mode.\n");
return -1;
}
return 0;
#else /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
int (*f_entropy)(void *, unsigned char *, size_t) =
(reproducible ? dummy_entropy : mbedtls_entropy_func);
if (reproducible) {
srand(1);
}
#if defined(MBEDTLS_CTR_DRBG_C)
int ret = mbedtls_ctr_drbg_seed(&rng->drbg,
f_entropy, &rng->entropy,
(const unsigned char *) pers,
strlen(pers));
#elif defined(MBEDTLS_HMAC_DRBG_C)
#if defined(MBEDTLS_MD_CAN_SHA256)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA256;
#elif defined(MBEDTLS_MD_CAN_SHA512)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA512;
#else
#error "No message digest available for HMAC_DRBG"
#endif
int ret = mbedtls_hmac_drbg_seed(&rng->drbg,
mbedtls_md_info_from_type(md_type),
f_entropy, &rng->entropy,
(const unsigned char *) pers,
strlen(pers));
#else /* !defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_HMAC_DRBG_C) */
#error "No DRBG available"
#endif /* !defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_HMAC_DRBG_C) */
if (ret != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n",
(unsigned int) -ret);
return ret;
}
#endif /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
return 0;
}
void rng_free(rng_context_t *rng)
{
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
(void) rng;
/* Deinitialize the PSA crypto subsystem. This deactivates all PSA APIs.
* This is ok because none of our applications try to do any crypto after
* deinitializing the RNG. */
mbedtls_psa_crypto_free();
#else /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free(&rng->drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_free(&rng->drbg);
#else
#error "No DRBG available"
#endif
mbedtls_entropy_free(&rng->entropy);
#endif /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
}
int rng_get(void *p_rng, unsigned char *output, size_t output_len)
{
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
(void) p_rng;
return mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE,
output, output_len);
#else /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
rng_context_t *rng = p_rng;
#if defined(MBEDTLS_CTR_DRBG_C)
return mbedtls_ctr_drbg_random(&rng->drbg, output, output_len);
#elif defined(MBEDTLS_HMAC_DRBG_C)
return mbedtls_hmac_drbg_random(&rng->drbg, output, output_len);
#else
#error "No DRBG available"
#endif
#endif /* !MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
}
int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2)
{
char *separator;
if ((separator = strchr(arg, ',')) == NULL) {
return 1;
}
*separator = '\0';
*alg1 = arg;
*alg2 = separator + 1;
if (strcmp(*alg1, "rsa-sign-pkcs1") != 0 &&
strcmp(*alg1, "rsa-sign-pss") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha256") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha384") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha512") != 0 &&
strcmp(*alg1, "rsa-decrypt") != 0 &&
strcmp(*alg1, "ecdsa-sign") != 0 &&
strcmp(*alg1, "ecdh") != 0) {
return 1;
}
if (strcmp(*alg2, "rsa-sign-pkcs1") != 0 &&
strcmp(*alg2, "rsa-sign-pss") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha256") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha384") != 0 &&
strcmp(*alg1, "rsa-sign-pss-sha512") != 0 &&
strcmp(*alg2, "rsa-decrypt") != 0 &&
strcmp(*alg2, "ecdsa-sign") != 0 &&
strcmp(*alg2, "ecdh") != 0 &&
strcmp(*alg2, "none") != 0) {
return 1;
}
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
psa_algorithm_t *psa_alg1,
psa_algorithm_t *psa_alg2,
psa_key_usage_t *usage,
mbedtls_pk_type_t key_type)
{
if (strcmp(alg1, "none") != 0) {
const char *algs[] = { alg1, alg2 };
psa_algorithm_t *psa_algs[] = { psa_alg1, psa_alg2 };
for (int i = 0; i < 2; i++) {
if (strcmp(algs[i], "rsa-sign-pkcs1") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "rsa-sign-pss") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "rsa-sign-pss-sha256") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "rsa-sign-pss-sha384") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "rsa-sign-pss-sha512") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "rsa-decrypt") == 0) {
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;
*usage |= PSA_KEY_USAGE_DECRYPT;
} else if (strcmp(algs[i], "ecdsa-sign") == 0) {
*psa_algs[i] = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "ecdh") == 0) {
*psa_algs[i] = PSA_ALG_ECDH;
*usage |= PSA_KEY_USAGE_DERIVE;
} else if (strcmp(algs[i], "none") == 0) {
*psa_algs[i] = PSA_ALG_NONE;
}
}
} else {
if (key_type == MBEDTLS_PK_ECKEY) {
*psa_alg1 = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
*psa_alg2 = PSA_ALG_ECDH;
*usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
} else if (key_type == MBEDTLS_PK_RSA) {
*psa_alg1 = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH);
*psa_alg2 = PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH);
*usage = PSA_KEY_USAGE_SIGN_HASH;
} else {
return 1;
}
}
return 0;
}
#if defined(MBEDTLS_PK_C)
int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id)
{
int ret;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
ret = mbedtls_pk_get_psa_attributes(pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr);
if (ret != 0) {
return ret;
}
psa_set_key_usage_flags(&key_attr, psa_usage);
psa_set_key_algorithm(&key_attr, psa_alg);
if (psa_alg2 != PSA_ALG_NONE) {
psa_set_key_enrollment_algorithm(&key_attr, psa_alg2);
}
ret = mbedtls_pk_import_into_psa(pk, &key_attr, key_id);
if (ret != 0) {
return ret;
}
mbedtls_pk_free(pk);
mbedtls_pk_init(pk);
ret = mbedtls_pk_setup_opaque(pk, *key_id);
if (ret != 0) {
return ret;
}
return 0;
}
#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback(void *data, mbedtls_x509_crt const *child,
mbedtls_x509_crt **candidates)
{
int ret = 0;
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
mbedtls_x509_crt *first;
/* This is a test-only implementation of the CA callback
* which always returns the entire list of trusted certificates.
* Production implementations managing a large number of CAs
* should use an efficient presentation and lookup for the
* set of trusted certificates (such as a hashtable) and only
* return those trusted certificates which satisfy basic
* parental checks, such as the matching of child `Issuer`
* and parent `Subject` field or matching key identifiers. */
((void) child);
first = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
if (first == NULL) {
ret = -1;
goto exit;
}
mbedtls_x509_crt_init(first);
if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) {
ret = -1;
goto exit;
}
while (ca->next != NULL) {
ca = ca->next;
if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) {
ret = -1;
goto exit;
}
}
exit:
if (ret != 0) {
mbedtls_x509_crt_free(first);
mbedtls_free(first);
first = NULL;
}
*candidates = first;
return ret;
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
int delayed_recv(void *ctx, unsigned char *buf, size_t len)
{
static int first_try = 1;
int ret;
if (first_try) {
first_try = 0;
return MBEDTLS_ERR_SSL_WANT_READ;
}
ret = mbedtls_net_recv(ctx, buf, len);
if (ret != MBEDTLS_ERR_SSL_WANT_READ) {
first_try = 1; /* Next call will be a new operation */
}
return ret;
}
int delayed_send(void *ctx, const unsigned char *buf, size_t len)
{
static int first_try = 1;
int ret;
if (first_try) {
first_try = 0;
return MBEDTLS_ERR_SSL_WANT_WRITE;
}
ret = mbedtls_net_send(ctx, buf, len);
if (ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
first_try = 1; /* Next call will be a new operation */
}
return ret;
}
#if !defined(MBEDTLS_TIMING_C)
int idle(mbedtls_net_context *fd,
int idle_reason)
#else
int idle(mbedtls_net_context *fd,
mbedtls_timing_delay_context *timer,
int idle_reason)
#endif
{
int ret;
int poll_type = 0;
if (idle_reason == MBEDTLS_ERR_SSL_WANT_WRITE) {
poll_type = MBEDTLS_NET_POLL_WRITE;
} else if (idle_reason == MBEDTLS_ERR_SSL_WANT_READ) {
poll_type = MBEDTLS_NET_POLL_READ;
}
#if !defined(MBEDTLS_TIMING_C)
else {
return 0;
}
#endif
while (1) {
/* Check if timer has expired */
#if defined(MBEDTLS_TIMING_C)
if (timer != NULL &&
mbedtls_timing_get_delay(timer) == 2) {
break;
}
#endif /* MBEDTLS_TIMING_C */
/* Check if underlying transport became available */
if (poll_type != 0) {
ret = mbedtls_net_poll(fd, poll_type, 0);
if (ret < 0) {
return ret;
}
if (ret == poll_type) {
break;
}
}
}
return 0;
}
#if defined(MBEDTLS_TEST_HOOKS)
void test_hooks_init(void)
{
mbedtls_test_info_reset();
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
mbedtls_test_mutex_usage_init();
#endif
}
int test_hooks_failure_detected(void)
{
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
/* Errors are reported via mbedtls_test_info. */
mbedtls_test_mutex_usage_check();
#endif
if (mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_SUCCESS) {
