2.7: New password-based authenticated encryption sample program pbcrypt#2472
gilles-peskine-arm wants to merge 8 commits into Mbed-TLS:mbedtls-2.7
Force-pushed from 5b98db7 to 78ea903.
Force-pushed from d538625 to 593f68e.
@gilles-peskine-arm There appears to be a significant intersection with #2698 - adding sample usage scripts for programs and testing them in the CI. Does that mean the two PRs conflict with each other? If that's the case, I'd suggest giving priority to #2698 and labeling this one as "needs: preceding PR".
Sample program for authenticated encryption using a key derived from a password. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test it in all.sh. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The sample program aescrypt2 shows bad practice: hand-rolled CBC implementation, CBC+HMAC for AEAD, hand-rolled iterated SHA-2 for key stretching, no algorithm agility. The new sample program pbcrypt does the same thing, but better. So remove aescrypt2. Fix Mbed-TLS#1906 Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Force-pushed from 593f68e to 143bf4d.
Ok, thanks!
| @@ -0,0 +1,87 @@ | |||
| #!/bin/sh | |||
| set -e -u | |||
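Review bot: `set -e -u` under `#!/bin/sh` leaves pipelines unchecked, because `-o pipefail` is a bash extension and is not available to a POSIX `sh` script; with `-e` alone only the exit status of the last command in a pipeline aborts the script, so any check in this demo that pipes a producing command into a consumer should either avoid the pipeline or test the producer's status explicitly.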
When #2698 is ready and backported, include demo_common.sh and adapt the code here accordingly.
mpg left a comment:
I've made a design review and I'm happy with the design. In particular, using a temporary file avoids releasing possibly unauthentic plaintext, which would otherwise be a risk with streaming AEAD decryption.
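The pattern praised above, decrypting into a temporary file and publishing the result only after the authentication tag verifies, as an added example that is not code from the pbcrypt program or from Mbed TLS. Everything here is constructed for illustration: the file layout (salt, nonce, ciphertext, tag), the scrypt key derivation, and the HMAC-SHA256 counter-mode stream cipher, which stands in for a real AEAD only because the Python standard library ships none; pbcrypt itself uses the library AEAD through the `mbedtls_cipher` API. The part worth reading is `decrypt_to_path`: plaintext is streamed to a `mkstemp` file in the destination directory while the MAC runs over the ciphertext, and `os.replace` makes it visible under the requested name only after `hmac.compare_digest` succeeds; any failure unlinks the temporary file, so a tampered or truncated input never leaves partial plaintext behind.

```python
# Added example (not code from Mbed TLS or pbcrypt): decrypt a
# password-protected file into a temporary file and publish it only after
# the authentication tag verifies, so unauthenticated plaintext is never
# released to the caller's path.
import hashlib
import hmac
import os
import struct
import tempfile

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
CHUNK = 4096          # multiple of the 32-byte keystream block


def derive_keys(password: bytes, salt: bytes) -> tuple:
    """Stretch the password with scrypt (a real KDF, not hand-rolled iterated
    SHA-2) into independent encryption and MAC keys."""
    okm = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]


def _keystream_block(enc_key: bytes, nonce: bytes, counter: int) -> bytes:
    # Constructed stand-in stream cipher: HMAC-SHA256 in counter mode. It is
    # here only because the stdlib has no AEAD; real code uses the library's
    # AES-GCM or ChaCha20-Poly1305.
    return hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes, start_block: int) -> bytes:
    """XOR data with keystream blocks starting at start_block (32 bytes each)."""
    out = bytearray(len(data))
    block = start_block
    for off in range(0, len(data), 32):
        ks = _keystream_block(enc_key, nonce, block)
        piece = data[off:off + 32]
        out[off:off + len(piece)] = bytes(a ^ b for a, b in zip(piece, ks))
        block += 1
    return bytes(out)


def encrypt_bytes(password: bytes, plaintext: bytes) -> bytes:
    """Constructed format: salt | nonce | ciphertext | tag (encrypt-then-MAC,
    tag over salt, nonce and ciphertext)."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = _xor_stream(enc_key, nonce, plaintext, 0)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_to_path(password: bytes, in_path: str, out_path: str) -> bool:
    """Stream-decrypt in_path into a temp file beside out_path and rename it
    onto out_path only if the tag verifies. Returns True on success; on any
    failure the temp file is removed and out_path is left untouched."""
    total = os.path.getsize(in_path)
    ct_len = total - SALT_LEN - NONCE_LEN - TAG_LEN
    if ct_len < 0:
        return False
    with open(in_path, "rb") as f:
        salt = f.read(SALT_LEN)
        nonce = f.read(NONCE_LEN)
        enc_key, mac_key = derive_keys(password, salt)
        mac = hmac.new(mac_key, salt + nonce, hashlib.sha256)
        out_dir = os.path.dirname(os.path.abspath(out_path))
        fd, tmp_path = tempfile.mkstemp(dir=out_dir, prefix=".pbcrypt-")
        try:
            with os.fdopen(fd, "wb") as tmp:
                remaining, block = ct_len, 0
                while remaining > 0:
                    chunk = f.read(min(CHUNK, remaining))
                    if not chunk:
                        return False                      # truncated input
                    remaining -= len(chunk)
                    mac.update(chunk)                     # MAC the ciphertext
                    tmp.write(_xor_stream(enc_key, nonce, chunk, block))
                    block += len(chunk) // 32             # only the last chunk is partial
                tag = f.read(TAG_LEN)
            if len(tag) != TAG_LEN or not hmac.compare_digest(mac.digest(), tag):
                return False                              # unauthentic: nothing published
            os.replace(tmp_path, out_path)                # atomic publish after verification
            tmp_path = None
            return True
        finally:
            if tmp_path is not None:
                os.unlink(tmp_path)


def demo() -> dict:
    """Constructed round trip: correct password succeeds; a tampered file is
    rejected and leaves no output or temp file behind."""
    password = b"correct horse battery staple"            # constructed sample
    plaintext = b"attack at dawn\n" * 300                 # 4500 bytes, spans two chunks
    with tempfile.TemporaryDirectory() as d:
        enc_path, out_path = os.path.join(d, "msg.enc"), os.path.join(d, "msg.txt")
        blob = encrypt_bytes(password, plaintext)
        with open(enc_path, "wb") as f:
            f.write(blob)
        ok = decrypt_to_path(password, enc_path, out_path)
        with open(out_path, "rb") as f:
            recovered = f.read()
        tampered = bytearray(blob)
        tampered[SALT_LEN + NONCE_LEN + 5] ^= 0x01        # flip one ciphertext bit
        bad_path, out2 = os.path.join(d, "msg2.enc"), os.path.join(d, "msg2.txt")
        with open(bad_path, "wb") as f:
            f.write(bytes(tampered))
        rejected = not decrypt_to_path(password, bad_path, out2)
        return {"ok": ok, "match": recovered == plaintext, "tampered_rejected": rejected,
                "no_partial_output": not os.path.exists(out2),
                "files": sorted(os.listdir(d))}


if __name__ == "__main__":
    print(demo())
```

The same temporary-file discipline applies whichever AEAD sits underneath: with a streaming decryption API the tag is only known at the end, so the unverified plaintext must live somewhere the caller cannot observe until then, and the destination directory is the right place for it so that the final rename stays on one filesystem and is atomic.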
programs/cipher/pbcrypt.c
| (unsigned long long) header[7] ), | ||
| payload_size <= SIZE_MAX, | ||
| "Payload too large" ); | ||
| metadata->payload_size = payload_size; |
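Review bot: `metadata->payload_size = payload_size;` silently narrows an `unsigned long long` to `size_t`; the `payload_size <= SIZE_MAX` check just above makes the assignment safe on every platform, but on 32-bit targets the implicit conversion still draws a compiler warning, which breaks builds that treat warnings as errors, so spell the intent out as `metadata->payload_size = (size_t) payload_size;` with a one-line comment pointing at the range check.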
This line is causing failures on Windows due to the conversion from unsigned long long to size_t. Given the check above it should be fine, but the compiler is complaining about it.
This is a cast to a smaller type on 32-bit platforms. It's ok because the size was checked just above, but Visual Studio wants the cast to be explicit. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This cast is needed because mbedtls_cipher_setkey uses int instead of size_t for the key size. It's safe because the key size fits in an int. Visual Studio wants the cast to be explicit. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Due to the imminent retirement of 2.7, I am closing this pull request. I have ported the program to 2.16 in #4216. Compared to the 2.7 version, I added ChaChaPoly support and fixed a couple of minor bugs, all in new commits.
This PR introduces `programs/cipher/pbcrypt`, a new sample program to demonstrate password-based authenticated encryption. This is meant to illustrate good practice, so please review accordingly. A few caveats:

- Provide a demo usage script and run it from `all.sh`.
- Remove the badly designed `aescrypt2`. Fix #1906.

This PR is for 2.7. I'll forward-port it to 2.16+ once it's approved. I think this will mean the following changes:

- `#ifdef` about `main` and to `cipher_is_aead`.
- `mbedtls_zeroize` by `mbedtls_platform_zeroize`.
- `key_ladder_demo` demonstrates symmetric key derivation and single-part AEAD.