search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2654 from Antiklesys/master
[RRG-proxmark3.git] / armsrc / desfire_crypto.c
blob24da627479e5a947b4e4e4ec4a32364b813b2c5e
1 //-----------------------------------------------------------------------------
2 // Borrowed initially from https://github.com/nfc-tools/libfreefare
3 // Copyright (C) 2010, Romain Tartiere.
4 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
5 //
6 // This program is free software: you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation, either version 3 of the License, or
9 // (at your option) any later version.
10 //
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
15 //
16 // See LICENSE.txt for the text of the license.
17 //-----------------------------------------------------------------------------
18 /*
19 * This implementation was written based on information provided by the
20 * following documents:
21 *
22 * NIST Special Publication 800-38B
23 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
24 * May 2005
25 */
26 #include "desfire_crypto.h"
27 #include <stdlib.h>
28 #include <stdio.h>
29 #include <string.h>
30 #include "commonutil.h"
31 #include "crc32.h"
32 #include "crc.h"
33 #include "crc16.h" // crc16 ccitt
34 #include "nprintf.h"
35 #include "iso14443a.h"
36 #include "dbprint.h"
37 #include "BigBuf.h"
38
39 #ifndef AddCrc14A
40 # define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1)
41 #endif
42
43 static mbedtls_des_context ctx;
44 static mbedtls_des3_context ctx3;
45 static mbedtls_aes_context actx;
46
47 static void update_key_schedules(desfirekey_t key);
48
49 static void update_key_schedules(desfirekey_t key) {
50 // DES_set_key ((DES_cblock *)key->data, &(key->ks1));
51 // DES_set_key ((DES_cblock *)(key->data + 8), &(key->ks2));
52 // if (T_3K3DES == key->type) {
53 // DES_set_key ((DES_cblock *)(key->data + 16), &(key->ks3));
54 // }
55 }
56
57 /******************************************************************************/
58 void des_encrypt(void *out, const void *in, const void *key) {
59 mbedtls_des_setkey_enc(&ctx, key);
60 mbedtls_des_crypt_ecb(&ctx, in, out);
61 }
62
63 void des_decrypt(void *out, const void *in, const void *key) {
64 mbedtls_des_setkey_dec(&ctx, key);
65 mbedtls_des_crypt_ecb(&ctx, in, out);
66 }
67
68 void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
69
70 // must be even blocks of 8 bytes.
71 if (length % 8) {
72 return;
73 }
74
75 if (keymode == 2) {
76 mbedtls_des3_set2key_dec(&ctx3, key);
77 } else {
78 mbedtls_des3_set3key_dec(&ctx3, key);
79 }
80
81 unsigned char temp[8];
82 uint8_t *tin = (uint8_t *) in;
83 uint8_t *tout = (uint8_t *) out;
84
85 while (length > 0) {
86
87 memcpy(temp, tin, 8);
88
89 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
90
91 for (uint8_t i = 0; i < 8; i++) {
92 tout[i] ^= iv[i];
93 }
94
95 memcpy(iv, temp, 8);
96
97 tin += 8;
98 tout += 8;
99 length -= 8;
100 }
101 }
102
103 void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
104
105 // must be even blocks of 8 bytes.
106 if (length % 8) {
107 return;
108 }
109
110 if (keymode == 2) {
111 mbedtls_des3_set2key_enc(&ctx3, key);
112 } else {
113 mbedtls_des3_set3key_enc(&ctx3, key);
114 }
115
116 uint8_t *tin = (uint8_t *) in;
117 uint8_t *tout = (uint8_t *) out;
118
119 while (length > 0) {
120
121 for (uint8_t i = 0; i < 8; i++) {
122 tin[i] ^= iv[i];
123 }
124
125 mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
126
127 memcpy(iv, tout, 8);
128
129 tin += 8;
130 tout += 8;
131 length -= 8;
132 }
133 }
134
135 void aes128_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]) {
136 if (length % 8) return;
137
138 uint8_t *tin = (uint8_t *) in;
139 uint8_t *tout = (uint8_t *) out;
140
141 mbedtls_aes_setkey_dec(&actx, key, 128);
142 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, length, iv, tin, tout);
143 }
144
145 void aes128_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]) {
146 if (length % 8) return;
147
148 uint8_t *tin = (uint8_t *) in;
149 uint8_t *tout = (uint8_t *) out;
150
151 mbedtls_aes_setkey_enc(&actx, key, 128);
152 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, length, iv, tin, tout);
153 }
154
155 void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) {
156 uint8_t data[8];
157 memcpy(data, value, 8);
158 for (int n = 0; n < 8; n++) {
159 data[n] &= 0xFE;
160 }
161 Desfire_des_key_new_with_version(data, key);
162 }
163
164 void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key) {
165 if (key != NULL) {
166 key->type = T_DES;
167 memcpy(key->data, value, 8);
168 memcpy(key->data + 8, value, 8);
169 update_key_schedules(key);
170 }
171 }
172
173 void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key) {
174 uint8_t data[16];
175 memcpy(data, value, 16);
176 for (int n = 0; n < 8; n++) {
177 data[n] &= 0xFE;
178 }
179 for (int n = 8; n < 16; n++) {
180 data[n] |= 0x01;
181 }
182 Desfire_3des_key_new_with_version(data, key);
183 }
184
185 void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key) {
186 if (key != NULL) {
187 key->type = T_3DES;
188 memcpy(key->data, value, 16);
189 update_key_schedules(key);
190 }
191 }
192
193 void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key) {
194 uint8_t data[24];
195 memcpy(data, value, 24);
196 for (int n = 0; n < 8; n++) {
197 data[n] &= 0xFE;
198 }
199 Desfire_3k3des_key_new_with_version(data, key);
200 }
201
202 void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key) {
203 if (key != NULL) {
204 key->type = T_3K3DES;
205 memcpy(key->data, value, 24);
206 update_key_schedules(key);
207 }
208 }
209
210 void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key) {
211 Desfire_aes_key_new_with_version(value, 0, key);
212 }
213
214 void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key) {
215
216 if (key != NULL) {
217 memcpy(key->data, value, 16);
218 key->type = T_AES;
219 key->aes_version = version;
220 }
221 }
222
223 uint8_t Desfire_key_get_version(desfirekey_t key) {
224 uint8_t version = 0;
225
226 for (int n = 0; n < 8; n++) {
227 version |= ((key->data[n] & 1) << (7 - n));
228 }
229 return version;
230 }
231
232 void Desfire_key_set_version(desfirekey_t key, uint8_t version) {
233 for (int n = 0; n < 8; n++) {
234 uint8_t version_bit = ((version & (1 << (7 - n))) >> (7 - n));
235 key->data[n] &= 0xFE;
236 key->data[n] |= version_bit;
237 if (key->type == T_DES) {
238 key->data[n + 8] = key->data[n];
239 } else {
240 // Write ~version to avoid turning a 3DES key into a DES key
241 key->data[n + 8] &= 0xFE;
242 key->data[n + 8] |= ~version_bit;
243 }
244 }
245 }
246
247 void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) {
248
249 uint8_t buffer[24];
250
251 switch (authkey->type) {
252 case T_DES:
253 memcpy(buffer, rnda, 4);
254 memcpy(buffer + 4, rndb, 4);
255 Desfire_des_key_new_with_version(buffer, key);
256 break;
257 case T_3DES:
258 memcpy(buffer, rnda, 4);
259 memcpy(buffer + 4, rndb, 4);
260 memcpy(buffer + 8, rnda + 4, 4);
261 memcpy(buffer + 12, rndb + 4, 4);
262 Desfire_3des_key_new_with_version(buffer, key);
263 break;
264 case T_3K3DES:
265 memcpy(buffer, rnda, 4);
266 memcpy(buffer + 4, rndb, 4);
267 memcpy(buffer + 8, rnda + 6, 4);
268 memcpy(buffer + 12, rndb + 6, 4);
269 memcpy(buffer + 16, rnda + 12, 4);
270 memcpy(buffer + 20, rndb + 12, 4);
271 Desfire_3k3des_key_new(buffer, key);
272 break;
273 case T_AES:
274 memcpy(buffer, rnda, 4);
275 memcpy(buffer + 4, rndb, 4);
276 memcpy(buffer + 8, rnda + 12, 4);
277 memcpy(buffer + 12, rndb + 12, 4);
278 Desfire_aes_key_new(buffer, key);
279 break;
280 }
281 }
282
283 static size_t key_macing_length(desfirekey_t key);
284
285 // iceman, see memxor inside string.c, dest/src swapped..
286 static void xor(const uint8_t *ivect, uint8_t *data, const size_t len) {
287 for (size_t i = 0; i < len; i++) {
288 data[i] ^= ivect[i];
289 }
290 }
291
292 void cmac_generate_subkeys(desfirekey_t key) {
293 int kbs = key_block_size(key);
294 const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
295
296 uint8_t l[kbs];
297 memset(l, 0, kbs);
298
299 uint8_t ivect[kbs];
300 memset(ivect, 0, kbs);
301
302 mifare_cypher_blocks_chained(NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
303
304 bool txor = false;
305
306 // Used to compute CMAC on complete blocks
307 memcpy(key->cmac_sk1, l, kbs);
308
309 txor = l[0] & 0x80;
310
311 lsl(key->cmac_sk1, kbs);
312
313 if (txor) {
314 key->cmac_sk1[kbs - 1] ^= R;
315 }
316
317 // Used to compute CMAC on the last block if non-complete
318 memcpy(key->cmac_sk2, key->cmac_sk1, kbs);
319
320 txor = key->cmac_sk1[0] & 0x80;
321
322 lsl(key->cmac_sk2, kbs);
323
324 if (txor) {
325 key->cmac_sk2[kbs - 1] ^= R;
326 }
327 }
328
329 void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
330 int kbs = key_block_size(key);
331 if (kbs == 0) {
332 return;
333 }
334
335 uint8_t *buffer = BigBuf_malloc(padded_data_length(len, kbs));
336
337 memcpy(buffer, data, len);
338
339 if ((!len) || (len % kbs)) {
340 buffer[len++] = 0x80;
341 while (len % kbs) {
342 buffer[len++] = 0x00;
343 }
344 xor(key->cmac_sk2, buffer + len - kbs, kbs);
345 } else {
346 xor(key->cmac_sk1, buffer + len - kbs, kbs);
347 }
348
349 mifare_cypher_blocks_chained(NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
350
351 memcpy(cmac, ivect, kbs);
352 //free(buffer);
353 }
354
355 size_t key_block_size(const desfirekey_t key) {
356 if (key == NULL) {
357 return 0;
358 }
359
360 size_t block_size = 8;
361 switch (key->type) {
362 case T_DES:
363 case T_3DES:
364 case T_3K3DES:
365 block_size = 8;
366 break;
367 case T_AES:
368 block_size = 16;
369 break;
370 }
371 return block_size;
372 }
373
374 /*
375 * Size of MACing produced with the key.
376 */
377 static size_t key_macing_length(const desfirekey_t key) {
378 size_t mac_length = DESFIRE_MAC_LENGTH;
379 switch (key->type) {
380 case T_DES:
381 case T_3DES:
382 mac_length = DESFIRE_MAC_LENGTH;
383 break;
384 case T_3K3DES:
385 case T_AES:
386 mac_length = DESFIRE_CMAC_LENGTH;
387 break;
388 }
389 return mac_length;
390 }
391
392 /*
393 * Size required to store nbytes of data in a buffer of size n*block_size.
394 */
395 size_t padded_data_length(const size_t nbytes, const size_t block_size) {
396 if ((!nbytes) || (nbytes % block_size))
397 return ((nbytes / block_size) + 1) * block_size;
398 else
399 return nbytes;
400 }
401
402 /*
403 * Buffer size required to MAC nbytes of data
404 */
405 size_t maced_data_length(const desfirekey_t key, const size_t nbytes) {
406 return nbytes + key_macing_length(key);
407 }
408 /*
409 * Buffer size required to encipher nbytes of data and a two bytes CRC.
410 */
411 size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings) {
412 size_t crc_length = 0;
413 if (!(communication_settings & NO_CRC)) {
414 switch (DESFIRE(tag)->authentication_scheme) {
415 case AS_LEGACY:
416 crc_length = 2;
417 break;
418 case AS_NEW:
419 crc_length = 4;
420 break;
421 }
422 }
423
424 size_t block_size = DESFIRE(tag)->session_key ? key_block_size(DESFIRE(tag)->session_key) : 1;
425
426 return padded_data_length(nbytes + crc_length, block_size);
427 }
428
429 void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
430 uint8_t *res = data;
431 uint8_t mac[4];
432 size_t edl;
433 bool append_mac = true;
434 desfirekey_t key = DESFIRE(tag)->session_key;
435
436 if (!key)
437 return data;
438
439 switch (communication_settings & MDCM_MASK) {
440 case MDCM_PLAIN:
441 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
442 break;
443
444 /*
445 * When using new authentication methods, PLAIN data transmission from
446 * the PICC to the PCD are CMACed, so we have to maintain the
447 * cryptographic initialisation vector up-to-date to check data
448 * integrity later.
449 *
450 * The only difference with CMACed data transmission is that the CMAC
451 * is not appended to the data send by the PCD to the PICC.
452 */
453
454 append_mac = false;
455
456 /* pass through */
457 case MDCM_MACED:
458 switch (DESFIRE(tag)->authentication_scheme) {
459 case AS_LEGACY:
460 if (!(communication_settings & MAC_COMMAND))
461 break;
462
463 /* pass through */
464 edl = padded_data_length(*nbytes - offset, key_block_size(DESFIRE(tag)->session_key)) + offset;
465
466 // Fill in the crypto buffer with data ...
467 memcpy(res, data, *nbytes);
468 // ... and 0 padding
469 memset(res + *nbytes, 0, edl - *nbytes);
470
471 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
472
473 memcpy(mac, res + edl - 8, 4);
474
475 // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
476 memcpy(res, data, *nbytes);
477
478 if (!(communication_settings & MAC_COMMAND))
479 break;
480 // Append MAC
481 size_t bla = maced_data_length(DESFIRE(tag)->session_key, *nbytes - offset) + offset;
482 (void)bla++;
483
484 memcpy(res + *nbytes, mac, 4);
485
486 *nbytes += 4;
487 break;
488 case AS_NEW:
489 if (!(communication_settings & CMAC_COMMAND))
490 break;
491 cmac(key, DESFIRE(tag)->ivect, res, *nbytes, DESFIRE(tag)->cmac);
492
493 if (append_mac) {
494 size_t len = maced_data_length(key, *nbytes);
495 (void)++len;
496 memcpy(res, data, *nbytes);
497 memcpy(res + *nbytes, DESFIRE(tag)->cmac, DESFIRE_CMAC_LENGTH);
498 *nbytes += DESFIRE_CMAC_LENGTH;
499 }
500 break;
501 }
502
503 break;
504 case MDCM_ENCIPHERED:
505 /* |<-------------- data -------------->|
506 * |<--- offset -->| |
507 * +---------------+--------------------+-----+---------+
508 * | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
509 * +---------------+--------------------+-----+---------+ ----------------
510 * | |<~~~~v~~~~~~~~~~~~~>| ^ | | (DES / 3DES)
511 * | | `---- crc16() ----' | |
512 * | | | ^ | | ----- *or* -----
513 * |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>| ^ | | (3K3DES / AES)
514 * | `---- crc32() ----' | |
515 * | | ---- *then* ----
516 * |<---------------------------------->|
517 * encypher()/decypher()
518 */
519
520 if (!(communication_settings & ENC_COMMAND))
521 break;
522 edl = enciphered_data_length(tag, *nbytes - offset, communication_settings) + offset;
523
524 // Fill in the crypto buffer with data ...
525 memcpy(res, data, *nbytes);
526 if (!(communication_settings & NO_CRC)) {
527 // ... CRC ...
528 switch (DESFIRE(tag)->authentication_scheme) {
529 case AS_LEGACY:
530 AddCrc14A(res + offset, *nbytes - offset);
531 *nbytes += 2;
532 break;
533 case AS_NEW:
534 crc32_append(res, *nbytes);
535 *nbytes += 4;
536 break;
537 }
538 }
539 // ... and padding
540 memset(res + *nbytes, 0, edl - *nbytes);
541
542 *nbytes = edl;
543
544 mifare_cypher_blocks_chained(tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
545 break;
546 default:
547
548 *nbytes = -1;
549 res = NULL;
550 break;
551 }
552
553 return res;
554
555 }
556
557 void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) {
558 void *res = data;
559 uint8_t first_cmac_byte = 0x00;
560
561 desfirekey_t key = DESFIRE(tag)->session_key;
562
563 if (!key) {
564 return data;
565 }
566
567 // Return directly if we just have a status code.
568 if (1 == *nbytes) {
569 return res;
570 }
571
572 switch (communication_settings & MDCM_MASK) {
573 case MDCM_PLAIN: {
574
575 if (AS_LEGACY == DESFIRE(tag)->authentication_scheme) {
576 break;
577 }
578 }
579 /* pass through */
580 case MDCM_MACED: {
581 switch (DESFIRE(tag)->authentication_scheme) {
582 case AS_LEGACY: {
583
584 if ((communication_settings & MAC_VERIFY) == MAC_VERIFY) {
585
586 *nbytes -= key_macing_length(key);
587
588 if (*nbytes == 0) {
589 *nbytes = -1;
590 res = NULL;
591 #ifdef WITH_DEBUG
592 Dbprintf("No room for MAC!");
593 #endif
594 break;
595 }
596
597 size_t edl = enciphered_data_length(tag, *nbytes - 1, communication_settings);
598 uint8_t edata[edl];
599 memset(edata, 0, sizeof(edata));
600 memcpy(edata, data, *nbytes - 1);
601
602 mifare_cypher_blocks_chained(tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
603
604 if (0 != memcmp((uint8_t *)data + *nbytes - 1, edata + edl - 8, 4)) {
605 #ifdef WITH_DEBUG
606 Dbprintf("MACing not verified");
607 hexdump((uint8_t *)data + *nbytes - 1, key_macing_length(key), "Expect ", 0);
608 hexdump(edata + edl - 8, key_macing_length(key), "Actual ", 0);
609 #endif
610 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
611 *nbytes = -1;
612 res = NULL;
613 }
614 }
615 break;
616 }
617 case AS_NEW: {
618
619 if ((communication_settings & CMAC_COMMAND) != CMAC_COMMAND) {
620 break;
621 }
622
623 int n = 0;
624
625 if ((communication_settings & CMAC_VERIFY) == CMAC_VERIFY) {
626 if (*nbytes < 9) {
627 *nbytes = -1;
628 res = NULL;
629 break;
630 }
631 first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
632 ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes - 1];
633
634 n = 8;
635 }
636
637 cmac(key, DESFIRE(tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE(tag)->cmac);
638
639 if ((communication_settings & CMAC_VERIFY) == CMAC_VERIFY) {
640
641 ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
642
643 if (0 != memcmp(DESFIRE(tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
644 #ifdef WITH_DEBUG
645 Dbprintf("CMAC NOT verified :-(");
646 hexdump((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
647 hexdump(DESFIRE(tag)->cmac, 8, "Actual ", 0);
648 #endif
649 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
650 *nbytes = -1;
651 res = NULL;
652 } else {
653 *nbytes -= 8;
654 }
655 }
656 break;
657 }
658 }
659 break;
660 }
661 case MDCM_ENCIPHERED: {
662 (*nbytes)--;
663 bool verified = false;
664 int crc_pos = 0x00;
665 int end_crc_pos = 0x00;
666 uint8_t x;
667
668 /*
669 * AS_LEGACY:
670 * ,-----------------+-------------------------------+--------+
671 * \ BLOCK n-1 | BLOCK n | STATUS |
672 * / PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
673 * `-----------------+-------------------------------+--------+
674 *
675 * <------------ DATA ------------>
676 * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
677 *
678 * AS_NEW:
679 * ,-------------------------------+-----------------------------------------------+--------+
680 * \ BLOCK n-1 | BLOCK n | STATUS |
681 * / PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
682 * `-------------------------------+-----------------------------------------------+--------+
683 * <----------------------------------- DATA ------------------------------------->|
684 *
685 * <----------------- DATA ---------------->
686 * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
687 * `------------------'
688 */
689
690 mifare_cypher_blocks_chained(tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
691
692 /*
693 * Look for the CRC and ensure it is followed by NULL padding. We
694 * can't start by the end because the CRC is supposed to be 0 when
695 * verified, and accumulating 0's in it should not change it.
696 */
697 switch (DESFIRE(tag)->authentication_scheme) {
698 case AS_LEGACY: {
699 crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
700 if (crc_pos < 0) {
701 crc_pos = 0; // Single block
702 }
703 break;
704 }
705 case AS_NEW: {
706 /* Move status between payload and CRC */
707 res = DESFIRE(tag)->crypto_buffer;
708 memcpy(res, data, *nbytes);
709
710 crc_pos = (*nbytes) - 16 - 3;
711 if (crc_pos < 0) {
712 crc_pos = 0; // Single block
713 }
714
715 memcpy((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
716 ((uint8_t *)res)[crc_pos] = 0x00;
717 crc_pos++;
718 *nbytes += 1;
719 break;
720 }
721 }
722
723 do {
724 uint16_t crc_16 = 0x00;
725 uint32_t crc = 0x00;
726
727 switch (DESFIRE(tag)->authentication_scheme) {
728 case AS_LEGACY: {
729 AddCrc14A((uint8_t *)res, end_crc_pos);
730 end_crc_pos = crc_pos + 2;
731 crc = crc_16;
732 break;
733 }
734 case AS_NEW: {
735 end_crc_pos = crc_pos + 4;
736 crc32_ex(res, end_crc_pos, (uint8_t *)&crc);
737 break;
738 }
739 }
740
741 if (crc == 0) {
742 verified = true;
743 for (int n = end_crc_pos; n < *nbytes - 1; n++) {
744 uint8_t byte = ((uint8_t *)res)[n];
745 if (!((0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos))))
746 verified = false;
747 }
748 }
749
750 if (verified) {
751
752 *nbytes = crc_pos;
753
754 switch (DESFIRE(tag)->authentication_scheme) {
755 case AS_LEGACY: {
756 ((uint8_t *)data)[(*nbytes)++] = 0x00;
757 break;
758 }
759 case AS_NEW: {
760 /* The status byte was already before the CRC */
761 break;
762 }
763 }
764
765 } else {
766 switch (DESFIRE(tag)->authentication_scheme) {
767 case AS_LEGACY: {
768 break;
769 }
770 case AS_NEW: {
771 x = ((uint8_t *)res)[crc_pos - 1];
772 ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
773 ((uint8_t *)res)[crc_pos] = x;
774 break;
775 }
776 }
777 crc_pos++;
778 }
779
780 } while (verified == false && (end_crc_pos < *nbytes));
781
782 if (verified == false) {
783 #ifdef WITH_DEBUG
784 /* FIXME In some configurations, the file is transmitted PLAIN */
785 Dbprintf("CRC not verified in decyphered stream");
786 #endif
787 DESFIRE(tag)->last_pcd_error = CRYPTO_ERROR;
788 *nbytes = -1;
789 res = NULL;
790 }
791 break;
792 }
793 default: {
794 Dbprintf("Unknown communication settings");
795 *nbytes = -1;
796 res = NULL;
797 break;
798 }
799 }
800 return res;
801 }
802
803
804 void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) {
805 uint8_t ovect[DESFIRE_MAX_CRYPTO_BLOCK_SIZE];
806 if (direction == MCD_SEND) {
807 xor(ivect, data, block_size);
808 } else {
809 memcpy(ovect, data, block_size);
810 }
811
812 uint8_t edata[DESFIRE_MAX_CRYPTO_BLOCK_SIZE] = {0};
813
814 switch (key->type) {
815 case T_DES:
816 switch (operation) {
817 case MCO_ENCYPHER:
818 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
819 des_encrypt(edata, data, key->data);
820 break;
821 case MCO_DECYPHER:
822 //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
823 des_decrypt(edata, data, key->data);
824 break;
825 }
826 break;
827 case T_3DES:
828 switch (operation) {
829 case MCO_ENCYPHER:
830 mbedtls_des3_set2key_enc(&ctx3, key->data);
831 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
832 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
833 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
834 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
835 break;
836 case MCO_DECYPHER:
837 mbedtls_des3_set2key_dec(&ctx3, key->data);
838 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
839 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
840 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
841 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
842 break;
843 }
844 break;
845 case T_3K3DES:
846 switch (operation) {
847 case MCO_ENCYPHER:
848 mbedtls_des3_set3key_enc(&ctx3, key->data);
849 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
850 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
851 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT);
852 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
853 break;
854 case MCO_DECYPHER:
855 mbedtls_des3_set3key_dec(&ctx3, key->data);
856 mbedtls_des3_crypt_ecb(&ctx3, data, edata);
857 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
858 // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT);
859 // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
860 break;
861 }
862 break;
863 case T_AES:
864 switch (operation) {
865 case MCO_ENCYPHER: {
866 mbedtls_aes_init(&actx);
867 mbedtls_aes_setkey_enc(&actx, key->data, 128);
868 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_ENCRYPT, sizeof(edata), ivect, data, edata);
869 break;
870 }
871 case MCO_DECYPHER: {
872 mbedtls_aes_init(&actx);
873 mbedtls_aes_setkey_dec(&actx, key->data, 128);
874 mbedtls_aes_crypt_cbc(&actx, MBEDTLS_AES_DECRYPT, sizeof(edata), ivect, edata, data);
875 break;
876 }
877 }
878 break;
879 }
880
881 memcpy(data, edata, block_size);
882
883 if (direction == MCD_SEND) {
884 memcpy(ivect, data, block_size);
885 } else {
886 xor(ivect, data, block_size);
887 memcpy(ivect, ovect, block_size);
888 }
889 }
890
891 /*
892 * This function performs all CBC cyphering / deciphering.
893 *
894 * The tag argument may be NULL, in which case both key and ivect shall be set.
895 * When using the tag session_key and ivect for processing data, these
896 * arguments should be set to NULL.
897 *
898 * Because the tag may contain additional data, one may need to call this
899 * function with tag, key and ivect defined.
900 */
901 void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
902 size_t block_size;
903
904 if (tag) {
905 if (key == NULL) {
906 key = DESFIRE(tag)->session_key;
907 }
908 if (ivect == NULL) {
909 ivect = DESFIRE(tag)->ivect;
910 }
911
912 switch (DESFIRE(tag)->authentication_scheme) {
913 case AS_LEGACY:
914 memset(ivect, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE);
915 break;
916 case AS_NEW:
917 break;
918 }
919 }
920
921 block_size = key_block_size(key);
922
923 size_t offset = 0;
924 while (offset < data_size) {
925 mifare_cypher_single_block(key, data + offset, ivect, direction, operation, block_size);
926 offset += block_size;
927 }
928 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware