From 7aa27cfefb5ff7c3a5b827b3543313b5386b7604 Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Sun, 12 Apr 2020 17:10:27 +0200 Subject: [PATCH] Auth of des, 3des and aes working. --- armsrc/desfire_crypto_disabled.h | 18 - client/cmdhfmfdes.c | 394 ++++++++++- .../mifare/desfire_crypto.c | 632 +++++++++++++++++- client/mifare/desfire_crypto.h | 139 ++++ include/mifare.h | 5 +- 5 files changed, 1132 insertions(+), 56 deletions(-) delete mode 100644 armsrc/desfire_crypto_disabled.h rename armsrc/desfire_crypto_disabled.c => client/mifare/desfire_crypto.c (56%) create mode 100644 client/mifare/desfire_crypto.h diff --git a/armsrc/desfire_crypto_disabled.h b/armsrc/desfire_crypto_disabled.h deleted file mode 100644 index 23043b30d..000000000 --- a/armsrc/desfire_crypto_disabled.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef __DESFIRE_CRYPTO_H -#define __DESFIRE_CRYPTO_H - -#include "common.h" -#include "desfire.h" - -void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings); -void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings); -void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size); -void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation); -size_t key_block_size(const desfirekey_t key); -size_t padded_data_length(const size_t nbytes, const size_t block_size); -size_t maced_data_length(const desfirekey_t key, const size_t nbytes); -size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings); -void cmac_generate_subkeys(desfirekey_t key); -void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac); - -#endif diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 357d82e65..c10f97160 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -19,6 +19,7 @@ #include "cmdhw.h" #include "cmdhf14a.h" #include "mbedtls/des.h" +#include "mbedtls/aes.h" #include "crypto/libpcrypto.h" #include "protocols.h" #include "mifare.h" // desfire raw command options @@ -28,6 +29,11 @@ #include "emv/emvcore.h" // APDU logging #include "util_posix.h" // msleep #include "mifare/mifare4.h" // MIFARE Authenticate / MAC +#include "mifare/desfire_crypto.h" +#include "crapto1/crapto1.h" + +struct desfire_key defaultkey = {0}; +static desfirekey_t sessionkey = &defaultkey; uint8_t key_zero_data[16] = { 0x00 }; uint8_t key_ones_data[16] = { 0x01 }; @@ -331,6 +337,7 @@ static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_l int res = DESFIRESendApdu(select, true, *apdu, data, sizeof(data), &resplen, sw); if (res != PM3_SUCCESS) { PrintAndLogEx(DEBUG, "%s", GetErrorString(res, sw)); + DropField(); return res; } if (dest != NULL) { @@ -340,11 +347,7 @@ static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_l pos += resplen; if (!readalldata) { if (*sw == status(MFDES_ADDITIONAL_FRAME)) { - apdu->INS = MFDES_ABORT_TRANSACTION; - apdu->Lc = 0; - apdu->P1 = 0; - apdu->P2 = 0; - res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); + *recv_len=pos; return PM3_SUCCESS; } return res; @@ -359,6 +362,7 @@ static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_l res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); if (res != PM3_SUCCESS) { PrintAndLogEx(DEBUG, "%s", GetErrorString(res, sw)); + DropField(); return res; } @@ -397,13 +401,303 @@ static nxp_cardtype_t getCardType(uint8_t major, uint8_t minor) { return UNKNOWN; } +int get_desfire_auth(mfdes_authinput_t* payload,mfdes_auth_res_t* rpayload) +{ + // 3 different way to authenticate AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32) + // 4 different crypto arg1 DES, 3DES, 3K3DES, AES + // 3 different communication modes, PLAIN,MAC,CRYPTO + + mbedtls_aes_context ctx; + + uint8_t keybytes[24]; + // Crypt constants + uint8_t IV[16] = {0x00}; + uint8_t RndA[16] = {0x00}; + uint8_t RndB[16] = {0x00}; + uint8_t encRndB[16] = {0x00}; + uint8_t rotRndB[16] = {0x00}; //RndB' + uint8_t both[32+1] = {0x00}; // ek/dk_keyNo(RndA+RndB') + + // Generate Random Value + uint32_t ng=msclock(); + uint32_t value = prng_successor(ng, 32); + num_to_bytes(value, 4, &RndA[0]); + value = prng_successor(ng, 32); + num_to_bytes(value, 4, &RndA[4]); + value = prng_successor(ng, 32); + num_to_bytes(value, 4, &RndA[8]); + value = prng_successor(ng, 32); + num_to_bytes(value, 4, &RndA[12]); + + // Default Keys + uint8_t PICC_MASTER_KEY8[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + uint8_t PICC_MASTER_KEY16[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + uint8_t PICC_MASTER_KEY24[24] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + //uint8_t null_key_data16[16] = {0x00}; + //uint8_t new_key_data8[8] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; + //uint8_t new_key_data16[16] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF}; + + + // Part 1 + if (payload->key == NULL) { + if (payload->algo == MFDES_AUTH_DES) { + memcpy(keybytes, PICC_MASTER_KEY8, 8); + } else if (payload->algo == MFDES_ALGO_AES || payload->algo == MFDES_ALGO_3DES) { + memcpy(keybytes, PICC_MASTER_KEY16, 16); + } else if (payload->algo == MFDES_ALGO_3DES) { + memcpy(keybytes, PICC_MASTER_KEY24, 24); + } + } else { + memcpy(keybytes, payload->key, payload->keylen); + } + + struct desfire_key defaultkey = {0}; + desfirekey_t key = &defaultkey; + + if (payload->algo == MFDES_ALGO_AES) { + mbedtls_aes_init(&ctx); + Desfire_aes_key_new(keybytes, key); + } else if (payload->algo == MFDES_ALGO_3DES) { + Desfire_3des_key_new_with_version(keybytes, key); + } else if (payload->algo == MFDES_ALGO_DES) { + Desfire_des_key_new(keybytes, key); + } else if (payload->algo == MFDES_ALGO_3K3DES) { + Desfire_3k3des_key_new_with_version(keybytes, key); + } + + uint8_t subcommand = MFDES_AUTHENTICATE; + + if (payload->mode == MFDES_AUTH_AES) + subcommand = MFDES_AUTHENTICATE_AES; + else if (payload->mode == MFDES_AUTH_ISO) + subcommand = MFDES_AUTHENTICATE_ISO; + + int recv_len = 0; + uint16_t sw = 0; + uint8_t recv_data[256]={0}; + + if (payload->mode != MFDES_AUTH_PICC) { + // Let's send our auth command + uint8_t data[] = {payload->keyno}; + sAPDU apdu = {0x90, subcommand, 0x00, 0x00, 0x01, data}; + int res = send_desfire_cmd(&apdu, false, recv_data, &recv_len, &sw, 0, false); + if (res != PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "Sending auth command %02X " _RED_("failed"),subcommand); + return PM3_ESOFT; + } + } else if (payload->mode == MFDES_AUTH_PICC) { + /*cmd[0] = AUTHENTICATE; + cmd[1] = payload->keyno; + len = DesfireAPDU(cmd, 2, resp); + */ + } + + if (!recv_len) { + PrintAndLogEx(ERR,"Authentication failed. Card timeout."); + return PM3_ESOFT; + } + + if (sw!=status(MFDES_ADDITIONAL_FRAME)) { + PrintAndLogEx(ERR,"Authentication failed. Invalid key number."); + return PM3_ESOFT; + } + + int expectedlen = 8; + if (payload->algo == MFDES_ALGO_AES || payload->algo == MFDES_ALGO_3K3DES) { + expectedlen = 16; + } + + if (recv_len != expectedlen) { + PrintAndLogEx(ERR,"Authentication failed. Length of answer %d doesn't match algo length %d.", recv_len, expectedlen); + return PM3_ESOFT; + } + int rndlen=recv_len; + + // Part 2 + if (payload->mode != MFDES_AUTH_PICC) { + memcpy(encRndB, recv_data, rndlen); + } else { + memcpy(encRndB, recv_data + 2, rndlen); + } + + + // Part 3 + if (payload->algo == MFDES_ALGO_AES) { + if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) { + PrintAndLogEx(ERR,"mbedtls_aes_setkey_dec failed"); + return PM3_ESOFT; + } + mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT, rndlen, IV, encRndB, RndB); + } + else if (payload->algo == MFDES_ALGO_DES) + des_dec(RndB, encRndB, key->data); + else if (payload->algo == MFDES_ALGO_3DES) + tdes_nxp_receive(encRndB, RndB, rndlen, key->data, IV,2); + else if (payload->algo == MFDES_ALGO_3K3DES) { + tdes_nxp_receive(encRndB, RndB, rndlen, key->data, IV,3); + } + + if (g_debugMode>1){ + PrintAndLogEx(INFO,"encRndB: %s",sprint_hex(encRndB,8)); + PrintAndLogEx(INFO,"RndB: %s",sprint_hex(RndB,8)); + } + + // - Rotate RndB by 8 bits + memcpy(rotRndB, RndB, rndlen); + rol(rotRndB, rndlen); + + uint8_t encRndA[16] = {0x00}; + + // - Encrypt our response + if (payload->mode == MFDES_AUTH_DES || payload->mode == MFDES_AUTH_PICC) { + des_dec(encRndA, RndA, key->data); + memcpy(both, encRndA, rndlen); + + for (int x = 0; x < rndlen; x++) { + rotRndB[x] = rotRndB[x] ^ encRndA[x]; + } + + des_dec(encRndB, rotRndB, key->data); + memcpy(both + rndlen, encRndB, rndlen); + } else if (payload->mode == MFDES_AUTH_ISO) { + if (payload->algo == MFDES_ALGO_3DES) { + uint8_t tmp[16] = {0x00}; + memcpy(tmp, RndA, rndlen); + memcpy(tmp + rndlen, rotRndB, rndlen); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "rotRndB: %s", sprint_hex(rotRndB, rndlen)); + PrintAndLogEx(INFO, "Both: %s", sprint_hex(tmp, 16)); + } + tdes_nxp_send(tmp, both, 16, key->data, IV,2); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "EncBoth: %s", sprint_hex(both, 16)); + } + } else if (payload->algo == MFDES_ALGO_3K3DES) { + uint8_t tmp[32] = {0x00}; + memcpy(tmp, RndA, rndlen); + memcpy(tmp + rndlen, rotRndB, rndlen); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "rotRndB: %s", sprint_hex(rotRndB, rndlen)); + PrintAndLogEx(INFO, "Both3k3: %s", sprint_hex(tmp, 32)); + } + tdes_nxp_send(tmp, both, 32, key->data, IV,3); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "EncBoth: %s", sprint_hex(both, 32)); + } + } + } else if (payload->mode == MFDES_AUTH_AES) { + uint8_t tmp[32] = {0x00}; + memcpy(tmp, RndA, rndlen); + memcpy(tmp + rndlen, rotRndB, rndlen); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "rotRndB: %s", sprint_hex(rotRndB, rndlen)); + PrintAndLogEx(INFO, "Both3k3: %s", sprint_hex(tmp, 32)); + } + if (payload->algo == MFDES_ALGO_AES) { + if (mbedtls_aes_setkey_enc(&ctx, key->data, 128) != 0) { + PrintAndLogEx(ERR,"mbedtls_aes_setkey_enc failed"); + return PM3_ESOFT; + } + mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, 32, IV, tmp, both); + if (g_debugMode>1) { + PrintAndLogEx(INFO, "EncBoth: %s", sprint_hex(both, 32)); + } + } + } + + int bothlen = 16; + if (payload->algo == MFDES_ALGO_AES || payload->algo == MFDES_ALGO_3K3DES) { + bothlen = 32; + } + if (payload->mode != MFDES_AUTH_PICC) { + sAPDU apdu = {0x90, MFDES_ADDITIONAL_FRAME, 0x00, 0x00, bothlen, both}; + int res = send_desfire_cmd(&apdu, false, recv_data, &recv_len, &sw, 0, false); + if (res != PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "Sending auth command %02X " _RED_("failed"),subcommand); + return PM3_ESOFT; + } + } else { + /*cmd[0] = ADDITIONAL_FRAME; + memcpy(cmd + 1, both, 16); + len = DesfireAPDU(cmd, 1 + 16, resp); + + if (res != PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "Sending auth command %02X " _RED_("failed"),subcommand); + return PM3_ESOFT; + }*/ + } + + if (!recv_len) { + PrintAndLogEx(ERR,"Authentication failed. Card timeout."); + return PM3_ESOFT; + } + + if (payload->mode != MFDES_AUTH_PICC) { + if (sw!=status(MFDES_S_OPERATION_OK)) { + PrintAndLogEx(ERR,"Authentication failed."); + return PM3_ESOFT; + } + } else { + /*if (resp[1] != 0x00) { + PrintAndLogEx(ERR,"Authentication failed. Card timeout."); + return PM3_ESOFT; + }*/ + } + + // Part 4 + Desfire_session_key_new(RndA, RndB, key, sessionkey); + + if (payload->mode != MFDES_AUTH_PICC) { + memcpy(encRndA, recv_data, rndlen); + } else { + memcpy(encRndA, recv_data + 2, rndlen); + } + + if (payload->mode == MFDES_AUTH_DES || payload->mode == MFDES_AUTH_ISO || payload->mode == MFDES_AUTH_PICC) { + if (payload->algo == MFDES_ALGO_DES) + des_dec(encRndA, encRndA, key->data); + else if (payload->algo == MFDES_ALGO_3DES) + tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV,2); + else if (payload->algo == MFDES_ALGO_3K3DES) + tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV,3); + } else if (payload->mode == MFDES_AUTH_AES) { + if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) { + PrintAndLogEx(ERR,"mbedtls_aes_setkey_dec failed"); + return PM3_ESOFT; + } + mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT, rndlen, IV, encRndA, encRndA); + } + + rol(RndA, rndlen); + for (int x = 0; x < rndlen; x++) { + if (RndA[x] != encRndA[x]) { + PrintAndLogEx(ERR,"Authentication failed. Cannot verify Session Key."); + if (g_debugMode>1){ + PrintAndLogEx(INFO,"Expected_RndA : %s", sprint_hex(RndA, rndlen)); + PrintAndLogEx(INFO,"Generated_RndA : %s", sprint_hex(encRndA, rndlen)); + } + return PM3_ESOFT; + } + } + + rpayload->sessionkeylen = payload->keylen; + memcpy(rpayload->sessionkey, sessionkey->data, rpayload->sessionkeylen); + return PM3_SUCCESS; +} + // -- test if card supports 0x0A static int test_desfire_authenticate() { uint8_t data[] = {0x00}; sAPDU apdu = {0x90, MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, data}; // 0x0A, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); + int res=send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, 0, false); + if (res==PM3_SUCCESS) + if (sw==status(MFDES_ADDITIONAL_FRAME)) { + DropField(); + return res; + } + return res; } // -- test if card supports 0x1A @@ -412,7 +706,13 @@ static int test_desfire_authenticate_iso() { sAPDU apdu = {0x90, MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, data}; // 0x1A, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); + int res=send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, 0, false); + if (res==PM3_SUCCESS) + if (sw==status(MFDES_ADDITIONAL_FRAME)) { + DropField(); + return res; + } + return res; } // -- test if card supports 0xAA @@ -421,7 +721,13 @@ static int test_desfire_authenticate_aes() { sAPDU apdu = {0x90, MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, data}; // 0xAA, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); + int res=send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, 0, false); + if (res==PM3_SUCCESS) + if (sw==status(MFDES_ADDITIONAL_FRAME)) { + DropField(); + return res; + } + return res; } // --- GET FREE MEM @@ -1013,7 +1319,7 @@ static int CmdHF14ADesDeleteApp(const char *Cmd) { uint8_t aid[3] = {0}; CLIGetHexWithReturn(1, aid, &aidlength); CLIParserFree(); - + swap24(aid); if (aidlength < 3) { PrintAndLogEx(ERR, "AID must have 3 bytes length."); return PM3_EINVARG; @@ -1488,14 +1794,16 @@ static int CmdHF14ADesAuth(const char *Cmd) { CLIParserInit("hf mfdes auth", "Authenticates Mifare DESFire using Key", - "Usage:\n\t-m Auth type (1=normal, 2=iso, 3=aes)\n\t-t Crypt algo (1=DES, 2=3DES, 3=2K3DES, 4=3K3DES, 5=AES)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n" - "Example:\n\thf mfdes auth -m 3 -t 5 -a 838001 -n 0 -k 00000000000000000000000000000000\n" + "Usage:\n\t-m Auth type (1=normal, 2=iso, 3=aes)\n\t-t Crypt algo (1=DES, 2=3DES(2K2DES), 3=3K3DES, 5=AES)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n" + "Example:\n\thf mfdes auth -m 3 -t 4 -a 808301 -n 0 -k 00000000000000000000000000000000 (AES)" + "\n\thf mfdes auth -m 2 -t 2 -a 000000 -n 0 -k 00000000000000000000000000000000 (3DES)" + "\n\thf mfdes auth -m 1 -t 1 -a 000000 -n 0 -k 0000000000000000 (DES)" ); void *argtable[] = { arg_param_begin, arg_int0("mM", "type", "Auth type (1=normal, 2=iso, 3=aes, 4=picc)", NULL), - arg_int0("tT", "algo", "Crypt algo (1=DES, 2=3DES, 3=2K3DES, 4=3K3DES, 5=AES)", NULL), + arg_int0("tT", "algo", "Crypt algo (1=DES, 2=3DES(2K2DES), 4=3K3DES, 5=AES)", NULL), arg_strx0("aA", "aid", "", "AID used for authentification (HEX 3 bytes)"), arg_int0("nN", "keyno", "Key number used for authentification", NULL), arg_str0("kK", "key", "", "Key for checking (HEX 16 bytes)"), @@ -1536,7 +1844,7 @@ static int CmdHF14ADesAuth(const char *Cmd) { } break; case MFDES_AUTH_ISO: - if (cmdAuthAlgo != MFDES_ALGO_2K3DES && cmdAuthAlgo != MFDES_ALGO_3K3DES) { + if (cmdAuthAlgo != MFDES_ALGO_3DES && cmdAuthAlgo != MFDES_ALGO_3K3DES) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth iso mode"); return PM3_EINVARG; } @@ -1559,13 +1867,9 @@ static int CmdHF14ADesAuth(const char *Cmd) { } switch (cmdAuthAlgo) { - case MFDES_ALGO_2K3DES: - keylength = 16; - PrintAndLogEx(NORMAL, "2 key 3DES selected"); - break; case MFDES_ALGO_3DES: keylength = 16; - PrintAndLogEx(NORMAL, "3DES selected"); + PrintAndLogEx(NORMAL, "2 key 3DES selected"); break; case MFDES_ALGO_3K3DES: keylength = 24; @@ -1605,7 +1909,7 @@ static int CmdHF14ADesAuth(const char *Cmd) { payload.mode = cmdAuthMode; payload.algo = cmdAuthAlgo; payload.keyno = cmdKeyNo; - SendCommandNG(CMD_HF_DESFIRE_AUTH1, (uint8_t *)&payload, sizeof(payload)); + /*SendCommandNG(CMD_HF_DESFIRE_AUTH1, (uint8_t *)&payload, sizeof(payload)); PacketResponseNG resp; @@ -1614,15 +1918,15 @@ static int CmdHF14ADesAuth(const char *Cmd) { DropField(); return PM3_ETIMEOUT; } - - uint8_t isOK = (resp.status == PM3_SUCCESS); - if (isOK) { - struct mfdes_auth_res *rpayload = (struct mfdes_auth_res *)&resp.data.asBytes; + */ + mfdes_auth_res_t rpayload; + if (get_desfire_auth(&payload,&rpayload)==PM3_SUCCESS) + { PrintAndLogEx(SUCCESS, " Key : " _GREEN_("%s"), sprint_hex(key, keylength)); - PrintAndLogEx(SUCCESS, " SESSION : " _GREEN_("%s"), sprint_hex(rpayload->sessionkey, keylength)); + PrintAndLogEx(SUCCESS, " SESSION : " _GREEN_("%s"), sprint_hex(rpayload.sessionkey, keylength)); PrintAndLogEx(INFO, "-------------------------------------------------------------"); } else { - PrintAndLogEx(WARNING, _RED_("Auth command failed, reason: %d."), resp.status); + return PM3_ESOFT; } PrintAndLogEx(INFO, "-------------------------------------------------------------"); return PM3_SUCCESS; @@ -1633,8 +1937,48 @@ static int CmdHF14ADesList(const char *Cmd) { return CmdTraceList("des"); } +static int CmdTest(const char *Cmd) { + (void)Cmd; // Cmd is not used so far + uint8_t IV[8]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + uint8_t key[16]={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + + /*[=] encRndB: 1A BE 10 8D 09 E0 18 13 + [=] RndB: 57 9B 94 21 40 2C C6 D7 + [=] 3keyenc: 6E 6A EB 86 6E 6A EB 86 9B 94 21 40 2C C6 D7 00 + 6E 6A EB 86 6E 6A EB 86 9B 94 21 40 2C C6 D7 57 + [=] Both: 32 B2 E4 1A 14 CF 8B 34 B4 F9 30 43 5B 68 A3 FD + [=] RndA: 6E 6A EB 86 6E 6A EB 86 + */ + + uint8_t encRndB[8]={0x1A,0xBE,0x10,0x8D,0x09,0xE0,0x18,0x13}; + /* + * RndB_enc: DE 50 F9 23 10 CA F5 A5 + * RndB: 4C 64 7E 56 72 E2 A6 51 + * RndB_rot: 64 7E 56 72 E2 A6 51 4C + * RndA: C9 6C E3 5E 4D 60 87 F2 + * RndAB: C9 6C E3 5E 4D 60 87 F2 64 7E 56 72 E2 A6 51 4C + * RndAB_enc: E0 06 16 66 87 04 D5 54 9C 8D 6A 13 A0 F8 FC ED + */ + uint8_t RndB[8]={0}; + uint8_t RndA[8]={0x6E,0x6A,0xEB,0x86,0x6E,0x6A,0xEB,0x86}; + tdes_nxp_receive(encRndB, RndB, 8, key, IV,2); + uint8_t rotRndB[8]={0}; + memcpy(rotRndB, RndB, 8); + rol(rotRndB, 8); + uint8_t tmp[16] = {0x00}; + uint8_t both[16] = {0x00}; + memcpy(tmp, RndA, 8); + memcpy(tmp + 8, rotRndB, 8); + PrintAndLogEx(INFO,"3keyenc: %s",sprint_hex(tmp,16)); + PrintAndLogEx(SUCCESS, " Res : " _GREEN_("%s"), sprint_hex(IV,8)); + tdes_nxp_send(tmp, both, 16, key, IV,2); + PrintAndLogEx(SUCCESS, " Res : " _GREEN_("%s"), sprint_hex(both,16)); + return PM3_SUCCESS; +} + static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, + {"test", CmdTest, AlwaysAvailable, "Test"}, {"info", CmdHF14ADesInfo, IfPm3Iso14443a, "Tag information"}, {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, {"enum", CmdHF14ADesEnumApplications, IfPm3Iso14443a, "Tries enumerate all applications"}, diff --git a/armsrc/desfire_crypto_disabled.c b/client/mifare/desfire_crypto.c similarity index 56% rename from armsrc/desfire_crypto_disabled.c rename to client/mifare/desfire_crypto.c index 02896afa8..da0dc5d4b 100644 --- a/armsrc/desfire_crypto_disabled.c +++ b/client/mifare/desfire_crypto.c @@ -25,13 +25,625 @@ * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication * May 2005 */ +#include "desfire_crypto.h" +#include +#include #include -#include "desfire_crypto_disabled.h" +#include "commonutil.h" #include "crc32.h" -#include "printf.h" -#include "desfire.h" -#include "iso14443a.h" #include "mbedtls/aes.h" +//#include "mbedtls/des.h" +#include "ui.h" +#include "crc.h" +#include "crc16.h" // crc16 ccitt + +const uint8_t sbox[256] = { + /* S-box 1 */ + 0xE4, 0xD1, 0x2F, 0xB8, 0x3A, 0x6C, 0x59, 0x07, + 0x0F, 0x74, 0xE2, 0xD1, 0xA6, 0xCB, 0x95, 0x38, + 0x41, 0xE8, 0xD6, 0x2B, 0xFC, 0x97, 0x3A, 0x50, + 0xFC, 0x82, 0x49, 0x17, 0x5B, 0x3E, 0xA0, 0x6D, + /* S-box 2 */ + 0xF1, 0x8E, 0x6B, 0x34, 0x97, 0x2D, 0xC0, 0x5A, + 0x3D, 0x47, 0xF2, 0x8E, 0xC0, 0x1A, 0x69, 0xB5, + 0x0E, 0x7B, 0xA4, 0xD1, 0x58, 0xC6, 0x93, 0x2F, + 0xD8, 0xA1, 0x3F, 0x42, 0xB6, 0x7C, 0x05, 0xE9, + /* S-box 3 */ + 0xA0, 0x9E, 0x63, 0xF5, 0x1D, 0xC7, 0xB4, 0x28, + 0xD7, 0x09, 0x34, 0x6A, 0x28, 0x5E, 0xCB, 0xF1, + 0xD6, 0x49, 0x8F, 0x30, 0xB1, 0x2C, 0x5A, 0xE7, + 0x1A, 0xD0, 0x69, 0x87, 0x4F, 0xE3, 0xB5, 0x2C, + /* S-box 4 */ + 0x7D, 0xE3, 0x06, 0x9A, 0x12, 0x85, 0xBC, 0x4F, + 0xD8, 0xB5, 0x6F, 0x03, 0x47, 0x2C, 0x1A, 0xE9, + 0xA6, 0x90, 0xCB, 0x7D, 0xF1, 0x3E, 0x52, 0x84, + 0x3F, 0x06, 0xA1, 0xD8, 0x94, 0x5B, 0xC7, 0x2E, + /* S-box 5 */ + 0x2C, 0x41, 0x7A, 0xB6, 0x85, 0x3F, 0xD0, 0xE9, + 0xEB, 0x2C, 0x47, 0xD1, 0x50, 0xFA, 0x39, 0x86, + 0x42, 0x1B, 0xAD, 0x78, 0xF9, 0xC5, 0x63, 0x0E, + 0xB8, 0xC7, 0x1E, 0x2D, 0x6F, 0x09, 0xA4, 0x53, + /* S-box 6 */ + 0xC1, 0xAF, 0x92, 0x68, 0x0D, 0x34, 0xE7, 0x5B, + 0xAF, 0x42, 0x7C, 0x95, 0x61, 0xDE, 0x0B, 0x38, + 0x9E, 0xF5, 0x28, 0xC3, 0x70, 0x4A, 0x1D, 0xB6, + 0x43, 0x2C, 0x95, 0xFA, 0xBE, 0x17, 0x60, 0x8D, + /* S-box 7 */ + 0x4B, 0x2E, 0xF0, 0x8D, 0x3C, 0x97, 0x5A, 0x61, + 0xD0, 0xB7, 0x49, 0x1A, 0xE3, 0x5C, 0x2F, 0x86, + 0x14, 0xBD, 0xC3, 0x7E, 0xAF, 0x68, 0x05, 0x92, + 0x6B, 0xD8, 0x14, 0xA7, 0x95, 0x0F, 0xE2, 0x3C, + /* S-box 8 */ + 0xD2, 0x84, 0x6F, 0xB1, 0xA9, 0x3E, 0x50, 0xC7, + 0x1F, 0xD8, 0xA3, 0x74, 0xC5, 0x6B, 0x0E, 0x92, + 0x7B, 0x41, 0x9C, 0xE2, 0x06, 0xAD, 0xF3, 0x58, + 0x21, 0xE7, 0x4A, 0x8D, 0xFC, 0x90, 0x35, 0x6B +}; + +const uint8_t e_permtab[] = { + 4, 6, /* 4 bytes in 6 bytes out*/ + 32, 1, 2, 3, 4, 5, + 4, 5, 6, 7, 8, 9, + 8, 9, 10, 11, 12, 13, + 12, 13, 14, 15, 16, 17, + 16, 17, 18, 19, 20, 21, + 20, 21, 22, 23, 24, 25, + 24, 25, 26, 27, 28, 29, + 28, 29, 30, 31, 32, 1 +}; + +const uint8_t p_permtab[] = { + 4, 4, /* 32 bit -> 32 bit */ + 16, 7, 20, 21, + 29, 12, 28, 17, + 1, 15, 23, 26, + 5, 18, 31, 10, + 2, 8, 24, 14, + 32, 27, 3, 9, + 19, 13, 30, 6, + 22, 11, 4, 25 +}; + +const uint8_t ip_permtab[] = { + 8, 8, /* 64 bit -> 64 bit */ + 58, 50, 42, 34, 26, 18, 10, 2, + 60, 52, 44, 36, 28, 20, 12, 4, + 62, 54, 46, 38, 30, 22, 14, 6, + 64, 56, 48, 40, 32, 24, 16, 8, + 57, 49, 41, 33, 25, 17, 9, 1, + 59, 51, 43, 35, 27, 19, 11, 3, + 61, 53, 45, 37, 29, 21, 13, 5, + 63, 55, 47, 39, 31, 23, 15, 7 +}; + +const uint8_t inv_ip_permtab[] = { + 8, 8, /* 64 bit -> 64 bit */ + 40, 8, 48, 16, 56, 24, 64, 32, + 39, 7, 47, 15, 55, 23, 63, 31, + 38, 6, 46, 14, 54, 22, 62, 30, + 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, + 35, 3, 43, 11, 51, 19, 59, 27, + 34, 2, 42, 10, 50, 18, 58, 26, + 33, 1, 41, 9, 49, 17, 57, 25 +}; + +const uint8_t pc1_permtab[] = { + 8, 7, /* 64 bit -> 56 bit*/ + 57, 49, 41, 33, 25, 17, 9, + 1, 58, 50, 42, 34, 26, 18, + 10, 2, 59, 51, 43, 35, 27, + 19, 11, 3, 60, 52, 44, 36, + 63, 55, 47, 39, 31, 23, 15, + 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, + 21, 13, 5, 28, 20, 12, 4 +}; + +const uint8_t pc2_permtab[] = { + 7, 6, /* 56 bit -> 48 bit */ + 14, 17, 11, 24, 1, 5, + 3, 28, 15, 6, 21, 10, + 23, 19, 12, 4, 26, 8, + 16, 7, 27, 20, 13, 2, + 41, 52, 31, 37, 47, 55, + 30, 40, 51, 45, 33, 48, + 44, 49, 39, 56, 34, 53, + 46, 42, 50, 36, 29, 32 +}; + +const uint8_t splitin6bitword_permtab[] = { + 8, 8, /* 64 bit -> 64 bit */ + 64, 64, 1, 6, 2, 3, 4, 5, + 64, 64, 7, 12, 8, 9, 10, 11, + 64, 64, 13, 18, 14, 15, 16, 17, + 64, 64, 19, 24, 20, 21, 22, 23, + 64, 64, 25, 30, 26, 27, 28, 29, + 64, 64, 31, 36, 32, 33, 34, 35, + 64, 64, 37, 42, 38, 39, 40, 41, + 64, 64, 43, 48, 44, 45, 46, 47 +}; + +const uint8_t shiftkey_permtab[] = { + 7, 7, /* 56 bit -> 56 bit */ + 2, 3, 4, 5, 6, 7, 8, 9, + 10, 11, 12, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25, + 26, 27, 28, 1, + 30, 31, 32, 33, 34, 35, 36, 37, + 38, 39, 40, 41, 42, 43, 44, 45, + 46, 47, 48, 49, 50, 51, 52, 53, + 54, 55, 56, 29 +}; + +const uint8_t shiftkeyinv_permtab[] = { + 7, 7, + 28, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15, + 16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, + 56, 29, 30, 31, 32, 33, 34, 35, + 36, 37, 38, 39, 40, 41, 42, 43, + 44, 45, 46, 47, 48, 49, 50, 51, + 52, 53, 54, 55 +}; + +/* +1 0 +1 0 +2 1 +2 1 +2 1 +2 1 +2 1 +2 1 +---- +1 0 +2 1 +2 1 +2 1 +2 1 +2 1 +2 1 +1 0 +*/ +#define ROTTABLE 0x7EFC +#define ROTTABLE_INV 0x3F7E +/******************************************************************************/ + +void permute(const uint8_t *ptable, const uint8_t *in, uint8_t *out) { + uint8_t ob; /* in-bytes and out-bytes */ + uint8_t byte, bit; /* counter for bit and byte */ + ob = ptable[1]; + ptable = &(ptable[2]); + for (byte = 0; byte < ob; ++byte) { + uint8_t t = 0; + for (bit = 0; bit < 8; ++bit) { + uint8_t x = *ptable++ - 1; + t <<= 1; + if ((in[x / 8]) & (0x80 >> (x % 8))) { + t |= 0x01; + } + } + out[byte] = t; + } +} + +/******************************************************************************/ + +void changeendian32(uint32_t *a) { + *a = (*a & 0x000000FF) << 24 | + (*a & 0x0000FF00) << 8 | + (*a & 0x00FF0000) >> 8 | + (*a & 0xFF000000) >> 24; +} + +/******************************************************************************/ +static inline +void shiftkey(uint8_t *key) { + uint8_t k[7]; + memcpy(k, key, 7); + permute((uint8_t *)shiftkey_permtab, k, key); +} + +/******************************************************************************/ +static inline +void shiftkey_inv(uint8_t *key) { + uint8_t k[7]; + memcpy(k, key, 7); + permute((uint8_t *)shiftkeyinv_permtab, k, key); + +} + +/******************************************************************************/ +static inline +uint64_t splitin6bitwords(uint64_t a) { + uint64_t ret = 0; + a &= 0x0000ffffffffffffLL; + permute((uint8_t *)splitin6bitword_permtab, (uint8_t *)&a, (uint8_t *)&ret); + return ret; +} + +/******************************************************************************/ + +static inline +uint8_t substitute(uint8_t a, uint8_t *sbp) { + uint8_t x; + x = sbp[a >> 1]; + x = (a & 1) ? x & 0x0F : x >> 4; + return x; + +} + +/******************************************************************************/ + +uint32_t des_f(uint32_t r, uint8_t *kr) { + uint8_t i; + uint32_t t = 0, ret; + uint64_t data = 0; + uint8_t *sbp; /* sboxpointer */ + permute((uint8_t *)e_permtab, (uint8_t *)&r, (uint8_t *)&data); + for (i = 0; i < 6; ++i) + ((uint8_t *)&data)[i] ^= kr[i]; + + /* Sbox substitution */ + data = splitin6bitwords(data); + sbp = (uint8_t *)sbox; + for (i = 0; i < 8; ++i) { + uint8_t x; + x = substitute(((uint8_t *)&data)[i], sbp); + t <<= 4; + t |= x; + sbp += 32; + } + changeendian32(&t); + + permute((uint8_t *)p_permtab, (uint8_t *)&t, (uint8_t *)&ret); + + return ret; +} + +/******************************************************************************/ + +typedef struct { + union { + uint8_t v8[8]; + uint32_t v32[2]; + } d; +} des_data_t; +#define R (des_data.d.v32[1]) +#define L (des_data.d.v32[0]) + +void des_enc(void *out, const void *in, const void *key) { + + uint8_t kr[6], k[7]; + uint8_t i; + des_data_t des_data; + + permute((uint8_t *)ip_permtab, (uint8_t *)in, des_data.d.v8); + permute((uint8_t *)pc1_permtab, (const uint8_t *)key, k); + + for (i = 0; i < 8; ++i) { + shiftkey(k); + if (ROTTABLE & ((1 << ((i << 1) + 0)))) + shiftkey(k); + permute((uint8_t *)pc2_permtab, k, kr); + L ^= des_f(R, kr); + + shiftkey(k); + if (ROTTABLE & ((1 << ((i << 1) + 1)))) + shiftkey(k); + permute((uint8_t *)pc2_permtab, k, kr); + R ^= des_f(L, kr); + + } + /* L <-> R*/ + R ^= L; + L ^= R; + R ^= L; + + permute((uint8_t *)inv_ip_permtab, des_data.d.v8, (uint8_t *)out); +} + +/******************************************************************************/ + +void des_dec(void *out, const void *in, const void *key) { + + uint8_t kr[6], k[7]; + int8_t i; + des_data_t des_data; + + permute((uint8_t *)ip_permtab, (uint8_t *)in, des_data.d.v8); + permute((uint8_t *)pc1_permtab, (const uint8_t *)key, k); + for (i = 7; i >= 0; --i) { + + permute((uint8_t *)pc2_permtab, k, kr); + L ^= des_f(R, kr); + shiftkey_inv(k); + if (ROTTABLE & ((1 << ((i << 1) + 1)))) { + shiftkey_inv(k); + } + + permute((uint8_t *)pc2_permtab, k, kr); + R ^= des_f(L, kr); + shiftkey_inv(k); + if (ROTTABLE & ((1 << ((i << 1) + 0)))) { + shiftkey_inv(k); + } + + } + /* L <-> R*/ + R ^= L; + L ^= R; + R ^= L; + + permute((uint8_t *)inv_ip_permtab, des_data.d.v8, (uint8_t *)out); +} + +#undef R +#undef L +/******************************************************************************/ + +#ifndef AddCrc14A +# define AddCrc14A(data, len) compute_crc(CRC_14443_A, (data), (len), (data)+(len), (data)+(len)+1) +#endif + +#define htole32(x) (x) +#define CRC32_PRESET 0xFFFFFFFF + +static void crc32_byte(uint32_t *crc, const uint8_t value); + +static void crc32_byte(uint32_t *crc, const uint8_t value) { + /* x32 + x26 + x23 + x22 + x16 + x12 + x11 + x10 + x8 + x7 + x5 + x4 + x2 + x + 1 */ + const uint32_t poly = 0xEDB88320; + + *crc ^= value; + for (int current_bit = 7; current_bit >= 0; current_bit--) { + int bit_out = (*crc) & 0x00000001; + *crc >>= 1; + if (bit_out) + *crc ^= poly; + } +} + +void crc32_ex(const uint8_t *data, const size_t len, uint8_t *crc) { + uint32_t desfire_crc = CRC32_PRESET; + for (size_t i = 0; i < len; i++) { + crc32_byte(&desfire_crc, data[i]); + } + + *((uint32_t *)(crc)) = htole32(desfire_crc); +} + +void crc32_append(uint8_t *data, const size_t len) { + crc32_ex(data, len, data + len); +} + +static inline void update_key_schedules(desfirekey_t key); + +static inline void update_key_schedules(desfirekey_t key) { + // DES_set_key ((DES_cblock *)key->data, &(key->ks1)); + // DES_set_key ((DES_cblock *)(key->data + 8), &(key->ks2)); + // if (T_3K3DES == key->type) { + // DES_set_key ((DES_cblock *)(key->data + 16), &(key->ks3)); + // } +} + +/******************************************************************************/ + +/*void des_enc(void *out, const void *in, const void *key) { + mbedtls_des_context ctx; + mbedtls_des_setkey_enc(&ctx, key); + mbedtls_des_crypt_ecb(&ctx, in, out); + mbedtls_des_free(&ctx); +} + +void des_dec(void *out, const void *in, const void *key) { + mbedtls_des_context ctx; + mbedtls_des_setkey_dec(&ctx, key); + mbedtls_des_crypt_ecb(&ctx, in, out); + mbedtls_des_free(&ctx); +} +*/ + +void tdes_3key_enc(void *out, void *in, const void *key) { + des_enc(out, in, (uint8_t *)key + 0); + des_dec(out, out, (uint8_t *)key + 8); + des_enc(out, out, (uint8_t *)key + 16); +} + +void tdes_3key_dec(void *out, void *in, const uint8_t *key) { + des_dec(out, in, (uint8_t *)key + 16); + des_enc(out, out, (uint8_t *)key + 8); + des_dec(out, out, (uint8_t *)key + 0); +} + +void tdes_2key_enc(void *out, void *in, const void *key) { + des_enc(out, in, (uint8_t *)key + 0); + des_dec(out, out, (uint8_t *)key + 8); + des_enc(out, out, (uint8_t *)key + 0); +} + +void tdes_2key_dec(void *out, void *in, const uint8_t *key) { + des_dec(out, in, (uint8_t *)key + 0); + des_enc(out, out, (uint8_t *)key + 8); + des_dec(out, out, (uint8_t *)key + 0); +} + +void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) { + + if (length % 8) return; + + uint8_t i; + unsigned char temp[8]; + uint8_t *tin = (uint8_t *) in; + uint8_t *tout = (uint8_t *) out; + + while (length > 0) { + memcpy(temp, tin, 8); + + if (keymode==2) tdes_2key_dec(tout,tin,key); + else if (keymode==3) tdes_3key_dec(tout,tin,key); + + for (i = 0; i < 8; i++) + tout[i] = (unsigned char)(tout[i] ^ iv[i]); + + memcpy(iv, temp, 8); + + tin += 8; + tout += 8; + length -= 8; + } +} + +void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) { + + if (length % 8) return; + + uint8_t i; + uint8_t *tin = (uint8_t *) in; + uint8_t *tout = (uint8_t *) out; + + while (length > 0) { + for (i = 0; i < 8; i++) + tin[i] = (unsigned char)(tin[i] ^ iv[i]); + + if (keymode==2) tdes_2key_enc(tout,tin,key); + else if (keymode==3) tdes_3key_enc(tout,tin,key); + + memcpy(iv, tout, 8); + + tin += 8; + tout += 8; + length -= 8; + } +} + + + +void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key) { + uint8_t data[8]; + memcpy(data, value, 8); + for (int n = 0; n < 8; n++) + data[n] &= 0xfe; + Desfire_des_key_new_with_version(data, key); +} + +void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key) { + if (key != NULL) { + key->type = T_DES; + memcpy(key->data, value, 8); + memcpy(key->data + 8, value, 8); + update_key_schedules(key); + } +} + +void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key) { + uint8_t data[16]; + memcpy(data, value, 16); + for (int n = 0; n < 8; n++) + data[n] &= 0xfe; + for (int n = 8; n < 16; n++) + data[n] |= 0x01; + Desfire_3des_key_new_with_version(data, key); +} + +void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key) { + if (key != NULL) { + key->type = T_3DES; + memcpy(key->data, value, 16); + update_key_schedules(key); + } +} + +void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key) { + uint8_t data[24]; + memcpy(data, value, 24); + for (int n = 0; n < 8; n++) + data[n] &= 0xfe; + Desfire_3k3des_key_new_with_version(data, key); +} + +void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key) { + if (key != NULL) { + key->type = T_3K3DES; + memcpy(key->data, value, 24); + update_key_schedules(key); + } +} + +void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key) { + Desfire_aes_key_new_with_version(value, 0, key); +} + +void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key) { + + if (key != NULL) { + memcpy(key->data, value, 16); + key->type = T_AES; + key->aes_version = version; + } +} + +uint8_t Desfire_key_get_version(desfirekey_t key) { + uint8_t version = 0; + + for (int n = 0; n < 8; n++) { + version |= ((key->data[n] & 1) << (7 - n)); + } + return version; +} + +void Desfire_key_set_version(desfirekey_t key, uint8_t version) { + for (int n = 0; n < 8; n++) { + uint8_t version_bit = ((version & (1 << (7 - n))) >> (7 - n)); + key->data[n] &= 0xfe; + key->data[n] |= version_bit; + if (key->type == T_DES) { + key->data[n + 8] = key->data[n]; + } else { + // Write ~version to avoid turning a 3DES key into a DES key + key->data[n + 8] &= 0xfe; + key->data[n + 8] |= ~version_bit; + } + } +} + +void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key) { + + uint8_t buffer[24]; + + switch (authkey->type) { + case T_DES: + memcpy(buffer, rnda, 4); + memcpy(buffer + 4, rndb, 4); + Desfire_des_key_new_with_version(buffer, key); + break; + case T_3DES: + memcpy(buffer, rnda, 4); + memcpy(buffer + 4, rndb, 4); + memcpy(buffer + 8, rnda + 4, 4); + memcpy(buffer + 12, rndb + 4, 4); + Desfire_3des_key_new_with_version(buffer, key); + break; + case T_3K3DES: + memcpy(buffer, rnda, 4); + memcpy(buffer + 4, rndb, 4); + memcpy(buffer + 8, rnda + 6, 4); + memcpy(buffer + 12, rndb + 6, 4); + memcpy(buffer + 16, rnda + 12, 4); + memcpy(buffer + 20, rndb + 12, 4); + Desfire_3k3des_key_new(buffer, key); + break; + case T_AES: + memcpy(buffer, rnda, 4); + memcpy(buffer + 4, rndb, 4); + memcpy(buffer + 8, rnda + 12, 4); + memcpy(buffer + 12, rndb + 12, 4); + Desfire_aes_key_new(buffer, key); + break; + } +} static void xor(const uint8_t *ivect, uint8_t *data, const size_t len); static size_t key_macing_length(desfirekey_t key); @@ -449,7 +1061,7 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes do { uint16_t crc_16 = 0x00; - uint32_t crc; + uint32_t crc=0x00; switch (DESFIRE(tag)->authentication_scheme) { case AS_LEGACY: AddCrc14A((uint8_t *)res, end_crc_pos); @@ -508,7 +1120,7 @@ void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes break; default: - Dbprintf("Unknown communication settings"); + PrintAndLogEx(ERR,"Unknown communication settings"); *nbytes = -1; res = NULL; break; @@ -548,26 +1160,26 @@ void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); - tdes_enc(edata, data, key->data); + tdes_2key_enc(edata, data, key->data); break; case MCO_DECYPHER: // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); - tdes_dec(data, edata, key->data); + tdes_2key_dec(data, edata, key->data); break; } break; case T_3K3DES: switch (operation) { case MCO_ENCYPHER: - tdes_enc(edata, data, key->data); + tdes_3key_enc(edata, data, key->data); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT); break; case MCO_DECYPHER: - tdes_dec(data, edata, key->data); + tdes_3key_enc(data, edata, key->data); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT); // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT); // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); diff --git a/client/mifare/desfire_crypto.h b/client/mifare/desfire_crypto.h new file mode 100644 index 000000000..e1d37d1af --- /dev/null +++ b/client/mifare/desfire_crypto.h @@ -0,0 +1,139 @@ +#ifndef __DESFIRE_CRYPTO_H +#define __DESFIRE_CRYPTO_H + +#include "common.h" +#include "mifare.h" // structs +//#include "../../armsrc/printf.h" +//#include "../../armsrc/desfire.h" +//#include "../../armsrc/iso14443a.h" + + +#define MAX_CRYPTO_BLOCK_SIZE 16 +/* Mifare DESFire EV1 Application crypto operations */ +#define APPLICATION_CRYPTO_DES 0x00 +#define APPLICATION_CRYPTO_3K3DES 0x40 +#define APPLICATION_CRYPTO_AES 0x80 + +#define MAC_LENGTH 4 +#define CMAC_LENGTH 8 + +typedef enum { + MCD_SEND, + MCD_RECEIVE +} MifareCryptoDirection; + +typedef enum { + MCO_ENCYPHER, + MCO_DECYPHER +} MifareCryptoOperation; + +#define MDCM_MASK 0x000F + +#define CMAC_NONE 0 + +// Data send to the PICC is used to update the CMAC +#define CMAC_COMMAND 0x010 +// Data received from the PICC is used to update the CMAC +#define CMAC_VERIFY 0x020 + +// MAC the command (when MDCM_MACED) +#define MAC_COMMAND 0x100 +// The command returns a MAC to verify (when MDCM_MACED) +#define MAC_VERIFY 0x200 + +#define ENC_COMMAND 0x1000 +#define NO_CRC 0x2000 + +#define MAC_MASK 0x0F0 +#define CMAC_MACK 0xF00 + +/* Communication mode */ +#define MDCM_PLAIN 0x00 +#define MDCM_MACED 0x01 +#define MDCM_ENCIPHERED 0x03 + +/* Error code managed by the library */ +#define CRYPTO_ERROR 0x01 + +enum DESFIRE_CRYPTOALGO { + T_DES = 0x00, + T_3DES = 0x01, //aka 2K3DES + T_3K3DES = 0x02, + T_AES = 0x03 +}; + +enum DESFIRE_AUTH_SCHEME { + AS_LEGACY, + AS_NEW +}; + + + +#define DESFIRE_KEY(key) ((struct desfire_key *) key) +struct desfire_key { + enum DESFIRE_CRYPTOALGO type; + uint8_t data[24]; + uint8_t cmac_sk1[24]; + uint8_t cmac_sk2[24]; + uint8_t aes_version; +}; +typedef struct desfire_key *desfirekey_t; + +#define DESFIRE(tag) ((struct desfire_tag *) tag) +struct desfire_tag { + iso14a_card_select_t info; + int active; + uint8_t last_picc_error; + uint8_t last_internal_error; + uint8_t last_pcd_error; + desfirekey_t session_key; + enum DESFIRE_AUTH_SCHEME authentication_scheme; + uint8_t authenticated_key_no; + + uint8_t ivect[MAX_CRYPTO_BLOCK_SIZE]; + uint8_t cmac[16]; + uint8_t *crypto_buffer; + size_t crypto_buffer_size; + uint32_t selected_application; +}; +typedef struct desfire_tag *desfiretag_t; + +typedef unsigned long DES_KS[16][2]; /* Single-key DES key schedule */ +typedef unsigned long DES3_KS[48][2]; /* Triple-DES key schedule */ + +extern int Asmversion; /* 1 if we're linked with an asm version, 0 if C */ + +void crc32_ex(const uint8_t *data, const size_t len, uint8_t *crc); +void crc32_append(uint8_t *data, const size_t len); + +void des_enc(void *out, const void *in, const void *key); +void des_dec(void *out, const void *in, const void *key); +void tdes_enc(void *out, void *in, const void *key); +void tdes_dec(void *out, void *in, const uint8_t *key); +void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode); +void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode); +void Desfire_des_key_new(const uint8_t value[8], desfirekey_t key); +void Desfire_3des_key_new(const uint8_t value[16], desfirekey_t key); +void Desfire_des_key_new_with_version(const uint8_t value[8], desfirekey_t key); +void Desfire_3des_key_new_with_version(const uint8_t value[16], desfirekey_t key); +void Desfire_3k3des_key_new(const uint8_t value[24], desfirekey_t key); +void Desfire_3k3des_key_new_with_version(const uint8_t value[24], desfirekey_t key); +void Desfire_2k3des_key_new_with_version(const uint8_t value[16], desfirekey_t key); +void Desfire_aes_key_new(const uint8_t value[16], desfirekey_t key); +void Desfire_aes_key_new_with_version(const uint8_t value[16], uint8_t version, desfirekey_t key); +uint8_t Desfire_key_get_version(desfirekey_t key); +void Desfire_key_set_version(desfirekey_t key, uint8_t version); +void Desfire_session_key_new(const uint8_t rnda[], const uint8_t rndb[], desfirekey_t authkey, desfirekey_t key); + +void *mifare_cryto_preprocess_data(desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings); +void *mifare_cryto_postprocess_data(desfiretag_t tag, void *data, size_t *nbytes, int communication_settings); +void mifare_cypher_single_block(desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size); +void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation); +size_t key_block_size(const desfirekey_t key); +size_t padded_data_length(const size_t nbytes, const size_t block_size); +size_t maced_data_length(const desfirekey_t key, const size_t nbytes); +size_t enciphered_data_length(const desfiretag_t tag, const size_t nbytes, int communication_settings); +void cmac_generate_subkeys(desfirekey_t key); +void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac); + +#endif diff --git a/include/mifare.h b/include/mifare.h index 5cca91cbc..1066b2d2b 100644 --- a/include/mifare.h +++ b/include/mifare.h @@ -90,9 +90,8 @@ typedef enum { typedef enum { MFDES_ALGO_DES = 1, MFDES_ALGO_3DES = 2, - MFDES_ALGO_2K3DES = 3, - MFDES_ALGO_3K3DES = 4, - MFDES_ALGO_AES = 5 + MFDES_ALGO_3K3DES = 3, + MFDES_ALGO_AES = 4 } mifare_des_authalgo_t;