git.zerfleddert.de Git - proxmark3-svn/blame_incremental

... / ...

Commit	Line	Data
	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2018 Merlok
	3	// Copyright (C) 2018 drHatson
	4	//
	5	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	6	// at your option, any later version. See the LICENSE.txt file for the text of
	7	// the license.
	8	//-----------------------------------------------------------------------------
	9	// crypto commands
	10	//-----------------------------------------------------------------------------
	11
	12	#include "crypto/libpcrypto.h"
	13	#include <stdlib.h>
	14	#include <unistd.h>
	15	#include <string.h>
	16	#include <mbedtls/asn1.h>
	17	#include <mbedtls/aes.h>
	18	#include <mbedtls/cmac.h>
	19	#include <mbedtls/pk.h>
	20	#include <mbedtls/ecdsa.h>
	21	#include <mbedtls/sha256.h>
	22	#include <mbedtls/sha512.h>
	23	#include <mbedtls/ctr_drbg.h>
	24	#include <mbedtls/entropy.h>
	25	#include <mbedtls/error.h>
	26	#include <crypto/asn1utils.h>
	27	#include <util.h>
	28
	29
	30	// NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
	31	int aes_encode(uint8_t iv, uint8_t key, uint8_t input, uint8_t output, int length){
	32	uint8_t iiv[16] = {0};
	33	if (iv)
	34	memcpy(iiv, iv, 16);
	35
	36	mbedtls_aes_context aes;
	37	mbedtls_aes_init(&aes);
	38	if (mbedtls_aes_setkey_enc(&aes, key, 128))
	39	return 1;
	40	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, length, iiv, input, output))
	41	return 2;
	42	mbedtls_aes_free(&aes);
	43
	44	return 0;
	45	}
	46
	47
	48	int aes_decode(uint8_t iv, uint8_t key, uint8_t input, uint8_t output, int length){
	49	uint8_t iiv[16] = {0};
	50	if (iv)
	51	memcpy(iiv, iv, 16);
	52
	53	mbedtls_aes_context aes;
	54	mbedtls_aes_init(&aes);
	55	if (mbedtls_aes_setkey_dec(&aes, key, 128))
	56	return 1;
	57	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, length, iiv, input, output))
	58	return 2;
	59	mbedtls_aes_free(&aes);
	60
	61	return 0;
	62	}
	63
	64
	65	// NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
	66	// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
	67	int aes_cmac(uint8_t iv, uint8_t key, uint8_t input, uint8_t mac, int length) {
	68	memset(mac, 0x00, 16);
	69
	70	// NIST 800-38B
	71	return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac);
	72	}
	73
	74
	75	int aes_cmac8(uint8_t iv, uint8_t key, uint8_t input, uint8_t mac, int length) {
	76	uint8_t cmac[16] = {0};
	77	memset(mac, 0x00, 8);
	78
	79	int res = aes_cmac(iv, key, input, cmac, length);
	80	if (res)
	81	return res;
	82
	83	for(int i = 0; i < 8; i++)
	84	mac[i] = cmac[i * 2 + 1];
	85
	86	return 0;
	87	}
	88
	89
	90	static uint8_t fixed_rand_value[250] = {0};
	91
	92	static int fixed_rand(void rng_state, unsigned char output, size_t len) {
	93	if (len <= 250) {
	94	memcpy(output, fixed_rand_value, len);
	95	} else {
	96	memset(output, 0x00, len);
	97	}
	98
	99	return 0;
	100	}
	101
	102
	103	int sha256hash(uint8_t input, int length, uint8_t hash) {
	104	if (!hash \|\| !input)
	105	return 1;
	106
	107	mbedtls_sha256_context sctx;
	108	mbedtls_sha256_init(&sctx);
	109	mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224
	110	mbedtls_sha256_update(&sctx, input, length);
	111	mbedtls_sha256_finish(&sctx, hash);
	112	mbedtls_sha256_free(&sctx);
	113
	114	return 0;
	115	}
	116
	117
	118	int sha512hash(uint8_t input, int length, uint8_t hash) {
	119	if (!hash \|\| !input)
	120	return 1;
	121
	122	mbedtls_sha512_context sctx;
	123	mbedtls_sha512_init(&sctx);
	124	mbedtls_sha512_starts(&sctx, 0); //SHA-512, not 384
	125	mbedtls_sha512_update(&sctx, input, length);
	126	mbedtls_sha512_finish(&sctx, hash);
	127	mbedtls_sha512_free(&sctx);
	128
	129	return 0;
	130	}
	131
	132
	133	int ecdsa_init_str(mbedtls_ecdsa_context ctx, mbedtls_ecp_group_id curveID, char key_d, char key_x, char key_y) {
	134	if (!ctx)
	135	return 1;
	136
	137	int res;
	138
	139	mbedtls_ecdsa_init(ctx);
	140	res = mbedtls_ecp_group_load(&ctx->grp, curveID);
	141	if (res)
	142	return res;
	143
	144	if (key_d) {
	145	res = mbedtls_mpi_read_string(&ctx->d, 16, key_d);
	146	if (res)
	147	return res;
	148	}
	149
	150	if (key_x && key_y) {
	151	res = mbedtls_ecp_point_read_string(&ctx->Q, 16, key_x, key_y);
	152	if (res)
	153	return res;
	154	}
	155
	156	return 0;
	157	}
	158
	159
	160	int ecdsa_init(mbedtls_ecdsa_context ctx, mbedtls_ecp_group_id curveID, uint8_t key_d, uint8_t *key_xy) {
	161	if (!ctx)
	162	return 1;
	163
	164	int res;
	165
	166	mbedtls_ecdsa_init(ctx);
	167	res = mbedtls_ecp_group_load(&ctx->grp, curveID);
	168	if (res)
	169	return res;
	170
	171	size_t keylen = (ctx->grp.nbits + 7 ) / 8;
	172	if (key_d) {
	173	res = mbedtls_mpi_read_binary(&ctx->d, key_d, keylen);
	174	if (res)
	175	return res;
	176	}
	177
	178	if (key_xy) {
	179	res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, keylen * 2 + 1);
	180	if (res)
	181	return res;
	182	}
	183
	184	return 0;
	185	}
	186
	187
	188	int ecdsa_key_create(mbedtls_ecp_group_id curveID, uint8_t key_d, uint8_t key_xy) {
	189	int res;
	190	mbedtls_ecdsa_context ctx;
	191	ecdsa_init(&ctx, curveID, NULL, NULL);
	192
	193
	194	mbedtls_entropy_context entropy;
	195	mbedtls_ctr_drbg_context ctr_drbg;
	196	const char *pers = "ecdsaproxmark";
	197
	198	mbedtls_entropy_init(&entropy);
	199	mbedtls_ctr_drbg_init(&ctr_drbg);
	200
	201	res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
	202	if (res)
	203	goto exit;
	204
	205	res = mbedtls_ecdsa_genkey(&ctx, curveID, mbedtls_ctr_drbg_random, &ctr_drbg);
	206	if (res)
	207	goto exit;
	208
	209	size_t keylen = (ctx.grp.nbits + 7) / 8;
	210	res = mbedtls_mpi_write_binary(&ctx.d, key_d, keylen);
	211	if (res)
	212	goto exit;
	213
	214	size_t public_keylen = 0;
	215	uint8_t public_key[200] = {0};
	216	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &public_keylen, public_key, sizeof(public_key));
	217	if (res)
	218	goto exit;
	219
	220	if (public_keylen != 1 + 2 * keylen) { // 0x04 <key x><key y>
	221	res = 1;
	222	goto exit;
	223	}
	224	memcpy(key_xy, public_key, public_keylen);
	225
	226	exit:
	227	mbedtls_entropy_free(&entropy);
	228	mbedtls_ctr_drbg_free(&ctr_drbg);
	229	mbedtls_ecdsa_free(&ctx);
	230	return res;
	231	}
	232
	233
	234	char *ecdsa_get_error(int ret) {
	235	static char retstr[300];
	236	memset(retstr, 0x00, sizeof(retstr));
	237	mbedtls_strerror(ret, retstr, sizeof(retstr));
	238	return retstr;
	239	}
	240
	241
	242	int ecdsa_public_key_from_pk(mbedtls_pk_context pk, mbedtls_ecp_group_id curveID, uint8_t key, size_t keylen) {
	243	int res = 0;
	244	size_t realkeylen = 0;
	245
	246	mbedtls_ecdsa_context ctx;
	247	mbedtls_ecdsa_init(&ctx);
	248
	249	res = mbedtls_ecp_group_load(&ctx.grp, curveID);
	250	if (res)
	251	goto exit;
	252
	253	size_t private_keylen = (ctx.grp.nbits + 7) / 8;
	254	if (keylen < 1 + 2 * private_keylen) {
	255	res = 1;
	256	goto exit;
	257	}
	258
	259	res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) );
	260	if (res)
	261	goto exit;
	262
	263	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen);
	264	if (realkeylen != 1 + 2 * private_keylen)
	265	res = 2;
	266	exit:
	267	mbedtls_ecdsa_free(&ctx);
	268	return res;
	269	}
	270
	271
	272	int ecdsa_signature_create(mbedtls_ecp_group_id curveID, uint8_t key_d, uint8_t key_xy, uint8_t input, int length, uint8_t signature, size_t *signaturelen, bool hash) {
	273	int res;
	274	*signaturelen = 0;
	275
	276	uint8_t shahash[32] = {0};
	277	res = sha256hash(input, length, shahash);
	278	if (res)
	279	return res;
	280
	281	mbedtls_entropy_context entropy;
	282	mbedtls_ctr_drbg_context ctr_drbg;
	283	const char *pers = "ecdsaproxmark";
	284
	285	mbedtls_entropy_init(&entropy);
	286	mbedtls_ctr_drbg_init(&ctr_drbg);
	287
	288	res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
	289	if (res)
	290	goto exit;
	291
	292	mbedtls_ecdsa_context ctx;
	293	ecdsa_init(&ctx, curveID, key_d, key_xy);
	294	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg);
	295
	296	exit:
	297	mbedtls_ctr_drbg_free(&ctr_drbg);
	298	mbedtls_ecdsa_free(&ctx);
	299	return res;
	300	}
	301
	302
	303	int ecdsa_signature_create_test(mbedtls_ecp_group_id curveID, char key_d, char key_x, char key_y, char random, uint8_t input, int length, uint8_t signature, size_t *signaturelen) {
	304	int res;
	305	*signaturelen = 0;
	306
	307	uint8_t shahash[32] = {0};
	308	res = sha256hash(input, length, shahash);
	309	if (res)
	310	return res;
	311
	312	int rndlen = 0;
	313	param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen);
	314
	315	mbedtls_ecdsa_context ctx;
	316	ecdsa_init_str(&ctx, curveID, key_d, key_x, key_y);
	317	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL);
	318
	319	mbedtls_ecdsa_free(&ctx);
	320	return res;
	321	}
	322
	323
	324	int ecdsa_signature_verify_keystr(mbedtls_ecp_group_id curveID, char key_x, char key_y, uint8_t input, int length, uint8_t signature, size_t signaturelen, bool hash) {
	325	int res;
	326	uint8_t shahash[32] = {0};
	327	res = sha256hash(input, length, shahash);
	328	if (res)
	329	return res;
	330
	331	mbedtls_ecdsa_context ctx;
	332	ecdsa_init_str(&ctx, curveID, NULL, key_x, key_y);
	333	res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen);
	334
	335	mbedtls_ecdsa_free(&ctx);
	336	return res;
	337	}
	338
	339
	340	int ecdsa_signature_verify(mbedtls_ecp_group_id curveID, uint8_t key_xy, uint8_t input, int length, uint8_t *signature, size_t signaturelen, bool hash) {
	341	int res;
	342	uint8_t shahash[32] = {0};
	343	if (hash) {
	344	res = sha256hash(input, length, shahash);
	345	if (res)
	346	return res;
	347	}
	348
	349	mbedtls_ecdsa_context ctx;
	350	res = ecdsa_init(&ctx, curveID, NULL, key_xy);
	351	res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen);
	352
	353	mbedtls_ecdsa_free(&ctx);
	354	return res;
	355	}
	356
	357
	358	int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveID, uint8_t key_xy, uint8_t input, int length, uint8_t *r_s, size_t r_s_len, bool hash) {
	359	int res;
	360	uint8_t signature[MBEDTLS_ECDSA_MAX_LEN];
	361	size_t signature_len;
	362
	363	// convert r & s to ASN.1 signature
	364	mbedtls_mpi r, s;
	365	mbedtls_mpi_init(&r);
	366	mbedtls_mpi_init(&s);
	367	mbedtls_mpi_read_binary(&r, r_s, r_s_len/2);
	368	mbedtls_mpi_read_binary(&s, r_s + r_s_len/2, r_s_len/2);
	369
	370	res = ecdsa_signature_to_asn1(&r, &s, signature, &signature_len);
	371	if (res < 0) {
	372	return res;
	373	}
	374
	375	res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, signature_len, hash);
	376
	377	mbedtls_mpi_free(&r);
	378	mbedtls_mpi_free(&s);
	379
	380	return res;
	381	}
	382
	383
	384	#define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
	385	#define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
	386	#define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
	387	#define T_K "7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE"
	388	#define T_R "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F"
	389	#define T_S "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1"
	390
	391	int ecdsa_nist_test(bool verbose) {
	392	int res;
	393	uint8_t input[] = "Example of ECDSA with P-256";
	394	mbedtls_ecp_group_id curveID = MBEDTLS_ECP_DP_SECP256R1;
	395	int length = strlen((char *)input);
	396	uint8_t signature[300] = {0};
	397	size_t siglen = 0;
	398
	399	// NIST ecdsa test
	400	if (verbose)
	401	printf(" ECDSA NIST test: ");
	402	// make signature
	403	res = ecdsa_signature_create_test(curveID, T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen);
	404	// printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
	405	if (res)
	406	goto exit;
	407
	408	// check vectors
	409	uint8_t rval[300] = {0};
	410	uint8_t sval[300] = {0};
	411	res = ecdsa_asn1_get_signature(signature, siglen, rval, sval);
	412	if (res)
	413	goto exit;
	414
	415	int slen = 0;
	416	uint8_t rval_s[33] = {0};
	417	param_gethex_to_eol(T_R, 0, rval_s, sizeof(rval_s), &slen);
	418	uint8_t sval_s[33] = {0};
	419	param_gethex_to_eol(T_S, 0, sval_s, sizeof(sval_s), &slen);
	420	if (strncmp((char )rval, (char )rval_s, 32) \|\| strncmp((char )sval, (char )sval_s, 32)) {
	421	printf("R or S check error\n");
	422	res = 100;
	423	goto exit;
	424	}
	425
	426	// verify signature
	427	res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true);
	428	if (res)
	429	goto exit;
	430
	431	// verify wrong signature
	432	input[0] ^= 0xFF;
	433	res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true);
	434	if (!res) {
	435	res = 1;
	436	goto exit;
	437	}
	438	if (verbose)
	439	printf("passed\n");
	440
	441	// random ecdsa test
	442	if (verbose)
	443	printf(" ECDSA binary signature create/check test: ");
	444
	445	uint8_t key_d[32] = {0};
	446	uint8_t key_xy[32 * 2 + 2] = {0};
	447	memset(signature, 0x00, sizeof(signature));
	448	siglen = 0;
	449
	450	res = ecdsa_key_create(curveID, key_d, key_xy);
	451	if (res)
	452	goto exit;
	453
	454	res = ecdsa_signature_create(curveID, key_d, key_xy, input, length, signature, &siglen, true);
	455	if (res)
	456	goto exit;
	457
	458	res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true);
	459	if (res)
	460	goto exit;
	461
	462	input[0] ^= 0xFF;
	463	res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true);
	464	if (!res)
	465	goto exit;
	466
	467	if (verbose)
	468	printf("passed\n\n");
	469
	470	return 0;
	471	exit:
	472	if (verbose)
	473	printf("failed\n\n");
	474	return res;
	475	}