search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / armsrc / desfire_crypto.c
blob782466be268ea210406aff5cd99b0be8dc70fbd4
1 /*-
2 * Copyright (C) 2010, Romain Tartiere.
3 *
4 * This program is free software: you can redistribute it and/or modify it
5 * under the terms of the GNU Lesser General Public License as published by the
6 * Free Software Foundation, either version 3 of the License, or (at your
7 * option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
12 * more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>
16 *
17 * $Id$
18 */
19
20 /*
21 * This implementation was written based on information provided by the
22 * following documents:
23 *
24 * NIST Special Publication 800-38B
25 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
26 * May 2005
27 */
28 #include "desfire_crypto.h"
29 #include <stdlib.h>
30 #include <stdio.h>
31 #include <string.h>
32 #include "commonutil.h"
33 #include "crc32.h"
34 #include "crc.h"
35 #include "crc16.h" // crc16 ccitt
36 #include "printf.h"
37 #include "iso14443a.h"
38 #include "dbprint.h"
39 #include "BigBuf.h"
40
41 #ifndef AddCrc14A
42 # define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1)
43 #endif
44
45 static mbedtls_des_context ctx;
46 static mbedtls_des3_context ctx3;
47 static mbedtls_aes_context actx;
48
49 static void update_key_schedules(desfirekey_t key);
50
51 static void update_key_schedules(desfirekey_t key) {
52 // DES_set_key ((DES_cblock *)key->data, &(key->ks1));
53 // DES_set_key ((DES_cblock *)(key->data + 8), &(key->ks2));
54 // if (T_3K3DES == key->type) {
55 // DES_set_key ((DES_cblock *)(key->data + 16), &(key->ks3));
56 // }
57 }
58
59 /******************************************************************************/
60 void des_encrypt(void *out, const void *in, const void *key) {
61 mbedtls_des_setkey_enc(&ctx, key);
62 mbedtls_des_crypt_ecb(&ctx, in, out);
63 }
64
65 void des_decrypt(void *out, const void *in, const void *key) {
66 mbedtls_des_setkey_dec(&ctx, key);
67 mbedtls_des_crypt_ecb(&ctx, in, out);
68 }
69
70 void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
71 if (length % 8) return;
72 if (keymode == 2) mbedtls_des3_set2key_dec(&ctx3, key);
73 else mbedtls_des3_set3key_dec(&ctx3, key);
74
75 uint8_t i;
76 unsigned char temp[8];
77 uint8_t *tin = (uint8_t *) in;
78 uint8_t *tout = (uint8_t *) out;
79
80 while (length > 0) {
81 memcpy(temp, tin, 8);
82
83 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
84
85 for (i = 0; i < 8; i++)
86 tout[i] = (unsigned char)(tout[i] ^ iv[i]);
87
88 memcpy(iv, temp, 8);
89
90 tin += 8;
91 tout += 8;
92 length -= 8;
93 }
94 }
95
96 void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) {
97 if (length % 8) return;
98 if (keymode == 2) mbedtls_des3_set2key_enc(&ctx3, key);
99 else mbedtls_des3_set3key_enc(&ctx3, key);
100
101 uint8_t i;
102 uint8_t *tin = (uint8_t *) in;
103 uint8_t *tout = (uint8_t *) out;
104
105 while (length > 0) {
106 for (i = 0; i < 8; i++)
107 tin[i] = (unsigned char)(tin[i] ^ iv[i]);
108
109 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
110
111 memcpy(iv, tout, 8);
112
113 tin += 8;
114 tout += 8;
115 length -= 8;
116 }
117 }
118
119
120
121 void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) {
122 uint8_t data[8];
123 memcpy(data, value, 8);
124 for (int n = 0; n < 8; n++)
125 data[n] &= 0xfe;
126 Desfire_des_key_new_with_version(data, key);
127 }
128
129 void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key) {
130 if (key != NULL) {
131 key->type = T_DES;
132 memcpy(key->data, value, 8);
133 memcpy(key->data + 8, value, 8);
134 update_key_schedules(key);
135 }
136 }
137
138 void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key) {
139 uint8_t data[16];
140 memcpy(data, value, 16);
141 for (int n = 0; n < 8; n++)
142 data[n] &= 0xfe;
143 for (int n = 8; n < 16; n++)
144 data[n] |= 0x01;
145 Desfire_3des_key_new_with_version(data, key);
146 }
147
148 void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key) {
149 if (key != NULL) {
150 key->type = T_3DES;
151 memcpy(key->data, value, 16);
152 update_key_schedules(key);
153 }
154 }
155
156 void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key) {
157 uint8_t data[24];
158 memcpy(data, value, 24);
159 for (int n = 0; n < 8; n++)
160 data[n] &= 0xfe;
161 Desfire_3k3des_key_new_with_version(data, key);
162 }
163
164 void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key) {
165 if (key != NULL) {
166 key->type = T_3K3DES;
167 memcpy(key->data, value, 24);
168 update_key_schedules(key);
169 }
170 }
171
172 void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key) {
173 Desfire_aes_key_new_with_version(value, 0, key);
174 }
175
176 void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key) {
177
178 if (key != NULL) {
179 memcpy(key->data, value, 16);
180 key->type = T_AES;
181 key->aes_version = version;
182 }
183 }
184
185 uint8_t Desfire_key_get_version(desfirekey_t key) {
186 uint8_t version = 0;
187
188 for (int n = 0; n < 8; n++) {
189 version |= ((key->data[n] & 1) << (7 - n));
190 }
191 return version;
192 }
193
194 void Desfire_key_set_version(desfirekey_t key, uint8_t version) {
195 for (int n = 0; n < 8; n++) {
196 uint8_t version_bit = ((version & (1 << (7 - n))) >> (7 - n));
197 key->data[n] &= 0xfe;
198 key->data[n] |= version_bit;
199 if (key->type == T_DES) {
200 key->data[n + 8] = key->data[n];
201 } else {
202 // Write ~version to avoid turning a 3DES key into a DES key
203 key->data[n + 8] &= 0xfe;
204 key->data[n + 8] |= ~version_bit;
205 }
206 }
207 }
208
209 void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) {
210
211 uint8_t buffer[24];
212
213 switch (authkey->type) {
214 case T_DES:
215 memcpy(buffer, rnda, 4);
216 memcpy(buffer + 4, rndb, 4);
217 Desfire_des_key_new_with_version(buffer, key);
218 break;
219 case T_3DES:
220 memcpy(buffer, rnda, 4);
221 memcpy(buffer + 4, rndb, 4);
222 memcpy(buffer + 8, rnda + 4, 4);
223 memcpy(buffer + 12, rndb + 4, 4);
224 Desfire_3des_key_new_with_version(buffer, key);
225 break;
226 case T_3K3DES:
227 memcpy(buffer, rnda, 4);
228 memcpy(buffer + 4, rndb, 4);
229 memcpy(buffer + 8, rnda + 6, 4);
230 memcpy(buffer + 12, rndb + 6, 4);
231 memcpy(buffer + 16, rnda + 12, 4);
232 memcpy(buffer + 20, rndb + 12, 4);
233 Desfire_3k3des_key_new(buffer, key);
234 break;
235 case T_AES:
236 memcpy(buffer, rnda, 4);
237 memcpy(buffer + 4, rndb, 4);
238 memcpy(buffer + 8, rnda + 12, 4);
239 memcpy(buffer + 12, rndb + 12, 4);
240 Desfire_aes_key_new(buffer, key);
241 break;
242 }
243 }
244
245 static size_t key_macing_length(desfirekey_t key);
246
247 // iceman, see memxor inside string.c, dest/src swapped..
248 static void xor(const uint8_t *ivect, uint8_t *data, const size_t len) {
249 for (size_t i = 0; i < len; i++) {
250 data[i] ^= ivect[i];
251 }
252 }
253
254 void cmac_generate_subkeys(desfirekey_t key) {
255 int kbs = key_block_size(key);
256 const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
257
258 uint8_t l[kbs];
259 memset(l, 0, kbs);
260
261 uint8_t ivect[kbs];
262 memset(ivect, 0, kbs);
263
264 mifare_cypher_blocks_chained(NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
265
266 bool txor = false;
267
268 // Used to compute CMAC on complete blocks
269 memcpy(key->cmac_sk1, l, kbs);
270 txor = l[0] & 0x80;
271 lsl(key->cmac_sk1, kbs);
272 if (txor)
273 key->cmac_sk1[kbs - 1] ^= R;
274
275 // Used to compute CMAC on the last block if non-complete
276 memcpy(key->cmac_sk2, key->cmac_sk1, kbs);
277 txor = key->cmac_sk1[0] & 0x80;
278 lsl(key->cmac_sk2, kbs);
279 if (txor)
280 key->cmac_sk2[kbs - 1] ^= R;
281 }
282
283 void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
284 int kbs = key_block_size(key);
285 if (kbs == 0)
286 return;
287
288 uint8_t *buffer = BigBuf_malloc(padded_data_length(len, kbs));
289
290 memcpy(buffer, data, len);
291
292 if ((!len) || (len % kbs)) {
293 buffer[len++] = 0x80;
294 while (len % kbs) {
295 buffer[len++] = 0x00;
296 }
297 xor(key->cmac_sk2, buffer + len - kbs, kbs);
298 } else {
299 xor(key->cmac_sk1, buffer + len - kbs, kbs);
300 }
301
302 mifare_cypher_blocks_chained(NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
303
304 memcpy(cmac, ivect, kbs);
305 //free(buffer);
306 }
307
308 size_t key_block_size(const desfirekey_t key) {
309 if (key == NULL)
310 return 0;
311 size_t block_size = 8;
312 switch (key->type) {
313 case T_DES:
314 case T_3DES:
315 case T_3K3DES:
316 block_size = 8;
317 break;
318 case T_AES:
319 block_size = 16;
320 break;
321 }
322 return block_size;
323 }
324
325 /*
326 * Size of MACing produced with the key.
327 */
328 static size_t key_macing_length(const desfirekey_t key) {
329 size_t mac_length = MAC_LENGTH;
330 switch (key->type) {
331 case T_DES:
332 case T_3DES:
333 mac_length = MAC_LENGTH;
334 break;
335 case T_3K3DES:
336 case T_AES:
337 mac_length = CMAC_LENGTH;
338 break;
339 }
340 return mac_length;
341 }
342
343 /*
344 * Size required to store nbytes of data in a buffer of size n*block_size.
345 */
346 size_t padded_data_length(const size_t nbytes, const size_t block_size) {
347 if ((!nbytes) || (nbytes % block_size))
348 return ((nbytes / block_size) + 1) * block_size;
349 else
350 return nbytes;
351 }
352
353 /*
354 * Buffer size required to MAC nbytes of data
355 */
356 size_t maced_data_length(const desfirekey_t key, const size_t nbytes) {
357 return nbytes + key_macing_length(key);
358 }
359 /*
360 * Buffer size required to encipher nbytes of data and a two bytes CRC.
361 */
362 size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings) {
363 size_t crc_length = 0;
364 if (!(communication_settings & NO_CRC)) {
365 switch (DESFIRE(tag)->authentication_scheme) {
366 case AS_LEGACY:
367 crc_length = 2;
368 break;
369 case AS_NEW:
370 crc_length = 4;
371 break;
372 }
373 }
374
375 size_t block_size = DESFIRE(tag)->session_key ? key_block_size(DESFIRE(tag)->session_key) : 1;
376
377 return padded_data_length(nbytes + crc_length, block_size);
378 }
379
380 void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
381 uint8_t *res = data;
382 uint8_t mac[4];
383 size_t edl;
384 bool append_mac = true;
385 desfirekey_t key = DESFIRE(tag)->session_key;
386
387 if (!key)
388 return data;
389
390 switch (communication_settings & MDCM_MASK) {
391 case MDCM_PLAIN:
392 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
393 break;
394
395 /*
396 * When using new authentication methods, PLAIN data transmission from
397 * the PICC to the PCD are CMACed, so we have to maintain the
398 * cryptographic initialisation vector up-to-date to check data
399 * integrity later.
400 *
401 * The only difference with CMACed data transmission is that the CMAC
402 * is not apended to the data send by the PCD to the PICC.
403 */
404
405 append_mac = false;
406
407 /* pass through */
408 case MDCM_MACED:
409 switch (DESFIRE(tag)->authentication_scheme) {
410 case AS_LEGACY:
411 if (!(communication_settings & MAC_COMMAND))
412 break;
413
414 /* pass through */
415 edl = padded_data_length(*nbytes - offset, key_block_size(DESFIRE(tag)->session_key)) + offset;
416
417 // Fill in the crypto buffer with data ...
418 memcpy(res, data, *nbytes);
419 // ... and 0 padding
420 memset(res + *nbytes, 0, edl - *nbytes);
421
422 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
423
424 memcpy(mac, res + edl - 8, 4);
425
426 // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
427 memcpy(res, data, *nbytes);
428
429 if (!(communication_settings & MAC_COMMAND))
430 break;
431 // Append MAC
432 size_t bla = maced_data_length(DESFIRE(tag)->session_key, *nbytes - offset) + offset;
433 (void)bla++;
434
435 memcpy(res + *nbytes, mac, 4);
436
437 *nbytes += 4;
438 break;
439 case AS_NEW:
440 if (!(communication_settings & CMAC_COMMAND))
441 break;
442 cmac(key, DESFIRE(tag)->ivect, res, *nbytes, DESFIRE(tag)->cmac);
443
444 if (append_mac) {
445 size_t len = maced_data_length(key, *nbytes);
446 (void)++len;
447 memcpy(res, data, *nbytes);
448 memcpy(res + *nbytes, DESFIRE(tag)->cmac, CMAC_LENGTH);
449 *nbytes += CMAC_LENGTH;
450 }
451 break;
452 }
453
454 break;
455 case MDCM_ENCIPHERED:
456 /* |<-------------- data -------------->|
457 * |<--- offset -->| |
458 * +---------------+--------------------+-----+---------+
459 * | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
460 * +---------------+--------------------+-----+---------+ ----------------
461 * | |<~~~~v~~~~~~~~~~~~~>| ^ | | (DES / 3DES)
462 * | | `---- crc16() ----' | |
463 * | | | ^ | | ----- *or* -----
464 * |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>| ^ | | (3K3DES / AES)
465 * | `---- crc32() ----' | |
466 * | | ---- *then* ----
467 * |<---------------------------------->|
468 * encypher()/decypher()
469 */
470
471 if (!(communication_settings & ENC_COMMAND))
472 break;
473 edl = enciphered_data_length(tag, *nbytes - offset, communication_settings) + offset;
474
475 // Fill in the crypto buffer with data ...
476 memcpy(res, data, *nbytes);
477 if (!(communication_settings & NO_CRC)) {
478 // ... CRC ...
479 switch (DESFIRE(tag)->authentication_scheme) {
480 case AS_LEGACY:
481 AddCrc14A(res + offset, *nbytes - offset);
482 *nbytes += 2;
483 break;
484 case AS_NEW:
485 crc32_append(res, *nbytes);
486 *nbytes += 4;
487 break;
488 }
489 }
490 // ... and padding
491 memset(res + *nbytes, 0, edl - *nbytes);
492
493 *nbytes = edl;
494
495 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
496 break;
497 default:
498
499 *nbytes = -1;
500 res = NULL;
501 break;
502 }
503
504 return res;
505
506 }
507
508 void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
509 void *res = data;
510 void *edata = NULL;
511 uint8_t first_cmac_byte = 0x00;
512
513 desfirekey_t key = DESFIRE(tag)->session_key;
514
515 if (!key)
516 return data;
517
518 // Return directly if we just have a status code.
519 if (1 == *nbytes)
520 return res;
521
522 switch (communication_settings & MDCM_MASK) {
523 case MDCM_PLAIN:
524
525 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
526 break;
527
528 /* pass through */
529 case MDCM_MACED:
530 switch (DESFIRE(tag)->authentication_scheme) {
531 case AS_LEGACY:
532 if (communication_settings & MAC_VERIFY) {
533 *nbytes -= key_macing_length(key);
534 if (*nbytes == 0) {
535 *nbytes = -1;
536 res = NULL;
537 #ifdef WITH_DEBUG
538 Dbprintf("No room for MAC!");
539 #endif
540 break;
541 }
542
543 size_t edl = enciphered_data_length(tag, *nbytes - 1, communication_settings);
544 edata = BigBuf_malloc(edl);
545
546 memcpy(edata, data, *nbytes - 1);
547 memset((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);
548
549 mifare_cypher_blocks_chained(tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
550
551 if (0 != memcmp((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
552 #ifdef WITH_DEBUG
553 Dbprintf("MACing not verified");
554 hexdump((uint8_t *)data + *nbytes - 1, key_macing_length(key), "Expect ", 0);
555 hexdump((uint8_t *)edata + edl - 8, key_macing_length(key), "Actual ", 0);
556 #endif
557 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
558 *nbytes = -1;
559 res = NULL;
560 }
561 }
562 break;
563 case AS_NEW:
564 if (!(communication_settings & CMAC_COMMAND))
565 break;
566 if (communication_settings & CMAC_VERIFY) {
567 if (*nbytes < 9) {
568 *nbytes = -1;
569 res = NULL;
570 break;
571 }
572 first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
573 ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes - 1];
574 }
575
576 int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
577 cmac(key, DESFIRE(tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE(tag)->cmac);
578
579 if (communication_settings & CMAC_VERIFY) {
580 ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
581 if (0 != memcmp(DESFIRE(tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
582 #ifdef WITH_DEBUG
583 Dbprintf("CMAC NOT verified :-(");
584 hexdump((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
585 hexdump(DESFIRE(tag)->cmac, 8, "Actual ", 0);
586 #endif
587 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
588 *nbytes = -1;
589 res = NULL;
590 } else {
591 *nbytes -= 8;
592 }
593 }
594 break;
595 }
596
597 free(edata);
598
599 break;
600 case MDCM_ENCIPHERED:
601 (*nbytes)--;
602 bool verified = false;
603 int crc_pos = 0x00;
604 int end_crc_pos = 0x00;
605 uint8_t x;
606
607 /*
608 * AS_LEGACY:
609 * ,-----------------+-------------------------------+--------+
610 * \ BLOCK n-1 | BLOCK n | STATUS |
611 * / PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
612 * `-----------------+-------------------------------+--------+
613 *
614 * <------------ DATA ------------>
615 * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
616 *
617 * AS_NEW:
618 * ,-------------------------------+-----------------------------------------------+--------+
619 * \ BLOCK n-1 | BLOCK n | STATUS |
620 * / PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
621 * `-------------------------------+-----------------------------------------------+--------+
622 * <----------------------------------- DATA ------------------------------------->|
623 *
624 * <----------------- DATA ---------------->
625 * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
626 * `------------------'
627 */
628
629 mifare_cypher_blocks_chained(tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
630
631 /*
632 * Look for the CRC and ensure it is followed by NULL padding. We
633 * can't start by the end because the CRC is supposed to be 0 when
634 * verified, and accumulating 0's in it should not change it.
635 */
636 switch (DESFIRE(tag)->authentication_scheme) {
637 case AS_LEGACY:
638 crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
639 if (crc_pos < 0) {
640 /* Single block */
641 crc_pos = 0;
642 }
643 break;
644 case AS_NEW:
645 /* Move status between payload and CRC */
646 res = DESFIRE(tag)->crypto_buffer;
647 memcpy(res, data, *nbytes);
648
649 crc_pos = (*nbytes) - 16 - 3;
650 if (crc_pos < 0) {
651 /* Single block */
652 crc_pos = 0;
653 }
654 memcpy((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
655 ((uint8_t *)res)[crc_pos] = 0x00;
656 crc_pos++;
657 *nbytes += 1;
658 break;
659 }
660
661 do {
662 uint16_t crc_16 = 0x00;
663 uint32_t crc = 0x00;
664 switch (DESFIRE(tag)->authentication_scheme) {
665 case AS_LEGACY:
666 AddCrc14A((uint8_t *)res, end_crc_pos);
667 end_crc_pos = crc_pos + 2;
668 //
669
670
671 crc = crc_16;
672 break;
673 case AS_NEW:
674 end_crc_pos = crc_pos + 4;
675 crc32_ex(res, end_crc_pos, (uint8_t *)&crc);
676 break;
677 }
678 if (!crc) {
679 verified = true;
680 for (int n = end_crc_pos; n < *nbytes - 1; n++) {
681 uint8_t byte = ((uint8_t *)res)[n];
682 if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos))))
683 verified = false;
684 }
685 }
686 if (verified) {
687 *nbytes = crc_pos;
688 switch (DESFIRE(tag)->authentication_scheme) {
689 case AS_LEGACY:
690 ((uint8_t *)data)[(*nbytes)++] = 0x00;
691 break;
692 case AS_NEW:
693 /* The status byte was already before the CRC */
694 break;
695 }
696 } else {
697 switch (DESFIRE(tag)->authentication_scheme) {
698 case AS_LEGACY:
699 break;
700 case AS_NEW:
701 x = ((uint8_t *)res)[crc_pos - 1];
702 ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
703 ((uint8_t *)res)[crc_pos] = x;
704 break;
705 }
706 crc_pos++;
707 }
708 } while (!verified && (end_crc_pos < *nbytes));
709
710 if (!verified) {
711 #ifdef WITH_DEBUG
712 /* FIXME In some configurations, the file is transmitted PLAIN */
713 Dbprintf("CRC not verified in decyphered stream");
714 #endif
715 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
716 *nbytes = -1;
717 res = NULL;
718 }
719
720 break;
721 default:
722 Dbprintf("Unknown communication settings");
723 *nbytes = -1;
724 res = NULL;
725 break;
726
727 }
728 return res;
729 }
730
731
732 void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) {
733 uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];
734 if (direction == MCD_SEND) {
735 xor(ivect, data, block_size);
736 } else {
737 memcpy(ovect, data, block_size);
738 }
739
740 uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];
741
742 switch (key->type) {
743 case T_DES:
744 switch (operation) {
745 case MCO_ENCYPHER:
746 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
747 des_encrypt(edata, data, key->data);
748 break;
749 case MCO_DECYPHER:
750 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
751 des_decrypt(edata, data, key->data);
752 break;
753 }
754 break;
755 case T_3DES:
756 switch (operation) {
757 case MCO_ENCYPHER:
758 mbedtls_des3_set2key_enc(&ctx3, key->data);
759 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
760 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
761 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
762 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
763 break;
764 case MCO_DECYPHER:
765 mbedtls_des3_set2key_dec(&ctx3, key->data);
766 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
767 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
768 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
769 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
770 break;
771 }
772 break;
773 case T_3K3DES:
774 switch (operation) {
775 case MCO_ENCYPHER:
776 mbedtls_des3_set3key_enc(&ctx3, key->data);
777 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
778 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
779 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
780 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
781 break;
782 case MCO_DECYPHER:
783 mbedtls_des3_set3key_dec(&ctx3, key->data);
784 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
785 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
786 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
787 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
788 break;
789 }
790 break;
791 case T_AES:
792 switch (operation) {
793 case MCO_ENCYPHER: {
794 mbedtls_aes_init(&actx);
795 mbedtls_aes_setkey_enc(&actx, key->data, 128);
796 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(edata), ivect, data, edata);
797 break;
798 }
799 case MCO_DECYPHER: {
800 mbedtls_aes_init(&actx);
801 mbedtls_aes_setkey_dec(&actx, key->data, 128);
802 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(edata), ivect, edata, data);
803 break;
804 }
805 }
806 break;
807 }
808
809 memcpy(data, edata, block_size);
810
811 if (direction == MCD_SEND) {
812 memcpy(ivect, data, block_size);
813 } else {
814 xor(ivect, data, block_size);
815 memcpy(ivect, ovect, block_size);
816 }
817 }
818
819 /*
820 * This function performs all CBC cyphering / deciphering.
821 *
822 * The tag argument may be NULL, in which case both key and ivect shall be set.
823 * When using the tag session_key and ivect for processing data, these
824 * arguments should be set to NULL.
825 *
826 * Because the tag may contain additional data, one may need to call this
827 * function with tag, key and ivect defined.
828 */
829 void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
830 size_t block_size;
831
832 if (tag) {
833 if (!key)
834 key = DESFIRE(tag)->session_key;
835 if (!ivect)
836 ivect = DESFIRE(tag)->ivect;
837
838 switch (DESFIRE(tag)->authentication_scheme) {
839 case AS_LEGACY:
840 memset(ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
841 break;
842 case AS_NEW:
843 break;
844 }
845 }
846
847 block_size = key_block_size(key);
848
849 size_t offset = 0;
850 while (offset < data_size) {
851 mifare_cypher_single_block(key, data + offset, ivect, direction, operation, block_size);
852 offset += block_size;
853 }
854 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware