| 1 | /***************************************************************************** |
| 2 | * WARNING |
| 3 | * |
| 4 | * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. |
| 5 | * |
| 6 | * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL |
| 7 | * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, |
| 8 | * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. |
| 9 | * |
| 10 | * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. |
| 11 | * |
| 12 | ***************************************************************************** |
| 13 | * |
| 14 | * This file is part of loclass. It is a reconstructon of the cipher engine |
| 15 | * used in iClass, and RFID techology. |
| 16 | * |
| 17 | * The implementation is based on the work performed by |
| 18 | * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and |
| 19 | * Milosch Meriac in the paper "Dismantling IClass". |
| 20 | * |
| 21 | * Copyright (C) 2014 Martin Holst Swende |
| 22 | * |
| 23 | * This is free software: you can redistribute it and/or modify |
| 24 | * it under the terms of the GNU General Public License version 2 as published |
| 25 | * by the Free Software Foundation. |
| 26 | * |
| 27 | * This file is distributed in the hope that it will be useful, |
| 28 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 29 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 30 | * GNU General Public License for more details. |
| 31 | * |
| 32 | * You should have received a copy of the GNU General Public License |
| 33 | * along with loclass. If not, see <http://www.gnu.org/licenses/>. |
| 34 | * |
| 35 | * |
| 36 | * |
| 37 | ****************************************************************************/ |
| 38 | |
| 39 | /** |
| 40 | |
| 41 | |
| 42 | From "Dismantling iclass": |
| 43 | This section describes in detail the built-in key diversification algorithm of iClass. |
| 44 | Besides the obvious purpose of deriving a card key from a master key, this |
| 45 | algorithm intends to circumvent weaknesses in the cipher by preventing the |
| 46 | usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass |
| 47 | reader first encrypts the card identity id with the master key K, using single |
| 48 | DES. The resulting ciphertext is then input to a function called hash0 which |
| 49 | outputs the diversified key k. |
| 50 | |
| 51 | k = hash0(DES enc (id, K)) |
| 52 | |
| 53 | Here the DES encryption of id with master key K outputs a cryptogram c |
| 54 | of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8 |
| 55 | which is used as input to the hash0 function. This function introduces some |
| 56 | obfuscation by performing a number of permutations, complement and modulo |
| 57 | operations, see Figure 2.5. Besides that, it checks for and removes patterns like |
| 58 | similar key bytes, which could produce a strong bias in the cipher. Finally, the |
| 59 | output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 . |
| 60 | |
| 61 | |
| 62 | **/ |
| 63 | |
| 64 | |
| 65 | #include <stdint.h> |
| 66 | #include <stdbool.h> |
| 67 | #include <string.h> |
| 68 | #include <stdio.h> |
| 69 | #include <inttypes.h> |
| 70 | #include "fileutils.h" |
| 71 | #include "cipherutils.h" |
| 72 | #include "des.h" |
| 73 | |
| 74 | uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78}; |
| 75 | |
| 76 | static des_context ctx_enc = {DES_ENCRYPT,{0}}; |
| 77 | static des_context ctx_dec = {DES_DECRYPT,{0}}; |
| 78 | |
| 79 | static int debug_print = 0; |
| 80 | |
| 81 | /** |
| 82 | * @brief The key diversification algorithm uses 6-bit bytes. |
| 83 | * This implementation uses 64 bit uint to pack seven of them into one |
| 84 | * variable. When they are there, they are placed as follows: |
| 85 | * XXXX XXXX N0 .... N7, occupying the lsat 48 bits. |
| 86 | * |
| 87 | * This function picks out one from such a collection |
| 88 | * @param all |
| 89 | * @param n bitnumber |
| 90 | * @return |
| 91 | */ |
| 92 | uint8_t getSixBitByte(uint64_t c, int n) |
| 93 | { |
| 94 | return (c >> (42-6*n)) & 0x3F; |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * @brief Puts back a six-bit 'byte' into a uint64_t. |
| 99 | * @param c buffer |
| 100 | * @param z the value to place there |
| 101 | * @param n bitnumber. |
| 102 | */ |
| 103 | void pushbackSixBitByte(uint64_t *c, uint8_t z, int n) |
| 104 | { |
| 105 | //0x XXXX YYYY ZZZZ ZZZZ ZZZZ |
| 106 | // ^z0 ^z7 |
| 107 | //z0: 1111 1100 0000 0000 |
| 108 | |
| 109 | uint64_t masked = z & 0x3F; |
| 110 | uint64_t eraser = 0x3F; |
| 111 | masked <<= 42-6*n; |
| 112 | eraser <<= 42-6*n; |
| 113 | |
| 114 | //masked <<= 6*n; |
| 115 | //eraser <<= 6*n; |
| 116 | |
| 117 | eraser = ~eraser; |
| 118 | (*c) &= eraser; |
| 119 | (*c) |= masked; |
| 120 | |
| 121 | } |
| 122 | /** |
| 123 | * @brief Swaps the z-values. |
| 124 | * If the input value has format XYZ0Z1...Z7, the output will have the format |
| 125 | * XYZ7Z6...Z0 instead |
| 126 | * @param c |
| 127 | * @return |
| 128 | */ |
| 129 | uint64_t swapZvalues(uint64_t c) |
| 130 | { |
| 131 | uint64_t newz = 0; |
| 132 | pushbackSixBitByte(&newz, getSixBitByte(c,0),7); |
| 133 | pushbackSixBitByte(&newz, getSixBitByte(c,1),6); |
| 134 | pushbackSixBitByte(&newz, getSixBitByte(c,2),5); |
| 135 | pushbackSixBitByte(&newz, getSixBitByte(c,3),4); |
| 136 | pushbackSixBitByte(&newz, getSixBitByte(c,4),3); |
| 137 | pushbackSixBitByte(&newz, getSixBitByte(c,5),2); |
| 138 | pushbackSixBitByte(&newz, getSixBitByte(c,6),1); |
| 139 | pushbackSixBitByte(&newz, getSixBitByte(c,7),0); |
| 140 | newz |= (c & 0xFFFF000000000000); |
| 141 | return newz; |
| 142 | } |
| 143 | |
| 144 | /** |
| 145 | * @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3 |
| 146 | */ |
| 147 | uint64_t ck(int i, int j, uint64_t z) |
| 148 | { |
| 149 | |
| 150 | if(i == 1 && j == -1) |
| 151 | { |
| 152 | // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] |
| 153 | return z; |
| 154 | |
| 155 | }else if( j == -1) |
| 156 | { |
| 157 | // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) |
| 158 | return ck(i-1,i-2, z); |
| 159 | } |
| 160 | |
| 161 | if(getSixBitByte(z,i) == getSixBitByte(z,j)) |
| 162 | { |
| 163 | |
| 164 | //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ) |
| 165 | uint64_t newz = 0; |
| 166 | int c; |
| 167 | for(c = 0; c < 4 ;c++) |
| 168 | { |
| 169 | uint8_t val = getSixBitByte(z,c); |
| 170 | if(c == i) |
| 171 | { |
| 172 | pushbackSixBitByte(&newz, j, c); |
| 173 | }else |
| 174 | { |
| 175 | pushbackSixBitByte(&newz, val, c); |
| 176 | } |
| 177 | } |
| 178 | return ck(i,j-1,newz); |
| 179 | }else |
| 180 | { |
| 181 | return ck(i,j-1,z); |
| 182 | } |
| 183 | } |
| 184 | /** |
| 185 | |
| 186 | Definition 8. |
| 187 | Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as |
| 188 | check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] ) |
| 189 | |
| 190 | where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as |
| 191 | |
| 192 | ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] |
| 193 | ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) |
| 194 | ck(i, j, z [0] . . . z [3] ) = |
| 195 | ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ; |
| 196 | ck(i, j − 1, z [0] . . . z [3] ), otherwise |
| 197 | |
| 198 | otherwise. |
| 199 | **/ |
| 200 | |
| 201 | uint64_t check(uint64_t z) |
| 202 | { |
| 203 | //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] |
| 204 | |
| 205 | // ck(3, 2, z [0] . . . z [3] ) |
| 206 | uint64_t ck1 = ck(3,2, z ); |
| 207 | |
| 208 | // ck(3, 2, z [4] . . . z [7] ) |
| 209 | uint64_t ck2 = ck(3,2, z << 24); |
| 210 | |
| 211 | //The ck function will place the values |
| 212 | // in the middle of z. |
| 213 | ck1 &= 0x00000000FFFFFF000000; |
| 214 | ck2 &= 0x00000000FFFFFF000000; |
| 215 | |
| 216 | return ck1 | ck2 >> 24; |
| 217 | |
| 218 | } |
| 219 | |
| 220 | void permute(BitstreamIn *p_in, uint64_t z,int l,int r, BitstreamOut* out) |
| 221 | { |
| 222 | if(bitsLeft(p_in) == 0) |
| 223 | { |
| 224 | return; |
| 225 | } |
| 226 | bool pn = tailBit(p_in); |
| 227 | if( pn ) // pn = 1 |
| 228 | { |
| 229 | uint8_t zl = getSixBitByte(z,l); |
| 230 | |
| 231 | push6bits(out, zl+1); |
| 232 | permute(p_in, z, l+1,r, out); |
| 233 | }else // otherwise |
| 234 | { |
| 235 | uint8_t zr = getSixBitByte(z,r); |
| 236 | |
| 237 | push6bits(out, zr); |
| 238 | permute(p_in,z,l,r+1,out); |
| 239 | } |
| 240 | } |
| 241 | void printbegin() |
| 242 | { |
| 243 | if(debug_print <2) |
| 244 | return ; |
| 245 | |
| 246 | prnlog(" | x| y|z0|z1|z2|z3|z4|z5|z6|z7|"); |
| 247 | } |
| 248 | |
| 249 | void printState(char* desc, uint64_t c) |
| 250 | { |
| 251 | if(debug_print < 2) |
| 252 | return ; |
| 253 | |
| 254 | printf("%s : ", desc); |
| 255 | uint8_t x = (c & 0xFF00000000000000 ) >> 56; |
| 256 | uint8_t y = (c & 0x00FF000000000000 ) >> 48; |
| 257 | printf(" %02x %02x", x,y); |
| 258 | int i ; |
| 259 | for(i =0 ; i < 8 ; i++) |
| 260 | { |
| 261 | printf(" %02x", getSixBitByte(c,i)); |
| 262 | } |
| 263 | printf("\n"); |
| 264 | } |
| 265 | |
| 266 | /** |
| 267 | * @brief |
| 268 | *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as |
| 269 | * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where |
| 270 | * z'[i] = (z[i] mod (63-i)) + i i = 0...3 |
| 271 | * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3 |
| 272 | * ẑ = check(z'); |
| 273 | * @param c |
| 274 | * @param k this is where the diversified key is put (should be 8 bytes) |
| 275 | * @return |
| 276 | */ |
| 277 | void hash0(uint64_t c, uint8_t k[8]) |
| 278 | { |
| 279 | c = swapZvalues(c); |
| 280 | |
| 281 | printbegin(); |
| 282 | printState("origin",c); |
| 283 | //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] |
| 284 | // x = 8 bits |
| 285 | // y = 8 bits |
| 286 | // z0-z7 6 bits each : 48 bits |
| 287 | uint8_t x = (c & 0xFF00000000000000 ) >> 56; |
| 288 | uint8_t y = (c & 0x00FF000000000000 ) >> 48; |
| 289 | int n; |
| 290 | uint8_t zn, zn4, _zn, _zn4; |
| 291 | uint64_t zP = 0; |
| 292 | |
| 293 | for(n = 0; n < 4 ; n++) |
| 294 | { |
| 295 | zn = getSixBitByte(c,n); |
| 296 | |
| 297 | zn4 = getSixBitByte(c,n+4); |
| 298 | |
| 299 | _zn = (zn % (63-n)) + n; |
| 300 | _zn4 = (zn4 % (64-n)) + n; |
| 301 | |
| 302 | |
| 303 | pushbackSixBitByte(&zP, _zn,n); |
| 304 | pushbackSixBitByte(&zP, _zn4,n+4); |
| 305 | |
| 306 | } |
| 307 | printState("0|0|z'",zP); |
| 308 | |
| 309 | uint64_t zCaret = check(zP); |
| 310 | printState("0|0|z^",zP); |
| 311 | |
| 312 | |
| 313 | uint8_t p = pi[x % 35]; |
| 314 | |
| 315 | if(x & 1) //Check if x7 is 1 |
| 316 | { |
| 317 | p = ~p; |
| 318 | } |
| 319 | |
| 320 | if(debug_print >= 2) prnlog("p:%02x", p); |
| 321 | |
| 322 | BitstreamIn p_in = { &p, 8,0 }; |
| 323 | uint8_t outbuffer[] = {0,0,0,0,0,0,0,0}; |
| 324 | BitstreamOut out = {outbuffer,0,0}; |
| 325 | permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes |
| 326 | |
| 327 | //Out is now a buffer containing six-bit bytes, should be 48 bits |
| 328 | // if all went well |
| 329 | //Shift z-values down onto the lower segment |
| 330 | |
| 331 | uint64_t zTilde = x_bytes_to_num(outbuffer,8); |
| 332 | |
| 333 | zTilde >>= 16; |
| 334 | |
| 335 | printState("0|0|z~", zTilde); |
| 336 | |
| 337 | int i; |
| 338 | int zerocounter =0 ; |
| 339 | for(i =0 ; i < 8 ; i++) |
| 340 | { |
| 341 | |
| 342 | // the key on index i is first a bit from y |
| 343 | // then six bits from z, |
| 344 | // then a bit from p |
| 345 | |
| 346 | // Init with zeroes |
| 347 | k[i] = 0; |
| 348 | // First, place yi leftmost in k |
| 349 | //k[i] |= (y << i) & 0x80 ; |
| 350 | |
| 351 | // First, place y(7-i) leftmost in k |
| 352 | k[i] |= (y << (7-i)) & 0x80 ; |
| 353 | |
| 354 | |
| 355 | |
| 356 | uint8_t zTilde_i = getSixBitByte(zTilde, i); |
| 357 | // zTildeI is now on the form 00XXXXXX |
| 358 | // with one leftshift, it'll be |
| 359 | // 0XXXXXX0 |
| 360 | // So after leftshift, we can OR it into k |
| 361 | // However, when doing complement, we need to |
| 362 | // again MASK 0XXXXXX0 (0x7E) |
| 363 | zTilde_i <<= 1; |
| 364 | |
| 365 | //Finally, add bit from p or p-mod |
| 366 | //Shift bit i into rightmost location (mask only after complement) |
| 367 | uint8_t p_i = p >> i & 0x1; |
| 368 | |
| 369 | if( k[i] )// yi = 1 |
| 370 | { |
| 371 | //printf("k[%d] +1\n", i); |
| 372 | k[i] |= ~zTilde_i & 0x7E; |
| 373 | k[i] |= p_i & 1; |
| 374 | k[i] += 1; |
| 375 | |
| 376 | }else // otherwise |
| 377 | { |
| 378 | k[i] |= zTilde_i & 0x7E; |
| 379 | k[i] |= (~p_i) & 1; |
| 380 | } |
| 381 | if((k[i] & 1 )== 0) |
| 382 | { |
| 383 | zerocounter ++; |
| 384 | } |
| 385 | } |
| 386 | } |
| 387 | /** |
| 388 | * @brief Performs Elite-class key diversification |
| 389 | * @param csn |
| 390 | * @param key |
| 391 | * @param div_key |
| 392 | */ |
| 393 | void diversifyKey(uint8_t csn[8], uint8_t key[8], uint8_t div_key[8]) |
| 394 | { |
| 395 | |
| 396 | // Prepare the DES key |
| 397 | des_setkey_enc( &ctx_enc, key); |
| 398 | |
| 399 | uint8_t crypted_csn[8] = {0}; |
| 400 | |
| 401 | // Calculate DES(CSN, KEY) |
| 402 | des_crypt_ecb(&ctx_enc,csn, crypted_csn); |
| 403 | |
| 404 | //Calculate HASH0(DES)) |
| 405 | uint64_t crypt_csn = x_bytes_to_num(crypted_csn, 8); |
| 406 | //uint64_t crypted_csn_swapped = swapZvalues(crypt_csn); |
| 407 | |
| 408 | hash0(crypt_csn,div_key); |
| 409 | } |
| 410 | |
| 411 | |
| 412 | |
| 413 | |
| 414 | |
| 415 | void testPermute() |
| 416 | { |
| 417 | |
| 418 | uint64_t x = 0; |
| 419 | pushbackSixBitByte(&x,0x00,0); |
| 420 | pushbackSixBitByte(&x,0x01,1); |
| 421 | pushbackSixBitByte(&x,0x02,2); |
| 422 | pushbackSixBitByte(&x,0x03,3); |
| 423 | pushbackSixBitByte(&x,0x04,4); |
| 424 | pushbackSixBitByte(&x,0x05,5); |
| 425 | pushbackSixBitByte(&x,0x06,6); |
| 426 | pushbackSixBitByte(&x,0x07,7); |
| 427 | |
| 428 | uint8_t mres[8] = { getSixBitByte(x, 0), |
| 429 | getSixBitByte(x, 1), |
| 430 | getSixBitByte(x, 2), |
| 431 | getSixBitByte(x, 3), |
| 432 | getSixBitByte(x, 4), |
| 433 | getSixBitByte(x, 5), |
| 434 | getSixBitByte(x, 6), |
| 435 | getSixBitByte(x, 7)}; |
| 436 | printarr("input_perm", mres,8); |
| 437 | |
| 438 | uint8_t p = ~pi[0]; |
| 439 | BitstreamIn p_in = { &p, 8,0 }; |
| 440 | uint8_t outbuffer[] = {0,0,0,0,0,0,0,0}; |
| 441 | BitstreamOut out = {outbuffer,0,0}; |
| 442 | |
| 443 | permute(&p_in, x,0,4, &out); |
| 444 | |
| 445 | uint64_t permuted = x_bytes_to_num(outbuffer,8); |
| 446 | //printf("zTilde 0x%"PRIX64"\n", zTilde); |
| 447 | permuted >>= 16; |
| 448 | |
| 449 | uint8_t res[8] = { getSixBitByte(permuted, 0), |
| 450 | getSixBitByte(permuted, 1), |
| 451 | getSixBitByte(permuted, 2), |
| 452 | getSixBitByte(permuted, 3), |
| 453 | getSixBitByte(permuted, 4), |
| 454 | getSixBitByte(permuted, 5), |
| 455 | getSixBitByte(permuted, 6), |
| 456 | getSixBitByte(permuted, 7)}; |
| 457 | printarr("permuted", res, 8); |
| 458 | } |
| 459 | |
| 460 | //These testcases are |
| 461 | //{ UID , TEMP_KEY, DIV_KEY} using the specific key |
| 462 | typedef struct |
| 463 | { |
| 464 | uint8_t uid[8]; |
| 465 | uint8_t t_key[8]; |
| 466 | uint8_t div_key[8]; |
| 467 | } Testcase; |
| 468 | |
| 469 | |
| 470 | int testDES(Testcase testcase, des_context ctx_enc, des_context ctx_dec) |
| 471 | { |
| 472 | uint8_t des_encrypted_csn[8] = {0}; |
| 473 | uint8_t decrypted[8] = {0}; |
| 474 | uint8_t div_key[8] = {0}; |
| 475 | int retval = des_crypt_ecb(&ctx_enc,testcase.uid,des_encrypted_csn); |
| 476 | retval |= des_crypt_ecb(&ctx_dec,des_encrypted_csn,decrypted); |
| 477 | |
| 478 | if(memcmp(testcase.uid,decrypted,8) != 0) |
| 479 | { |
| 480 | //Decryption fail |
| 481 | prnlog("Encryption <-> Decryption FAIL"); |
| 482 | printarr("Input", testcase.uid, 8); |
| 483 | printarr("Decrypted", decrypted, 8); |
| 484 | retval = 1; |
| 485 | } |
| 486 | |
| 487 | if(memcmp(des_encrypted_csn,testcase.t_key,8) != 0) |
| 488 | { |
| 489 | //Encryption fail |
| 490 | prnlog("Encryption != Expected result"); |
| 491 | printarr("Output", des_encrypted_csn, 8); |
| 492 | printarr("Expected", testcase.t_key, 8); |
| 493 | retval = 1; |
| 494 | } |
| 495 | uint64_t crypted_csn = x_bytes_to_num(des_encrypted_csn,8); |
| 496 | hash0(crypted_csn, div_key); |
| 497 | |
| 498 | if(memcmp(div_key, testcase.div_key ,8) != 0) |
| 499 | { |
| 500 | //Key diversification fail |
| 501 | prnlog("Div key != expected result"); |
| 502 | printarr(" csn ", testcase.uid,8); |
| 503 | printarr("{csn} ", des_encrypted_csn,8); |
| 504 | printarr("hash0 ", div_key, 8); |
| 505 | printarr("Expected", testcase.div_key, 8); |
| 506 | retval = 1; |
| 507 | |
| 508 | } |
| 509 | return retval; |
| 510 | } |
| 511 | bool des_getParityBitFromKey(uint8_t key) |
| 512 | {//The top 7 bits is used |
| 513 | bool parity = ((key & 0x80) >> 7) |
| 514 | ^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5) |
| 515 | ^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3) |
| 516 | ^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1); |
| 517 | return !parity; |
| 518 | } |
| 519 | |
| 520 | |
| 521 | void des_checkParity(uint8_t* key) |
| 522 | { |
| 523 | int i; |
| 524 | int fails =0; |
| 525 | for(i =0 ; i < 8 ; i++) |
| 526 | { |
| 527 | bool parity = des_getParityBitFromKey(key[i]); |
| 528 | if(parity != (key[i] & 0x1)) |
| 529 | { |
| 530 | fails++; |
| 531 | prnlog("[+] parity1 fail, byte %d [%02x] was %d, should be %d",i,key[i],(key[i] & 0x1),parity); |
| 532 | } |
| 533 | } |
| 534 | if(fails) |
| 535 | { |
| 536 | prnlog("[+] parity fails: %d", fails); |
| 537 | }else |
| 538 | { |
| 539 | prnlog("[+] Key syntax is with parity bits inside each byte"); |
| 540 | } |
| 541 | } |
| 542 | |
| 543 | Testcase testcases[] ={ |
| 544 | |
| 545 | {{0x8B,0xAC,0x60,0x1F,0x53,0xB8,0xED,0x11},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 546 | {{0xAE,0x51,0xE5,0x62,0xE7,0x9A,0x99,0x39},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},{0x04,0x02,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 547 | {{0x9B,0x21,0xE4,0x31,0x6A,0x00,0x29,0x62},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02},{0x06,0x04,0x02,0x08,0x01,0x03,0x05,0x07}}, |
| 548 | {{0x65,0x24,0x0C,0x41,0x4F,0xC2,0x21,0x93},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04},{0x0A,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 549 | {{0x7F,0xEB,0xAE,0x93,0xE5,0x30,0x08,0xBD},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08},{0x12,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 550 | {{0x49,0x7B,0x70,0x74,0x9B,0x35,0x1B,0x83},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10},{0x22,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 551 | {{0x02,0x3C,0x15,0x6B,0xED,0xA5,0x64,0x6C},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20},{0x42,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 552 | {{0xE8,0x37,0xE0,0xE2,0xC6,0x45,0x24,0xF3},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40},{0x02,0x06,0x04,0x08,0x01,0x03,0x05,0x07}}, |
| 553 | {{0xAB,0xBD,0x30,0x05,0x29,0xC8,0xF7,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},{0x02,0x08,0x06,0x04,0x01,0x03,0x05,0x07}}, |
| 554 | {{0x17,0xE8,0x97,0xF0,0x99,0xB6,0x79,0x31},{0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00},{0x02,0x0C,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 555 | {{0x49,0xA4,0xF0,0x8F,0x5F,0x96,0x83,0x16},{0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00},{0x02,0x14,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 556 | {{0x60,0xF5,0x7E,0x54,0xAA,0x41,0x83,0xD4},{0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00},{0x02,0x24,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 557 | {{0x1D,0xF6,0x3B,0x6B,0x85,0x55,0xF0,0x4B},{0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00},{0x02,0x44,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 558 | {{0x1F,0xDC,0x95,0x1A,0xEA,0x6B,0x4B,0xB4},{0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00},{0x02,0x04,0x08,0x06,0x01,0x03,0x05,0x07}}, |
| 559 | {{0xEC,0x93,0x72,0xF0,0x3B,0xA9,0xF5,0x0B},{0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00},{0x02,0x04,0x0A,0x08,0x01,0x03,0x05,0x07}}, |
| 560 | {{0xDE,0x57,0x5C,0xBE,0x2D,0x55,0x03,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00},{0x02,0x04,0x0E,0x08,0x01,0x03,0x05,0x07}}, |
| 561 | {{0x1E,0xD2,0xB5,0xCE,0x90,0xC9,0xC1,0xCC},{0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00},{0x02,0x04,0x16,0x08,0x01,0x03,0x05,0x07}}, |
| 562 | {{0xD8,0x65,0x96,0x4E,0xE7,0x74,0x99,0xB8},{0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00},{0x02,0x04,0x26,0x08,0x01,0x03,0x05,0x07}}, |
| 563 | {{0xE3,0x7A,0x29,0x83,0x31,0xD5,0x3A,0x54},{0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00},{0x02,0x04,0x46,0x08,0x01,0x03,0x05,0x07}}, |
| 564 | {{0x3A,0xB5,0x1A,0x34,0x34,0x25,0x12,0xF0},{0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00},{0x02,0x04,0x06,0x0A,0x01,0x03,0x05,0x07}}, |
| 565 | {{0xF2,0x88,0xEE,0x6F,0x70,0x6F,0xC2,0x52},{0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00},{0x02,0x04,0x06,0x0C,0x01,0x03,0x05,0x07}}, |
| 566 | {{0x76,0xEF,0xEB,0x80,0x52,0x43,0x83,0x57},{0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00},{0x02,0x04,0x06,0x10,0x01,0x03,0x05,0x07}}, |
| 567 | {{0x1C,0x09,0x8E,0x3B,0x23,0x23,0x52,0xB5},{0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00},{0x02,0x04,0x06,0x18,0x01,0x03,0x05,0x07}}, |
| 568 | {{0xA9,0x13,0xA2,0xBE,0xCF,0x1A,0xC4,0x9A},{0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00},{0x02,0x04,0x06,0x28,0x01,0x03,0x05,0x07}}, |
| 569 | {{0x25,0x56,0x4B,0xB0,0xC8,0x2A,0xD4,0x27},{0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00},{0x02,0x04,0x06,0x48,0x01,0x03,0x05,0x07}}, |
| 570 | {{0xB1,0x04,0x57,0x3F,0xA7,0x16,0x62,0xD4},{0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x03,0x01,0x05,0x07}}, |
| 571 | {{0x45,0x46,0xED,0xCC,0xE7,0xD3,0x8E,0xA3},{0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x05,0x03,0x01,0x07}}, |
| 572 | {{0x22,0x6D,0xB5,0x35,0xE0,0x5A,0xE0,0x90},{0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x09,0x03,0x05,0x07}}, |
| 573 | {{0xB8,0xF5,0xE5,0x44,0xC5,0x98,0x4A,0xBD},{0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x11,0x03,0x05,0x07}}, |
| 574 | {{0xAC,0x78,0x0A,0x23,0x9E,0xF6,0xBC,0xA0},{0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x21,0x03,0x05,0x07}}, |
| 575 | {{0x46,0x6B,0x2D,0x70,0x41,0x17,0xBF,0x3D},{0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x41,0x03,0x05,0x07}}, |
| 576 | {{0x64,0x44,0x24,0x71,0xA2,0x56,0xDF,0xB5},{0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x05,0x03,0x07}}, |
| 577 | {{0xC4,0x00,0x52,0x24,0xA2,0xD6,0x16,0x7A},{0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x07,0x05,0x03}}, |
| 578 | {{0xD8,0x4A,0x80,0x1E,0x95,0x5B,0x70,0xC4},{0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x0B,0x05,0x07}}, |
| 579 | {{0x08,0x56,0x6E,0xB5,0x64,0xD6,0x47,0x4E},{0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x13,0x05,0x07}}, |
| 580 | {{0x41,0x6F,0xBA,0xA4,0xEB,0xAE,0xA0,0x55},{0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x23,0x05,0x07}}, |
| 581 | {{0x62,0x9D,0xDE,0x72,0x84,0x4A,0x53,0xD5},{0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x43,0x05,0x07}}, |
| 582 | {{0x39,0xD3,0x2B,0x66,0xB8,0x08,0x40,0x2E},{0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x07,0x05}}, |
| 583 | {{0xAF,0x67,0xA9,0x18,0x57,0x21,0xAF,0x8D},{0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x09,0x07}}, |
| 584 | {{0x34,0xBC,0x9D,0xBC,0xC4,0xC2,0x3B,0xC8},{0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x0D,0x07}}, |
| 585 | {{0xB6,0x50,0xF9,0x81,0xF6,0xBF,0x90,0x3C},{0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x15,0x07}}, |
| 586 | {{0x71,0x41,0x93,0xA1,0x59,0x81,0xA5,0x52},{0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x25,0x07}}, |
| 587 | {{0x6B,0x00,0xBD,0x74,0x1C,0x3C,0xE0,0x1A},{0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x45,0x07}}, |
| 588 | {{0x76,0xFD,0x0B,0xD0,0x41,0xD2,0x82,0x5D},{0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x09}}, |
| 589 | {{0xC6,0x3A,0x1C,0x25,0x63,0x5A,0x2F,0x0E},{0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0B}}, |
| 590 | {{0xD9,0x0E,0xD7,0x30,0xE2,0xAD,0xA9,0x87},{0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0F}}, |
| 591 | {{0x6B,0x81,0xC6,0xD1,0x05,0x09,0x87,0x1E},{0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x17}}, |
| 592 | {{0xB4,0xA7,0x1E,0x02,0x54,0x37,0x43,0x35},{0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x27}}, |
| 593 | {{0x45,0x14,0x7C,0x7F,0xE0,0xDE,0x09,0x65},{0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x47}}, |
| 594 | {{0x78,0xB0,0xF5,0x20,0x8B,0x7D,0xF3,0xDD},{0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00},{0xFE,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 595 | {{0x88,0xB3,0x3C,0xE1,0xF7,0x87,0x42,0xA1},{0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0xFC,0x06,0x08,0x01,0x03,0x05,0x07}}, |
| 596 | {{0x11,0x2F,0xB2,0xF7,0xE2,0xB2,0x4F,0x6E},{0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0xFA,0x08,0x01,0x03,0x05,0x07}}, |
| 597 | {{0x25,0x56,0x4E,0xC6,0xEB,0x2D,0x74,0x5B},{0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0xF8,0x01,0x03,0x05,0x07}}, |
| 598 | {{0x7E,0x98,0x37,0xF9,0x80,0x8F,0x09,0x82},{0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0xFF,0x03,0x05,0x07}}, |
| 599 | {{0xF9,0xB5,0x62,0x3B,0xD8,0x7B,0x3C,0x3F},{0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0xFD,0x05,0x07}}, |
| 600 | {{0x29,0xC5,0x2B,0xFA,0xD1,0xFC,0x5C,0xC7},{0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0xFB,0x07}}, |
| 601 | {{0xC1,0xA3,0x09,0x71,0xBD,0x8E,0xAF,0x2F},{0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0xF9}}, |
| 602 | {{0xB6,0xDD,0xD1,0xAD,0xAA,0x15,0x6F,0x29},{0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x03,0x05,0x02,0x07,0x04,0x06,0x08}}, |
| 603 | {{0x65,0x34,0x03,0x19,0x17,0xB3,0xA3,0x96},{0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x08,0x03,0x05,0x07}}, |
| 604 | {{0xF9,0x38,0x43,0x56,0x52,0xE5,0xB1,0xA9},{0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x08,0x03,0x05,0x07}}, |
| 605 | |
| 606 | {{0xA4,0xA0,0xAF,0xDA,0x48,0xB0,0xA1,0x10},{0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x03,0x08,0x05,0x07}}, |
| 607 | {{0x55,0x15,0x8A,0x0D,0x48,0x29,0x01,0xD8},{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x03,0x05,0x08,0x07}}, |
| 608 | {{0xC4,0x81,0x96,0x7D,0xA3,0xB7,0x73,0x50},{0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x05,0x04,0x06,0x08,0x07}}, |
| 609 | {{0x36,0x73,0xDF,0xC1,0x1B,0x98,0xA8,0x1D},{0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x05,0x06,0x08,0x07}}, |
| 610 | {{0xCE,0xE0,0xB3,0x1B,0x41,0xEB,0x15,0x12},{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x06,0x05,0x08,0x07}}, |
| 611 | {{0},{0},{0}} |
| 612 | }; |
| 613 | |
| 614 | |
| 615 | int testKeyDiversificationWithMasterkeyTestcases() |
| 616 | { |
| 617 | |
| 618 | int error = 0; |
| 619 | int i; |
| 620 | |
| 621 | uint8_t empty[8]={0}; |
| 622 | prnlog("[+} Testing encryption/decryption"); |
| 623 | |
| 624 | for (i = 0; memcmp(testcases+i,empty,8) ; i++) { |
| 625 | error += testDES(testcases[i],ctx_enc, ctx_dec); |
| 626 | } |
| 627 | if(error) |
| 628 | { |
| 629 | prnlog("[+] %d errors occurred (%d testcases)", error, i); |
| 630 | }else |
| 631 | { |
| 632 | prnlog("[+] Hashing seems to work (%d testcases)", i); |
| 633 | } |
| 634 | return error; |
| 635 | } |
| 636 | |
| 637 | |
| 638 | void print64bits(char*name, uint64_t val) |
| 639 | { |
| 640 | printf("%s%08x%08x\n",name,(uint32_t) (val >> 32) ,(uint32_t) (val & 0xFFFFFFFF)); |
| 641 | } |
| 642 | |
| 643 | uint64_t testCryptedCSN(uint64_t crypted_csn, uint64_t expected) |
| 644 | { |
| 645 | int retval = 0; |
| 646 | uint8_t result[8] = {0}; |
| 647 | if(debug_print) prnlog("debug_print %d", debug_print); |
| 648 | if(debug_print) print64bits(" {csn} ", crypted_csn ); |
| 649 | |
| 650 | uint64_t crypted_csn_swapped = swapZvalues(crypted_csn); |
| 651 | |
| 652 | if(debug_print) print64bits(" {csn-revz} ", crypted_csn_swapped); |
| 653 | |
| 654 | hash0(crypted_csn, result); |
| 655 | uint64_t resultbyte = x_bytes_to_num(result,8 ); |
| 656 | if(debug_print) print64bits(" hash0 " , resultbyte ); |
| 657 | |
| 658 | if(resultbyte != expected ) |
| 659 | { |
| 660 | |
| 661 | if(debug_print) { |
| 662 | prnlog("\n[+] FAIL!"); |
| 663 | print64bits(" expected " , expected ); |
| 664 | } |
| 665 | retval = 1; |
| 666 | |
| 667 | }else |
| 668 | { |
| 669 | if(debug_print) prnlog(" [OK]"); |
| 670 | } |
| 671 | return retval; |
| 672 | } |
| 673 | |
| 674 | int testDES2(uint64_t csn, uint64_t expected) |
| 675 | { |
| 676 | uint8_t result[8] = {0}; |
| 677 | uint8_t input[8] = {0}; |
| 678 | |
| 679 | print64bits(" csn ", csn); |
| 680 | x_num_to_bytes(csn, 8,input); |
| 681 | |
| 682 | des_crypt_ecb(&ctx_enc,input, result); |
| 683 | |
| 684 | uint64_t crypt_csn = x_bytes_to_num(result, 8); |
| 685 | print64bits(" {csn} ", crypt_csn ); |
| 686 | print64bits(" expected ", expected ); |
| 687 | |
| 688 | if( expected == crypt_csn ) |
| 689 | { |
| 690 | prnlog("[+] OK"); |
| 691 | return 0; |
| 692 | }else |
| 693 | { |
| 694 | return 1; |
| 695 | } |
| 696 | } |
| 697 | |
| 698 | /** |
| 699 | * These testcases come from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977 |
| 700 | * @brief doTestsWithKnownInputs |
| 701 | * @return |
| 702 | */ |
| 703 | int doTestsWithKnownInputs() |
| 704 | { |
| 705 | |
| 706 | // KSel from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977 |
| 707 | int errors = 0; |
| 708 | prnlog("[+] Testing DES encryption"); |
| 709 | // uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf}; |
| 710 | prnlog("[+] Testing foo"); |
| 711 | uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf}; |
| 712 | |
| 713 | des_setkey_enc( &ctx_enc, key); |
| 714 | testDES2(0xbbbbaaaabbbbeeee,0xd6ad3ca619659e6b); |
| 715 | |
| 716 | prnlog("[+] Testing hashing algorithm"); |
| 717 | |
| 718 | errors += testCryptedCSN(0x0102030405060708,0x0bdd6512073c460a); |
| 719 | errors += testCryptedCSN(0x1020304050607080,0x0208211405f3381f); |
| 720 | errors += testCryptedCSN(0x1122334455667788,0x2bee256d40ac1f3a); |
| 721 | errors += testCryptedCSN(0xabcdabcdabcdabcd,0xa91c9ec66f7da592); |
| 722 | errors += testCryptedCSN(0xbcdabcdabcdabcda,0x79ca5796a474e19b); |
| 723 | errors += testCryptedCSN(0xcdabcdabcdabcdab,0xa8901b9f7ec76da4); |
| 724 | errors += testCryptedCSN(0xdabcdabcdabcdabc,0x357aa8e0979a5b8d); |
| 725 | errors += testCryptedCSN(0x21ba6565071f9299,0x34e80f88d5cf39ea); |
| 726 | errors += testCryptedCSN(0x14e2adfc5bb7e134,0x6ac90c6508bd9ea3); |
| 727 | |
| 728 | if(errors) |
| 729 | { |
| 730 | prnlog("[+] %d errors occurred (9 testcases)", errors); |
| 731 | }else |
| 732 | { |
| 733 | prnlog("[+] Hashing seems to work (9 testcases)" ); |
| 734 | } |
| 735 | return errors; |
| 736 | } |
| 737 | |
| 738 | int readKeyFile(uint8_t key[8]) |
| 739 | { |
| 740 | FILE *f; |
| 741 | int retval = 1; |
| 742 | f = fopen("iclass_key.bin", "rb"); |
| 743 | if (f) |
| 744 | { |
| 745 | if(fread(key, sizeof(uint8_t), 8, f) == 1) |
| 746 | { |
| 747 | retval = 0; |
| 748 | } |
| 749 | fclose(f); |
| 750 | } |
| 751 | return retval; |
| 752 | } |
| 753 | |
| 754 | |
| 755 | int doKeyTests(uint8_t debuglevel) |
| 756 | { |
| 757 | debug_print = debuglevel; |
| 758 | |
| 759 | prnlog("[+] Checking if the master key is present (iclass_key.bin)..."); |
| 760 | uint8_t key[8] = {0}; |
| 761 | if(readKeyFile(key)) |
| 762 | { |
| 763 | prnlog("[+] Master key not present, will not be able to do all testcases"); |
| 764 | }else |
| 765 | { |
| 766 | |
| 767 | //Test if it's the right key... |
| 768 | uint8_t i; |
| 769 | uint8_t j = 0; |
| 770 | for(i =0 ; i < sizeof(key) ; i++) |
| 771 | j += key[i]; |
| 772 | |
| 773 | if(j != 185) |
| 774 | { |
| 775 | prnlog("[+] A key was loaded, but it does not seem to be the correct one. Aborting these tests"); |
| 776 | }else |
| 777 | { |
| 778 | prnlog("[+] Key present"); |
| 779 | |
| 780 | prnlog("[+] Checking key parity..."); |
| 781 | des_checkParity(key); |
| 782 | des_setkey_enc( &ctx_enc, key); |
| 783 | des_setkey_dec( &ctx_dec, key); |
| 784 | // Test hashing functions |
| 785 | prnlog("[+] The following tests require the correct 8-byte master key"); |
| 786 | testKeyDiversificationWithMasterkeyTestcases(); |
| 787 | } |
| 788 | } |
| 789 | prnlog("[+] Testing key diversification with non-sensitive keys..."); |
| 790 | doTestsWithKnownInputs(); |
| 791 | return 0; |
| 792 | } |
| 793 | |
| 794 | /** |
| 795 | |
| 796 | void checkParity2(uint8_t* key) |
| 797 | { |
| 798 | |
| 799 | uint8_t stored_parity = key[7]; |
| 800 | printf("Parity byte: 0x%02x\n", stored_parity); |
| 801 | int i; |
| 802 | int byte; |
| 803 | int fails =0; |
| 804 | BitstreamIn bits = {key, 56, 0}; |
| 805 | |
| 806 | bool parity = 0; |
| 807 | |
| 808 | for(i =0 ; i < 56; i++) |
| 809 | { |
| 810 | |
| 811 | if ( i > 0 && i % 7 == 0) |
| 812 | { |
| 813 | parity = !parity; |
| 814 | bool pbit = stored_parity & (0x80 >> (byte)); |
| 815 | if(parity != pbit) |
| 816 | { |
| 817 | printf("parity2 fail byte %d, should be %d, was %d\n", (i / 7), parity, pbit); |
| 818 | fails++; |
| 819 | } |
| 820 | parity =0 ; |
| 821 | byte = i / 7; |
| 822 | } |
| 823 | parity = parity ^ headBit(&bits); |
| 824 | } |
| 825 | if(fails) |
| 826 | { |
| 827 | printf("parity2 fails: %d\n", fails); |
| 828 | }else |
| 829 | { |
| 830 | printf("Key syntax is with parity bits grouped in the last byte!\n"); |
| 831 | } |
| 832 | } |
| 833 | void modifyKey_put_parity_last(uint8_t * key, uint8_t* output) |
| 834 | { |
| 835 | uint8_t paritybits = 0; |
| 836 | bool parity =0; |
| 837 | BitstreamOut out = { output, 0,0}; |
| 838 | unsigned int bbyte, bbit; |
| 839 | for(bbyte=0; bbyte <8 ; bbyte++ ) |
| 840 | { |
| 841 | for(bbit =0 ; bbit< 7 ; bbit++) |
| 842 | { |
| 843 | bool bit = *(key+bbyte) & (1 << (7-bbit)); |
| 844 | pushBit(&out,bit); |
| 845 | parity ^= bit; |
| 846 | } |
| 847 | bool paritybit = *(key+bbyte) & 1; |
| 848 | paritybits |= paritybit << (7-bbyte); |
| 849 | parity = 0; |
| 850 | |
| 851 | } |
| 852 | output[7] = paritybits; |
| 853 | printf("Parity byte: %02x\n", paritybits); |
| 854 | } |
| 855 | |
| 856 | * @brief Modifies a key with parity bits last, so that it is formed with parity |
| 857 | * bits inside each byte |
| 858 | * @param key |
| 859 | * @param output |
| 860 | |
| 861 | void modifyKey_put_parity_allover(uint8_t * key, uint8_t* output) |
| 862 | { |
| 863 | bool parity =0; |
| 864 | BitstreamOut out = { output, 0,0}; |
| 865 | BitstreamIn in = {key, 0,0}; |
| 866 | unsigned int bbyte, bbit; |
| 867 | for(bbit =0 ; bbit < 56 ; bbit++) |
| 868 | { |
| 869 | |
| 870 | if( bbit > 0 && bbit % 7 == 0) |
| 871 | { |
| 872 | pushBit(&out,!parity); |
| 873 | parity = 0; |
| 874 | } |
| 875 | bool bit = headBit(&in); |
| 876 | pushBit(&out,bit ); |
| 877 | parity ^= bit; |
| 878 | |
| 879 | } |
| 880 | pushBit(&out, !parity); |
| 881 | |
| 882 | |
| 883 | if( des_key_check_key_parity(output)) |
| 884 | { |
| 885 | printf("modifyKey_put_parity_allover fail, DES key invalid parity!"); |
| 886 | } |
| 887 | |
| 888 | } |
| 889 | |
| 890 | */ |
| 891 | |
| 892 | |