search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
reworked "lf em 4x50 chk" to use dynamic memory for dictionary
[RRG-proxmark3.git] / armsrc / desfire_crypto.c
blobc32d6e4df8d7d83d9997417bfc9097a3ac5660a4
1 /*-
2 * Copyright (C) 2010, Romain Tartiere.
3 *
4 * This program is free software: you can redistribute it and/or modify it
5 * under the terms of the GNU Lesser General Public License as published by the
6 * Free Software Foundation, either version 3 of the License, or (at your
7 * option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
12 * more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>
16 *
17 * $Id$
18 */
19
20 /*
21 * This implementation was written based on information provided by the
22 * following documents:
23 *
24 * NIST Special Publication 800-38B
25 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
26 * May 2005
27 */
28 #include "desfire_crypto.h"
29 #include <stdlib.h>
30 #include <stdio.h>
31 #include <string.h>
32 #include "commonutil.h"
33 #include "crc32.h"
34 #include "crc.h"
35 #include "crc16.h" // crc16 ccitt
36 #include "printf.h"
37 #include "iso14443a.h"
38 #include "dbprint.h"
39 #include "BigBuf.h"
40
41 #ifndef AddCrc14A
42 # define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1)
43 #endif
44
45 static mbedtls_des_context ctx;
46 static mbedtls_des3_context ctx3;
47 static mbedtls_aes_context actx;
48
49 static void update_key_schedules(desfirekey_t key);
50
51 static void update_key_schedules(desfirekey_t key) {
52 // DES_set_key ((DES_cblock *)key->data, &(key->ks1));
53 // DES_set_key ((DES_cblock *)(key->data + 8), &(key->ks2));
54 // if (T_3K3DES == key->type) {
55 // DES_set_key ((DES_cblock *)(key->data + 16), &(key->ks3));
56 // }
57 }
58
59 /******************************************************************************/
60 void des_encrypt(void *out, const void *in, const void *key) {
61 mbedtls_des_setkey_enc(&ctx, key);
62 mbedtls_des_crypt_ecb(&ctx, in, out);
63 }
64
65 void des_decrypt(void *out, const void *in, const void *key) {
66 mbedtls_des_setkey_dec(&ctx, key);
67 mbedtls_des_crypt_ecb(&ctx, in, out);
68 }
69
70 void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
71 if (length % 8) return;
72 if (keymode == 2) mbedtls_des3_set2key_dec(&ctx3, key);
73 else mbedtls_des3_set3key_dec(&ctx3, key);
74
75 uint8_t i;
76 unsigned char temp[8];
77 uint8_t *tin = (uint8_t *) in;
78 uint8_t *tout = (uint8_t *) out;
79
80 while (length > 0) {
81 memcpy(temp, tin, 8);
82
83 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
84
85 for (i = 0; i < 8; i++)
86 tout[i] = (unsigned char)(tout[i] ^ iv[i]);
87
88 memcpy(iv, temp, 8);
89
90 tin += 8;
91 tout += 8;
92 length -= 8;
93 }
94 }
95
96 void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
97 if (length % 8) return;
98 if (keymode == 2) mbedtls_des3_set2key_enc(&ctx3, key);
99 else mbedtls_des3_set3key_enc(&ctx3, key);
100
101 uint8_t i;
102 uint8_t *tin = (uint8_t *) in;
103 uint8_t *tout = (uint8_t *) out;
104
105 while (length > 0) {
106 for (i = 0; i < 8; i++) {
107 tin[i] = (unsigned char)(tin[i] ^ iv[i]);
108 }
109
110 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
111
112 memcpy(iv, tout, 8);
113
114 tin += 8;
115 tout += 8;
116 length -= 8;
117 }
118 }
119
120
121
122 void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) {
123 uint8_t data[8];
124 memcpy(data, value, 8);
125 for (int n = 0; n < 8; n++) {
126 data[n] &= 0xFE;
127 }
128 Desfire_des_key_new_with_version(data, key);
129 }
130
131 void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key) {
132 if (key != NULL) {
133 key->type = T_DES;
134 memcpy(key->data, value, 8);
135 memcpy(key->data + 8, value, 8);
136 update_key_schedules(key);
137 }
138 }
139
140 void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key) {
141 uint8_t data[16];
142 memcpy(data, value, 16);
143 for (int n = 0; n < 8; n++) {
144 data[n] &= 0xFE;
145 }
146 for (int n = 8; n < 16; n++) {
147 data[n] |= 0x01;
148 }
149 Desfire_3des_key_new_with_version(data, key);
150 }
151
152 void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key) {
153 if (key != NULL) {
154 key->type = T_3DES;
155 memcpy(key->data, value, 16);
156 update_key_schedules(key);
157 }
158 }
159
160 void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key) {
161 uint8_t data[24];
162 memcpy(data, value, 24);
163 for (int n = 0; n < 8; n++) {
164 data[n] &= 0xFE;
165 }
166 Desfire_3k3des_key_new_with_version(data, key);
167 }
168
169 void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key) {
170 if (key != NULL) {
171 key->type = T_3K3DES;
172 memcpy(key->data, value, 24);
173 update_key_schedules(key);
174 }
175 }
176
177 void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key) {
178 Desfire_aes_key_new_with_version(value, 0, key);
179 }
180
181 void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key) {
182
183 if (key != NULL) {
184 memcpy(key->data, value, 16);
185 key->type = T_AES;
186 key->aes_version = version;
187 }
188 }
189
190 uint8_t Desfire_key_get_version(desfirekey_t key) {
191 uint8_t version = 0;
192
193 for (int n = 0; n < 8; n++) {
194 version |= ((key->data[n] & 1) << (7 - n));
195 }
196 return version;
197 }
198
199 void Desfire_key_set_version(desfirekey_t key, uint8_t version) {
200 for (int n = 0; n < 8; n++) {
201 uint8_t version_bit = ((version & (1 << (7 - n))) >> (7 - n));
202 key->data[n] &= 0xFE;
203 key->data[n] |= version_bit;
204 if (key->type == T_DES) {
205 key->data[n + 8] = key->data[n];
206 } else {
207 // Write ~version to avoid turning a 3DES key into a DES key
208 key->data[n + 8] &= 0xFE;
209 key->data[n + 8] |= ~version_bit;
210 }
211 }
212 }
213
214 void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) {
215
216 uint8_t buffer[24];
217
218 switch (authkey->type) {
219 case T_DES:
220 memcpy(buffer, rnda, 4);
221 memcpy(buffer + 4, rndb, 4);
222 Desfire_des_key_new_with_version(buffer, key);
223 break;
224 case T_3DES:
225 memcpy(buffer, rnda, 4);
226 memcpy(buffer + 4, rndb, 4);
227 memcpy(buffer + 8, rnda + 4, 4);
228 memcpy(buffer + 12, rndb + 4, 4);
229 Desfire_3des_key_new_with_version(buffer, key);
230 break;
231 case T_3K3DES:
232 memcpy(buffer, rnda, 4);
233 memcpy(buffer + 4, rndb, 4);
234 memcpy(buffer + 8, rnda + 6, 4);
235 memcpy(buffer + 12, rndb + 6, 4);
236 memcpy(buffer + 16, rnda + 12, 4);
237 memcpy(buffer + 20, rndb + 12, 4);
238 Desfire_3k3des_key_new(buffer, key);
239 break;
240 case T_AES:
241 memcpy(buffer, rnda, 4);
242 memcpy(buffer + 4, rndb, 4);
243 memcpy(buffer + 8, rnda + 12, 4);
244 memcpy(buffer + 12, rndb + 12, 4);
245 Desfire_aes_key_new(buffer, key);
246 break;
247 }
248 }
249
250 static size_t key_macing_length(desfirekey_t key);
251
252 // iceman, see memxor inside string.c, dest/src swapped..
253 static void xor(const uint8_t *ivect, uint8_t *data, const size_t len) {
254 for (size_t i = 0; i < len; i++) {
255 data[i] ^= ivect[i];
256 }
257 }
258
259 void cmac_generate_subkeys(desfirekey_t key) {
260 int kbs = key_block_size(key);
261 const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
262
263 uint8_t l[kbs];
264 memset(l, 0, kbs);
265
266 uint8_t ivect[kbs];
267 memset(ivect, 0, kbs);
268
269 mifare_cypher_blocks_chained(NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
270
271 bool txor = false;
272
273 // Used to compute CMAC on complete blocks
274 memcpy(key->cmac_sk1, l, kbs);
275
276 txor = l[0] & 0x80;
277
278 lsl(key->cmac_sk1, kbs);
279
280 if (txor) {
281 key->cmac_sk1[kbs - 1] ^= R;
282 }
283
284 // Used to compute CMAC on the last block if non-complete
285 memcpy(key->cmac_sk2, key->cmac_sk1, kbs);
286
287 txor = key->cmac_sk1[0] & 0x80;
288
289 lsl(key->cmac_sk2, kbs);
290
291 if (txor) {
292 key->cmac_sk2[kbs - 1] ^= R;
293 }
294 }
295
296 void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
297 int kbs = key_block_size(key);
298 if (kbs == 0) {
299 return;
300 }
301
302 uint8_t *buffer = BigBuf_malloc(padded_data_length(len, kbs));
303
304 memcpy(buffer, data, len);
305
306 if ((!len) || (len % kbs)) {
307 buffer[len++] = 0x80;
308 while (len % kbs) {
309 buffer[len++] = 0x00;
310 }
311 xor(key->cmac_sk2, buffer + len - kbs, kbs);
312 } else {
313 xor(key->cmac_sk1, buffer + len - kbs, kbs);
314 }
315
316 mifare_cypher_blocks_chained(NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
317
318 memcpy(cmac, ivect, kbs);
319 //free(buffer);
320 }
321
322 size_t key_block_size(const desfirekey_t key) {
323 if (key == NULL) {
324 return 0;
325 }
326
327 size_t block_size = 8;
328 switch (key->type) {
329 case T_DES:
330 case T_3DES:
331 case T_3K3DES:
332 block_size = 8;
333 break;
334 case T_AES:
335 block_size = 16;
336 break;
337 }
338 return block_size;
339 }
340
341 /*
342 * Size of MACing produced with the key.
343 */
344 static size_t key_macing_length(const desfirekey_t key) {
345 size_t mac_length = MAC_LENGTH;
346 switch (key->type) {
347 case T_DES:
348 case T_3DES:
349 mac_length = MAC_LENGTH;
350 break;
351 case T_3K3DES:
352 case T_AES:
353 mac_length = CMAC_LENGTH;
354 break;
355 }
356 return mac_length;
357 }
358
359 /*
360 * Size required to store nbytes of data in a buffer of size n*block_size.
361 */
362 size_t padded_data_length(const size_t nbytes, const size_t block_size) {
363 if ((!nbytes) || (nbytes % block_size))
364 return ((nbytes / block_size) + 1) * block_size;
365 else
366 return nbytes;
367 }
368
369 /*
370 * Buffer size required to MAC nbytes of data
371 */
372 size_t maced_data_length(const desfirekey_t key, const size_t nbytes) {
373 return nbytes + key_macing_length(key);
374 }
375 /*
376 * Buffer size required to encipher nbytes of data and a two bytes CRC.
377 */
378 size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings) {
379 size_t crc_length = 0;
380 if (!(communication_settings & NO_CRC)) {
381 switch (DESFIRE(tag)->authentication_scheme) {
382 case AS_LEGACY:
383 crc_length = 2;
384 break;
385 case AS_NEW:
386 crc_length = 4;
387 break;
388 }
389 }
390
391 size_t block_size = DESFIRE(tag)->session_key ? key_block_size(DESFIRE(tag)->session_key) : 1;
392
393 return padded_data_length(nbytes + crc_length, block_size);
394 }
395
396 void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
397 uint8_t *res = data;
398 uint8_t mac[4];
399 size_t edl;
400 bool append_mac = true;
401 desfirekey_t key = DESFIRE(tag)->session_key;
402
403 if (!key)
404 return data;
405
406 switch (communication_settings & MDCM_MASK) {
407 case MDCM_PLAIN:
408 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
409 break;
410
411 /*
412 * When using new authentication methods, PLAIN data transmission from
413 * the PICC to the PCD are CMACed, so we have to maintain the
414 * cryptographic initialisation vector up-to-date to check data
415 * integrity later.
416 *
417 * The only difference with CMACed data transmission is that the CMAC
418 * is not apended to the data send by the PCD to the PICC.
419 */
420
421 append_mac = false;
422
423 /* pass through */
424 case MDCM_MACED:
425 switch (DESFIRE(tag)->authentication_scheme) {
426 case AS_LEGACY:
427 if (!(communication_settings & MAC_COMMAND))
428 break;
429
430 /* pass through */
431 edl = padded_data_length(*nbytes - offset, key_block_size(DESFIRE(tag)->session_key)) + offset;
432
433 // Fill in the crypto buffer with data ...
434 memcpy(res, data, *nbytes);
435 // ... and 0 padding
436 memset(res + *nbytes, 0, edl - *nbytes);
437
438 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
439
440 memcpy(mac, res + edl - 8, 4);
441
442 // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
443 memcpy(res, data, *nbytes);
444
445 if (!(communication_settings & MAC_COMMAND))
446 break;
447 // Append MAC
448 size_t bla = maced_data_length(DESFIRE(tag)->session_key, *nbytes - offset) + offset;
449 (void)bla++;
450
451 memcpy(res + *nbytes, mac, 4);
452
453 *nbytes += 4;
454 break;
455 case AS_NEW:
456 if (!(communication_settings & CMAC_COMMAND))
457 break;
458 cmac(key, DESFIRE(tag)->ivect, res, *nbytes, DESFIRE(tag)->cmac);
459
460 if (append_mac) {
461 size_t len = maced_data_length(key, *nbytes);
462 (void)++len;
463 memcpy(res, data, *nbytes);
464 memcpy(res + *nbytes, DESFIRE(tag)->cmac, CMAC_LENGTH);
465 *nbytes += CMAC_LENGTH;
466 }
467 break;
468 }
469
470 break;
471 case MDCM_ENCIPHERED:
472 /* |<-------------- data -------------->|
473 * |<--- offset -->| |
474 * +---------------+--------------------+-----+---------+
475 * | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
476 * +---------------+--------------------+-----+---------+ ----------------
477 * | |<~~~~v~~~~~~~~~~~~~>| ^ | | (DES / 3DES)
478 * | | `---- crc16() ----' | |
479 * | | | ^ | | ----- *or* -----
480 * |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>| ^ | | (3K3DES / AES)
481 * | `---- crc32() ----' | |
482 * | | ---- *then* ----
483 * |<---------------------------------->|
484 * encypher()/decypher()
485 */
486
487 if (!(communication_settings & ENC_COMMAND))
488 break;
489 edl = enciphered_data_length(tag, *nbytes - offset, communication_settings) + offset;
490
491 // Fill in the crypto buffer with data ...
492 memcpy(res, data, *nbytes);
493 if (!(communication_settings & NO_CRC)) {
494 // ... CRC ...
495 switch (DESFIRE(tag)->authentication_scheme) {
496 case AS_LEGACY:
497 AddCrc14A(res + offset, *nbytes - offset);
498 *nbytes += 2;
499 break;
500 case AS_NEW:
501 crc32_append(res, *nbytes);
502 *nbytes += 4;
503 break;
504 }
505 }
506 // ... and padding
507 memset(res + *nbytes, 0, edl - *nbytes);
508
509 *nbytes = edl;
510
511 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
512 break;
513 default:
514
515 *nbytes = -1;
516 res = NULL;
517 break;
518 }
519
520 return res;
521
522 }
523
524 void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
525 void *res = data;
526 void *edata = NULL;
527 uint8_t first_cmac_byte = 0x00;
528
529 desfirekey_t key = DESFIRE(tag)->session_key;
530
531 if (!key)
532 return data;
533
534 // Return directly if we just have a status code.
535 if (1 == *nbytes)
536 return res;
537
538 switch (communication_settings & MDCM_MASK) {
539 case MDCM_PLAIN:
540
541 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
542 break;
543
544 /* pass through */
545 case MDCM_MACED:
546 switch (DESFIRE(tag)->authentication_scheme) {
547 case AS_LEGACY:
548 if (communication_settings & MAC_VERIFY) {
549 *nbytes -= key_macing_length(key);
550 if (*nbytes == 0) {
551 *nbytes = -1;
552 res = NULL;
553 #ifdef WITH_DEBUG
554 Dbprintf("No room for MAC!");
555 #endif
556 break;
557 }
558
559 size_t edl = enciphered_data_length(tag, *nbytes - 1, communication_settings);
560 edata = BigBuf_malloc(edl);
561
562 memcpy(edata, data, *nbytes - 1);
563 memset((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);
564
565 mifare_cypher_blocks_chained(tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
566
567 if (0 != memcmp((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
568 #ifdef WITH_DEBUG
569 Dbprintf("MACing not verified");
570 hexdump((uint8_t *)data + *nbytes - 1, key_macing_length(key), "Expect ", 0);
571 hexdump((uint8_t *)edata + edl - 8, key_macing_length(key), "Actual ", 0);
572 #endif
573 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
574 *nbytes = -1;
575 res = NULL;
576 }
577 }
578 break;
579 case AS_NEW:
580 if (!(communication_settings & CMAC_COMMAND))
581 break;
582 if (communication_settings & CMAC_VERIFY) {
583 if (*nbytes < 9) {
584 *nbytes = -1;
585 res = NULL;
586 break;
587 }
588 first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
589 ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes - 1];
590 }
591
592 int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
593 cmac(key, DESFIRE(tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE(tag)->cmac);
594
595 if (communication_settings & CMAC_VERIFY) {
596 ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
597 if (0 != memcmp(DESFIRE(tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
598 #ifdef WITH_DEBUG
599 Dbprintf("CMAC NOT verified :-(");
600 hexdump((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
601 hexdump(DESFIRE(tag)->cmac, 8, "Actual ", 0);
602 #endif
603 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
604 *nbytes = -1;
605 res = NULL;
606 } else {
607 *nbytes -= 8;
608 }
609 }
610 break;
611 }
612
613 free(edata);
614
615 break;
616 case MDCM_ENCIPHERED:
617 (*nbytes)--;
618 bool verified = false;
619 int crc_pos = 0x00;
620 int end_crc_pos = 0x00;
621 uint8_t x;
622
623 /*
624 * AS_LEGACY:
625 * ,-----------------+-------------------------------+--------+
626 * \ BLOCK n-1 | BLOCK n | STATUS |
627 * / PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
628 * `-----------------+-------------------------------+--------+
629 *
630 * <------------ DATA ------------>
631 * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
632 *
633 * AS_NEW:
634 * ,-------------------------------+-----------------------------------------------+--------+
635 * \ BLOCK n-1 | BLOCK n | STATUS |
636 * / PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
637 * `-------------------------------+-----------------------------------------------+--------+
638 * <----------------------------------- DATA ------------------------------------->|
639 *
640 * <----------------- DATA ---------------->
641 * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
642 * `------------------'
643 */
644
645 mifare_cypher_blocks_chained(tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
646
647 /*
648 * Look for the CRC and ensure it is followed by NULL padding. We
649 * can't start by the end because the CRC is supposed to be 0 when
650 * verified, and accumulating 0's in it should not change it.
651 */
652 switch (DESFIRE(tag)->authentication_scheme) {
653 case AS_LEGACY:
654 crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
655 if (crc_pos < 0) {
656 /* Single block */
657 crc_pos = 0;
658 }
659 break;
660 case AS_NEW:
661 /* Move status between payload and CRC */
662 res = DESFIRE(tag)->crypto_buffer;
663 memcpy(res, data, *nbytes);
664
665 crc_pos = (*nbytes) - 16 - 3;
666 if (crc_pos < 0) {
667 /* Single block */
668 crc_pos = 0;
669 }
670 memcpy((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
671 ((uint8_t *)res)[crc_pos] = 0x00;
672 crc_pos++;
673 *nbytes += 1;
674 break;
675 }
676
677 do {
678 uint16_t crc_16 = 0x00;
679 uint32_t crc = 0x00;
680 switch (DESFIRE(tag)->authentication_scheme) {
681 case AS_LEGACY:
682 AddCrc14A((uint8_t *)res, end_crc_pos);
683 end_crc_pos = crc_pos + 2;
684 //
685
686
687 crc = crc_16;
688 break;
689 case AS_NEW:
690 end_crc_pos = crc_pos + 4;
691 crc32_ex(res, end_crc_pos, (uint8_t *)&crc);
692 break;
693 }
694 if (!crc) {
695 verified = true;
696 for (int n = end_crc_pos; n < *nbytes - 1; n++) {
697 uint8_t byte = ((uint8_t *)res)[n];
698 if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos))))
699 verified = false;
700 }
701 }
702 if (verified) {
703 *nbytes = crc_pos;
704 switch (DESFIRE(tag)->authentication_scheme) {
705 case AS_LEGACY:
706 ((uint8_t *)data)[(*nbytes)++] = 0x00;
707 break;
708 case AS_NEW:
709 /* The status byte was already before the CRC */
710 break;
711 }
712 } else {
713 switch (DESFIRE(tag)->authentication_scheme) {
714 case AS_LEGACY:
715 break;
716 case AS_NEW:
717 x = ((uint8_t *)res)[crc_pos - 1];
718 ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
719 ((uint8_t *)res)[crc_pos] = x;
720 break;
721 }
722 crc_pos++;
723 }
724 } while (!verified && (end_crc_pos < *nbytes));
725
726 if (!verified) {
727 #ifdef WITH_DEBUG
728 /* FIXME In some configurations, the file is transmitted PLAIN */
729 Dbprintf("CRC not verified in decyphered stream");
730 #endif
731 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
732 *nbytes = -1;
733 res = NULL;
734 }
735
736 break;
737 default:
738 Dbprintf("Unknown communication settings");
739 *nbytes = -1;
740 res = NULL;
741 break;
742
743 }
744 return res;
745 }
746
747
748 void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) {
749 uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];
750 if (direction == MCD_SEND) {
751 xor(ivect, data, block_size);
752 } else {
753 memcpy(ovect, data, block_size);
754 }
755
756 uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];
757
758 switch (key->type) {
759 case T_DES:
760 switch (operation) {
761 case MCO_ENCYPHER:
762 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
763 des_encrypt(edata, data, key->data);
764 break;
765 case MCO_DECYPHER:
766 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
767 des_decrypt(edata, data, key->data);
768 break;
769 }
770 break;
771 case T_3DES:
772 switch (operation) {
773 case MCO_ENCYPHER:
774 mbedtls_des3_set2key_enc(&ctx3, key->data);
775 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
776 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
777 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
778 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
779 break;
780 case MCO_DECYPHER:
781 mbedtls_des3_set2key_dec(&ctx3, key->data);
782 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
783 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
784 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
785 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
786 break;
787 }
788 break;
789 case T_3K3DES:
790 switch (operation) {
791 case MCO_ENCYPHER:
792 mbedtls_des3_set3key_enc(&ctx3, key->data);
793 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
794 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
795 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
796 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
797 break;
798 case MCO_DECYPHER:
799 mbedtls_des3_set3key_dec(&ctx3, key->data);
800 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
801 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
802 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
803 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
804 break;
805 }
806 break;
807 case T_AES:
808 switch (operation) {
809 case MCO_ENCYPHER: {
810 mbedtls_aes_init(&actx);
811 mbedtls_aes_setkey_enc(&actx, key->data, 128);
812 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(edata), ivect, data, edata);
813 break;
814 }
815 case MCO_DECYPHER: {
816 mbedtls_aes_init(&actx);
817 mbedtls_aes_setkey_dec(&actx, key->data, 128);
818 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(edata), ivect, edata, data);
819 break;
820 }
821 }
822 break;
823 }
824
825 memcpy(data, edata, block_size);
826
827 if (direction == MCD_SEND) {
828 memcpy(ivect, data, block_size);
829 } else {
830 xor(ivect, data, block_size);
831 memcpy(ivect, ovect, block_size);
832 }
833 }
834
835 /*
836 * This function performs all CBC cyphering / deciphering.
837 *
838 * The tag argument may be NULL, in which case both key and ivect shall be set.
839 * When using the tag session_key and ivect for processing data, these
840 * arguments should be set to NULL.
841 *
842 * Because the tag may contain additional data, one may need to call this
843 * function with tag, key and ivect defined.
844 */
845 void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
846 size_t block_size;
847
848 if (tag) {
849 if (key == NULL) {
850 key = DESFIRE(tag)->session_key;
851 }
852 if (ivect == NULL) {
853 ivect = DESFIRE(tag)->ivect;
854 }
855
856 switch (DESFIRE(tag)->authentication_scheme) {
857 case AS_LEGACY:
858 memset(ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
859 break;
860 case AS_NEW:
861 break;
862 }
863 }
864
865 block_size = key_block_size(key);
866
867 size_t offset = 0;
868 while (offset < data_size) {
869 mifare_cypher_single_block(key, data + offset, ivect, direction, operation, block_size);
870 offset += block_size;
871 }
872 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware