Fido U2F complete (#716)
[proxmark3-svn] / client / crypto / libpcrypto.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2018 Merlok
3 // Copyright (C) 2018 drHatson
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // crypto commands
10 //-----------------------------------------------------------------------------
11
12 #include "crypto/libpcrypto.h"
13 #include <stdlib.h>
14 #include <unistd.h>
15 #include <string.h>
16 #include <mbedtls/asn1.h>
17 #include <mbedtls/aes.h>
18 #include <mbedtls/cmac.h>
19 #include <mbedtls/pk.h>
20 #include <mbedtls/ecdsa.h>
21 #include <mbedtls/sha256.h>
22 #include <mbedtls/ctr_drbg.h>
23 #include <mbedtls/entropy.h>
24 #include <mbedtls/error.h>
25 #include <crypto/asn1utils.h>
26 #include <util.h>
27
28 // NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
29 int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
30 uint8_t iiv[16] = {0};
31 if (iv)
32 memcpy(iiv, iv, 16);
33
34 mbedtls_aes_context aes;
35 mbedtls_aes_init(&aes);
36 if (mbedtls_aes_setkey_enc(&aes, key, 128))
37 return 1;
38 if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, length, iiv, input, output))
39 return 2;
40 mbedtls_aes_free(&aes);
41
42 return 0;
43 }
44
45 int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
46 uint8_t iiv[16] = {0};
47 if (iv)
48 memcpy(iiv, iv, 16);
49
50 mbedtls_aes_context aes;
51 mbedtls_aes_init(&aes);
52 if (mbedtls_aes_setkey_dec(&aes, key, 128))
53 return 1;
54 if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, length, iiv, input, output))
55 return 2;
56 mbedtls_aes_free(&aes);
57
58 return 0;
59 }
60
61 // NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
62 // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
63 int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
64 memset(mac, 0x00, 16);
65
66 // NIST 800-38B
67 return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac);
68 }
69
70 int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
71 uint8_t cmac[16] = {0};
72 memset(mac, 0x00, 8);
73
74 int res = aes_cmac(iv, key, input, cmac, length);
75 if (res)
76 return res;
77
78 for(int i = 0; i < 8; i++)
79 mac[i] = cmac[i * 2 + 1];
80
81 return 0;
82 }
83
84 static uint8_t fixed_rand_value[250] = {0};
85 static int fixed_rand(void *rng_state, unsigned char *output, size_t len) {
86 if (len <= 250) {
87 memcpy(output, fixed_rand_value, len);
88 } else {
89 memset(output, 0x00, len);
90 }
91
92 return 0;
93 }
94
95 int sha256hash(uint8_t *input, int length, uint8_t *hash) {
96 if (!hash || !input)
97 return 1;
98
99 mbedtls_sha256_context sctx;
100 mbedtls_sha256_init(&sctx);
101 mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224
102 mbedtls_sha256_update(&sctx, input, length);
103 mbedtls_sha256_finish(&sctx, hash);
104 mbedtls_sha256_free(&sctx);
105
106 return 0;
107 }
108
109 int ecdsa_init_str(mbedtls_ecdsa_context *ctx, char * key_d, char *key_x, char *key_y) {
110 if (!ctx)
111 return 1;
112
113 int res;
114
115 mbedtls_ecdsa_init(ctx);
116 res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
117 if (res)
118 return res;
119
120 if (key_d) {
121 res = mbedtls_mpi_read_string(&ctx->d, 16, key_d);
122 if (res)
123 return res;
124 }
125
126 if (key_x && key_y) {
127 res = mbedtls_ecp_point_read_string(&ctx->Q, 16, key_x, key_y);
128 if (res)
129 return res;
130 }
131
132 return 0;
133 }
134
135 int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t * key_d, uint8_t *key_xy) {
136 if (!ctx)
137 return 1;
138
139 int res;
140
141 mbedtls_ecdsa_init(ctx);
142 res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
143 if (res)
144 return res;
145
146 if (key_d) {
147 res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32);
148 if (res)
149 return res;
150 }
151
152 if (key_xy) {
153 res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1);
154 if (res)
155 return res;
156 }
157
158 return 0;
159 }
160
161 int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy) {
162 int res;
163 mbedtls_ecdsa_context ctx;
164 ecdsa_init(&ctx, NULL, NULL);
165
166
167 mbedtls_entropy_context entropy;
168 mbedtls_ctr_drbg_context ctr_drbg;
169 const char *pers = "ecdsaproxmark";
170
171 mbedtls_entropy_init(&entropy);
172 mbedtls_ctr_drbg_init(&ctr_drbg);
173
174 res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
175 if (res)
176 goto exit;
177
178 res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg);
179 if (res)
180 goto exit;
181
182 res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32);
183 if (res)
184 goto exit;
185
186 size_t keylen = 0;
187 uint8_t public_key[200] = {0};
188 res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key));
189 if (res)
190 goto exit;
191
192 if (keylen != 65) { // 0x04 <key x 32b><key y 32b>
193 res = 1;
194 goto exit;
195 }
196 memcpy(key_xy, public_key, 65);
197
198 exit:
199 mbedtls_entropy_free(&entropy);
200 mbedtls_ctr_drbg_free(&ctr_drbg);
201 mbedtls_ecdsa_free(&ctx);
202 return res;
203 }
204
205 char *ecdsa_get_error(int ret) {
206 static char retstr[300];
207 memset(retstr, 0x00, sizeof(retstr));
208 mbedtls_strerror(ret, retstr, sizeof(retstr));
209 return retstr;
210 }
211
212 int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen) {
213 int res = 0;
214 size_t realkeylen = 0;
215 if (keylen < 65)
216 return 1;
217
218 mbedtls_ecdsa_context ctx;
219 mbedtls_ecdsa_init(&ctx);
220
221 res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
222 if (res)
223 goto exit;
224
225 res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) );
226 if (res)
227 goto exit;
228
229 res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen);
230 if (realkeylen != 65)
231 res = 2;
232 exit:
233 mbedtls_ecdsa_free(&ctx);
234 return res;
235 }
236
237 int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
238 int res;
239 *signaturelen = 0;
240
241 uint8_t shahash[32] = {0};
242 res = sha256hash(input, length, shahash);
243 if (res)
244 return res;
245
246 mbedtls_entropy_context entropy;
247 mbedtls_ctr_drbg_context ctr_drbg;
248 const char *pers = "ecdsaproxmark";
249
250 mbedtls_entropy_init(&entropy);
251 mbedtls_ctr_drbg_init(&ctr_drbg);
252
253 res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
254 if (res)
255 goto exit;
256
257 mbedtls_ecdsa_context ctx;
258 ecdsa_init(&ctx, key_d, key_xy);
259 res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg);
260
261 exit:
262 mbedtls_ctr_drbg_free(&ctr_drbg);
263 mbedtls_ecdsa_free(&ctx);
264 return res;
265 }
266
267 int ecdsa_signature_create_test(char * key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
268 int res;
269 *signaturelen = 0;
270
271 uint8_t shahash[32] = {0};
272 res = sha256hash(input, length, shahash);
273 if (res)
274 return res;
275
276 int rndlen = 0;
277 param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen);
278
279 mbedtls_ecdsa_context ctx;
280 ecdsa_init_str(&ctx, key_d, key_x, key_y);
281 res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL);
282
283 mbedtls_ecdsa_free(&ctx);
284 return res;
285 }
286
287 int ecdsa_signature_verify_keystr(char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
288 int res;
289 uint8_t shahash[32] = {0};
290 res = sha256hash(input, length, shahash);
291 if (res)
292 return res;
293
294 mbedtls_ecdsa_context ctx;
295 ecdsa_init_str(&ctx, NULL, key_x, key_y);
296 res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
297
298 mbedtls_ecdsa_free(&ctx);
299 return res;
300 }
301
302 int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
303 int res;
304 uint8_t shahash[32] = {0};
305 res = sha256hash(input, length, shahash);
306 if (res)
307 return res;
308
309 mbedtls_ecdsa_context ctx;
310 ecdsa_init(&ctx, NULL, key_xy);
311 res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
312
313 mbedtls_ecdsa_free(&ctx);
314 return res;
315 }
316
317 #define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
318 #define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
319 #define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
320 #define T_K "7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE"
321 #define T_R "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F"
322 #define T_S "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1"
323
324 int ecdsa_nist_test(bool verbose) {
325 int res;
326 uint8_t input[] = "Example of ECDSA with P-256";
327 int length = strlen((char *)input);
328 uint8_t signature[300] = {0};
329 size_t siglen = 0;
330
331 // NIST ecdsa test
332 if (verbose)
333 printf(" ECDSA NIST test: ");
334 // make signature
335 res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen);
336 // printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
337 if (res)
338 goto exit;
339
340 // check vectors
341 uint8_t rval[300] = {0};
342 uint8_t sval[300] = {0};
343 res = ecdsa_asn1_get_signature(signature, siglen, rval, sval);
344 if (res)
345 goto exit;
346
347 int slen = 0;
348 uint8_t rval_s[33] = {0};
349 param_gethex_to_eol(T_R, 0, rval_s, sizeof(rval_s), &slen);
350 uint8_t sval_s[33] = {0};
351 param_gethex_to_eol(T_S, 0, sval_s, sizeof(sval_s), &slen);
352 if (strncmp((char *)rval, (char *)rval_s, 32) || strncmp((char *)sval, (char *)sval_s, 32)) {
353 printf("R or S check error\n");
354 res = 100;
355 goto exit;
356 }
357
358 // verify signature
359 res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
360 if (res)
361 goto exit;
362
363 // verify wrong signature
364 input[0] ^= 0xFF;
365 res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
366 if (!res) {
367 res = 1;
368 goto exit;
369 }
370 if (verbose)
371 printf("passed\n");
372
373 // random ecdsa test
374 if (verbose)
375 printf(" ECDSA binary signature create/check test: ");
376
377 uint8_t key_d[32] = {0};
378 uint8_t key_xy[32 * 2 + 2] = {0};
379 memset(signature, 0x00, sizeof(signature));
380 siglen = 0;
381
382 res = ecdsa_key_create(key_d, key_xy);
383 if (res)
384 goto exit;
385
386 res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen);
387 if (res)
388 goto exit;
389
390 res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
391 if (res)
392 goto exit;
393
394 input[0] ^= 0xFF;
395 res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
396 if (!res)
397 goto exit;
398
399 if (verbose)
400 printf("passed\n\n");
401
402 return 0;
403 exit:
404 if (verbose)
405 printf("failed\n\n");
406 return res;
407 }
Impressum, Datenschutz