aboutsummaryrefslogtreecommitdiff
path: root/lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c
diff options
context:
space:
mode:
authorAdam Harrison <adamdharrison@gmail.com>2022-11-26 16:20:59 -0500
committerAdam Harrison <adamdharrison@gmail.com>2022-11-29 18:39:46 -0500
commitfc0c4ed9a3103e0e6534311923668879fc8e0875 (patch)
tree6e7723c3f45d39f06c243d9c18a3c038da948793 /lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c
parent3836606e2b735ba7b2dc0f580231843660587fb4 (diff)
downloadlite-xl-plugin-manager-fc0c4ed9a3103e0e6534311923668879fc8e0875.tar.gz
lite-xl-plugin-manager-fc0c4ed9a3103e0e6534311923668879fc8e0875.zip
Removed openssl, and curl, and added mbedded tls.curl-removal
Almost fully removed curl, needs more testing. Fixed most issues, now trying to cross compile. Fix? Sigh.
Diffstat (limited to 'lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c')
-rw-r--r--lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c707
1 files changed, 707 insertions, 0 deletions
diff --git a/lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c b/lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c
new file mode 100644
index 0000000..5d64349
--- /dev/null
+++ b/lib/mbedtls-2.27.0/programs/psa/key_ladder_demo.c
@@ -0,0 +1,707 @@
+/**
+ * PSA API key derivation demonstration
+ *
+ * This program calculates a key ladder: a chain of secret material, each
+ * derived from the previous one in a deterministic way based on a label.
+ * Two keys are identical if and only if they are derived from the same key
+ * using the same label.
+ *
+ * The initial key is called the master key. The master key is normally
+ * randomly generated, but it could itself be derived from another key.
+ *
+ * This program derives a series of keys called intermediate keys.
+ * The first intermediate key is derived from the master key using the
+ * first label passed on the command line. Each subsequent intermediate
+ * key is derived from the previous one using the next label passed
+ * on the command line.
+ *
+ * This program has four modes of operation:
+ *
+ * - "generate": generate a random master key.
+ * - "wrap": derive a wrapping key from the last intermediate key,
+ * and use that key to encrypt-and-authenticate some data.
+ * - "unwrap": derive a wrapping key from the last intermediate key,
+ * and use that key to decrypt-and-authenticate some
+ * ciphertext created by wrap mode.
+ * - "save": save the last intermediate key so that it can be reused as
+ * the master key in another run of the program.
+ *
+ * See the usage() output for the command line usage. See the file
+ * `key_ladder_demo.sh` for an example run.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* First include Mbed TLS headers to get the Mbed TLS configuration and
+ * platform definitions that we'll use in this program. Also include
+ * standard C headers for functions we'll use here. */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
+
+#include <psa/crypto.h>
+
+/* If the build options we need are not enabled, compile a placeholder. */
+#if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
+ !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \
+ !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \
+ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+int main( void )
+{
+ printf( "MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or "
+ "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or "
+ "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "
+ "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER "
+ "defined.\n" );
+ return( 0 );
+}
+#else
+
+/* The real program starts here. */
+
+/* Run a system function and bail out if it fails. */
+#define SYS_CHECK( expr ) \
+ do \
+ { \
+ if( ! ( expr ) ) \
+ { \
+ perror( #expr ); \
+ status = DEMO_ERROR; \
+ goto exit; \
+ } \
+ } \
+ while( 0 )
+