return 1;
}
return 0;
}
void test_hooks_free(void)
{
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
mbedtls_test_mutex_usage_end();
#endif
}
#endif /* MBEDTLS_TEST_HOOKS */
static const struct {
uint16_t tls_id;
const char *name;
uint8_t is_supported;
} tls_id_group_name_table[] =
{
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
{ MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 0 },
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
{ MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", 1 },
#else
{ MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448", 0 },
#endif
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
defined(PSA_WANT_ALG_FFDH)
#if defined(PSA_WANT_DH_RFC7919_2048)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 1 },
#else /* PSA_WANT_DH_RFC7919_2048 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 0 },
#endif /* PSA_WANT_DH_RFC7919_2048 */
#if defined(PSA_WANT_DH_RFC7919_3072)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 1 },
#else /* PSA_WANT_DH_RFC7919_3072 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 0 },
#endif /* PSA_WANT_DH_RFC7919_3072 */
#if defined(PSA_WANT_DH_RFC7919_4096)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 1 },
#else /* PSA_WANT_DH_RFC7919_4096 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 0 },
#endif /* PSA_WANT_DH_RFC7919_4096 */
#if defined(PSA_WANT_DH_RFC7919_6144)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 1 },
#else /* PSA_WANT_DH_RFC7919_6144 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 0 },
#endif /* PSA_WANT_DH_RFC7919_6144 */
#if defined(PSA_WANT_DH_RFC7919_8192)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 1 },
#else /* PSA_WANT_DH_RFC7919_8192 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 0 },
#endif /* PSA_WANT_DH_RFC7919_8192 */
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_FFDH */
{ 0, NULL, 0 },
};
static uint16_t mbedtls_ssl_get_curve_tls_id_from_name(const char *name)
{
if (name == NULL) {
return 0;
}
for (int i = 0; tls_id_group_name_table[i].tls_id != 0; i++) {
if (strcmp(tls_id_group_name_table[i].name, name) == 0) {
return tls_id_group_name_table[i].tls_id;
}
}
return 0;
}
static void mbedtls_ssl_print_supported_groups_list(void)
{
for (int i = 0; tls_id_group_name_table[i].tls_id != 0; i++) {
if (tls_id_group_name_table[i].is_supported == 1) {
mbedtls_printf("%s ", tls_id_group_name_table[i].name);
}
}
}
int parse_groups(const char *groups, uint16_t *group_list, size_t group_list_len)
{
char *p = (char *) groups;
char *q = NULL;
size_t i = 0;
if (strcmp(p, "none") == 0) {
group_list[0] = 0;
} else if (strcmp(p, "default") != 0) {
/* Leave room for a final NULL in group list */
while (i < group_list_len - 1 && *p != '\0') {
uint16_t curve_tls_id;
q = p;
/* Terminate the current string */
while (*p != ',' && *p != '\0') {
p++;
}
if (*p == ',') {
*p++ = '\0';
}
if ((curve_tls_id = mbedtls_ssl_get_curve_tls_id_from_name(q)) != 0) {
group_list[i++] = curve_tls_id;
} else {
mbedtls_printf("unknown group %s\n", q);
mbedtls_printf("supported groups: ");
mbedtls_ssl_print_supported_groups_list();
mbedtls_printf("\n");
return -1;
}
}
mbedtls_printf("Number of groups: %u\n", (unsigned int) i);
if (i == group_list_len - 1 && *p != '\0') {
mbedtls_printf("groups list too long, maximum %u",
(unsigned int) (group_list_len - 1));
return -1;
}
group_list[i] = 0;
}
return 0;
}
#endif /* !defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) */

331
externals/mbedtls/programs/ssl/ssl_test_lib.h vendored Normal file
View File

@@ -0,0 +1,331 @@
/*
* Common code for SSL test programs
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H
#define MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#include "mbedtls/md.h"
#undef HAVE_RNG
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || \
defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG))
#define HAVE_RNG
#elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
#define HAVE_RNG
#elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_HMAC_DRBG_C) && \
(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA512))
#define HAVE_RNG
#endif
#if !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_SSL_TLS_C)
#define MBEDTLS_SSL_TEST_IMPOSSIBLE \
"MBEDTLS_NET_C and/or " \
"MBEDTLS_SSL_TLS_C not defined."
#elif !defined(HAVE_RNG)
#define MBEDTLS_SSL_TEST_IMPOSSIBLE \
"No random generator is available.\n"
#else
#undef MBEDTLS_SSL_TEST_IMPOSSIBLE
#undef HAVE_RNG
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
#include "mbedtls/base64.h"
#include "test/certs.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
#endif
#include <test/helpers.h>
#include "../test/query_config.h"
#define ALPN_LIST_SIZE 10
#define GROUP_LIST_SIZE 25
#define SIG_ALG_LIST_SIZE 5
typedef struct eap_tls_keys {
unsigned char master_secret[48];
unsigned char randbytes[64];
mbedtls_tls_prf_types tls_prf_type;
} eap_tls_keys;
#if defined(MBEDTLS_SSL_DTLS_SRTP)
/* Supported SRTP mode needs a maximum of :
* - 16 bytes for key (AES-128)
* - 14 bytes SALT
* One for sender, one for receiver context
*/
#define MBEDTLS_TLS_SRTP_MAX_KEY_MATERIAL_LENGTH 60
typedef struct dtls_srtp_keys {
unsigned char master_secret[48];
unsigned char randbytes[64];
mbedtls_tls_prf_types tls_prf_type;
} dtls_srtp_keys;
#endif /* MBEDTLS_SSL_DTLS_SRTP */
typedef struct {
mbedtls_ssl_context *ssl;
mbedtls_net_context *net;
} io_ctx_t;
void my_debug(void *ctx, int level,
const char *file, int line,
const char *str);
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
/* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use
* mbedtls_psa_get_random() rather than entropy+DRBG as a random generator.
*
* The constraints are:
* - Without the entropy module, the PSA RNG is the only option.
* - Without at least one of the DRBG modules, the PSA RNG is the only option.
* - The PSA RNG does not support explicit seeding, so it is incompatible with
* the reproducible mode used by test programs.
* - For good overall test coverage, there should be at least one configuration
* where the test programs use the PSA RNG while the PSA RNG is itself based
* on entropy+DRBG, and at least one configuration where the test programs
* do not use the PSA RNG even though it's there.
*
* A simple choice that meets the constraints is to use the PSA RNG whenever
* MBEDTLS_USE_PSA_CRYPTO is enabled. There's no real technical reason the
* choice to use the PSA RNG in the test programs and the choice to use
* PSA crypto when TLS code needs crypto have to be tied together, but it
* happens to be a good match. It's also a good match from an application
* perspective: either PSA is preferred for TLS (both for crypto and for
* random generation) or it isn't.
*/
#define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG
#endif
/** A context for random number generation (RNG).
*/
typedef struct {
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
unsigned char dummy;
#else /* MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context drbg;
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_context drbg;
#else
#error "No DRBG available"
#endif
#endif /* MBEDTLS_TEST_USE_PSA_CRYPTO_RNG */
} rng_context_t;
/** Initialize the RNG.
*
* This function only initializes the memory used by the RNG context.
* Before using the RNG, it must be seeded with rng_seed().
*/
void rng_init(rng_context_t *rng);
/* Seed the random number generator.
*
* \param rng The RNG context to use. It must have been initialized
* with rng_init().
* \param reproducible If zero, seed the RNG from entropy.
* If nonzero, use a fixed seed, so that the program
* will produce the same sequence of random numbers
* each time it is invoked.
* \param pers A null-terminated string. Different values for this
* string cause the RNG to emit different output for
* the same seed.
*
* return 0 on success, a negative value on error.
*/
int rng_seed(rng_context_t *rng, int reproducible, const char *pers);
/** Deinitialize the RNG. Free any embedded resource.
*
* \param rng The RNG context to deinitialize. It must have been
* initialized with rng_init().
*/
void rng_free(rng_context_t *rng);
/** Generate random data.
*
* This function is suitable for use as the \c f_rng argument to Mbed TLS
* library functions.
*
* \param p_rng The random generator context. This must be a pointer to
* a #rng_context_t structure.
* \param output The buffer to fill.
* \param output_len The length of the buffer in bytes.
*
* \return \c 0 on success.
* \return An Mbed TLS error code on error.
*/
int rng_get(void *p_rng, unsigned char *output, size_t output_len);
/** Parse command-line option: key_opaque_algs
*
*
* \param arg String value of key_opaque_algs
* Coma-separated pair of values among the following:
* - "rsa-sign-pkcs1"
* - "rsa-sign-pss"
* - "rsa-decrypt"
* - "ecdsa-sign"
* - "ecdh"
* - "none" (only acceptable for the second value).
* \param alg1 Address of pointer to alg #1
* \param alg2 Address of pointer to alg #2
*
* \return \c 0 on success.
* \return \c 1 on parse failure.
*/
int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/** Parse given opaque key algorithms to obtain psa algs and usage
* that will be passed to mbedtls_pk_wrap_as_opaque().
*
*
* \param alg1 input string opaque key algorithm #1
* \param alg2 input string opaque key algorithm #2
* \param psa_alg1 output PSA algorithm #1
* \param psa_alg2 output PSA algorithm #2
* \param usage output key usage
* \param key_type key type used to set default psa algorithm/usage
* when alg1 in "none"
*
* \return \c 0 on success.
* \return \c 1 on parse failure.
*/
int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
psa_algorithm_t *psa_alg1,
psa_algorithm_t *psa_alg2,
psa_key_usage_t *usage,
mbedtls_pk_type_t key_type);
#if defined(MBEDTLS_PK_C)
/** Turn a non-opaque PK context into an opaque one with folowing steps:
* - extract the key data and attributes from the PK context.
* - import the key material into PSA.
* - free the provided PK context and re-initilize it as an opaque PK context
* wrapping the PSA key imported in the above step.
*
* \param[in/out] pk On input the non-opaque PK context which contains the
* key to be wrapped. On output the re-initialized PK
* context which represents the opaque version of the one
* provided as input.
* \param[in] psa_alg The primary algorithm that will be associated to the
* PSA key.
* \param[in] psa_alg2 The enrollment algorithm that will be associated to the
* PSA key.
* \param[in] psa_usage The PSA key usage policy.
* \param[out] key_id The PSA key identifier of the imported key.
*
* \return \c 0 on sucess.
* \return \c -1 on failure.
*/
int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id);
#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
/* The test implementation of the PSA external RNG is insecure. When
* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, before using any PSA crypto
* function that makes use of an RNG, you must call
* mbedtls_test_enable_insecure_external_rng(). */
#include <test/fake_external_rng_for_test.h>
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback(void *data, mbedtls_x509_crt const *child,
mbedtls_x509_crt **candidates);
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/*
* Test recv/send functions that make sure each try returns
* WANT_READ/WANT_WRITE at least once before succeeding
*/
int delayed_recv(void *ctx, unsigned char *buf, size_t len);
int delayed_send(void *ctx, const unsigned char *buf, size_t len);
/*
* Wait for an event from the underlying transport or the timer
* (Used in event-driven IO mode).
*/
int idle(mbedtls_net_context *fd,
#if defined(MBEDTLS_TIMING_C)
mbedtls_timing_delay_context *timer,
#endif
int idle_reason);
#if defined(MBEDTLS_TEST_HOOKS)
/** Initialize whatever test hooks are enabled by the compile-time
* configuration and make sense for the TLS test programs. */
void test_hooks_init(void);
/** Check if any test hooks detected a problem.
*
* If a problem was detected, it's ok for the calling program to keep going,
* but it should ultimately exit with an error status.
*
* \note When implementing a test hook that detects errors on its own
* (as opposed to e.g. leaving the error for a memory sanitizer to
* report), make sure to print a message to standard error either at
* the time the problem is detected or during the execution of this
* function. This function does not indicate what problem was detected,
* so printing a message is the only way to provide feedback in the
* logs of the calling program.
*
* \return Nonzero if a problem was detected.
* \c 0 if no problem was detected.
*/
int test_hooks_failure_detected(void);
/** Free any resources allocated for the sake of test hooks.
*
* Call this at the end of the program so that resource leak analyzers
* don't complain.
*/
void test_hooks_free(void);
#endif /* !MBEDTLS_TEST_HOOKS */
/* Helper functions for FFDH groups. */
int parse_groups(const char *groups, uint16_t *group_list, size_t group_list_len);
#endif /* MBEDTLS_SSL_TEST_IMPOSSIBLE conditions: else */
#endif /* MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H */

92
externals/mbedtls/programs/test/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,92 @@
set(libs
${mbedtls_target}
)
set(executables_libs
metatest
query_included_headers
selftest
udp_proxy
)
set(executables_mbedcrypto
benchmark
query_compile_time_config
zeroize
)
if(TEST_CPP)
set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp")
set(generate_cpp_dummy_build "${CMAKE_CURRENT_SOURCE_DIR}/generate_cpp_dummy_build.sh")
add_custom_command(
OUTPUT "${cpp_dummy_build_cpp}"
COMMAND "${generate_cpp_dummy_build}" "${cpp_dummy_build_cpp}"
DEPENDS "${generate_cpp_dummy_build}"
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
)
add_executable(cpp_dummy_build "${cpp_dummy_build_cpp}")
target_include_directories(cpp_dummy_build PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
target_link_libraries(cpp_dummy_build ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
endif()
if(USE_SHARED_MBEDTLS_LIBRARY AND
NOT ${CMAKE_SYSTEM_NAME} MATCHES "[Ww][Ii][Nn]")
add_executable(dlopen "dlopen.c")
target_include_directories(dlopen PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
target_link_libraries(dlopen ${CMAKE_DL_LIBS})
endif()
if(GEN_FILES)
find_package(Perl REQUIRED)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/query_config.c
COMMAND
${PERL}
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
${CMAKE_CURRENT_BINARY_DIR}/query_config.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
)
# this file will also be used in another directory, so create a target, see
# https://gitlab.kitware.com/cmake/community/-/wikis/FAQ#how-can-i-add-a-dependency-to-a-source-file-which-is-generated-in-a-subdirectory
add_custom_target(generate_query_config_c
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/query_config.c)
else()
link_to_source(query_config.c)
endif()
foreach(exe IN LISTS executables_libs executables_mbedcrypto)
set(extra_sources "")
if(exe STREQUAL "query_compile_time_config")
list(APPEND extra_sources
${CMAKE_CURRENT_SOURCE_DIR}/query_config.h
${CMAKE_CURRENT_BINARY_DIR}/query_config.c)
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library)
if(exe STREQUAL "query_compile_time_config")
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR})
endif()
# This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
list(FIND executables_libs ${exe} exe_index)
if (${exe_index} GREATER -1)
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
else()
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
endif()
endforeach()
install(TARGETS ${executables_libs} ${executables_mbedcrypto}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

1271
externals/mbedtls/programs/test/benchmark.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

3
externals/mbedtls/programs/test/cmake_package/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
build
Makefile
cmake_package

38
externals/mbedtls/programs/test/cmake_package/CMakeLists.txt vendored Normal file
View File

@@ -0,0 +1,38 @@
cmake_minimum_required(VERSION 3.5.1)
#
# Simulate configuring and building Mbed TLS as the user might do it. We'll
# skip installing it, and use the build directory directly instead.
#
set(MbedTLS_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../../..")
set(MbedTLS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbedtls")
execute_process(
COMMAND "${CMAKE_COMMAND}"
"-H${MbedTLS_SOURCE_DIR}"
"-B${MbedTLS_BINARY_DIR}"
"-DENABLE_PROGRAMS=NO"
"-DENABLE_TESTING=NO"
# Turn on generated files explicitly in case this is a release
"-DGEN_FILES=ON")
execute_process(
COMMAND "${CMAKE_COMMAND}"
--build "${MbedTLS_BINARY_DIR}")
#
# Locate the package.
#
set(MbedTLS_DIR "${MbedTLS_BINARY_DIR}/cmake")
find_package(MbedTLS REQUIRED)
#
# At this point, the Mbed TLS targets should have been imported, and we can now
# link to them from our own program.
#
add_executable(cmake_package cmake_package.c)
target_link_libraries(cmake_package
MbedTLS::mbedcrypto MbedTLS::mbedtls MbedTLS::mbedx509)

27
externals/mbedtls/programs/test/cmake_package/cmake_package.c vendored Normal file
View File

@@ -0,0 +1,27 @@
/*
* Simple program to test that Mbed TLS builds correctly as a CMake package.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#include "mbedtls/version.h"
/* The main reason to build this is for testing the CMake build, so the program
* doesn't need to do very much. It calls a single library function to ensure
* linkage works, but that is all. */
int main()
{
/* This version string is 18 bytes long, as advised by version.h. */
char version[18];
mbedtls_version_get_string_full(version);
mbedtls_printf("Built against %s\n", version);
return 0;
}

Some files were not shown because too many files have changed in this diff Show More