[proxmark3-svn] / armsrc / desfire_crypto.c

/*-
 * Copyright (C) 2010, Romain Tartiere.
 * 
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or (at your
 * option) any later version.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 * 
 * $Id$
 */

/*
 * This implementation was written based on information provided by the
 * following documents:
 *
 * NIST Special Publication 800-38B
 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
 * May 2005
 */
#include "desfire_crypto.h"

static void xor (const uint8_t *ivect, uint8_t *data, const size_t len);
static size_t key_macing_length (desfirekey_t key);

static void xor (const uint8_t *ivect, uint8_t *data, const size_t len) {
    for (size_t i = 0; i < len; i++) {
        data[i] ^= ivect[i];
    }
}

void cmac_generate_subkeys ( desfirekey_t key) {
    int kbs = key_block_size (key);
    const uint8_t R = (kbs == 8) ? 0x1B : 0x87;

    uint8_t l[kbs];
    memset (l, 0, kbs);

    uint8_t ivect[kbs];
    memset (ivect, 0, kbs);

    mifare_cypher_blocks_chained (NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);

    bool xor = false;

    // Used to compute CMAC on complete blocks
    memcpy (key->cmac_sk1, l, kbs);
    xor = l[0] & 0x80;
    lsl (key->cmac_sk1, kbs);
    if (xor)
        key->cmac_sk1[kbs-1] ^= R;

    // Used to compute CMAC on the last block if non-complete
    memcpy (key->cmac_sk2, key->cmac_sk1, kbs);
    xor = key->cmac_sk1[0] & 0x80;
    lsl (key->cmac_sk2, kbs);
    if (xor)
        key->cmac_sk2[kbs-1] ^= R;
}

void cmac (const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
    int kbs = key_block_size (key);
    uint8_t *buffer = malloc (padded_data_length (len, kbs));

    memcpy (buffer, data, len);

    if ((!len) || (len % kbs)) {
        buffer[len++] = 0x80;
        while (len % kbs) {
            buffer[len++] = 0x00;
        }
        xor (key->cmac_sk2, buffer + len - kbs, kbs);
    } else {
        xor (key->cmac_sk1, buffer + len - kbs, kbs);
    }

    mifare_cypher_blocks_chained (NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);

    memcpy (cmac, ivect, kbs);
}

size_t key_block_size (const desfirekey_t key) {
    size_t block_size = 8;

    switch (key->type) {
		case T_DES:
		case T_3DES:
		case T_3K3DES:
			block_size = 8;
			break;
		case T_AES:
			block_size = 16;
			break;
    }

    return block_size;
}

/*
 * Size of MACing produced with the key.
 */
static size_t key_macing_length (const desfirekey_t key) {
    size_t mac_length = MAC_LENGTH;

    switch (key->type) {
    case T_DES:
    case T_3DES:
        mac_length = MAC_LENGTH;
        break;
    case T_3K3DES:
    case T_AES:
        mac_length = CMAC_LENGTH;
        break;
    }

    return mac_length;
}

/*
 * Size required to store nbytes of data in a buffer of size n*block_size.
 */
size_t padded_data_length (const size_t nbytes, const size_t block_size) {
    if ((!nbytes) || (nbytes % block_size))
        return ((nbytes / block_size) + 1) * block_size;
    else
        return nbytes;
}

/*
 * Buffer size required to MAC nbytes of data
 */
size_t maced_data_length (const desfirekey_t key, const size_t nbytes) {
    return nbytes + key_macing_length (key);
}
/*
 * Buffer size required to encipher nbytes of data and a two bytes CRC.
 */
size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings) {
    size_t crc_length = 0;
    if (!(communication_settings & NO_CRC)) {
        switch (DESFIRE(tag)->authentication_scheme) {
        case AS_LEGACY:
            crc_length = 2;
            break;
        case AS_NEW:
            crc_length = 4;
            break;
        }
    }

    size_t block_size = DESFIRE(tag)->session_key ? key_block_size (DESFIRE(tag)->session_key) : 1;

    return padded_data_length (nbytes + crc_length, block_size);
}

void* mifare_cryto_preprocess_data (desfiretag_t tag, void *data, size_t *nbytes, off_t offset, int communication_settings) {
    uint8_t *res = data;
    uint8_t mac[4];
    size_t edl;
    bool append_mac = true;
    desfirekey_t key = DESFIRE(tag)->session_key;

    if (!key)
        return data;

    switch (communication_settings & MDCM_MASK) {
    case MDCM_PLAIN:
        if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
            break;

        /*
         * When using new authentication methods, PLAIN data transmission from
         * the PICC to the PCD are CMACed, so we have to maintain the
         * cryptographic initialisation vector up-to-date to check data
         * integrity later.
         *
         * The only difference with CMACed data transmission is that the CMAC
         * is not apended to the data send by the PCD to the PICC.
         */

        append_mac = false;

        /* pass through */
    case MDCM_MACED:
        switch (DESFIRE(tag)->authentication_scheme) {
        case AS_LEGACY:
            if (!(communication_settings & MAC_COMMAND))
                break;

            /* pass through */
            edl = padded_data_length (*nbytes - offset, key_block_size (DESFIRE(tag)->session_key)) + offset;

            // Fill in the crypto buffer with data ...
            memcpy (res, data, *nbytes);
            // ... and 0 padding
            memset (res + *nbytes, 0, edl - *nbytes);

            mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);

            memcpy (mac, res + edl - 8, 4);

            // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
            memcpy (res, data, *nbytes);

            if (!(communication_settings & MAC_COMMAND))
                break;
            // Append MAC
            size_t bla = maced_data_length (DESFIRE(tag)->session_key, *nbytes - offset) + offset;
			bla++;

            memcpy (res + *nbytes, mac, 4);

            *nbytes += 4;
            break;
        case AS_NEW:
            if (!(communication_settings & CMAC_COMMAND))
                break;
            cmac (key, DESFIRE (tag)->ivect, res, *nbytes, DESFIRE (tag)->cmac);

            if (append_mac) {
                maced_data_length (key, *nbytes);

                memcpy (res, data, *nbytes);
                memcpy (res + *nbytes, DESFIRE (tag)->cmac, CMAC_LENGTH);
                *nbytes += CMAC_LENGTH;
            }
            break;
        }

        break;
    case MDCM_ENCIPHERED:
        /*  |<-------------- data -------------->|
         *  |<--- offset -->|                    |
         *  +---------------+--------------------+-----+---------+
         *  | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
         *  +---------------+--------------------+-----+---------+ ----------------
         *  |               |<~~~~v~~~~~~~~~~~~~>|  ^  |         |   (DES / 3DES)
         *  |               |     `---- crc16() ----'  |         |
         *  |               |                    |  ^  |         | ----- *or* -----
         *  |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>|  ^  |         |  (3K3DES / AES)
         *                  |     `---- crc32() ----'  |         |
         *                  |                                    | ---- *then* ----
         *                  |<---------------------------------->|
         *                            encypher()/decypher()
         */

            if (!(communication_settings & ENC_COMMAND))
                break;
            edl = enciphered_data_length (tag, *nbytes - offset, communication_settings) + offset;

            // Fill in the crypto buffer with data ...
            memcpy (res, data, *nbytes);
            if (!(communication_settings & NO_CRC)) {
                // ... CRC ...
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    AppendCrc14443a(res + offset, *nbytes - offset);
                    *nbytes += 2;
                    break;
                case AS_NEW:
                    crc32_append (res, *nbytes);
                    *nbytes += 4;
                    break;
                }
            }
            // ... and padding
            memset (res + *nbytes, 0, edl - *nbytes);

            *nbytes = edl;

            mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
        break;
    default:

        *nbytes = -1;
        res = NULL;
        break;
    }

    return res;

}

void* mifare_cryto_postprocess_data (desfiretag_t tag, void *data, ssize_t *nbytes, int communication_settings)
{
    void *res = data;
    size_t edl;
    void *edata = NULL;
    uint8_t first_cmac_byte = 0x00;

    desfirekey_t key = DESFIRE(tag)->session_key;

    if (!key)
        return data;

    // Return directly if we just have a status code.
    if (1 == *nbytes)
        return res;

    switch (communication_settings & MDCM_MASK) {
    case MDCM_PLAIN:

        if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
            break;

        /* pass through */
    case MDCM_MACED:
        switch (DESFIRE (tag)->authentication_scheme) {
        case AS_LEGACY:
            if (communication_settings & MAC_VERIFY) {
                *nbytes -= key_macing_length (key);
                if (*nbytes <= 0) {
                    *nbytes = -1;
                    res = NULL;
#ifdef WITH_DEBUG
                    Dbprintf ("No room for MAC!");
#endif
                    break;
                }

                edl = enciphered_data_length (tag, *nbytes - 1, communication_settings);
                edata = malloc (edl);

                memcpy (edata, data, *nbytes - 1);
                memset ((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);

                mifare_cypher_blocks_chained (tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);

                if (0 != memcmp ((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
#ifdef WITH_DEBUG
                    Dbprintf ("MACing not verified");
                    hexdump ((uint8_t *)data + *nbytes - 1, key_macing_length (key), "Expect ", 0);
                    hexdump ((uint8_t *)edata + edl - 8, key_macing_length (key), "Actual ", 0);
#endif
                    DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
                    *nbytes = -1;
                    res = NULL;
                }
            }
            break;
        case AS_NEW:
            if (!(communication_settings & CMAC_COMMAND))
                break;
            if (communication_settings & CMAC_VERIFY) {
                if (*nbytes < 9) {
                    *nbytes = -1;
                    res = NULL;
                    break;
                }
                first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
                ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes-1];
            }

            int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
            cmac (key, DESFIRE (tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE (tag)->cmac);

            if (communication_settings & CMAC_VERIFY) {
                ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
                if (0 != memcmp (DESFIRE (tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
#ifdef WITH_DEBUG
                    Dbprintf ("CMAC NOT verified :-(");
                    hexdump ((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
                    hexdump (DESFIRE (tag)->cmac, 8, "Actual ", 0);
#endif
                    DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
                    *nbytes = -1;
                    res = NULL;
                } else {
                    *nbytes -= 8;
                }
            }
            break;
        }

        free (edata);

        break;
    case MDCM_ENCIPHERED:
        (*nbytes)--;
        bool verified = false;
        int crc_pos = 0x00;
        int end_crc_pos = 0x00;
        uint8_t x;

        /*
         * AS_LEGACY:
         * ,-----------------+-------------------------------+--------+
         * \     BLOCK n-1   |              BLOCK n          | STATUS |
         * /  PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
         * `-----------------+-------------------------------+--------+
         *
         *         <------------ DATA ------------>
         * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
         *
         * AS_NEW:
         * ,-------------------------------+-----------------------------------------------+--------+
         * \                 BLOCK n-1     |                  BLOCK n                      | STATUS |
         * /  PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
         * `-------------------------------+-----------------------------------------------+--------+
         * <----------------------------------- DATA ------------------------------------->|
         *
         *         <----------------- DATA ---------------->
         * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
         *                                    `------------------'
         */

        mifare_cypher_blocks_chained (tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);

        /*
         * Look for the CRC and ensure it is followed by NULL padding.  We
         * can't start by the end because the CRC is supposed to be 0 when
         * verified, and accumulating 0's in it should not change it.
         */
        switch (DESFIRE (tag)->authentication_scheme) {
        case AS_LEGACY:
            crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
            if (crc_pos < 0) {
                /* Single block */
                crc_pos = 0;
            }
            break;
        case AS_NEW:
            /* Move status between payload and CRC */
            res = DESFIRE (tag)->crypto_buffer;
            memcpy (res, data, *nbytes);

            crc_pos = (*nbytes) - 16 - 3;
            if (crc_pos < 0) {
                /* Single block */
                crc_pos = 0;
            }
            memcpy ((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
            ((uint8_t *)res)[crc_pos] = 0x00;
            crc_pos++;
            *nbytes += 1;
            break;
        }

        do {
            uint16_t crc16 =0x00;
            uint32_t crc;
            switch (DESFIRE (tag)->authentication_scheme) {
            case AS_LEGACY:
                end_crc_pos = crc_pos + 2;
                AppendCrc14443a (res, end_crc_pos);
				
				// 
				
				
                crc = crc16;
                break;
            case AS_NEW:
                end_crc_pos = crc_pos + 4;
                crc32 (res, end_crc_pos, (uint8_t *)&crc);
                break;
            }
            if (!crc) {
                verified = true;
                for (int n = end_crc_pos; n < *nbytes - 1; n++) {
                    uint8_t byte = ((uint8_t *)res)[n];
                    if (!( (0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos)) ))
                        verified = false;
                }
            }
            if (verified) {
                *nbytes = crc_pos;
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    ((uint8_t *)data)[(*nbytes)++] = 0x00;
                    break;
                case AS_NEW:
                    /* The status byte was already before the CRC */
                    break;
                }
            } else {
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    break;
                case AS_NEW:
                    x = ((uint8_t *)res)[crc_pos - 1];
                    ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
                    ((uint8_t *)res)[crc_pos] = x;
                    break;
                }
                crc_pos++;
            }
        } while (!verified && (end_crc_pos < *nbytes));

        if (!verified) {
#ifdef WITH_DEBUG
            /* FIXME In some configurations, the file is transmitted PLAIN */
            Dbprintf("CRC not verified in decyphered stream");
#endif
            DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
            *nbytes = -1;
            res = NULL;
        }

        break;
    default:
        Dbprintf("Unknown communication settings");
        *nbytes = -1;
        res = NULL;
        break;

    }
    return res;
}


void mifare_cypher_single_block (desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size)
{
    uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];

    if (direction == MCD_SEND) {
        xor (ivect, data, block_size);
    } else {
        memcpy (ovect, data, block_size);
    }

    uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];

    switch (key->type) {
    case T_DES:
        switch (operation) {
        case MCO_ENCYPHER:
            //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
			des_enc(edata, data, key->data);
            break;
        case MCO_DECYPHER:
            //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
			des_dec(edata, data, key->data);
            break;
        }
        break;
    case T_3DES:
        switch (operation) {
        case MCO_ENCYPHER:			
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
			tdes_enc(edata,data, key->data);
            break;
        case MCO_DECYPHER:
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
			tdes_dec(data, edata, key->data);
            break;
        }
        break;
    case T_3K3DES:
        switch (operation) {
        case MCO_ENCYPHER:
			tdes_enc(edata,data, key->data);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
            break;
        case MCO_DECYPHER:
			tdes_dec(data, edata, key->data);        
			// DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
            break;
        }
        break;
    case T_AES:
        switch (operation) 
		{
			case MCO_ENCYPHER:
			{
				AesCtx ctx;
				AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); 
				AesEncrypt(&ctx, data, edata, sizeof(data) );
				break;
			}
			case MCO_DECYPHER:
			{
				AesCtx ctx;
				AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); 
				AesDecrypt(&ctx, edata, data, sizeof(edata));
				break;
			}
        }
        break;
    }

    memcpy (data, edata, block_size);

    if (direction == MCD_SEND) {
        memcpy (ivect, data, block_size);
    } else {
        xor (ivect, data, block_size);
        memcpy (ivect, ovect, block_size);
    }
}

/*
 * This function performs all CBC cyphering / deciphering.
 *
 * The tag argument may be NULL, in which case both key and ivect shall be set.
 * When using the tag session_key and ivect for processing data, these
 * arguments should be set to NULL.
 *
 * Because the tag may contain additional data, one may need to call this
 * function with tag, key and ivect defined.
 */
void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
    size_t block_size;

    if (tag) {
        if (!key)
            key = DESFIRE (tag)->session_key;
        if (!ivect)
            ivect = DESFIRE (tag)->ivect;

        switch (DESFIRE (tag)->authentication_scheme) {
			case AS_LEGACY:
				memset (ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
				break;
			case AS_NEW:
				break;
        }
    }

    block_size = key_block_size (key);

    size_t offset = 0;
    while (offset < data_size) {
        mifare_cypher_single_block (key, data + offset, ivect, direction, operation, block_size);
        offset += block_size;
    }
}
Commit	Line	Data
f38a1528	1	/*-
	2	* Copyright (C) 2010, Romain Tartiere.
	3	*
	4	* This program is free software: you can redistribute it and/or modify it
	5	* under the terms of the GNU Lesser General Public License as published by the
	6	* Free Software Foundation, either version 3 of the License, or (at your
	7	* option) any later version.
	8	*
	9	* This program is distributed in the hope that it will be useful, but WITHOUT
	10	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	11	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
	12	* more details.
	13	*
	14	* You should have received a copy of the GNU Lesser General Public License
	15	* along with this program. If not, see <http://www.gnu.org/licenses/>
	16	*
	17	* $Id$
	18	*/
	19
	20	/*
	21	* This implementation was written based on information provided by the
	22	* following documents:
	23	*
	24	* NIST Special Publication 800-38B
	25	* Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
	26	* May 2005
	27	*/
	28	#include "desfire_crypto.h"
	29
7838f4be	30	static void xor (const uint8_t ivect, uint8_t data, const size_t len);
7838f4be	31	static size_t key_macing_length (desfirekey_t key);
f38a1528	32
	33	static void xor (const uint8_t ivect, uint8_t data, const size_t len) {
	34	for (size_t i = 0; i < len; i++) {
	35	data[i] ^= ivect[i];
	36	}
	37	}
	38
	39	void cmac_generate_subkeys ( desfirekey_t key) {
	40	int kbs = key_block_size (key);
	41	const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
	42
	43	uint8_t l[kbs];
	44	memset (l, 0, kbs);
	45
	46	uint8_t ivect[kbs];
	47	memset (ivect, 0, kbs);
	48
	49	mifare_cypher_blocks_chained (NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
	50
	51	bool xor = false;
	52
	53	// Used to compute CMAC on complete blocks
	54	memcpy (key->cmac_sk1, l, kbs);
	55	xor = l[0] & 0x80;
	56	lsl (key->cmac_sk1, kbs);
	57	if (xor)
	58	key->cmac_sk1[kbs-1] ^= R;
	59
	60	// Used to compute CMAC on the last block if non-complete
	61	memcpy (key->cmac_sk2, key->cmac_sk1, kbs);
	62	xor = key->cmac_sk1[0] & 0x80;
	63	lsl (key->cmac_sk2, kbs);
	64	if (xor)
	65	key->cmac_sk2[kbs-1] ^= R;
	66	}
	67
	68	void cmac (const desfirekey_t key, uint8_t ivect, const uint8_t data, size_t len, uint8_t *cmac) {
	69	int kbs = key_block_size (key);
	70	uint8_t *buffer = malloc (padded_data_length (len, kbs));
	71
	72	memcpy (buffer, data, len);
	73
	74	if ((!len) \|\| (len % kbs)) {
	75	buffer[len++] = 0x80;
	76	while (len % kbs) {
	77	buffer[len++] = 0x00;
	78	}
	79	xor (key->cmac_sk2, buffer + len - kbs, kbs);
	80	} else {
	81	xor (key->cmac_sk1, buffer + len - kbs, kbs);
	82	}
	83
	84	mifare_cypher_blocks_chained (NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
	85
	86	memcpy (cmac, ivect, kbs);
	87	}
	88
	89	size_t key_block_size (const desfirekey_t key) {
	90	size_t block_size = 8;
	91
	92	switch (key->type) {
	93	case T_DES:
	94	case T_3DES:
	95	case T_3K3DES:
96	block_size = 8;
97	break;
98	case T_AES:
99	block_size = 16;
100	break;
101	}
102
103	return block_size;
104	}
105
106	/*
107	* Size of MACing produced with the key.
108	*/
109	static size_t key_macing_length (const desfirekey_t key) {
110	size_t mac_length = MAC_LENGTH;
111
112	switch (key->type) {
113	case T_DES:
114	case T_3DES:
115	mac_length = MAC_LENGTH;
116	break;
117	case T_3K3DES:
118	case T_AES:
119	mac_length = CMAC_LENGTH;
120	break;
121	}
122
123	return mac_length;
124	}
125
126	/*
127	* Size required to store nbytes of data in a buffer of size n*block_size.
128	*/
129	size_t padded_data_length (const size_t nbytes, const size_t block_size) {
130	if ((!nbytes) \|\| (nbytes % block_size))
131	return ((nbytes / block_size) + 1) * block_size;
132	else
133	return nbytes;
134	}
135
136	/*
137	* Buffer size required to MAC nbytes of data
138	*/
139	size_t maced_data_length (const desfirekey_t key, const size_t nbytes) {
140	return nbytes + key_macing_length (key);
141	}
142	/*
143	* Buffer size required to encipher nbytes of data and a two bytes CRC.
144	*/
145	size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings) {
146	size_t crc_length = 0;
147	if (!(communication_settings & NO_CRC)) {
148	switch (DESFIRE(tag)->authentication_scheme) {
149	case AS_LEGACY:
150	crc_length = 2;
151	break;
152	case AS_NEW:
153	crc_length = 4;
154	break;
155	}
156	}
157
158	size_t block_size = DESFIRE(tag)->session_key ? key_block_size (DESFIRE(tag)->session_key) : 1;
159
160	return padded_data_length (nbytes + crc_length, block_size);
161	}
162
163	void* mifare_cryto_preprocess_data (desfiretag_t tag, void data, size_t nbytes, off_t offset, int communication_settings) {
164	uint8_t *res = data;
165	uint8_t mac[4];
166	size_t edl;
167	bool append_mac = true;
168	desfirekey_t key = DESFIRE(tag)->session_key;
169
170	if (!key)
171	return data;
172
173	switch (communication_settings & MDCM_MASK) {
174	case MDCM_PLAIN:
175	if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
176	break;
177
178	/*
179	* When using new authentication methods, PLAIN data transmission from
180	* the PICC to the PCD are CMACed, so we have to maintain the
181	* cryptographic initialisation vector up-to-date to check data
182	* integrity later.
183	*
184	* The only difference with CMACed data transmission is that the CMAC
185	* is not apended to the data send by the PCD to the PICC.
186	*/
187
188	append_mac = false;
189
190	/* pass through */
191	case MDCM_MACED:
192	switch (DESFIRE(tag)->authentication_scheme) {
193	case AS_LEGACY:
194	if (!(communication_settings & MAC_COMMAND))
195	break;
196
197	/* pass through */
198	edl = padded_data_length (*nbytes - offset, key_block_size (DESFIRE(tag)->session_key)) + offset;
199
200	// Fill in the crypto buffer with data ...
201	memcpy (res, data, *nbytes);
202	// ... and 0 padding
203	memset (res + nbytes, 0, edl - nbytes);
204
205	mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
206
207	memcpy (mac, res + edl - 8, 4);
208
209	// Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
210	memcpy (res, data, *nbytes);
211
212	if (!(communication_settings & MAC_COMMAND))
213	break;
214	// Append MAC
215	size_t bla = maced_data_length (DESFIRE(tag)->session_key, *nbytes - offset) + offset;
216	bla++;
217
218	memcpy (res + *nbytes, mac, 4);
219
220	*nbytes += 4;
221	break;
222	case AS_NEW:
223	if (!(communication_settings & CMAC_COMMAND))
224	break;
225	cmac (key, DESFIRE (tag)->ivect, res, *nbytes, DESFIRE (tag)->cmac);
226
227	if (append_mac) {
228	maced_data_length (key, *nbytes);
229
230	memcpy (res, data, *nbytes);
231	memcpy (res + *nbytes, DESFIRE (tag)->cmac, CMAC_LENGTH);
232	*nbytes += CMAC_LENGTH;
233	}
234	break;
235	}
236
237	break;
238	case MDCM_ENCIPHERED:
239	/* \|<-------------- data -------------->\|
240	* \|<--- offset -->\| \|
241	* +---------------+--------------------+-----+---------+
242	* \| CMD + HEADERS \| DATA TO BE SECURED \| CRC \| PADDING \|
243	* +---------------+--------------------+-----+---------+ ----------------
244	* \| \|<~~~~v~~~~~~~~~~~~~>\| ^ \| \| (DES / 3DES)
245	* \| \| `---- crc16() ----' \| \|
246	* \| \| \| ^ \| \| ----- or -----
247	* \|<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>\| ^ \| \| (3K3DES / AES)
248	* \| `---- crc32() ----' \| \|
249	* \| \| ---- then ----
250	* \|<---------------------------------->\|
251	* encypher()/decypher()
252	*/
253
254	if (!(communication_settings & ENC_COMMAND))
255	break;
256	edl = enciphered_data_length (tag, *nbytes - offset, communication_settings) + offset;
257
258	// Fill in the crypto buffer with data ...
259	memcpy (res, data, *nbytes);
260	if (!(communication_settings & NO_CRC)) {
261	// ... CRC ...
262	switch (DESFIRE (tag)->authentication_scheme) {
263	case AS_LEGACY:
264	AppendCrc14443a(res + offset, *nbytes - offset);
265	*nbytes += 2;
266	break;
267	case AS_NEW:
268	crc32_append (res, *nbytes);
269	*nbytes += 4;
270	break;
271	}
272	}
273	// ... and padding
274	memset (res + nbytes, 0, edl - nbytes);
275
276	*nbytes = edl;
277
278	mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
279	break;
280	default:
281
282	*nbytes = -1;
283	res = NULL;
284	break;
285	}
286
287	return res;
288
289	}
290
291	void* mifare_cryto_postprocess_data (desfiretag_t tag, void data, ssize_t nbytes, int communication_settings)
292	{
293	void *res = data;
294	size_t edl;
295	void *edata = NULL;
296	uint8_t first_cmac_byte = 0x00;
297
298	desfirekey_t key = DESFIRE(tag)->session_key;
299
300	if (!key)
301	return data;
302
303	// Return directly if we just have a status code.
304	if (1 == *nbytes)
305	return res;
306
307	switch (communication_settings & MDCM_MASK) {
308	case MDCM_PLAIN:
309
310	if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
311	break;
312
313	/* pass through */
314	case MDCM_MACED:
315	switch (DESFIRE (tag)->authentication_scheme) {
316	case AS_LEGACY:
317	if (communication_settings & MAC_VERIFY) {
318	*nbytes -= key_macing_length (key);
319	if (*nbytes <= 0) {
320	*nbytes = -1;
321	res = NULL;
322	#ifdef WITH_DEBUG
8d0a3e87	323	Dbprintf ("No room for MAC!");
f38a1528	324	#endif
	325	break;
	326	}
	327
	328	edl = enciphered_data_length (tag, *nbytes - 1, communication_settings);
	329	edata = malloc (edl);
	330
	331	memcpy (edata, data, *nbytes - 1);
	332	memset ((uint8_t )edata + nbytes - 1, 0, edl - *nbytes + 1);
	333
	334	mifare_cypher_blocks_chained (tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
	335
	336	if (0 != memcmp ((uint8_t )data + nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
	337	#ifdef WITH_DEBUG
8d0a3e87	338	Dbprintf ("MACing not verified");
f38a1528	339	hexdump ((uint8_t )data + nbytes - 1, key_macing_length (key), "Expect ", 0);
	340	hexdump ((uint8_t *)edata + edl - 8, key_macing_length (key), "Actual ", 0);
	341	#endif
	342	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
	343	*nbytes = -1;
	344	res = NULL;
	345	}
	346	}
	347	break;
	348	case AS_NEW:
	349	if (!(communication_settings & CMAC_COMMAND))
	350	break;
	351	if (communication_settings & CMAC_VERIFY) {
	352	if (*nbytes < 9) {
	353	*nbytes = -1;
	354	res = NULL;
	355	break;
	356	}
	357	first_cmac_byte = ((uint8_t )data)[nbytes - 9];
	358	((uint8_t )data)[nbytes - 9] = ((uint8_t )data)[nbytes-1];
	359	}
	360
	361	int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
	362	cmac (key, DESFIRE (tag)->ivect, ((uint8_t )data), nbytes - n, DESFIRE (tag)->cmac);
	363
	364	if (communication_settings & CMAC_VERIFY) {
	365	((uint8_t )data)[nbytes - 9] = first_cmac_byte;
	366	if (0 != memcmp (DESFIRE (tag)->cmac, (uint8_t )data + nbytes - 9, 8)) {
	367	#ifdef WITH_DEBUG
8d0a3e87	368	Dbprintf ("CMAC NOT verified :-(");
f38a1528	369	hexdump ((uint8_t )data + nbytes - 9, 8, "Expect ", 0);
	370	hexdump (DESFIRE (tag)->cmac, 8, "Actual ", 0);
	371	#endif
	372	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
	373	*nbytes = -1;
	374	res = NULL;
	375	} else {
	376	*nbytes -= 8;
	377	}
	378	}
	379	break;
	380	}
	381
	382	free (edata);
	383
	384	break;
	385	case MDCM_ENCIPHERED:
	386	(*nbytes)--;
	387	bool verified = false;
	388	int crc_pos = 0x00;
	389	int end_crc_pos = 0x00;
	390	uint8_t x;
	391
	392	/*
	393	* AS_LEGACY:
	394	* ,-----------------+-------------------------------+--------+
	395	* \ BLOCK n-1 \| BLOCK n \| STATUS \|
	396	* / PAYLOAD \| CRC0 \| CRC1 \| 0x80? \| 0x000000000000 \| 0x9100 \|
	397	* `-----------------+-------------------------------+--------+
	398	*
	399	* <------------ DATA ------------>
	400	* FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
	401	*
	402	* AS_NEW:
	403	* ,-------------------------------+-----------------------------------------------+--------+
	404	* \ BLOCK n-1 \| BLOCK n \| STATUS \|
	405	* / PAYLOAD \| CRC0 \| CRC1 \| CRC2 \| CRC3 \| 0x80? \| 0x0000000000000000000000000000 \| 0x9100 \|
	406	* `-------------------------------+-----------------------------------------------+--------+
	407	* <----------------------------------- DATA ------------------------------------->\|
	408	*
	409	* <----------------- DATA ---------------->
	410	* FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
	411	* `------------------'
	412	*/
	413
	414	mifare_cypher_blocks_chained (tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
	415
	416	/*
	417	* Look for the CRC and ensure it is followed by NULL padding. We
	418	* can't start by the end because the CRC is supposed to be 0 when
	419	* verified, and accumulating 0's in it should not change it.
	420	*/
	421	switch (DESFIRE (tag)->authentication_scheme) {
	422	case AS_LEGACY:
	423	crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
	424	if (crc_pos < 0) {
	425	/* Single block */
	426	crc_pos = 0;
	427	}
	428	break;
	429	case AS_NEW:
	430	/* Move status between payload and CRC */
	431	res = DESFIRE (tag)->crypto_buffer;
	432	memcpy (res, data, *nbytes);
433
434	crc_pos = (*nbytes) - 16 - 3;
435	if (crc_pos < 0) {
436	/* Single block */
437	crc_pos = 0;
438	}
439	memcpy ((uint8_t )res + crc_pos + 1, (uint8_t )res + crc_pos, *nbytes - crc_pos);
440	((uint8_t *)res)[crc_pos] = 0x00;
441	crc_pos++;
442	*nbytes += 1;
443	break;
444	}
445
446	do {
447	uint16_t crc16 =0x00;
448	uint32_t crc;
449	switch (DESFIRE (tag)->authentication_scheme) {
450	case AS_LEGACY:
451	end_crc_pos = crc_pos + 2;
452	AppendCrc14443a (res, end_crc_pos);
453
454	//
455
456
457	crc = crc16;
458	break;
459	case AS_NEW:
460	end_crc_pos = crc_pos + 4;
461	crc32 (res, end_crc_pos, (uint8_t *)&crc);
462	break;
463	}
464	if (!crc) {
465	verified = true;
466	for (int n = end_crc_pos; n < *nbytes - 1; n++) {
467	uint8_t byte = ((uint8_t *)res)[n];
468	if (!( (0x00 == byte) \|\| ((0x80 == byte) && (n == end_crc_pos)) ))
469	verified = false;
470	}
471	}
472	if (verified) {
473	*nbytes = crc_pos;
474	switch (DESFIRE (tag)->authentication_scheme) {
475	case AS_LEGACY:
476	((uint8_t )data)[(nbytes)++] = 0x00;
477	break;
478	case AS_NEW:
479	/* The status byte was already before the CRC */
480	break;
481	}
482	} else {
483	switch (DESFIRE (tag)->authentication_scheme) {
484	case AS_LEGACY:
485	break;
486	case AS_NEW:
487	x = ((uint8_t *)res)[crc_pos - 1];
488	((uint8_t )res)[crc_pos - 1] = ((uint8_t )res)[crc_pos];
489	((uint8_t *)res)[crc_pos] = x;
490	break;
491	}
492	crc_pos++;
493	}
494	} while (!verified && (end_crc_pos < *nbytes));
495
496	if (!verified) {
497	#ifdef WITH_DEBUG
498	/* FIXME In some configurations, the file is transmitted PLAIN */
499	Dbprintf("CRC not verified in decyphered stream");
500	#endif
501	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
502	*nbytes = -1;
503	res = NULL;
504	}
505
506	break;
507	default:
508	Dbprintf("Unknown communication settings");
509	*nbytes = -1;
510	res = NULL;
511	break;
512
513	}
514	return res;
515	}
516
517
518	void mifare_cypher_single_block (desfirekey_t key, uint8_t data, uint8_t ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size)
519	{
520	uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];
521
522	if (direction == MCD_SEND) {
523	xor (ivect, data, block_size);
524	} else {
525	memcpy (ovect, data, block_size);
526	}
527
528	uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];
529
530	switch (key->type) {
531	case T_DES:
532	switch (operation) {
533	case MCO_ENCYPHER:
534	//DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
535	des_enc(edata, data, key->data);
536	break;
537	case MCO_DECYPHER:
538	//DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
539	des_dec(edata, data, key->data);
540	break;
541	}
542	break;
543	case T_3DES:
544	switch (operation) {
545	case MCO_ENCYPHER:
546	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
547	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_DECRYPT);
548	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
549	tdes_enc(edata,data, key->data);
550	break;
551	case MCO_DECYPHER:
552	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
553	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_ENCRYPT);
554	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
555	tdes_dec(data, edata, key->data);
556	break;
557	}
558	break;
559	case T_3K3DES:
560	switch (operation) {
561	case MCO_ENCYPHER:
562	tdes_enc(edata,data, key->data);
563	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
564	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_DECRYPT);
565	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks3), DES_ENCRYPT);
566	break;
567	case MCO_DECYPHER:
568	tdes_dec(data, edata, key->data);
569	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks3), DES_DECRYPT);
570	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_ENCRYPT);
571	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
572	break;
573	}
574	break;
575	case T_AES:
576	switch (operation)
577	{
578	case MCO_ENCYPHER:
579	{
580	AesCtx ctx;
581	AesCtxIni(&ctx, ivect, key->data, KEY128,CBC);
582	AesEncrypt(&ctx, data, edata, sizeof(data) );
583	break;
584	}
585	case MCO_DECYPHER:
586	{
587	AesCtx ctx;
588	AesCtxIni(&ctx, ivect, key->data, KEY128,CBC);
589	AesDecrypt(&ctx, edata, data, sizeof(edata));
590	break;
591	}
592	}
593	break;
594	}
595
596	memcpy (data, edata, block_size);
597
598	if (direction == MCD_SEND) {
599	memcpy (ivect, data, block_size);
600	} else {
601	xor (ivect, data, block_size);
602	memcpy (ivect, ovect, block_size);
603	}
604	}
605
606	/*
607	* This function performs all CBC cyphering / deciphering.
608	*
609	* The tag argument may be NULL, in which case both key and ivect shall be set.
610	* When using the tag session_key and ivect for processing data, these
611	* arguments should be set to NULL.
612	*
613	* Because the tag may contain additional data, one may need to call this
614	* function with tag, key and ivect defined.
615	*/
616	void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t ivect, uint8_t data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
617	size_t block_size;
618
619	if (tag) {
620	if (!key)
621	key = DESFIRE (tag)->session_key;
622	if (!ivect)
623	ivect = DESFIRE (tag)->ivect;
624
625	switch (DESFIRE (tag)->authentication_scheme) {
626	case AS_LEGACY:
627	memset (ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
628	break;
629	case AS_NEW:
630	break;
631	}
632	}
633
634	block_size = key_block_size (key);
635
636	size_t offset = 0;
637	while (offset < data_size) {
638	mifare_cypher_single_block (key, data + offset, ivect, direction, operation, block_size);
639	offset += block_size;
640	}
641	}