+/* Run a PSA function and bail out if it fails. */
+#define PSA_CHECK( expr ) \
+ do \
+ { \
+ status = ( expr ); \
+ if( status != PSA_SUCCESS ) \
+ { \
+ printf( "Error %d at line %d: %s\n", \
+ (int) status, \
+ __LINE__, \
+ #expr ); \
+ goto exit; \
+ } \
+ } \
+ while( 0 )
+
+/* To report operational errors in this program, use an error code that is
+ * different from every PSA error code. */
+#define DEMO_ERROR 120
+
+/* The maximum supported key ladder depth. */
+#define MAX_LADDER_DEPTH 10
+
+/* Salt to use when deriving an intermediate key. */
+#define DERIVE_KEY_SALT ( (uint8_t *) "key_ladder_demo.derive" )
+#define DERIVE_KEY_SALT_LENGTH ( strlen( (const char*) DERIVE_KEY_SALT ) )
+
+/* Salt to use when deriving a wrapping key. */
+#define WRAPPING_KEY_SALT ( (uint8_t *) "key_ladder_demo.wrap" )
+#define WRAPPING_KEY_SALT_LENGTH ( strlen( (const char*) WRAPPING_KEY_SALT ) )
+
+/* Size of the key derivation keys (applies both to the master key and
+ * to intermediate keys). */
+#define KEY_SIZE_BYTES 40
+
+/* Algorithm for key derivation. */
+#define KDF_ALG PSA_ALG_HKDF( PSA_ALG_SHA_256 )
+
+/* Type and size of the key used to wrap data. */
+#define WRAPPING_KEY_TYPE PSA_KEY_TYPE_AES
+#define WRAPPING_KEY_BITS 128
+
+/* Cipher mode used to wrap data. */
+#define WRAPPING_ALG PSA_ALG_CCM
+
+/* Nonce size used to wrap data. */
+#define WRAPPING_IV_SIZE 13
+
+/* Header used in files containing wrapped data. We'll save this header
+ * directly without worrying about data representation issues such as
+ * integer sizes and endianness, because the data is meant to be read
+ * back by the same program on the same machine. */
+#define WRAPPED_DATA_MAGIC "key_ladder_demo" // including trailing null byte
+#define WRAPPED_DATA_MAGIC_LENGTH ( sizeof( WRAPPED_DATA_MAGIC ) )
+typedef struct
+{
+ char magic[WRAPPED_DATA_MAGIC_LENGTH];
+ size_t ad_size; /* Size of the additional data, which is this header. */
+ size_t payload_size; /* Size of the encrypted data. */
+ /* Store the IV inside the additional data. It's convenient. */
+ uint8_t iv[WRAPPING_IV_SIZE];
+} wrapped_data_header_t;
+
+/* The modes that this program can operate in (see usage). */
+enum program_mode
+{
+ MODE_GENERATE,
+ MODE_SAVE,
+ MODE_UNWRAP,
+ MODE_WRAP
+};
+
+/* Save a key to a file. In the real world, you may want to export a derived
+ * key sometimes, to share it with another party. */
+static psa_status_t save_key( psa_key_id_t key,
+ const char *output_file_name )
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t key_data[KEY_SIZE_BYTES];
+ size_t key_size;
+ FILE *key_file = NULL;
+
+ PSA_CHECK( psa_export_key( key,
+ key_data, sizeof( key_data ),
+ &key_size ) );
+ SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL );
+ SYS_CHECK( fwrite( key_data, 1, key_size, key_file ) == key_size );
+ SYS_CHECK( fclose( key_file ) == 0 );
+ key_file = NULL;
+
+exit:
+ if( key_file != NULL)
+ fclose( key_file );
+ return( status );
+}
+
+/* Generate a master key for use in this demo.
+ *
+ * Normally a master key would be non-exportable. For the purpose of this
+ * demo, we want to save it to a file, to avoid relying on the keystore
+ * capability of the PSA crypto library. */
+static psa_status_t generate( const char *key_file_name )
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_id_t key = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags( &attributes,
+ PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT );
+ psa_set_key_algorithm( &attributes, KDF_ALG );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE );
+ psa_set_key_bits( &attributes, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ) );
+
+ PSA_CHECK( psa_generate_key( &attributes, &key ) );
+
+ PSA_CHECK( save_key( key, key_file_name ) );
+
+exit:
+ (void) psa_destroy_key( key );
+ return( status );
+}
+
+/* Load the master key from a file.
+ *
+ * In the real world, this master key would be stored in an internal memory
+ * and the storage would be managed by the keystore capability of the PSA
+ * crypto library. */
+static psa_status_t import_key_from_file( psa_key_usage_t usage,
+ psa_algorithm_t alg,
+ const char *key_file_name,
+ psa_key_id_t *master_key )
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t key_data[KEY_SIZE_BYTES];
+ size_t key_size;
+ FILE *key_file = NULL;
+ unsigned char extra_byte;
+
+ SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL );
+ SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ),
+ key_file ) ) != 0 );
+ if( fread( &extra_byte, 1, 1, key_file ) != 0 )
+ {
+ printf( "Key file too large (max: %u).\n",
+ (unsigned) sizeof( key_data ) );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+ SYS_CHECK( fclose( key_file ) == 0 );
+ key_file = NULL;
+
+ psa_set_key_usage_flags( &attributes, usage );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE );
+ PSA_CHECK( psa_import_key( &attributes, key_data, key_size, master_key ) );
+exit:
+ if( key_file != NULL )
+ fclose( key_file );
+ mbedtls_platform_zeroize( key_data, sizeof( key_data ) );
+ if( status != PSA_SUCCESS )
+ {
+ /* If the key creation hasn't happened yet or has failed,
+ * *master_key is null. psa_destroy_key( 0 ) is
+ * guaranteed to do nothing and return PSA_SUCCESS. */
+ (void) psa_destroy_key( *master_key );
+ *master_key = 0;
+ }
+ return( status );
+}
+
+/* Derive the intermediate keys, using the list of labels provided on
+ * the command line. On input, *key is the master key identifier.
+ * This function destroys the master key. On successful output, *key
+ * is the identifier of the final derived key.
+ */
+static psa_status_t derive_key_ladder( const char *ladder[],
+ size_t ladder_depth,
+ psa_key_id_t *key )
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ size_t i;
+
+ psa_set_key_usage_flags( &attributes,
+ PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT );
+ psa_set_key_algorithm( &attributes, KDF_ALG );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE );
+ psa_set_key_bits( &attributes, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ) );
+
+ /* For each label in turn, ... */
+ for( i = 0; i < ladder_depth; i++ )
+ {
+ /* Start deriving material from the master key (if i=0) or from
+ * the current intermediate key (if i>0). */
+ PSA_CHECK( psa_key_derivation_setup( &operation, KDF_ALG ) );
+ PSA_CHECK( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_SALT,
+ DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH ) );
+ PSA_CHECK( psa_key_derivation_input_key(
+ &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+ *key ) );
+ PSA_CHECK( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_INFO,
+ (uint8_t*) ladder[i], strlen( ladder[i] ) ) );
+ /* When the parent key is not the master key, destroy it,
+ * since it is no longer needed. */
+ PSA_CHECK( psa_destroy_key( *key ) );
+ *key = 0;
+ /* Derive the next intermediate key from the parent key. */
+ PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation,
+ key ) );
+ PSA_CHECK( psa_key_derivation_abort( &operation ) );
+ }
+
+exit:
+ psa_key_derivation_abort( &operation );
+ if( status != PSA_SUCCESS )
+ {
+ psa_destroy_key( *key );
+ *key = 0;
+ }
+ return( status );
+}
+
+/* Derive a wrapping key from the last intermediate key. */
+static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
+ psa_key_id_t derived_key,
+ psa_key_id_t *wrapping_key )
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ *wrapping_key = 0;
+
+ /* Set up a key derivation operation from the key derived from
+ * the master key. */
+ PSA_CHECK( psa_key_derivation_setup( &operation, KDF_ALG ) );
+ PSA_CHECK( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_SALT,
+ WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH ) );
+ PSA_CHECK( psa_key_derivation_input_key(
+ &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+ derived_key ) );
+ PSA_CHECK( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_INFO,
+ NULL, 0 ) );
+
+ /* Create the wrapping key. */
+ psa_set_key_usage_flags( &attributes, usage );
+ psa_set_key_algorithm( &attributes, WRAPPING_ALG );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_AES );
+ psa_set_key_bits( &attributes, WRAPPING_KEY_BITS );
+ PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation,
+ wrapping_key ) );
+
+exit:
+ psa_key_derivation_abort( &operation );
+ return( status );
+}
+
+static psa_status_t wrap_data( const char *input_file_name,
+ const char *output_file_name,
+ psa_key_id_t wrapping_key )
+{
+ psa_status_t status;
+ FILE *input_file = NULL;
+ FILE *output_file = NULL;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+ long input_position;
+ size_t input_size;
+ size_t buffer_size = 0;
+ unsigned char *buffer = NULL;
+ size_t ciphertext_size;
+ wrapped_data_header_t header;
+
+ /* Find the size of the data to wrap. */
+ SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+ SYS_CHECK( fseek( input_file, 0, SEEK_END ) == 0 );
+ SYS_CHECK( ( input_position = ftell( input_file ) ) != -1 );
+#if LONG_MAX > SIZE_MAX
+ if( input_position > SIZE_MAX )
+ {
+ printf( "Input file too large.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+#endif
+ input_size = input_position;
+ PSA_CHECK( psa_get_key_attributes( wrapping_key, &attributes ) );
+ key_type = psa_get_key_type( &attributes );
+ buffer_size =
+ PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, WRAPPING_ALG, input_size );
+ /* Check for integer overflow. */
+ if( buffer_size < input_size )
+ {
+ printf( "Input file too large.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+
+ /* Load the data to wrap. */
+ SYS_CHECK( fseek( input_file, 0, SEEK_SET ) == 0 );
+ SYS_CHECK( ( buffer = calloc( 1, buffer_size ) ) != NULL );
+ SYS_CHECK( fread( buffer, 1, input_size, input_file ) == input_size );
+ SYS_CHECK( fclose( input_file ) == 0 );
+ input_file = NULL;
+
+ /* Construct a header. */
+ memcpy( &header.magic, WRAPPED_DATA_MAGIC, WRAPPED_DATA_MAGIC_LENGTH );
+ header.ad_size = sizeof( header );
+ header.payload_size = input_size;
+
+ /* Wrap the data. */
+ PSA_CHECK( psa_generate_random( header.iv, WRAPPING_IV_SIZE ) );
+ PSA_CHECK( psa_aead_encrypt( wrapping_key, WRAPPING_ALG,
+ header.iv, WRAPPING_IV_SIZE,
+ (uint8_t *) &header, sizeof( header ),
+ buffer, input_size,
+ buffer, buffer_size,
+ &ciphertext_size ) );
+
+ /* Write the output. */
+ SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+ SYS_CHECK( fwrite( &header, 1, sizeof( header ),
+ output_file ) == sizeof( header ) );
+ SYS_CHECK( fwrite( buffer, 1, ciphertext_size,
+ output_file ) == ciphertext_size );
+ SYS_CHECK( fclose( output_file ) == 0 );
+ output_file = NULL;
+
+exit:
+ if( input_file != NULL )
+ fclose( input_file );
+ if( output_file != NULL )
+ fclose( output_file );
+ if( buffer != NULL )
+ mbedtls_platform_zeroize( buffer, buffer_size );
+ free( buffer );
+ return( status );
+}
+
+static psa_status_t unwrap_data( const char *input_file_name,
+ const char *output_file_name,
+ psa_key_id_t wrapping_key )
+{
+ psa_status_t status;
+ FILE *input_file = NULL;
+ FILE *output_file = NULL;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+ unsigned char *buffer = NULL;
+ size_t ciphertext_size = 0;
+ size_t plaintext_size;
+ wrapped_data_header_t header;
+ unsigned char extra_byte;
+
+ /* Load and validate the header. */
+ SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+ SYS_CHECK( fread( &header, 1, sizeof( header ),
+ input_file ) == sizeof( header ) );
+ if( memcmp( &header.magic, WRAPPED_DATA_MAGIC,
+ WRAPPED_DATA_MAGIC_LENGTH ) != 0 )
+ {
+ printf( "The input does not start with a valid magic header.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+ if( header.ad_size != sizeof( header ) )
+ {
+ printf( "The header size is not correct.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+ PSA_CHECK( psa_get_key_attributes( wrapping_key, &attributes) );
+ key_type = psa_get_key_type( &attributes);
+ ciphertext_size =
+ PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, WRAPPING_ALG, header.payload_size );
+ /* Check for integer overflow. */
+ if( ciphertext_size < header.payload_size )
+ {
+ printf( "Input file too large.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+
+ /* Load the payload data. */
+ SYS_CHECK( ( buffer = calloc( 1, ciphertext_size ) ) != NULL );
+ SYS_CHECK( fread( buffer, 1, ciphertext_size,
+ input_file ) == ciphertext_size );
+ if( fread( &extra_byte, 1, 1, input_file ) != 0 )
+ {
+ printf( "Extra garbage after ciphertext\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+ SYS_CHECK( fclose( input_file ) == 0 );
+ input_file = NULL;
+
+ /* Unwrap the data. */
+ PSA_CHECK( psa_aead_decrypt( wrapping_key, WRAPPING_ALG,
+ header.iv, WRAPPING_IV_SIZE,
+ (uint8_t *) &header, sizeof( header ),
+ buffer, ciphertext_size,
+ buffer, ciphertext_size,
+ &plaintext_size ) );
+ if( plaintext_size != header.payload_size )
+ {
+ printf( "Incorrect payload size in the header.\n" );
+ status = DEMO_ERROR;
+ goto exit;
+ }
+
+ /* Write the output. */
+ SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+ SYS_CHECK( fwrite( buffer, 1, plaintext_size,
+ output_file ) == plaintext_size );
+ SYS_CHECK( fclose( output_file ) == 0 );
+ output_file = NULL;
+
+exit:
+ if( input_file != NULL )
+ fclose( input_file );
+ if( output_file != NULL )
+ fclose( output_file );
+ if( buffer != NULL )
+ mbedtls_platform_zeroize( buffer, ciphertext_size );
+ free( buffer );
+ return( status );
+}
+
+static psa_status_t run( enum program_mode mode,
+ const char *key_file_name,
+ const char *ladder[], size_t ladder_depth,
+ const char *input_file_name,
+ const char *output_file_name )
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_id_t derivation_key = 0;
+ psa_key_id_t wrapping_key = 0;
+
+ /* Initialize the PSA crypto library. */
+ PSA_CHECK( psa_crypto_init( ) );
+
+ /* Generate mode is unlike the others. Generate the master key and exit. */
+ if( mode == MODE_GENERATE )
+ return( generate( key_file_name ) );
+
+ /* Read the master key. */
+ PSA_CHECK( import_key_from_file( PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT,
+ KDF_ALG,
+ key_file_name,
+ &derivation_key ) );
+
+ /* Calculate the derived key for this session. */
+ PSA_CHECK( derive_key_ladder( ladder, ladder_depth,
+ &derivation_key ) );
+
+ switch( mode )
+ {
+ case MODE_SAVE:
+ PSA_CHECK( save_key( derivation_key, output_file_name ) );
+ break;
+ case MODE_UNWRAP:
+ PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_DECRYPT,
+ derivation_key,
+ &wrapping_key ) );
+ PSA_CHECK( unwrap_data( input_file_name, output_file_name,
+ wrapping_key ) );
+ break;
+ case MODE_WRAP:
+ PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_ENCRYPT,
+ derivation_key,
+ &wrapping_key ) );
+ PSA_CHECK( wrap_data( input_file_name, output_file_name,
+ wrapping_key ) );
+ break;
+ default:
+ /* Unreachable but some compilers don't realize it. */
+ break;
+ }
+
+exit:
+ /* Destroy any remaining key. Deinitializing the crypto library would do
+ * this anyway since they are volatile keys, but explicitly destroying
+ * keys makes the code easier to reuse. */
+ (void) psa_destroy_key( derivation_key );
+ (void) psa_destroy_key( wrapping_key );
+ /* Deinitialize the PSA crypto library. */
+ mbedtls_psa_crypto_free( );
+ return( status );
+}
+
+static void usage( void )
+{
+ printf( "Usage: key_ladder_demo MODE [OPTION=VALUE]...\n" );
+ printf( "Demonstrate the usage of a key derivation ladder.\n" );
+ printf( "\n" );
+ printf( "Modes:\n" );
+ printf( " generate Generate the master key\n" );
+ printf( " save Save the derived key\n" );
+ printf( " unwrap Unwrap (decrypt) input with the derived key\n" );
+ printf( " wrap Wrap (encrypt) input with the derived key\n" );
+ printf( "\n" );
+ printf( "Options:\n" );
+ printf( " input=FILENAME Input file (required for wrap/unwrap)\n" );
+ printf( " master=FILENAME File containing the master key (default: master.key)\n" );
+ printf( " output=FILENAME Output file (required for save/wrap/unwrap)\n" );
+ printf( " label=TEXT Label for the key derivation.\n" );
+ printf( " This may be repeated multiple times.\n" );
+ printf( " To get the same key, you must use the same master key\n" );
+ printf( " and the same sequence of labels.\n" );
+}
+
+int main( int argc, char *argv[] )
+{
+ const char *key_file_name = "master.key";
+ const char *input_file_name = NULL;
+ const char *output_file_name = NULL;
+ const char *ladder[MAX_LADDER_DEPTH];
+ size_t ladder_depth = 0;
+ int i;
+ enum program_mode mode;
+ psa_status_t status;
+
+ if( argc <= 1 ||
+ strcmp( argv[1], "help" ) == 0 ||
+ strcmp( argv[1], "-help" ) == 0 ||
+ strcmp( argv[1], "--help" ) == 0 )
+ {
+ usage( );
+ return( EXIT_SUCCESS );
+ }
+
+ for( i = 2; i < argc; i++ )
+ {
+ char *q = strchr( argv[i], '=' );
+ if( q == NULL )
+ {
+ printf( "Missing argument to option %s\n", argv[i] );
+ goto usage_failure;
+ }
+ *q = 0;
+ ++q;
+ if( strcmp( argv[i], "input" ) == 0 )
+ input_file_name = q;
+ else if( strcmp( argv[i], "label" ) == 0 )
+ {
+ if( ladder_depth == MAX_LADDER_DEPTH )
+ {
+ printf( "Maximum ladder depth %u exceeded.\n",
+ (unsigned) MAX_LADDER_DEPTH );
+ return( EXIT_FAILURE );
+ }
+ ladder[ladder_depth] = q;
+ ++ladder_depth;
+ }
+ else if( strcmp( argv[i], "master" ) == 0 )
+ key_file_name = q;
+ else if( strcmp( argv[i], "output" ) == 0 )
+ output_file_name = q;
+ else
+ {
+ printf( "Unknown option: %s\n", argv[i] );
+ goto usage_failure;
+ }
+ }
+
+ if( strcmp( argv[1], "generate" ) == 0 )
+ mode = MODE_GENERATE;
+ else if( strcmp( argv[1], "save" ) == 0 )
+ mode = MODE_SAVE;
+ else if( strcmp( argv[1], "unwrap" ) == 0 )
+ mode = MODE_UNWRAP;
+ else if( strcmp( argv[1], "wrap" ) == 0 )
+ mode = MODE_WRAP;
+ else
+ {
+ printf( "Unknown action: %s\n", argv[1] );
+ goto usage_failure;
+ }
+
+ if( input_file_name == NULL &&
+ ( mode == MODE_WRAP || mode == MODE_UNWRAP ) )
+ {
+ printf( "Required argument missing: input\n" );
+ return( DEMO_ERROR );
+ }
+ if( output_file_name == NULL &&
+ ( mode == MODE_SAVE || mode == MODE_WRAP || mode == MODE_UNWRAP ) )
+ {
+ printf( "Required argument missing: output\n" );
+ return( DEMO_ERROR );
+ }
+
+ status = run( mode, key_file_name,
+ ladder, ladder_depth,
+ input_file_name, output_file_name );
+ return( status == PSA_SUCCESS ?
+ EXIT_SUCCESS :
+ EXIT_FAILURE );
+
+usage_failure:
+ usage( );
+ return( EXIT_FAILURE );
+}
+#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && MBEDTLS_AES_C && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */