From 3a5ffba7c13354c0ad9ba48c8b97ee39ea46a1ba Mon Sep 17 00:00:00 2001 From: pwpiwi Date: Thu, 1 Aug 2019 10:53:26 -0400 Subject: [PATCH 1/1] Implement Originality Signature Check in 'hf mfu info' * add support for elliptic curve 'secp128r1' to mbedtls library * change ecdsa_signature_verify() to allow different curves, signature lengths, and skipping hash * add another public key for Mifare Ultralight EV1 --- CHANGELOG.md | 1 + client/cmdhffido.c | 8 +- client/cmdhfmfu.c | 42 +++-- client/crypto/libpcrypto.c | 295 ++++++++++++++++++++-------------- client/crypto/libpcrypto.h | 9 +- client/fido/fidocore.c | 6 +- common/mbedtls/check_config.h | 1 + common/mbedtls/config.h | 1 + common/mbedtls/ecdsa.c | 2 +- common/mbedtls/ecdsa.h | 2 + common/mbedtls/ecp.c | 30 ++-- common/mbedtls/ecp.h | 1 + common/mbedtls/ecp_curves.c | 41 +++++ 13 files changed, 276 insertions(+), 163 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e740099a..a764787b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added Home (Pos1) and End key bindings to the plot GUI (based on @mcd1992) - Added downlink reference mode option r [ 0 - (or missing) default/fixed bit, 1 - long leading, 2 - leading 0 and 3 - 1 of 4 ] to `lf t55xx detect`, `lf t55xx read`, `lf t55xx write`, and `lf t55xx bruteforce` - Added special option `r 4` to bruteforce, to try all downlink modes (0,1,2 and 3) for each password +- `hf mfu info` now checks the NXP Originality Signature if availabe (piwi) ## [v3.1.0][2018-10-10] diff --git a/client/cmdhffido.c b/client/cmdhffido.c index 8a98cf19..25862445 100644 --- a/client/cmdhffido.c +++ b/client/cmdhffido.c @@ -353,9 +353,9 @@ int CmdHFFidoRegister(const char *cmd) { &buf[1], 65, // user public key NULL, 0); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[hashp], len - hashp); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[hashp], len - hashp, true); if (res) { - if (res == -0x4e00) { + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { PrintAndLog("Signature is NOT VALID."); } else { PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); @@ -579,9 +579,9 @@ int CmdHFFidoAuthenticate(const char *cmd) { data, 32, // challenge parameter NULL, 0); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[5], len - 5); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[5], len - 5, true); if (res) { - if (res == -0x4e00) { + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { PrintAndLog("Signature is NOT VALID."); } else { PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 89e58263..39a00d63 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -24,6 +24,7 @@ #include "util_posix.h" #include "protocols.h" #include "taginfo.h" +#include "crypto/libpcrypto.h" typedef enum TAGTYPE_UL { UNKNOWN = 0x000000, @@ -65,15 +66,6 @@ typedef enum TAGTYPE_UL { #define MAX_MY_D_MOVE 0x25 #define MAX_MY_D_MOVE_LEAN 0x0f -#define PUBLIC_ECDA_KEYLEN 33 -static uint8_t public_ecda_key[PUBLIC_ECDA_KEYLEN] = { - 0x04, 0x49, 0x4e, 0x1a, 0x38, 0x6d, 0x3d, 0x3c, - 0xfe, 0x3d, 0xc1, 0x0e, 0x5d, 0xe6, 0x8a, 0x49, - 0x9b, 0x1c, 0x20, 0x2d, 0xb5, 0xb1, 0x32, 0x39, - 0x3e, 0x89, 0xed, 0x19, 0xfe, 0x5b, 0xe8, 0xbc, - 0x61 -}; - #define KEYS_3DES_COUNT 7 static uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = { { 0x42,0x52,0x45,0x41,0x4b,0x4d,0x45,0x49,0x46,0x59,0x4f,0x55,0x43,0x41,0x4e,0x21 },// 3des std key @@ -95,6 +87,13 @@ static uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = { {0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed) }; +// known public keys for the originality check (source: https://github.com/alexbatalov/node-nxp-originality-verifier) +uint8_t public_keys[2][33] = {{0x04,0x49,0x4e,0x1a,0x38,0x6d,0x3d,0x3c,0xfe,0x3d,0xc1,0x0e,0x5d,0xe6,0x8a,0x49,0x9b, // UL and NDEF + 0x1c,0x20,0x2d,0xb5,0xb1,0x32,0x39,0x3e,0x89,0xed,0x19,0xfe,0x5b,0xe8,0xbc,0x61}, + {0x04,0x90,0x93,0x3b,0xdc,0xd6,0xe9,0x9b,0x4e,0x25,0x5e,0x3d,0xa5,0x53,0x89,0xa8,0x27, // UL EV1 + 0x56,0x4e,0x11,0x71,0x8e,0x01,0x72,0x92,0xfa,0xf2,0x32,0x26,0xa9,0x66,0x14,0xb8} +}; + #define MAX_UL_TYPES 17 static uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203, NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_LEAN, FUDAN_UL}; @@ -552,14 +551,20 @@ static int ulev1_print_counters(void) { } -static int ulev1_print_signature( uint8_t *data, uint8_t len){ - PrintAndLogEx(NORMAL, "\n--- Tag Signature"); - PrintAndLogEx(NORMAL, "IC signature public key name : NXP NTAG21x (2013)"); - PrintAndLogEx(NORMAL, "IC signature public key value : %s", sprint_hex(public_ecda_key, PUBLIC_ECDA_KEYLEN)); +static int ulev1_print_signature(TagTypeUL_t tagtype, uint8_t *uid, uint8_t *signature, size_t signature_len){ + uint8_t public_key = 0; + if (tagtype == UL_EV1_48 || tagtype == UL_EV1_128) { + public_key = 1; + } + int res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP128R1, public_keys[public_key], uid, 7, signature, signature_len, false); + bool signature_valid = (res == 0); + + PrintAndLogEx(NORMAL, "\n--- Tag Originality Signature"); + //PrintAndLogEx(NORMAL, "IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :( + PrintAndLogEx(NORMAL, " Signature public key : %s", sprint_hex(public_keys[public_key]+1, sizeof(public_keys[public_key])-1)); PrintAndLogEx(NORMAL, " Elliptic curve parameters : secp128r1"); - PrintAndLogEx(NORMAL, " Tag ECC Signature : %s", sprint_hex(data, len)); - //to do: verify if signature is valid - //PrintAndLogEx(NORMAL, "IC signature status: %s valid", (iseccvalid() )?"":"not"); + PrintAndLogEx(NORMAL, " Tag ECC Signature : %s", sprint_hex(signature, signature_len)); + PrintAndLogEx(NORMAL, " Originality signature check : signature is %svalid", signature_valid?"":"NOT "); return 0; } @@ -725,6 +730,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { uint8_t authlim = 0xff; iso14a_card_select_t card; + uint8_t uid[7]; bool errors = false; uint8_t keybytes[16] = {0x00}; uint8_t *authenticationkey = keybytes; @@ -798,6 +804,8 @@ static int CmdHF14AMfUInfo(const char *Cmd) { PrintAndLogEx(WARNING, "Error: tag didn't answer to READ"); return -1; } else if (len == 16) { + memcpy(uid, data, 3); + memcpy(uid+3, data+4, 4); ul_print_default(data); ndef_print_CC(data+12); } else { @@ -878,7 +886,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { return -1; } if (len == 32) { - ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature)); + ulev1_print_signature(tagtype, uid, ulev1_signature, sizeof(ulev1_signature)); } else { // re-select if (!ul_auth_select( &card, tagtype, hasAuthKey, authenticationkey, pack, sizeof(pack))) { diff --git a/client/crypto/libpcrypto.c b/client/crypto/libpcrypto.c index ebc1e987..b20961d8 100644 --- a/client/crypto/libpcrypto.c +++ b/client/crypto/libpcrypto.c @@ -26,12 +26,13 @@ #include #include + // NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001. int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){ uint8_t iiv[16] = {0}; if (iv) memcpy(iiv, iv, 16); - + mbedtls_aes_context aes; mbedtls_aes_init(&aes); if (mbedtls_aes_setkey_enc(&aes, key, 128)) @@ -43,11 +44,12 @@ int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int l return 0; } + int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){ uint8_t iiv[16] = {0}; if (iv) memcpy(iiv, iv, 16); - + mbedtls_aes_context aes; mbedtls_aes_init(&aes); if (mbedtls_aes_setkey_dec(&aes, key, 128)) @@ -59,164 +61,176 @@ int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int l return 0; } + // NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication. // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) { memset(mac, 0x00, 16); - - // NIST 800-38B + + // NIST 800-38B return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac); } + int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) { uint8_t cmac[16] = {0}; memset(mac, 0x00, 8); - + int res = aes_cmac(iv, key, input, cmac, length); if (res) return res; - - for(int i = 0; i < 8; i++) + + for(int i = 0; i < 8; i++) mac[i] = cmac[i * 2 + 1]; return 0; } + static uint8_t fixed_rand_value[250] = {0}; + static int fixed_rand(void *rng_state, unsigned char *output, size_t len) { if (len <= 250) { memcpy(output, fixed_rand_value, len); } else { memset(output, 0x00, len); } - + return 0; } + int sha256hash(uint8_t *input, int length, uint8_t *hash) { if (!hash || !input) return 1; - + mbedtls_sha256_context sctx; mbedtls_sha256_init(&sctx); - mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224 + mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224 mbedtls_sha256_update(&sctx, input, length); - mbedtls_sha256_finish(&sctx, hash); + mbedtls_sha256_finish(&sctx, hash); mbedtls_sha256_free(&sctx); - + return 0; } + int sha512hash(uint8_t *input, int length, uint8_t *hash) { if (!hash || !input) return 1; - + mbedtls_sha512_context sctx; mbedtls_sha512_init(&sctx); mbedtls_sha512_starts(&sctx, 0); //SHA-512, not 384 mbedtls_sha512_update(&sctx, input, length); - mbedtls_sha512_finish(&sctx, hash); + mbedtls_sha512_finish(&sctx, hash); mbedtls_sha512_free(&sctx); - + return 0; } -int ecdsa_init_str(mbedtls_ecdsa_context *ctx, char * key_d, char *key_x, char *key_y) { + +int ecdsa_init_str(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveID, char *key_d, char *key_x, char *key_y) { if (!ctx) return 1; - + int res; mbedtls_ecdsa_init(ctx); - res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 - if (res) + res = mbedtls_ecp_group_load(&ctx->grp, curveID); + if (res) return res; - + if (key_d) { res = mbedtls_mpi_read_string(&ctx->d, 16, key_d); - if (res) + if (res) return res; } - + if (key_x && key_y) { res = mbedtls_ecp_point_read_string(&ctx->Q, 16, key_x, key_y); - if (res) + if (res) return res; } - + return 0; } -int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t * key_d, uint8_t *key_xy) { + +int ecdsa_init(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy) { if (!ctx) return 1; - + int res; mbedtls_ecdsa_init(ctx); - res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 - if (res) + res = mbedtls_ecp_group_load(&ctx->grp, curveID); + if (res) return res; - + + size_t keylen = (ctx->grp.nbits + 7 ) / 8; if (key_d) { - res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32); - if (res) + res = mbedtls_mpi_read_binary(&ctx->d, key_d, keylen); + if (res) return res; } - + if (key_xy) { - res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1); - if (res) + res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, keylen * 2 + 1); + if (res) return res; } - + return 0; } -int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy) { + +int ecdsa_key_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy) { int res; mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, NULL, NULL); + ecdsa_init(&ctx, curveID, NULL, NULL); - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "ecdsaproxmark"; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); + mbedtls_entropy_init(&entropy); + mbedtls_ctr_drbg_init(&ctr_drbg); - res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); + res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); if (res) - goto exit; + goto exit; - res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg); + res = mbedtls_ecdsa_genkey(&ctx, curveID, mbedtls_ctr_drbg_random, &ctr_drbg); if (res) goto exit; - res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32); + size_t keylen = (ctx.grp.nbits + 7) / 8; + res = mbedtls_mpi_write_binary(&ctx.d, key_d, keylen); if (res) goto exit; - size_t keylen = 0; + size_t public_keylen = 0; uint8_t public_key[200] = {0}; - res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key)); + res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &public_keylen, public_key, sizeof(public_key)); if (res) goto exit; - - if (keylen != 65) { // 0x04 + + if (public_keylen != 1 + 2 * keylen) { // 0x04 res = 1; goto exit; } - memcpy(key_xy, public_key, 65); + memcpy(key_xy, public_key, public_keylen); exit: - mbedtls_entropy_free(&entropy); - mbedtls_ctr_drbg_free(&ctr_drbg); + mbedtls_entropy_free(&entropy); + mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ecdsa_free(&ctx); return res; } + char *ecdsa_get_error(int ret) { static char retstr[300]; memset(retstr, 0x00, sizeof(retstr)); @@ -224,111 +238,149 @@ char *ecdsa_get_error(int ret) { return retstr; } -int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen) { + +int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveID, uint8_t *key, size_t keylen) { int res = 0; size_t realkeylen = 0; - if (keylen < 65) - return 1; - + mbedtls_ecdsa_context ctx; mbedtls_ecdsa_init(&ctx); - - res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 + + res = mbedtls_ecp_group_load(&ctx.grp, curveID); if (res) goto exit; - + + size_t private_keylen = (ctx.grp.nbits + 7) / 8; + if (keylen < 1 + 2 * private_keylen) { + res = 1; + goto exit; + } + res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) ); if (res) goto exit; - + res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen); - if (realkeylen != 65) + if (realkeylen != 1 + 2 * private_keylen) res = 2; exit: mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { + +int ecdsa_signature_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash) { int res; *signaturelen = 0; - - uint8_t shahash[32] = {0}; + + uint8_t shahash[32] = {0}; res = sha256hash(input, length, shahash); if (res) return res; - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "ecdsaproxmark"; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); + mbedtls_entropy_init(&entropy); + mbedtls_ctr_drbg_init(&ctr_drbg); - res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); + res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); if (res) - goto exit; + goto exit; + + mbedtls_ecdsa_context ctx; + ecdsa_init(&ctx, curveID, key_d, key_xy); + res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg); - mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, key_d, key_xy); - res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg); - exit: - mbedtls_ctr_drbg_free(&ctr_drbg); + mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_create_test(char * key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { + +int ecdsa_signature_create_test(mbedtls_ecp_group_id curveID, char *key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { int res; *signaturelen = 0; - - uint8_t shahash[32] = {0}; + + uint8_t shahash[32] = {0}; res = sha256hash(input, length, shahash); if (res) return res; int rndlen = 0; param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen); - - mbedtls_ecdsa_context ctx; - ecdsa_init_str(&ctx, key_d, key_x, key_y); + + mbedtls_ecdsa_context ctx; + ecdsa_init_str(&ctx, curveID, key_d, key_x, key_y); res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL); - + mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_verify_keystr(char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) { + +int ecdsa_signature_verify_keystr(mbedtls_ecp_group_id curveID, char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) { int res; - uint8_t shahash[32] = {0}; + uint8_t shahash[32] = {0}; res = sha256hash(input, length, shahash); if (res) return res; - mbedtls_ecdsa_context ctx; - ecdsa_init_str(&ctx, NULL, key_x, key_y); - res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); - + mbedtls_ecdsa_context ctx; + ecdsa_init_str(&ctx, curveID, NULL, key_x, key_y); + res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen); + mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) { + +int ecdsa_signature_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) { int res; - uint8_t shahash[32] = {0}; - res = sha256hash(input, length, shahash); - if (res) - return res; + uint8_t shahash[32] = {0}; + if (hash) { + res = sha256hash(input, length, shahash); + if (res) + return res; + } + + mbedtls_ecdsa_context ctx; + res = ecdsa_init(&ctx, curveID, NULL, key_xy); + res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen); - mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, NULL, key_xy); - res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); - mbedtls_ecdsa_free(&ctx); return res; } + +int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash) { + int res; + uint8_t signature[MBEDTLS_ECDSA_MAX_LEN]; + size_t signature_len; + + // convert r & s to ASN.1 signature + mbedtls_mpi r, s; + mbedtls_mpi_init(&r); + mbedtls_mpi_init(&s); + mbedtls_mpi_read_binary(&r, r_s, r_s_len/2); + mbedtls_mpi_read_binary(&s, r_s + r_s_len/2, r_s_len/2); + + res = ecdsa_signature_to_asn1(&r, &s, signature, &signature_len); + if (res < 0) { + return res; + } + + res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, signature_len, hash); + + mbedtls_mpi_free(&r); + mbedtls_mpi_free(&s); + + return res; +} + + #define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96" #define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19" #define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09" @@ -339,45 +391,46 @@ int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t int ecdsa_nist_test(bool verbose) { int res; uint8_t input[] = "Example of ECDSA with P-256"; + mbedtls_ecp_group_id curveID = MBEDTLS_ECP_DP_SECP256R1; int length = strlen((char *)input); - uint8_t signature[300] = {0}; - size_t siglen = 0; + uint8_t signature[300] = {0}; + size_t siglen = 0; // NIST ecdsa test if (verbose) printf(" ECDSA NIST test: "); // make signature - res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen); + res = ecdsa_signature_create_test(curveID, T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen); // printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen)); - if (res) + if (res) goto exit; // check vectors - uint8_t rval[300] = {0}; - uint8_t sval[300] = {0}; + uint8_t rval[300] = {0}; + uint8_t sval[300] = {0}; res = ecdsa_asn1_get_signature(signature, siglen, rval, sval); if (res) goto exit; - + int slen = 0; uint8_t rval_s[33] = {0}; param_gethex_to_eol(T_R, 0, rval_s, sizeof(rval_s), &slen); - uint8_t sval_s[33] = {0}; + uint8_t sval_s[33] = {0}; param_gethex_to_eol(T_S, 0, sval_s, sizeof(sval_s), &slen); if (strncmp((char *)rval, (char *)rval_s, 32) || strncmp((char *)sval, (char *)sval_s, 32)) { printf("R or S check error\n"); res = 100; goto exit; } - + // verify signature - res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); - if (res) + res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true); + if (res) goto exit; - + // verify wrong signature input[0] ^= 0xFF; - res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); + res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true); if (!res) { res = 1; goto exit; @@ -393,27 +446,27 @@ int ecdsa_nist_test(bool verbose) { uint8_t key_xy[32 * 2 + 2] = {0}; memset(signature, 0x00, sizeof(signature)); siglen = 0; - - res = ecdsa_key_create(key_d, key_xy); - if (res) + + res = ecdsa_key_create(curveID, key_d, key_xy); + if (res) goto exit; - res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen); - if (res) + res = ecdsa_signature_create(curveID, key_d, key_xy, input, length, signature, &siglen, true); + if (res) goto exit; - res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); - if (res) + res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true); + if (res) goto exit; input[0] ^= 0xFF; - res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); - if (!res) + res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true); + if (!res) goto exit; - + if (verbose) printf("passed\n\n"); - + return 0; exit: if (verbose) diff --git a/client/crypto/libpcrypto.h b/client/crypto/libpcrypto.h index 7e70cbfc..e29f92b4 100644 --- a/client/crypto/libpcrypto.h +++ b/client/crypto/libpcrypto.h @@ -24,10 +24,11 @@ extern int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, in extern int sha256hash(uint8_t *input, int length, uint8_t *hash); extern int sha512hash(uint8_t *input, int length, uint8_t *hash); -extern int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy); -extern int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen); -extern int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen); -extern int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen); +extern int ecdsa_key_create(mbedtls_ecp_group_id curveID, uint8_t * key_d, uint8_t *key_xy); +extern int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveID, uint8_t *key, size_t keylen); +extern int ecdsa_signature_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash); +extern int ecdsa_signature_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash); +extern int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash); extern char *ecdsa_get_error(int ret); extern int ecdsa_nist_test(bool verbose); diff --git a/client/fido/fidocore.c b/client/fido/fidocore.c index 6e021ea6..6af7671a 100644 --- a/client/fido/fidocore.c +++ b/client/fido/fidocore.c @@ -279,7 +279,7 @@ int FIDOCheckDERAndGetKey(uint8_t *der, size_t derLen, bool verbose, uint8_t *pu } // get public key - res = ecdsa_public_key_from_pk(&cert.pk, publicKey, publicKeyMaxLen); + res = ecdsa_public_key_from_pk(&cert.pk, MBEDTLS_ECP_DP_SECP256R1, publicKey, publicKeyMaxLen); if (res) { PrintAndLog("ERROR: getting public key from certificate 0x%x - %s", (res<0)?-res:res, ecdsa_get_error(res)); } else { @@ -396,9 +396,9 @@ int FIDO2CheckSignature(json_t *root, uint8_t *publickey, uint8_t *sign, size_t clientDataHash, 32, // Hash of the serialized client data. "$.ClientDataHash" from json NULL, 0); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(publickey, xbuf, xbuflen, sign, signLen); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, publickey, xbuf, xbuflen, sign, signLen, true); if (res) { - if (res == -0x4e00) { + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { PrintAndLog("Signature is NOT VALID."); } else { PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); diff --git a/common/mbedtls/check_config.h b/common/mbedtls/check_config.h index a4fa7bdd..b395844d 100644 --- a/common/mbedtls/check_config.h +++ b/common/mbedtls/check_config.h @@ -115,6 +115,7 @@ #endif #if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ + !defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ diff --git a/common/mbedtls/config.h b/common/mbedtls/config.h index dfda7ca4..278b2163 100644 --- a/common/mbedtls/config.h +++ b/common/mbedtls/config.h @@ -645,6 +645,7 @@ * * Comment macros to disable the curve and functions for it */ +#define MBEDTLS_ECP_DP_SECP128R1_ENABLED #define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/common/mbedtls/ecdsa.c b/common/mbedtls/ecdsa.c index e97e6cb4..1145bcc2 100644 --- a/common/mbedtls/ecdsa.c +++ b/common/mbedtls/ecdsa.c @@ -291,7 +291,7 @@ cleanup: /* * Convert a signature (given by context) to ASN.1 */ -static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, +int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen ) { int ret; diff --git a/common/mbedtls/ecdsa.h b/common/mbedtls/ecdsa.h index a56cc0a5..426a19cd 100644 --- a/common/mbedtls/ecdsa.h +++ b/common/mbedtls/ecdsa.h @@ -334,6 +334,8 @@ void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ); */ void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); +int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen ); + #ifdef __cplusplus } #endif diff --git a/common/mbedtls/ecp.c b/common/mbedtls/ecp.c index 028c7fe3..925c024c 100644 --- a/common/mbedtls/ecp.c +++ b/common/mbedtls/ecp.c @@ -84,7 +84,8 @@ static unsigned long add_count, dbl_count, mul_count; #endif -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) || \ + defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ @@ -128,39 +129,42 @@ typedef enum static const mbedtls_ecp_curve_info ecp_supported_curves[] = { #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) - { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" }, + { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" }, #endif #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) - { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" }, + { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" }, + { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" }, #endif #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) - { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" }, + { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" }, + { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) - { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" }, + { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" }, #endif #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) - { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" }, + { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) - { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" }, + { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) - { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" }, + { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) - { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" }, + { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" }, #endif #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) - { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" }, + { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" }, #endif - { MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) + { MBEDTLS_ECP_DP_SECP128R1, 0xFE00, 128, "secp128r1" }, +#endif + { MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, }; #define ECP_NB_CURVES sizeof( ecp_supported_curves ) / \ diff --git a/common/mbedtls/ecp.h b/common/mbedtls/ecp.h index 1821a72f..725d52b6 100644 --- a/common/mbedtls/ecp.h +++ b/common/mbedtls/ecp.h @@ -82,6 +82,7 @@ typedef enum MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */ + MBEDTLS_ECP_DP_SECP128R1, /*!< Domain parameters for the 128-bit curve used for NXP originality check. */ } mbedtls_ecp_group_id; /** diff --git a/common/mbedtls/ecp_curves.c b/common/mbedtls/ecp_curves.c index 01efe8ba..bc0cbd5b 100644 --- a/common/mbedtls/ecp_curves.c +++ b/common/mbedtls/ecp_curves.c @@ -84,6 +84,42 @@ * to be directly usable in MPIs */ +/* + * Domain parameters for secp128r1 + */ +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) +static const mbedtls_mpi_uint secp128r1_p[] = { + // 2^128 - 2^97 - 1 // TODO + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ), +}; +static const mbedtls_mpi_uint secp128r1_a[] = { + // FFFFFFFDFFFFFFFF FFFFFFFFFFFFFFFC + BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ), +}; +static const mbedtls_mpi_uint secp128r1_b[] = { + // E87579C11079F43D D824993C2CEE5ED3 + BYTES_TO_T_UINT_8( 0xD3, 0x5E, 0xEE, 0x2C, 0x3C, 0x99, 0x24, 0xD8 ), + BYTES_TO_T_UINT_8( 0x3D, 0xF4, 0x79, 0x10, 0xC1, 0x79, 0x75, 0xE8 ), +}; +static const mbedtls_mpi_uint secp128r1_gx[] = { + // 161FF7528B899B2D 0C28607CA52C5B86 + BYTES_TO_T_UINT_8( 0x86, 0x5B, 0x2C, 0xA5, 0x7C, 0x60, 0x28, 0x0C ), + BYTES_TO_T_UINT_8( 0x2D, 0x9B, 0x89, 0x8B, 0x52, 0xF7, 0x1F, 0x16 ), +}; +static const mbedtls_mpi_uint secp128r1_gy[] = { + // CF5AC8395BAFEB13 C02DA292DDED7A83 + BYTES_TO_T_UINT_8( 0x83, 0x7A, 0xED, 0xDD, 0x92, 0xA2, 0x2D, 0xC0 ), + BYTES_TO_T_UINT_8( 0x13, 0xEB, 0xAF, 0x5B, 0x39, 0xC8, 0x5A, 0xCF ), +}; +static const mbedtls_mpi_uint secp128r1_n[] = { + // FFFFFFFE00000000 75A30D1B9038A115 + BYTES_TO_T_UINT_8( 0x15, 0xA1, 0x38, 0x90, 0x1B, 0x0D, 0xA3, 0x75 ), + BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF ), +}; +#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */ + /* * Domain parameters for secp192r1 */ @@ -754,6 +790,11 @@ int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id ) switch( id ) { +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) + case MBEDTLS_ECP_DP_SECP128R1: + grp->modp = NULL; + return( LOAD_GROUP_A( secp128r1 ) ); +#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) case MBEDTLS_ECP_DP_SECP192R1: NIST_MODP( p192 ); -- 2.39.5