search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Release v4.15864 - Radium
[RRG-proxmark3.git] / armsrc / desfire_crypto.c
blob84361e2c349f87cd6e92bd8a0cf09d71ce5a7c57
1 //-----------------------------------------------------------------------------
2 // Borrowed initially from https://github.com/nfc-tools/libfreefare
3 // Copyright (C) 2010, Romain Tartiere.
4 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
5 //
6 // This program is free software: you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation, either version 3 of the License, or
9 // (at your option) any later version.
10 //
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
15 //
16 // See LICENSE.txt for the text of the license.
17 //-----------------------------------------------------------------------------
18 /*
19 * This implementation was written based on information provided by the
20 * following documents:
21 *
22 * NIST Special Publication 800-38B
23 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
24 * May 2005
25 */
26 #include "desfire_crypto.h"
27 #include <stdlib.h>
28 #include <stdio.h>
29 #include <string.h>
30 #include "commonutil.h"
31 #include "crc32.h"
32 #include "crc.h"
33 #include "crc16.h" // crc16 ccitt
34 #include "printf.h"
35 #include "iso14443a.h"
36 #include "dbprint.h"
37 #include "BigBuf.h"
38
39 #ifndef AddCrc14A
40 # define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1)
41 #endif
42
43 static mbedtls_des_context ctx;
44 static mbedtls_des3_context ctx3;
45 static mbedtls_aes_context actx;
46
47 static void update_key_schedules(desfirekey_t key);
48
49 static void update_key_schedules(desfirekey_t key) {
50 // DES_set_key ((DES_cblock *)key->data, &(key->ks1));
51 // DES_set_key ((DES_cblock *)(key->data + 8), &(key->ks2));
52 // if (T_3K3DES == key->type) {
53 // DES_set_key ((DES_cblock *)(key->data + 16), &(key->ks3));
54 // }
55 }
56
57 /******************************************************************************/
58 void des_encrypt(void *out, const void *in, const void *key) {
59 mbedtls_des_setkey_enc(&ctx, key);
60 mbedtls_des_crypt_ecb(&ctx, in, out);
61 }
62
63 void des_decrypt(void *out, const void *in, const void *key) {
64 mbedtls_des_setkey_dec(&ctx, key);
65 mbedtls_des_crypt_ecb(&ctx, in, out);
66 }
67
68 void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
69 if (length % 8) return;
70 if (keymode == 2)
71 mbedtls_des3_set2key_dec(&ctx3, key);
72 else
73 mbedtls_des3_set3key_dec(&ctx3, key);
74
75 uint8_t i;
76 unsigned char temp[8];
77 uint8_t *tin = (uint8_t *) in;
78 uint8_t *tout = (uint8_t *) out;
79
80 while (length > 0) {
81 memcpy(temp, tin, 8);
82
83 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
84
85 for (i = 0; i < 8; i++)
86 tout[i] = (unsigned char)(tout[i] ^ iv[i]);
87
88 memcpy(iv, temp, 8);
89
90 tin += 8;
91 tout += 8;
92 length -= 8;
93 }
94 }
95
96 void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
97 if (length % 8) return;
98 if (keymode == 2)
99 mbedtls_des3_set2key_enc(&ctx3, key);
100 else
101 mbedtls_des3_set3key_enc(&ctx3, key);
102
103 uint8_t i;
104 uint8_t *tin = (uint8_t *) in;
105 uint8_t *tout = (uint8_t *) out;
106
107 while (length > 0) {
108 for (i = 0; i < 8; i++) {
109 tin[i] = (unsigned char)(tin[i] ^ iv[i]);
110 }
111
112 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
113
114 memcpy(iv, tout, 8);
115
116 tin += 8;
117 tout += 8;
118 length -= 8;
119 }
120 }
121
122
123
124 void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) {
125 uint8_t data[8];
126 memcpy(data, value, 8);
127 for (int n = 0; n < 8; n++) {
128 data[n] &= 0xFE;
129 }
130 Desfire_des_key_new_with_version(data, key);
131 }
132
133 void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key) {
134 if (key != NULL) {
135 key->type = T_DES;
136 memcpy(key->data, value, 8);
137 memcpy(key->data + 8, value, 8);
138 update_key_schedules(key);
139 }
140 }
141
142 void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key) {
143 uint8_t data[16];
144 memcpy(data, value, 16);
145 for (int n = 0; n < 8; n++) {
146 data[n] &= 0xFE;
147 }
148 for (int n = 8; n < 16; n++) {
149 data[n] |= 0x01;
150 }
151 Desfire_3des_key_new_with_version(data, key);
152 }
153
154 void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key) {
155 if (key != NULL) {
156 key->type = T_3DES;
157 memcpy(key->data, value, 16);
158 update_key_schedules(key);
159 }
160 }
161
162 void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key) {
163 uint8_t data[24];
164 memcpy(data, value, 24);
165 for (int n = 0; n < 8; n++) {
166 data[n] &= 0xFE;
167 }
168 Desfire_3k3des_key_new_with_version(data, key);
169 }
170
171 void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key) {
172 if (key != NULL) {
173 key->type = T_3K3DES;
174 memcpy(key->data, value, 24);
175 update_key_schedules(key);
176 }
177 }
178
179 void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key) {
180 Desfire_aes_key_new_with_version(value, 0, key);
181 }
182
183 void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key) {
184
185 if (key != NULL) {
186 memcpy(key->data, value, 16);
187 key->type = T_AES;
188 key->aes_version = version;
189 }
190 }
191
192 uint8_t Desfire_key_get_version(desfirekey_t key) {
193 uint8_t version = 0;
194
195 for (int n = 0; n < 8; n++) {
196 version |= ((key->data[n] & 1) << (7 - n));
197 }
198 return version;
199 }
200
201 void Desfire_key_set_version(desfirekey_t key, uint8_t version) {
202 for (int n = 0; n < 8; n++) {
203 uint8_t version_bit = ((version & (1 << (7 - n))) >> (7 - n));
204 key->data[n] &= 0xFE;
205 key->data[n] |= version_bit;
206 if (key->type == T_DES) {
207 key->data[n + 8] = key->data[n];
208 } else {
209 // Write ~version to avoid turning a 3DES key into a DES key
210 key->data[n + 8] &= 0xFE;
211 key->data[n + 8] |= ~version_bit;
212 }
213 }
214 }
215
216 void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) {
217
218 uint8_t buffer[24];
219
220 switch (authkey->type) {
221 case T_DES:
222 memcpy(buffer, rnda, 4);
223 memcpy(buffer + 4, rndb, 4);
224 Desfire_des_key_new_with_version(buffer, key);
225 break;
226 case T_3DES:
227 memcpy(buffer, rnda, 4);
228 memcpy(buffer + 4, rndb, 4);
229 memcpy(buffer + 8, rnda + 4, 4);
230 memcpy(buffer + 12, rndb + 4, 4);
231 Desfire_3des_key_new_with_version(buffer, key);
232 break;
233 case T_3K3DES:
234 memcpy(buffer, rnda, 4);
235 memcpy(buffer + 4, rndb, 4);
236 memcpy(buffer + 8, rnda + 6, 4);
237 memcpy(buffer + 12, rndb + 6, 4);
238 memcpy(buffer + 16, rnda + 12, 4);
239 memcpy(buffer + 20, rndb + 12, 4);
240 Desfire_3k3des_key_new(buffer, key);
241 break;
242 case T_AES:
243 memcpy(buffer, rnda, 4);
244 memcpy(buffer + 4, rndb, 4);
245 memcpy(buffer + 8, rnda + 12, 4);
246 memcpy(buffer + 12, rndb + 12, 4);
247 Desfire_aes_key_new(buffer, key);
248 break;
249 }
250 }
251
252 static size_t key_macing_length(desfirekey_t key);
253
254 // iceman, see memxor inside string.c, dest/src swapped..
255 static void xor(const uint8_t *ivect, uint8_t *data, const size_t len) {
256 for (size_t i = 0; i < len; i++) {
257 data[i] ^= ivect[i];
258 }
259 }
260
261 void cmac_generate_subkeys(desfirekey_t key) {
262 int kbs = key_block_size(key);
263 const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
264
265 uint8_t l[kbs];
266 memset(l, 0, kbs);
267
268 uint8_t ivect[kbs];
269 memset(ivect, 0, kbs);
270
271 mifare_cypher_blocks_chained(NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
272
273 bool txor = false;
274
275 // Used to compute CMAC on complete blocks
276 memcpy(key->cmac_sk1, l, kbs);
277
278 txor = l[0] & 0x80;
279
280 lsl(key->cmac_sk1, kbs);
281
282 if (txor) {
283 key->cmac_sk1[kbs - 1] ^= R;
284 }
285
286 // Used to compute CMAC on the last block if non-complete
287 memcpy(key->cmac_sk2, key->cmac_sk1, kbs);
288
289 txor = key->cmac_sk1[0] & 0x80;
290
291 lsl(key->cmac_sk2, kbs);
292
293 if (txor) {
294 key->cmac_sk2[kbs - 1] ^= R;
295 }
296 }
297
298 void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
299 int kbs = key_block_size(key);
300 if (kbs == 0) {
301 return;
302 }
303
304 uint8_t *buffer = BigBuf_malloc(padded_data_length(len, kbs));
305
306 memcpy(buffer, data, len);
307
308 if ((!len) || (len % kbs)) {
309 buffer[len++] = 0x80;
310 while (len % kbs) {
311 buffer[len++] = 0x00;
312 }
313 xor(key->cmac_sk2, buffer + len - kbs, kbs);
314 } else {
315 xor(key->cmac_sk1, buffer + len - kbs, kbs);
316 }
317
318 mifare_cypher_blocks_chained(NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
319
320 memcpy(cmac, ivect, kbs);
321 //free(buffer);
322 }
323
324 size_t key_block_size(const desfirekey_t key) {
325 if (key == NULL) {
326 return 0;
327 }
328
329 size_t block_size = 8;
330 switch (key->type) {
331 case T_DES:
332 case T_3DES:
333 case T_3K3DES:
334 block_size = 8;
335 break;
336 case T_AES:
337 block_size = 16;
338 break;
339 }
340 return block_size;
341 }
342
343 /*
344 * Size of MACing produced with the key.
345 */
346 static size_t key_macing_length(const desfirekey_t key) {
347 size_t mac_length = DESFIRE_MAC_LENGTH;
348 switch (key->type) {
349 case T_DES:
350 case T_3DES:
351 mac_length = DESFIRE_MAC_LENGTH;
352 break;
353 case T_3K3DES:
354 case T_AES:
355 mac_length = DESFIRE_CMAC_LENGTH;
356 break;
357 }
358 return mac_length;
359 }
360
361 /*
362 * Size required to store nbytes of data in a buffer of size n*block_size.
363 */
364 size_t padded_data_length(const size_t nbytes, const size_t block_size) {
365 if ((!nbytes) || (nbytes % block_size))
366 return ((nbytes / block_size) + 1) * block_size;
367 else
368 return nbytes;
369 }
370
371 /*
372 * Buffer size required to MAC nbytes of data
373 */
374 size_t maced_data_length(const desfirekey_t key, const size_t nbytes) {
375 return nbytes + key_macing_length(key);
376 }
377 /*
378 * Buffer size required to encipher nbytes of data and a two bytes CRC.
379 */
380 size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings) {
381 size_t crc_length = 0;
382 if (!(communication_settings & NO_CRC)) {
383 switch (DESFIRE(tag)->authentication_scheme) {
384 case AS_LEGACY:
385 crc_length = 2;
386 break;
387 case AS_NEW:
388 crc_length = 4;
389 break;
390 }
391 }
392
393 size_t block_size = DESFIRE(tag)->session_key ? key_block_size(DESFIRE(tag)->session_key) : 1;
394
395 return padded_data_length(nbytes + crc_length, block_size);
396 }
397
398 void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
399 uint8_t *res = data;
400 uint8_t mac[4];
401 size_t edl;
402 bool append_mac = true;
403 desfirekey_t key = DESFIRE(tag)->session_key;
404
405 if (!key)
406 return data;
407
408 switch (communication_settings & MDCM_MASK) {
409 case MDCM_PLAIN:
410 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
411 break;
412
413 /*
414 * When using new authentication methods, PLAIN data transmission from
415 * the PICC to the PCD are CMACed, so we have to maintain the
416 * cryptographic initialisation vector up-to-date to check data
417 * integrity later.
418 *
419 * The only difference with CMACed data transmission is that the CMAC
420 * is not appended to the data send by the PCD to the PICC.
421 */
422
423 append_mac = false;
424
425 /* pass through */
426 case MDCM_MACED:
427 switch (DESFIRE(tag)->authentication_scheme) {
428 case AS_LEGACY:
429 if (!(communication_settings & MAC_COMMAND))
430 break;
431
432 /* pass through */
433 edl = padded_data_length(*nbytes - offset, key_block_size(DESFIRE(tag)->session_key)) + offset;
434
435 // Fill in the crypto buffer with data ...
436 memcpy(res, data, *nbytes);
437 // ... and 0 padding
438 memset(res + *nbytes, 0, edl - *nbytes);
439
440 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
441
442 memcpy(mac, res + edl - 8, 4);
443
444 // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
445 memcpy(res, data, *nbytes);
446
447 if (!(communication_settings & MAC_COMMAND))
448 break;
449 // Append MAC
450 size_t bla = maced_data_length(DESFIRE(tag)->session_key, *nbytes - offset) + offset;
451 (void)bla++;
452
453 memcpy(res + *nbytes, mac, 4);
454
455 *nbytes += 4;
456 break;
457 case AS_NEW:
458 if (!(communication_settings & CMAC_COMMAND))
459 break;
460 cmac(key, DESFIRE(tag)->ivect, res, *nbytes, DESFIRE(tag)->cmac);
461
462 if (append_mac) {
463 size_t len = maced_data_length(key, *nbytes);
464 (void)++len;
465 memcpy(res, data, *nbytes);
466 memcpy(res + *nbytes, DESFIRE(tag)->cmac, DESFIRE_CMAC_LENGTH);
467 *nbytes += DESFIRE_CMAC_LENGTH;
468 }
469 break;
470 }
471
472 break;
473 case MDCM_ENCIPHERED:
474 /* |<-------------- data -------------->|
475 * |<--- offset -->| |
476 * +---------------+--------------------+-----+---------+
477 * | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
478 * +---------------+--------------------+-----+---------+ ----------------
479 * | |<~~~~v~~~~~~~~~~~~~>| ^ | | (DES / 3DES)
480 * | | `---- crc16() ----' | |
481 * | | | ^ | | ----- *or* -----
482 * |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>| ^ | | (3K3DES / AES)
483 * | `---- crc32() ----' | |
484 * | | ---- *then* ----
485 * |<---------------------------------->|
486 * encypher()/decypher()
487 */
488
489 if (!(communication_settings & ENC_COMMAND))
490 break;
491 edl = enciphered_data_length(tag, *nbytes - offset, communication_settings) + offset;
492
493 // Fill in the crypto buffer with data ...
494 memcpy(res, data, *nbytes);
495 if (!(communication_settings & NO_CRC)) {
496 // ... CRC ...
497 switch (DESFIRE(tag)->authentication_scheme) {
498 case AS_LEGACY:
499 AddCrc14A(res + offset, *nbytes - offset);
500 *nbytes += 2;
501 break;
502 case AS_NEW:
503 crc32_append(res, *nbytes);
504 *nbytes += 4;
505 break;
506 }
507 }
508 // ... and padding
509 memset(res + *nbytes, 0, edl - *nbytes);
510
511 *nbytes = edl;
512
513 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
514 break;
515 default:
516
517 *nbytes = -1;
518 res = NULL;
519 break;
520 }
521
522 return res;
523
524 }
525
526 void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
527 void *res = data;
528 void *edata = NULL;
529 uint8_t first_cmac_byte = 0x00;
530
531 desfirekey_t key = DESFIRE(tag)->session_key;
532
533 if (!key)
534 return data;
535
536 // Return directly if we just have a status code.
537 if (1 == *nbytes)
538 return res;
539
540 switch (communication_settings & MDCM_MASK) {
541 case MDCM_PLAIN:
542
543 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
544 break;
545
546 /* pass through */
547 case MDCM_MACED:
548 switch (DESFIRE(tag)->authentication_scheme) {
549 case AS_LEGACY:
550 if (communication_settings & MAC_VERIFY) {
551 *nbytes -= key_macing_length(key);
552 if (*nbytes == 0) {
553 *nbytes = -1;
554 res = NULL;
555 #ifdef WITH_DEBUG
556 Dbprintf("No room for MAC!");
557 #endif
558 break;
559 }
560
561 size_t edl = enciphered_data_length(tag, *nbytes - 1, communication_settings);
562 edata = BigBuf_malloc(edl);
563
564 memcpy(edata, data, *nbytes - 1);
565 memset((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);
566
567 mifare_cypher_blocks_chained(tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
568
569 if (0 != memcmp((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
570 #ifdef WITH_DEBUG
571 Dbprintf("MACing not verified");
572 hexdump((uint8_t *)data + *nbytes - 1, key_macing_length(key), "Expect ", 0);
573 hexdump((uint8_t *)edata + edl - 8, key_macing_length(key), "Actual ", 0);
574 #endif
575 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
576 *nbytes = -1;
577 res = NULL;
578 }
579 }
580 break;
581 case AS_NEW:
582 if (!(communication_settings & CMAC_COMMAND))
583 break;
584 if (communication_settings & CMAC_VERIFY) {
585 if (*nbytes < 9) {
586 *nbytes = -1;
587 res = NULL;
588 break;
589 }
590 first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
591 ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes - 1];
592 }
593
594 int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
595 cmac(key, DESFIRE(tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE(tag)->cmac);
596
597 if (communication_settings & CMAC_VERIFY) {
598 ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
599 if (0 != memcmp(DESFIRE(tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
600 #ifdef WITH_DEBUG
601 Dbprintf("CMAC NOT verified :-(");
602 hexdump((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
603 hexdump(DESFIRE(tag)->cmac, 8, "Actual ", 0);
604 #endif
605 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
606 *nbytes = -1;
607 res = NULL;
608 } else {
609 *nbytes -= 8;
610 }
611 }
612 break;
613 }
614
615 free(edata);
616
617 break;
618 case MDCM_ENCIPHERED:
619 (*nbytes)--;
620 bool verified = false;
621 int crc_pos = 0x00;
622 int end_crc_pos = 0x00;
623 uint8_t x;
624
625 /*
626 * AS_LEGACY:
627 * ,-----------------+-------------------------------+--------+
628 * \ BLOCK n-1 | BLOCK n | STATUS |
629 * / PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
630 * `-----------------+-------------------------------+--------+
631 *
632 * <------------ DATA ------------>
633 * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
634 *
635 * AS_NEW:
636 * ,-------------------------------+-----------------------------------------------+--------+
637 * \ BLOCK n-1 | BLOCK n | STATUS |
638 * / PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
639 * `-------------------------------+-----------------------------------------------+--------+
640 * <----------------------------------- DATA ------------------------------------->|
641 *
642 * <----------------- DATA ---------------->
643 * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
644 * `------------------'
645 */
646
647 mifare_cypher_blocks_chained(tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
648
649 /*
650 * Look for the CRC and ensure it is followed by NULL padding. We
651 * can't start by the end because the CRC is supposed to be 0 when
652 * verified, and accumulating 0's in it should not change it.
653 */
654 switch (DESFIRE(tag)->authentication_scheme) {
655 case AS_LEGACY:
656 crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
657 if (crc_pos < 0) {
658 /* Single block */
659 crc_pos = 0;
660 }
661 break;
662 case AS_NEW:
663 /* Move status between payload and CRC */
664 res = DESFIRE(tag)->crypto_buffer;
665 memcpy(res, data, *nbytes);
666
667 crc_pos = (*nbytes) - 16 - 3;
668 if (crc_pos < 0) {
669 /* Single block */
670 crc_pos = 0;
671 }
672 memcpy((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
673 ((uint8_t *)res)[crc_pos] = 0x00;
674 crc_pos++;
675 *nbytes += 1;
676 break;
677 }
678
679 do {
680 uint16_t crc_16 = 0x00;
681 uint32_t crc = 0x00;
682 switch (DESFIRE(tag)->authentication_scheme) {
683 case AS_LEGACY:
684 AddCrc14A((uint8_t *)res, end_crc_pos);
685 end_crc_pos = crc_pos + 2;
686 //
687
688
689 crc = crc_16;
690 break;
691 case AS_NEW:
692 end_crc_pos = crc_pos + 4;
693 crc32_ex(res, end_crc_pos, (uint8_t *)&crc);
694 break;
695 }
696 if (!crc) {
697 verified = true;
698 for (int n = end_crc_pos; n < *nbytes - 1; n++) {
699 uint8_t byte = ((uint8_t *)res)[n];
700 if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos))))
701 verified = false;
702 }
703 }
704 if (verified) {
705 *nbytes = crc_pos;
706 switch (DESFIRE(tag)->authentication_scheme) {
707 case AS_LEGACY:
708 ((uint8_t *)data)[(*nbytes)++] = 0x00;
709 break;
710 case AS_NEW:
711 /* The status byte was already before the CRC */
712 break;
713 }
714 } else {
715 switch (DESFIRE(tag)->authentication_scheme) {
716 case AS_LEGACY:
717 break;
718 case AS_NEW:
719 x = ((uint8_t *)res)[crc_pos - 1];
720 ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
721 ((uint8_t *)res)[crc_pos] = x;
722 break;
723 }
724 crc_pos++;
725 }
726 } while (!verified && (end_crc_pos < *nbytes));
727
728 if (!verified) {
729 #ifdef WITH_DEBUG
730 /* FIXME In some configurations, the file is transmitted PLAIN */
731 Dbprintf("CRC not verified in decyphered stream");
732 #endif
733 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
734 *nbytes = -1;
735 res = NULL;
736 }
737
738 break;
739 default:
740 Dbprintf("Unknown communication settings");
741 *nbytes = -1;
742 res = NULL;
743 break;
744
745 }
746 return res;
747 }
748
749
750 void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) {
751 uint8_t ovect[DESFIRE_MAX_CRYPTO_BLOCK_SIZE];
752 if (direction == MCD_SEND) {
753 xor(ivect, data, block_size);
754 } else {
755 memcpy(ovect, data, block_size);
756 }
757
758 uint8_t edata[DESFIRE_MAX_CRYPTO_BLOCK_SIZE];
759
760 switch (key->type) {
761 case T_DES:
762 switch (operation) {
763 case MCO_ENCYPHER:
764 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
765 des_encrypt(edata, data, key->data);
766 break;
767 case MCO_DECYPHER:
768 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
769 des_decrypt(edata, data, key->data);
770 break;
771 }
772 break;
773 case T_3DES:
774 switch (operation) {
775 case MCO_ENCYPHER:
776 mbedtls_des3_set2key_enc(&ctx3, key->data);
777 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
778 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
779 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
780 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
781 break;
782 case MCO_DECYPHER:
783 mbedtls_des3_set2key_dec(&ctx3, key->data);
784 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
785 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
786 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
787 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
788 break;
789 }
790 break;
791 case T_3K3DES:
792 switch (operation) {
793 case MCO_ENCYPHER:
794 mbedtls_des3_set3key_enc(&ctx3, key->data);
795 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
796 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
797 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
798 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
799 break;
800 case MCO_DECYPHER:
801 mbedtls_des3_set3key_dec(&ctx3, key->data);
802 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
803 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
804 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
805 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
806 break;
807 }
808 break;
809 case T_AES:
810 switch (operation) {
811 case MCO_ENCYPHER: {
812 mbedtls_aes_init(&actx);
813 mbedtls_aes_setkey_enc(&actx, key->data, 128);
814 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(edata), ivect, data, edata);
815 break;
816 }
817 case MCO_DECYPHER: {
818 mbedtls_aes_init(&actx);
819 mbedtls_aes_setkey_dec(&actx, key->data, 128);
820 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(edata), ivect, edata, data);
821 break;
822 }
823 }
824 break;
825 }
826
827 memcpy(data, edata, block_size);
828
829 if (direction == MCD_SEND) {
830 memcpy(ivect, data, block_size);
831 } else {
832 xor(ivect, data, block_size);
833 memcpy(ivect, ovect, block_size);
834 }
835 }
836
837 /*
838 * This function performs all CBC cyphering / deciphering.
839 *
840 * The tag argument may be NULL, in which case both key and ivect shall be set.
841 * When using the tag session_key and ivect for processing data, these
842 * arguments should be set to NULL.
843 *
844 * Because the tag may contain additional data, one may need to call this
845 * function with tag, key and ivect defined.
846 */
847 void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
848 size_t block_size;
849
850 if (tag) {
851 if (key == NULL) {
852 key = DESFIRE(tag)->session_key;
853 }
854 if (ivect == NULL) {
855 ivect = DESFIRE(tag)->ivect;
856 }
857
858 switch (DESFIRE(tag)->authentication_scheme) {
859 case AS_LEGACY:
860 memset(ivect, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE);
861 break;
862 case AS_NEW:
863 break;
864 }
865 }
866
867 block_size = key_block_size(key);
868
869 size_t offset = 0;
870 while (offset < data_size) {
871 mifare_cypher_single_block(key, data + offset, ivect, direction, operation, block_size);
872 offset += block_size;
873 }
874 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware