1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2018 Merlok
3 // Copyright (C) 2018 drHatson
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
10 //-----------------------------------------------------------------------------
12 #include "crypto/libpcrypto.h"
16 #include <mbedtls/asn1.h>
17 #include <mbedtls/aes.h>
18 #include <mbedtls/cmac.h>
19 #include <mbedtls/ecdsa.h>
20 #include <mbedtls/sha256.h>
21 #include <mbedtls/ctr_drbg.h>
22 #include <mbedtls/entropy.h>
23 #include <mbedtls/error.h>
24 #include <crypto/asn1utils.h>
27 // NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
28 int aes_encode(uint8_t *iv
, uint8_t *key
, uint8_t *input
, uint8_t *output
, int length
){
29 uint8_t iiv
[16] = {0};
33 mbedtls_aes_context aes
;
34 mbedtls_aes_init(&aes
);
35 if (mbedtls_aes_setkey_enc(&aes
, key
, 128))
37 if (mbedtls_aes_crypt_cbc(&aes
, MBEDTLS_AES_ENCRYPT
, length
, iiv
, input
, output
))
39 mbedtls_aes_free(&aes
);
44 int aes_decode(uint8_t *iv
, uint8_t *key
, uint8_t *input
, uint8_t *output
, int length
){
45 uint8_t iiv
[16] = {0};
49 mbedtls_aes_context aes
;
50 mbedtls_aes_init(&aes
);
51 if (mbedtls_aes_setkey_dec(&aes
, key
, 128))
53 if (mbedtls_aes_crypt_cbc(&aes
, MBEDTLS_AES_DECRYPT
, length
, iiv
, input
, output
))
55 mbedtls_aes_free(&aes
);
60 // NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
61 // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
62 int aes_cmac(uint8_t *iv
, uint8_t *key
, uint8_t *input
, uint8_t *mac
, int length
) {
63 memset(mac
, 0x00, 16);
66 return mbedtls_aes_cmac_prf_128(key
, MBEDTLS_AES_BLOCK_SIZE
, input
, length
, mac
);
69 int aes_cmac8(uint8_t *iv
, uint8_t *key
, uint8_t *input
, uint8_t *mac
, int length
) {
70 uint8_t cmac
[16] = {0};
73 int res
= aes_cmac(iv
, key
, input
, cmac
, length
);
77 for(int i
= 0; i
< 8; i
++)
78 mac
[i
] = cmac
[i
* 2 + 1];
83 static uint8_t fixed_rand_value
[250] = {0};
84 static int fixed_rand(void *rng_state
, unsigned char *output
, size_t len
) {
86 memcpy(output
, fixed_rand_value
, len
);
88 memset(output
, 0x00, len
);
94 int sha256hash(uint8_t *input
, int length
, uint8_t *hash
) {
98 mbedtls_sha256_context sctx
;
99 mbedtls_sha256_init(&sctx
);
100 mbedtls_sha256_starts(&sctx
, 0); // SHA-256, not 224
101 mbedtls_sha256_update(&sctx
, input
, length
);
102 mbedtls_sha256_finish(&sctx
, hash
);
103 mbedtls_sha256_free(&sctx
);
108 int ecdsa_init_str(mbedtls_ecdsa_context
*ctx
, char * key_d
, char *key_x
, char *key_y
) {
114 mbedtls_ecdsa_init(ctx
);
115 res
= mbedtls_ecp_group_load(&ctx
->grp
, MBEDTLS_ECP_DP_SECP256R1
); // secp256r1
120 res
= mbedtls_mpi_read_string(&ctx
->d
, 16, key_d
);
125 if (key_x
&& key_y
) {
126 res
= mbedtls_ecp_point_read_string(&ctx
->Q
, 16, key_x
, key_y
);
134 int ecdsa_init(mbedtls_ecdsa_context
*ctx
, uint8_t * key_d
, uint8_t *key_xy
) {
140 mbedtls_ecdsa_init(ctx
);
141 res
= mbedtls_ecp_group_load(&ctx
->grp
, MBEDTLS_ECP_DP_SECP256R1
); // secp256r1
146 res
= mbedtls_mpi_read_binary(&ctx
->d
, key_d
, 32);
152 res
= mbedtls_ecp_point_read_binary(&ctx
->grp
, &ctx
->Q
, key_xy
, 32 * 2 + 1);
160 int ecdsa_key_create(uint8_t * key_d
, uint8_t *key_xy
) {
162 mbedtls_ecdsa_context ctx
;
163 ecdsa_init(&ctx
, NULL
, NULL
);
166 mbedtls_entropy_context entropy
;
167 mbedtls_ctr_drbg_context ctr_drbg
;
168 const char *pers
= "ecdsaproxmark";
170 mbedtls_entropy_init(&entropy
);
171 mbedtls_ctr_drbg_init(&ctr_drbg
);
173 res
= mbedtls_ctr_drbg_seed(&ctr_drbg
, mbedtls_entropy_func
, &entropy
, (const unsigned char *)pers
, strlen(pers
));
177 res
= mbedtls_ecdsa_genkey(&ctx
, MBEDTLS_ECP_DP_SECP256R1
, mbedtls_ctr_drbg_random
, &ctr_drbg
);
181 res
= mbedtls_mpi_write_binary(&ctx
.d
, key_d
, 32);
186 uint8_t public_key
[200] = {0};
187 res
= mbedtls_ecp_point_write_binary(&ctx
.grp
, &ctx
.Q
, MBEDTLS_ECP_PF_UNCOMPRESSED
, &keylen
, public_key
, sizeof(public_key
));
191 if (keylen
!= 65) { // 0x04 <key x 32b><key y 32b>
195 memcpy(key_xy
, public_key
, 65);
198 mbedtls_entropy_free(&entropy
);
199 mbedtls_ctr_drbg_free(&ctr_drbg
);
200 mbedtls_ecdsa_free(&ctx
);
204 char *ecdsa_get_error(int ret
) {
205 static char retstr
[300];
206 memset(retstr
, 0x00, sizeof(retstr
));
207 mbedtls_strerror(ret
, retstr
, sizeof(retstr
));
211 int ecdsa_signature_create(uint8_t *key_d
, uint8_t *key_xy
, uint8_t *input
, int length
, uint8_t *signature
, size_t *signaturelen
) {
215 uint8_t shahash
[32] = {0};
216 res
= sha256hash(input
, length
, shahash
);
220 mbedtls_entropy_context entropy
;
221 mbedtls_ctr_drbg_context ctr_drbg
;
222 const char *pers
= "ecdsaproxmark";
224 mbedtls_entropy_init(&entropy
);
225 mbedtls_ctr_drbg_init(&ctr_drbg
);
227 res
= mbedtls_ctr_drbg_seed(&ctr_drbg
, mbedtls_entropy_func
, &entropy
, (const unsigned char *)pers
, strlen(pers
));
231 mbedtls_ecdsa_context ctx
;
232 ecdsa_init(&ctx
, key_d
, key_xy
);
233 res
= mbedtls_ecdsa_write_signature(&ctx
, MBEDTLS_MD_SHA256
, shahash
, sizeof(shahash
), signature
, signaturelen
, mbedtls_ctr_drbg_random
, &ctr_drbg
);
236 mbedtls_ctr_drbg_free(&ctr_drbg
);
237 mbedtls_ecdsa_free(&ctx
);
241 int ecdsa_signature_create_test(char * key_d
, char *key_x
, char *key_y
, char *random
, uint8_t *input
, int length
, uint8_t *signature
, size_t *signaturelen
) {
245 uint8_t shahash
[32] = {0};
246 res
= sha256hash(input
, length
, shahash
);
251 param_gethex_to_eol(random
, 0, fixed_rand_value
, sizeof(fixed_rand_value
), &rndlen
);
253 mbedtls_ecdsa_context ctx
;
254 ecdsa_init_str(&ctx
, key_d
, key_x
, key_y
);
255 res
= mbedtls_ecdsa_write_signature(&ctx
, MBEDTLS_MD_SHA256
, shahash
, sizeof(shahash
), signature
, signaturelen
, fixed_rand
, NULL
);
257 mbedtls_ecdsa_free(&ctx
);
261 int ecdsa_signature_verify_keystr(char *key_x
, char *key_y
, uint8_t *input
, int length
, uint8_t *signature
, size_t signaturelen
) {
263 uint8_t shahash
[32] = {0};
264 res
= sha256hash(input
, length
, shahash
);
268 mbedtls_ecdsa_context ctx
;
269 ecdsa_init_str(&ctx
, NULL
, key_x
, key_y
);
270 res
= mbedtls_ecdsa_read_signature(&ctx
, shahash
, sizeof(shahash
), signature
, signaturelen
);
272 mbedtls_ecdsa_free(&ctx
);
276 int ecdsa_signature_verify(uint8_t *key_xy
, uint8_t *input
, int length
, uint8_t *signature
, size_t signaturelen
) {
278 uint8_t shahash
[32] = {0};
279 res
= sha256hash(input
, length
, shahash
);
283 mbedtls_ecdsa_context ctx
;
284 ecdsa_init(&ctx
, NULL
, key_xy
);
285 res
= mbedtls_ecdsa_read_signature(&ctx
, shahash
, sizeof(shahash
), signature
, signaturelen
);
287 mbedtls_ecdsa_free(&ctx
);
291 #define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
292 #define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
293 #define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
294 #define T_K "7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE"
295 #define T_R "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F"
296 #define T_S "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1"
298 int ecdsa_nist_test(bool verbose
) {
300 uint8_t input
[] = "Example of ECDSA with P-256";
301 int length
= strlen((char *)input
);
302 uint8_t signature
[300] = {0};
307 printf(" ECDSA NIST test: ");
309 res
= ecdsa_signature_create_test(T_PRIVATE_KEY
, T_Q_X
, T_Q_Y
, T_K
, input
, length
, signature
, &siglen
);
310 // printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
315 uint8_t rval
[300] = {0};
316 uint8_t sval
[300] = {0};
317 res
= ecdsa_asn1_get_signature(signature
, siglen
, rval
, sval
);
322 uint8_t rval_s
[33] = {0};
323 param_gethex_to_eol(T_R
, 0, rval_s
, sizeof(rval_s
), &slen
);
324 uint8_t sval_s
[33] = {0};
325 param_gethex_to_eol(T_S
, 0, sval_s
, sizeof(sval_s
), &slen
);
326 if (strncmp((char *)rval
, (char *)rval_s
, 32) || strncmp((char *)sval
, (char *)sval_s
, 32)) {
327 printf("R or S check error\n");
333 res
= ecdsa_signature_verify_keystr(T_Q_X
, T_Q_Y
, input
, length
, signature
, siglen
);
337 // verify wrong signature
339 res
= ecdsa_signature_verify_keystr(T_Q_X
, T_Q_Y
, input
, length
, signature
, siglen
);
349 printf(" ECDSA binary signature create/check test: ");
351 uint8_t key_d
[32] = {0};
352 uint8_t key_xy
[32 * 2 + 2] = {0};
353 memset(signature
, 0x00, sizeof(signature
));
356 res
= ecdsa_key_create(key_d
, key_xy
);
360 res
= ecdsa_signature_create(key_d
, key_xy
, input
, length
, signature
, &siglen
);
364 res
= ecdsa_signature_verify(key_xy
, input
, length
, signature
, siglen
);
369 res
= ecdsa_signature_verify(key_xy
, input
, length
, signature
, siglen
);
374 printf("passed\n\n");
379 printf("failed\n\n");