From 99bc47c1acf74d0bb6574b0884ce17023491c8c2 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 13 Aug 2021 21:27:46 +0300 Subject: [PATCH 01/15] add module --- client/CMakeLists.txt | 1 + client/Makefile | 1 + client/src/crypto/libpcrypto.h | 3 +++ client/src/mifare/desfirecrypto.h | 1 - client/src/mifare/lrpcrypto.c | 28 ++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.h | 33 +++++++++++++++++++++++++++++++ 6 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 client/src/mifare/lrpcrypto.c create mode 100644 client/src/mifare/lrpcrypto.h diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 4eca55906..ec9bebde2 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -228,6 +228,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/mifare/mifaredefault.c ${PM3_ROOT}/client/src/mifare/mifarehost.c ${PM3_ROOT}/client/src/nfc/ndef.c + ${PM3_ROOT}/client/src/mifare/lrpcrypto.c ${PM3_ROOT}/client/src/mifare/desfirecrypto.c ${PM3_ROOT}/client/src/mifare/desfiresecurechan.c ${PM3_ROOT}/client/src/mifare/desfirecore.c diff --git a/client/Makefile b/client/Makefile index ef9913149..33b624388 100644 --- a/client/Makefile +++ b/client/Makefile @@ -588,6 +588,7 @@ SRCS = mifare/aiddesfire.c \ loclass/cipherutils.c \ loclass/elite_crack.c \ loclass/ikeys.c \ + mifare/lrpcrypto.c \ mifare/desfirecrypto.c \ mifare/desfirecore.c \ mifare/desfiresecurechan.c \ diff --git a/client/src/crypto/libpcrypto.h b/client/src/crypto/libpcrypto.h index c589f61f6..89f13f486 100644 --- a/client/src/crypto/libpcrypto.h +++ b/client/src/crypto/libpcrypto.h @@ -16,6 +16,9 @@ #include #include +#define CRYPTO_AES_BLOCK_SIZE 16 +#define CRYPTO_AES128_KEY_SIZE 16 + void des_encrypt(void *out, const void *in, const void *key); void des_decrypt(void *out, const void *in, const void *key); void des_encrypt_ecb(void *out, const void *in, const int length, const void *key); diff --git a/client/src/mifare/desfirecrypto.h b/client/src/mifare/desfirecrypto.h index df5d22d71..a5de60a87 100644 --- a/client/src/mifare/desfirecrypto.h +++ b/client/src/mifare/desfirecrypto.h @@ -24,7 +24,6 @@ #include "common.h" #include "crypto/libpcrypto.h" -#define CRYPTO_AES_BLOCK_SIZE 16 #define MAX_CRYPTO_BLOCK_SIZE 16 #define DESFIRE_MAX_CRYPTO_BLOCK_SIZE 16 #define DESFIRE_MAX_KEY_SIZE 24 diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c new file mode 100644 index 000000000..3f656d396 --- /dev/null +++ b/client/src/mifare/lrpcrypto.c @@ -0,0 +1,28 @@ +/*- + * Copyright (C) 2021 Merlok + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + * $Id$ + */ + +#include "lrpcrypto.h" + +#include +#include +#include +#include "ui.h" +#include "aes.h" +#include "commonutil.h" + diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h new file mode 100644 index 000000000..25369b36d --- /dev/null +++ b/client/src/mifare/lrpcrypto.h @@ -0,0 +1,33 @@ +/*- + * Copyright (C) 2021 Merlok + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + * $Id$ + */ + +#ifndef __LRPCRYPTO_H +#define __LRPCRYPTO_H + +#include "common.h" +#include "crypto/libpcrypto.h" + +typedef struct { + uint8_t key[CRYPTO_AES128_KEY_SIZE]; +} LRPContext; + +void LRPSetKey(LRPContext *ctx); + + +#endif // __LRPCRYPTO_H From 442bbd38b540de63887a6843397a333477098653 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 00:22:18 +0300 Subject: [PATCH 02/15] TestLRPPlaintexts --- client/src/mifare/desfiretest.c | 44 ++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 59 +++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.h | 15 ++++++++- 3 files changed, 117 insertions(+), 1 deletion(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 174d8bd71..8a2c54fc7 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -16,6 +16,7 @@ #include "crypto/libpcrypto.h" #include "mifare/desfirecrypto.h" +#include "mifare/lrpcrypto.h" static uint8_t CMACData[] = {0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, @@ -474,6 +475,47 @@ static bool TestTransSessionKeys(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// page 10 +static bool TestLRPPlaintexts(void) { + bool res = true; + + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, false); + + uint8_t key0[] = {0xAC, 0x20, 0xD3, 0x9F, 0x53, 0x41, 0xFE, 0x98, 0xDF, 0xCA, 0x21, 0xDA, 0x86, 0xBA, 0x79, 0x14}; + res = res && (memcmp(ctx.plaintexts[0], key0, sizeof(key0)) == 0); + + uint8_t key1[] = {0x90, 0x7D, 0xA0, 0x3D, 0x67, 0x24, 0x49, 0x16, 0x69, 0x15, 0xE4, 0x56, 0x3E, 0x08, 0x9D, 0x6D}; + res = res && (memcmp(ctx.plaintexts[1], key1, sizeof(key1)) == 0); + + uint8_t key14[] = {0x37, 0xD7, 0x34, 0xA5, 0x1C, 0x07, 0x6E, 0xB8, 0x03, 0xBD, 0x53, 0x0E, 0x17, 0xEB, 0x87, 0xDC}; + res = res && (memcmp(ctx.plaintexts[14], key14, sizeof(key14)) == 0); + + uint8_t key15[] = {0x71, 0xB4, 0x44, 0xAF, 0x25, 0x7A, 0x93, 0x21, 0x53, 0x11, 0xD7, 0x58, 0xDD, 0x33, 0x32, 0x47}; + res = res && (memcmp(ctx.plaintexts[15], key15, sizeof(key15)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP plaintexts.... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP plaintexts.... " _RED_("fail")); + + return res; +} + +static bool TestLRPUpdatedKeys(void) { + bool res = true; + + + if (res) + PrintAndLogEx(INFO, "LRP updated keys.. " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP updated keys.. " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -492,6 +534,8 @@ bool DesfireTest(bool verbose) { res = res && TestEV2IVEncode(); res = res && TestEV2MAC(); res = res && TestTransSessionKeys(); + res = res && TestLRPPlaintexts(); + res = res && TestLRPUpdatedKeys(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 3f656d396..94f2b36c1 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -26,3 +26,62 @@ #include "aes.h" #include "commonutil.h" +static uint8_t constAA[] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}; +static uint8_t const55[] = {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; + +void LRPClearContext(LRPContext *ctx) { + memset(ctx->key, 0, CRYPTO_AES128_KEY_SIZE); + + ctx->useBitPadding = false; + ctx->plaintextsCount = 0; + memset(ctx->plaintexts, 0, LRP_MAX_PLAINTEXTS_SIZE * CRYPTO_AES128_KEY_SIZE); + ctx->updatedKeysCount = 0; + memset(ctx->updatedKeys, 0, LRP_MAX_UPDATED_KEYS_SIZE * CRYPTO_AES128_KEY_SIZE); + ctx->useUpdatedKeyNum = 0; +} + +void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding) { + LRPClearContext(ctx); + + memcpy(ctx->key, key, CRYPTO_AES128_KEY_SIZE); + + LRPGeneratePlaintexts(ctx, 16); + LRPGenerateUpdatedKeys(ctx, 4); + + ctx->useUpdatedKeyNum = updatedKeyNum; + ctx->useBitPadding = useBitPadding; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 1 +void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount) { + if (plaintextsCount > LRP_MAX_PLAINTEXTS_SIZE) + return; + + uint8_t h[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(h, ctx->key, CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < plaintextsCount; i++) { + aes_encode(NULL, h, const55, h, CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, h, constAA, ctx->plaintexts[i], CRYPTO_AES128_KEY_SIZE); + } + + ctx->plaintextsCount = plaintextsCount; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 2 +void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) { + if (updatedKeysCount > LRP_MAX_UPDATED_KEYS_SIZE) + return; + + uint8_t h[CRYPTO_AES128_KEY_SIZE] = {0}; + aes_encode(NULL, ctx->key, const55, h, CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < updatedKeysCount; i++) { + aes_encode(NULL, h, constAA, ctx->plaintexts[i], CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, h, const55, h, CRYPTO_AES128_KEY_SIZE); + } + + ctx->updatedKeysCount = updatedKeysCount; +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index 25369b36d..12e6a40e7 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -23,11 +23,24 @@ #include "common.h" #include "crypto/libpcrypto.h" +#define LRP_MAX_PLAINTEXTS_SIZE 16 +#define LRP_MAX_UPDATED_KEYS_SIZE 4 + typedef struct { uint8_t key[CRYPTO_AES128_KEY_SIZE]; + + bool useBitPadding; + size_t plaintextsCount; + uint8_t plaintexts[LRP_MAX_PLAINTEXTS_SIZE][CRYPTO_AES128_KEY_SIZE]; + size_t updatedKeysCount; + uint8_t updatedKeys[LRP_MAX_UPDATED_KEYS_SIZE][CRYPTO_AES128_KEY_SIZE]; + size_t useUpdatedKeyNum; } LRPContext; -void LRPSetKey(LRPContext *ctx); +void LRPClearContext(LRPContext *ctx); +void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding); +void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount); +void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); #endif // __LRPCRYPTO_H From 5df6732a1b64f1fd351761c0ee483de5899678bb Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 00:34:38 +0300 Subject: [PATCH 03/15] LRPGenerateUpdatedKeys ok --- client/src/mifare/desfiretest.c | 30 ++++++++++++++++++++++-------- client/src/mifare/lrpcrypto.c | 4 ++-- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 8a2c54fc7..210cff5a6 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -484,17 +484,17 @@ static bool TestLRPPlaintexts(void) { LRPContext ctx = {0}; LRPSetKey(&ctx, key, 0, false); - uint8_t key0[] = {0xAC, 0x20, 0xD3, 0x9F, 0x53, 0x41, 0xFE, 0x98, 0xDF, 0xCA, 0x21, 0xDA, 0x86, 0xBA, 0x79, 0x14}; - res = res && (memcmp(ctx.plaintexts[0], key0, sizeof(key0)) == 0); + uint8_t pt0[] = {0xAC, 0x20, 0xD3, 0x9F, 0x53, 0x41, 0xFE, 0x98, 0xDF, 0xCA, 0x21, 0xDA, 0x86, 0xBA, 0x79, 0x14}; + res = res && (memcmp(ctx.plaintexts[0], pt0, sizeof(pt0)) == 0); - uint8_t key1[] = {0x90, 0x7D, 0xA0, 0x3D, 0x67, 0x24, 0x49, 0x16, 0x69, 0x15, 0xE4, 0x56, 0x3E, 0x08, 0x9D, 0x6D}; - res = res && (memcmp(ctx.plaintexts[1], key1, sizeof(key1)) == 0); + uint8_t pt1[] = {0x90, 0x7D, 0xA0, 0x3D, 0x67, 0x24, 0x49, 0x16, 0x69, 0x15, 0xE4, 0x56, 0x3E, 0x08, 0x9D, 0x6D}; + res = res && (memcmp(ctx.plaintexts[1], pt1, sizeof(pt1)) == 0); - uint8_t key14[] = {0x37, 0xD7, 0x34, 0xA5, 0x1C, 0x07, 0x6E, 0xB8, 0x03, 0xBD, 0x53, 0x0E, 0x17, 0xEB, 0x87, 0xDC}; - res = res && (memcmp(ctx.plaintexts[14], key14, sizeof(key14)) == 0); + uint8_t pt14[] = {0x37, 0xD7, 0x34, 0xA5, 0x1C, 0x07, 0x6E, 0xB8, 0x03, 0xBD, 0x53, 0x0E, 0x17, 0xEB, 0x87, 0xDC}; + res = res && (memcmp(ctx.plaintexts[14], pt14, sizeof(pt14)) == 0); - uint8_t key15[] = {0x71, 0xB4, 0x44, 0xAF, 0x25, 0x7A, 0x93, 0x21, 0x53, 0x11, 0xD7, 0x58, 0xDD, 0x33, 0x32, 0x47}; - res = res && (memcmp(ctx.plaintexts[15], key15, sizeof(key15)) == 0); + uint8_t pt15[] = {0x71, 0xB4, 0x44, 0xAF, 0x25, 0x7A, 0x93, 0x21, 0x53, 0x11, 0xD7, 0x58, 0xDD, 0x33, 0x32, 0x47}; + res = res && (memcmp(ctx.plaintexts[15], pt15, sizeof(pt15)) == 0); if (res) PrintAndLogEx(INFO, "LRP plaintexts.... " _GREEN_("passed")); @@ -504,9 +504,23 @@ static bool TestLRPPlaintexts(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// page 12 static bool TestLRPUpdatedKeys(void) { bool res = true; + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, false); + + uint8_t key0[] = {0x16, 0x3D, 0x14, 0xED, 0x24, 0xED, 0x93, 0x53, 0x73, 0x56, 0x8E, 0xC5, 0x21, 0xE9, 0x6C, 0xF4}; + res = res && (memcmp(ctx.updatedKeys[0], key0, sizeof(key0)) == 0); + + uint8_t key1[] = {0x1C, 0x51, 0x9C, 0x00, 0x02, 0x08, 0xB9, 0x5A, 0x39, 0xA6, 0x5D, 0xB0, 0x58, 0x32, 0x71, 0x88}; + res = res && (memcmp(ctx.updatedKeys[1], key1, sizeof(key1)) == 0); + + uint8_t key2[] = {0xFE, 0x30, 0xAB, 0x50, 0x46, 0x7E, 0x61, 0x78, 0x3B, 0xFE, 0x6B, 0x5E, 0x05, 0x60, 0x16, 0x0E}; + res = res && (memcmp(ctx.updatedKeys[2], key2, sizeof(key2)) == 0); if (res) PrintAndLogEx(INFO, "LRP updated keys.. " _GREEN_("passed")); diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 94f2b36c1..033099a81 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -76,10 +76,10 @@ void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) { return; uint8_t h[CRYPTO_AES128_KEY_SIZE] = {0}; - aes_encode(NULL, ctx->key, const55, h, CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, ctx->key, constAA, h, CRYPTO_AES128_KEY_SIZE); for (int i = 0; i < updatedKeysCount; i++) { - aes_encode(NULL, h, constAA, ctx->plaintexts[i], CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, h, constAA, ctx->updatedKeys[i], CRYPTO_AES128_KEY_SIZE); aes_encode(NULL, h, const55, h, CRYPTO_AES128_KEY_SIZE); } From c8813a01238462b69f92bbc8c911201409c38edc Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 09:27:03 +0300 Subject: [PATCH 04/15] LRPEvalLRP ok --- client/src/mifare/desfiretest.c | 57 +++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 15 +++++++++ client/src/mifare/lrpcrypto.h | 2 +- 3 files changed, 73 insertions(+), 1 deletion(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 210cff5a6..cc8de88aa 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -530,6 +530,62 @@ static bool TestLRPUpdatedKeys(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.2 LRP Eval, page 13 +static bool TestLRPEval(void) { + bool res = true; + + LRPContext ctx = {0}; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + uint8_t iv[] = {0x13, 0x59}; + LRPSetKey(&ctx, key, 2, false); + LRPEvalLRP(&ctx, iv, sizeof(iv) * 2, true, y); + + uint8_t y1[] = {0x1B, 0xA2, 0xC0, 0xC5, 0x78, 0x99, 0x6B, 0xC4, 0x97, 0xDD, 0x18, 0x1C, 0x68, 0x85, 0xA9, 0xDD}; + res = res && (memcmp(y, y1, sizeof(y1)) == 0); + + uint8_t key2[] = {0xB6, 0x55, 0x57, 0xCE, 0x0E, 0x9B, 0x4C, 0x58, 0x86, 0xF2, 0x32, 0x20, 0x01, 0x13, 0x56, 0x2B}; + uint8_t iv2[] = {0xBB, 0x4F, 0xCF, 0x27, 0xC9, 0x40, 0x76, 0xF7, 0x56, 0xAB, 0x03, 0x0D}; + LRPSetKey(&ctx, key2, 1, false); + LRPEvalLRP(&ctx, iv2, sizeof(iv2) * 2, false, y); + + uint8_t y2[] = {0x6F, 0xDF, 0xA8, 0xD2, 0xA6, 0xAA, 0x84, 0x76, 0xBF, 0x94, 0xE7, 0x1F, 0x25, 0x63, 0x7F, 0x96}; + res = res && (memcmp(y, y2, sizeof(y2)) == 0); + + uint8_t key3[] = {0xC4, 0x8A, 0x8E, 0x8B, 0x16, 0x57, 0x16, 0x45, 0xA1, 0x55, 0x78, 0x25, 0xAA, 0x66, 0xAC, 0x91}; + uint8_t iv3[] = {0x1F, 0x0B, 0x7C, 0x0D, 0xB1, 0x28, 0x89, 0xCA, 0x43, 0x6C, 0xAB, 0xB7, 0x8B, 0xE4, 0x2F, 0x90}; + LRPSetKey(&ctx, key3, 3, false); + LRPEvalLRP(&ctx, iv3, sizeof(iv3) * 2 - 1, true, y); + + uint8_t y3[] = {0x51, 0x29, 0x6B, 0x5E, 0x6D, 0x3B, 0x8D, 0xB8, 0xA1, 0xA7, 0x39, 0x97, 0x60, 0xA1, 0x91, 0x89}; + res = res && (memcmp(y, y3, sizeof(y3)) == 0); + + uint8_t key4[] = {0x54, 0x9C, 0x67, 0xEC, 0xD6, 0x0E, 0x84, 0x8F, 0x77, 0x39, 0x90, 0x99, 0x0C, 0xAC, 0x68, 0x1E}; + uint8_t iv4[] = {0x47, 0x5B, 0xB4, 0x18, 0x78, 0xEB, 0x17, 0x46, 0x8F, 0x7A, 0x68, 0x84, 0x7D, 0xDD, 0x3B, 0xAC}; + LRPSetKey(&ctx, key4, 3, false); + LRPEvalLRP(&ctx, iv4, sizeof(iv4) * 2, true, y); + + uint8_t y4[] = {0xC3, 0xB5, 0xEE, 0x74, 0xA7, 0x22, 0xE7, 0x84, 0x88, 0x7C, 0x4C, 0x9F, 0xDB, 0x49, 0x78, 0x55}; + res = res && (memcmp(y, y4, sizeof(y4)) == 0); + + uint8_t key5[] = {0x80, 0x6A, 0x50, 0x53, 0x0D, 0x77, 0x35, 0xB4, 0x0A, 0xC4, 0xEF, 0x16, 0x38, 0xE8, 0xAD, 0x6A}; + uint8_t iv5[] = {0xD4, 0x13, 0x77, 0x64, 0x71, 0x6D, 0xBC, 0x8C, 0x57, 0x9B, 0xEA, 0xB7, 0xE7, 0x67, 0x54, 0xE0}; + LRPSetKey(&ctx, key5, 3, false); + LRPEvalLRP(&ctx, iv5, sizeof(iv5) * 2 - 1, false, y); + + uint8_t y5[] = {0xCF, 0x99, 0x13, 0x92, 0xF0, 0x36, 0x93, 0x50, 0xA7, 0xE2, 0x1B, 0xE5, 0x2F, 0x74, 0x88, 0x21}; + res = res && (memcmp(y, y5, sizeof(y5)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP eval.......... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP eval.......... " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -550,6 +606,7 @@ bool DesfireTest(bool verbose) { res = res && TestTransSessionKeys(); res = res && TestLRPPlaintexts(); res = res && TestLRPUpdatedKeys(); + res = res && TestLRPEval(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 033099a81..54d374f22 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -28,6 +28,7 @@ static uint8_t constAA[] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}; static uint8_t const55[] = {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; +static uint8_t const00[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; void LRPClearContext(LRPContext *ctx) { memset(ctx->key, 0, CRYPTO_AES128_KEY_SIZE); @@ -85,3 +86,17 @@ void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) { ctx->updatedKeysCount = updatedKeysCount; } + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 3 +void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y) { + memcpy(y, ctx->updatedKeys[ctx->useUpdatedKeyNum], CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < ivlen; i++) { + uint8_t nk = (i % 2) ? iv[i / 2] & 0x0f : (iv[i / 2] >> 4) & 0x0f; + aes_encode(NULL, y, ctx->plaintexts[nk], y, CRYPTO_AES128_KEY_SIZE); + } + + if (final) + aes_encode(NULL, y, const00, y, CRYPTO_AES128_KEY_SIZE); +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index 12e6a40e7..122e06911 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -41,6 +41,6 @@ void LRPClearContext(LRPContext *ctx); void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding); void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount); void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); - +void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y); #endif // __LRPCRYPTO_H From ae3ba512f08b0799db23654f6ea6e5cc5af6c44e Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 11:52:32 +0300 Subject: [PATCH 05/15] LRPIncCounter --- client/src/mifare/desfiretest.c | 32 ++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 20 ++++++++++++++++++++ client/src/mifare/lrpcrypto.h | 2 ++ 3 files changed, 54 insertions(+) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index cc8de88aa..2cd8ba1be 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -586,6 +586,37 @@ static bool TestLRPEval(void) { return res; } +static bool TestLRPIncCounter(void) { + bool res = true; + + uint8_t ctr1[] = {0x00, 0x01}; + LRPIncCounter(ctr1, 4); + uint8_t ctrr1[] = {0x00, 0x02}; + res = res && (memcmp(ctr1, ctrr1, sizeof(ctrr1)) == 0); + + uint8_t ctr2[] = {0x00, 0xf0}; + LRPIncCounter(ctr2, 3); + uint8_t ctrr2[] = {0x01, 0x00}; + res = res && (memcmp(ctr2, ctrr2, sizeof(ctrr2)) == 0); + + uint8_t ctr3[] = {0xff, 0xf0}; + LRPIncCounter(ctr3, 3); + uint8_t ctrr3[] = {0x00, 0x00}; + res = res && (memcmp(ctr3, ctrr3, sizeof(ctrr3)) == 0); + + uint8_t ctr4[] = {0xf0}; + LRPIncCounter(ctr4, 1); + uint8_t ctrr4[] = {0x00}; + res = res && (memcmp(ctr4, ctrr4, sizeof(ctrr4)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP inc counter... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP inc counter... " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -607,6 +638,7 @@ bool DesfireTest(bool verbose) { res = res && TestLRPPlaintexts(); res = res && TestLRPUpdatedKeys(); res = res && TestLRPEval(); + res = res && TestLRPIncCounter(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 54d374f22..217747dc8 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -100,3 +100,23 @@ void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t if (final) aes_encode(NULL, y, const00, y, CRYPTO_AES128_KEY_SIZE); } + +void LRPIncCounter(uint8_t *ctr, size_t ctrlen) { + bool carry = true; + for (int i = ctrlen - 1; i >= 0; i--) { + uint8_t nk = (i % 2) ? ctr[i / 2] & 0x0f : (ctr[i / 2] >> 4) & 0x0f; + + if (carry) + nk++; + + carry = (nk > 0xf); + if (i % 2) + ctr[i / 2] = (ctr[i / 2] & 0xf0) | (nk & 0x0f); + else + ctr[i / 2] = (ctr[i / 2] & 0x0f) | ((nk << 4) & 0xf0); + + if(!carry) + break; + } +} + diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index 122e06911..a8dbefdb6 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -42,5 +42,7 @@ void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitP void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount); void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y); +void LRPIncCounter(uint8_t *ctr, size_t ctrlen); +void LRPEncode(LRPContext *ctx, uint8_t *ctr, size_t ctrlen, uint8_t *resp, size_t *resplen); #endif // __LRPCRYPTO_H From e56243501e7a0f4cc2c2b2e25155edd08fcede47 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 12:41:09 +0300 Subject: [PATCH 06/15] LRPEncode ok --- client/src/mifare/desfiretest.c | 27 ++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 37 +++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.h | 8 ++++++- 3 files changed, 71 insertions(+), 1 deletion(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 2cd8ba1be..2eb9f703d 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -617,6 +617,32 @@ static bool TestLRPIncCounter(void) { return res; } +static bool TestLRPEncode(void) { + bool res = true; + + uint8_t resp[100] = {0}; + size_t resplen = 0; + + LRPContext ctx = {0}; + + uint8_t key1[] = {0xE0, 0xC4, 0x93, 0x5F, 0xF0, 0xC2, 0x54, 0xCD, 0x2C, 0xEF, 0x8F, 0xDD, 0xC3, 0x24, 0x60, 0xCF}; + uint8_t iv1[] = {0xC3, 0x31, 0x5D, 0xBF}; + LRPSetKeyEx(&ctx, key1, iv1, sizeof(iv1) * 2, 0, true); + uint8_t data1[] = {0x01, 0x2D, 0x7F, 0x16, 0x53, 0xCA, 0xF6, 0x50, 0x3C, 0x6A, 0xB0, 0xC1, 0x01, 0x0E, 0x8C, 0xB0}; + LRPEncode(&ctx, data1, sizeof (data1), resp, &resplen); + uint8_t res1[] = {0xFC, 0xBB, 0xAC, 0xAA, 0x4F, 0x29, 0x18, 0x24, 0x64, 0xF9, 0x9D, 0xE4, 0x10, 0x85, 0x26, 0x6F, + 0x48, 0x0E, 0x86, 0x3E, 0x48, 0x7B, 0xAA, 0xF6, 0x87, 0xB4, 0x3E, 0xD1, 0xEC, 0xE0, 0xD6, 0x23}; + res = res && (resplen == sizeof(res1)); + res = res && (memcmp(resp, res1, sizeof(res1)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP encode........ " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP encode........ " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -639,6 +665,7 @@ bool DesfireTest(bool verbose) { res = res && TestLRPUpdatedKeys(); res = res && TestLRPEval(); res = res && TestLRPIncCounter(); + res = res && TestLRPEncode(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 217747dc8..bff85d289 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -53,6 +53,17 @@ void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitP ctx->useBitPadding = useBitPadding; } +void LRPSetCounter(LRPContext *ctx, uint8_t *counter, size_t counterLenNibbles) { + memcpy(ctx->counter, counter, counterLenNibbles / 2); + ctx->counterLenNibbles = counterLenNibbles; +} + +void LRPSetKeyEx(LRPContext *ctx, uint8_t *key, uint8_t *counter, size_t counterLenNibbles, size_t updatedKeyNum, bool useBitPadding){ + LRPSetKey(ctx, key, updatedKeyNum, useBitPadding); + LRPSetCounter(ctx, counter, counterLenNibbles); +} + + // https://www.nxp.com/docs/en/application-note/AN12304.pdf // Algorithm 1 void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount) { @@ -120,3 +131,29 @@ void LRPIncCounter(uint8_t *ctr, size_t ctrlen) { } } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 4 +void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen) { + *resplen = 0; + + uint8_t xdata[1024] = {0}; + memcpy(xdata, data, datalen); + if (ctx->useBitPadding) { + xdata[datalen] = 0x80; + datalen++; + } + + if (datalen % CRYPTO_AES128_KEY_SIZE) + datalen = datalen + CRYPTO_AES128_KEY_SIZE - (datalen % CRYPTO_AES128_KEY_SIZE); + + if (datalen == 0) + return; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + LRPEvalLRP(ctx, ctx->counter, ctx->counterLenNibbles, true, y); + aes_encode(NULL, y, &xdata[i * CRYPTO_AES128_KEY_SIZE], &resp[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + *resplen += CRYPTO_AES128_KEY_SIZE; + LRPIncCounter(ctx->counter, ctx->counterLenNibbles); + } +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index a8dbefdb6..17e0858f0 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -25,6 +25,7 @@ #define LRP_MAX_PLAINTEXTS_SIZE 16 #define LRP_MAX_UPDATED_KEYS_SIZE 4 +#define LRP_MAX_COUNTER_SIZE (CRYPTO_AES128_KEY_SIZE * 4) typedef struct { uint8_t key[CRYPTO_AES128_KEY_SIZE]; @@ -35,14 +36,19 @@ typedef struct { size_t updatedKeysCount; uint8_t updatedKeys[LRP_MAX_UPDATED_KEYS_SIZE][CRYPTO_AES128_KEY_SIZE]; size_t useUpdatedKeyNum; + + uint8_t counter[LRP_MAX_COUNTER_SIZE]; + size_t counterLenNibbles; // len in bytes * 2 (or * 2 - 1) } LRPContext; void LRPClearContext(LRPContext *ctx); void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding); +void LRPSetKeyEx(LRPContext *ctx, uint8_t *key, uint8_t *counter, size_t counterLenNibbles, size_t updatedKeyNum, bool useBitPadding); +void LRPSetCounter(LRPContext *ctx, uint8_t *counter, size_t counterLenNibbles); void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount); void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y); void LRPIncCounter(uint8_t *ctr, size_t ctrlen); -void LRPEncode(LRPContext *ctx, uint8_t *ctr, size_t ctrlen, uint8_t *resp, size_t *resplen); +void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); #endif // __LRPCRYPTO_H From b8968e2835f6fb1b8780f11a9f7fafd554ec91bd Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 13:09:57 +0300 Subject: [PATCH 07/15] TestLRPEncode --- client/src/mifare/desfiretest.c | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 2eb9f703d..bd6ba8945 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -635,6 +635,45 @@ static bool TestLRPEncode(void) { res = res && (resplen == sizeof(res1)); res = res && (memcmp(resp, res1, sizeof(res1)) == 0); + uint8_t key2[] = {0xEF, 0xA5, 0xB7, 0x42, 0x9C, 0xD1, 0x53, 0xBF, 0x00, 0x86, 0xDE, 0xF9, 0x00, 0xC0, 0xF2, 0x35}; + uint8_t iv2[] = {0x90, 0x36, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key2, iv2, sizeof(iv2) * 2, 0, false); + uint8_t data2[] = {0xE7, 0xF6, 0x1E, 0x01, 0x2F, 0x4F, 0x32, 0x55, 0x31, 0x2B, 0xA6, 0x8B, 0x1D, 0x2F, 0xDA, 0xBF}; + LRPEncode(&ctx, data2, sizeof (data2), resp, &resplen); + uint8_t res2[] = {0xEA, 0x6E, 0x09, 0xAC, 0x2F, 0xB9, 0x7E, 0x10, 0x2D, 0x8C, 0xA6, 0x4C, 0x1C, 0xBC, 0x0C, 0x0C}; + res = res && (resplen == sizeof(res2)); + res = res && (memcmp(resp, res2, sizeof(res2)) == 0); + + uint8_t key3[] = {0x9D, 0x81, 0x31, 0x34, 0xCF, 0xDE, 0xE9, 0xD5, 0x87, 0x55, 0xDE, 0xAC, 0xD4, 0xAF, 0x72, 0xA7}; + uint8_t iv3[] = {0xFF, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key3, iv3, sizeof(iv3) * 2, 0, true); + uint8_t data3[] = {0x27}; + LRPEncode(&ctx, data3, sizeof (data3), resp, &resplen); + uint8_t res3[] = {0xF5, 0x83, 0x3F, 0xC3, 0x97, 0x35, 0x6E, 0xA3, 0xD9, 0xEC, 0xAD, 0xBB, 0x9F, 0x6F, 0xE4, 0x40}; + res = res && (resplen == sizeof(res3)); + res = res && (memcmp(resp, res3, sizeof(res3)) == 0); + + uint8_t key4[] = {0xF5, 0xC3, 0xE9, 0x9F, 0xB7, 0x5E, 0x31, 0x6B, 0x76, 0x68, 0x9F, 0xC5, 0x46, 0x42, 0x60, 0xCD}; + uint8_t iv4[] = {0x07, 0x97, 0xF6, 0xB7}; + LRPSetKeyEx(&ctx, key4, iv4, sizeof(iv4) * 2, 0, true); + LRPEncode(&ctx, NULL, 0, resp, &resplen); + uint8_t res4[] = {0x93, 0xDC, 0x3E, 0xE1, 0x4B, 0x61, 0x2B, 0xE6, 0xA3, 0xE9, 0xE2, 0xE8, 0x04, 0x0C, 0xDF, 0xCB}; + res = res && (resplen == sizeof(res4)); + res = res && (memcmp(resp, res4, sizeof(res4)) == 0); + + uint8_t key5[] = {0x9B, 0x1E, 0x41, 0x8D, 0xF9, 0x75, 0x2F, 0x37, 0xEB, 0xBD, 0x8E, 0xE8, 0x33, 0xBD, 0xF2, 0xD7}; + uint8_t iv5[] = {0x24, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key5, iv5, sizeof(iv5) * 2, 0, true); + uint8_t data5[] = {0x55, 0x53, 0x4E, 0x15, 0x9F, 0x14, 0xDD, 0x77, 0x31, 0x36, 0x89, 0x88, 0xEE, 0x6D, 0xD7, 0xC6, + 0x11, 0x4E, 0x74, 0x7F, 0x9C, 0x17, 0xA9, 0x1B, 0xBC, 0x12, 0xD6, 0x8C, 0x26, 0x53, 0x1F, 0x2F, + 0xFC, 0xFC}; + LRPEncode(&ctx, data5, sizeof (data5), resp, &resplen); + uint8_t res5[] = {0x15, 0x8B, 0x3B, 0x9C, 0x61, 0x36, 0xFB, 0x71, 0x5C, 0xCF, 0x43, 0x5C, 0xA4, 0xCA, 0xDE, 0x80, + 0x8D, 0x1F, 0x98, 0x43, 0x13, 0x27, 0x06, 0x1A, 0x9A, 0x64, 0xD5, 0x2A, 0x5F, 0xE7, 0xB2, 0x74, + 0x6D, 0x7F, 0x5A, 0x63, 0x3F, 0xC0, 0xCF, 0xE7, 0x85, 0x56, 0x56, 0xAD, 0x3C, 0x6B, 0x94, 0xCF}; + res = res && (resplen == sizeof(res5)); + res = res && (memcmp(resp, res5, sizeof(res5)) == 0); + if (res) PrintAndLogEx(INFO, "LRP encode........ " _GREEN_("passed")); else From 20a3bca52476b2c1b6f1b3b59885e97be165a407 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 14 Aug 2021 13:24:59 +0300 Subject: [PATCH 08/15] LRPDecode --- client/src/mifare/desfiretest.c | 65 +++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 24 ++++++++++++ client/src/mifare/lrpcrypto.h | 1 + 3 files changed, 90 insertions(+) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index bd6ba8945..c615b70c3 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -682,6 +682,70 @@ static bool TestLRPEncode(void) { return res; } +static bool TestLRPDecode(void) { + bool res = true; + + uint8_t resp[100] = {0}; + size_t resplen = 0; + + LRPContext ctx = {0}; + + uint8_t key1[] = {0xE0, 0xC4, 0x93, 0x5F, 0xF0, 0xC2, 0x54, 0xCD, 0x2C, 0xEF, 0x8F, 0xDD, 0xC3, 0x24, 0x60, 0xCF}; + uint8_t iv1[] = {0xC3, 0x31, 0x5D, 0xBF}; + LRPSetKeyEx(&ctx, key1, iv1, sizeof(iv1) * 2, 0, true); + uint8_t data1[] = {0xFC, 0xBB, 0xAC, 0xAA, 0x4F, 0x29, 0x18, 0x24, 0x64, 0xF9, 0x9D, 0xE4, 0x10, 0x85, 0x26, 0x6F, + 0x48, 0x0E, 0x86, 0x3E, 0x48, 0x7B, 0xAA, 0xF6, 0x87, 0xB4, 0x3E, 0xD1, 0xEC, 0xE0, 0xD6, 0x23}; + LRPDecode(&ctx, data1, sizeof (data1), resp, &resplen); + uint8_t res1[] = {0x01, 0x2D, 0x7F, 0x16, 0x53, 0xCA, 0xF6, 0x50, 0x3C, 0x6A, 0xB0, 0xC1, 0x01, 0x0E, 0x8C, 0xB0}; + res = res && (resplen == sizeof(res1)); + res = res && (memcmp(resp, res1, sizeof(res1)) == 0); + + uint8_t key2[] = {0xEF, 0xA5, 0xB7, 0x42, 0x9C, 0xD1, 0x53, 0xBF, 0x00, 0x86, 0xDE, 0xF9, 0x00, 0xC0, 0xF2, 0x35}; + uint8_t iv2[] = {0x90, 0x36, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key2, iv2, sizeof(iv2) * 2, 0, false); + uint8_t data2[] = {0xEA, 0x6E, 0x09, 0xAC, 0x2F, 0xB9, 0x7E, 0x10, 0x2D, 0x8C, 0xA6, 0x4C, 0x1C, 0xBC, 0x0C, 0x0C}; + LRPDecode(&ctx, data2, sizeof (data2), resp, &resplen); + uint8_t res2[] = {0xE7, 0xF6, 0x1E, 0x01, 0x2F, 0x4F, 0x32, 0x55, 0x31, 0x2B, 0xA6, 0x8B, 0x1D, 0x2F, 0xDA, 0xBF}; + res = res && (resplen == sizeof(res2)); + res = res && (memcmp(resp, res2, sizeof(res2)) == 0); + + uint8_t key3[] = {0x9D, 0x81, 0x31, 0x34, 0xCF, 0xDE, 0xE9, 0xD5, 0x87, 0x55, 0xDE, 0xAC, 0xD4, 0xAF, 0x72, 0xA7}; + uint8_t iv3[] = {0xFF, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key3, iv3, sizeof(iv3) * 2, 0, true); + uint8_t data3[] = {0xF5, 0x83, 0x3F, 0xC3, 0x97, 0x35, 0x6E, 0xA3, 0xD9, 0xEC, 0xAD, 0xBB, 0x9F, 0x6F, 0xE4, 0x40}; + LRPDecode(&ctx, data3, sizeof (data3), resp, &resplen); + uint8_t res3[] = {0x27}; + res = res && (resplen == sizeof(res3)); + res = res && (memcmp(resp, res3, sizeof(res3)) == 0); + + uint8_t key4[] = {0xF5, 0xC3, 0xE9, 0x9F, 0xB7, 0x5E, 0x31, 0x6B, 0x76, 0x68, 0x9F, 0xC5, 0x46, 0x42, 0x60, 0xCD}; + uint8_t iv4[] = {0x07, 0x97, 0xF6, 0xB7}; + LRPSetKeyEx(&ctx, key4, iv4, sizeof(iv4) * 2, 0, true); + uint8_t data4[] = {0x93, 0xDC, 0x3E, 0xE1, 0x4B, 0x61, 0x2B, 0xE6, 0xA3, 0xE9, 0xE2, 0xE8, 0x04, 0x0C, 0xDF, 0xCB}; + LRPDecode(&ctx, data4, sizeof(data4), resp, &resplen); + res = res && (resplen == 0); + + uint8_t key5[] = {0x9B, 0x1E, 0x41, 0x8D, 0xF9, 0x75, 0x2F, 0x37, 0xEB, 0xBD, 0x8E, 0xE8, 0x33, 0xBD, 0xF2, 0xD7}; + uint8_t iv5[] = {0x24, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key5, iv5, sizeof(iv5) * 2, 0, true); + uint8_t data5[] = {0x15, 0x8B, 0x3B, 0x9C, 0x61, 0x36, 0xFB, 0x71, 0x5C, 0xCF, 0x43, 0x5C, 0xA4, 0xCA, 0xDE, 0x80, + 0x8D, 0x1F, 0x98, 0x43, 0x13, 0x27, 0x06, 0x1A, 0x9A, 0x64, 0xD5, 0x2A, 0x5F, 0xE7, 0xB2, 0x74, + 0x6D, 0x7F, 0x5A, 0x63, 0x3F, 0xC0, 0xCF, 0xE7, 0x85, 0x56, 0x56, 0xAD, 0x3C, 0x6B, 0x94, 0xCF}; + LRPDecode(&ctx, data5, sizeof (data5), resp, &resplen); + uint8_t res5[] = {0x55, 0x53, 0x4E, 0x15, 0x9F, 0x14, 0xDD, 0x77, 0x31, 0x36, 0x89, 0x88, 0xEE, 0x6D, 0xD7, 0xC6, + 0x11, 0x4E, 0x74, 0x7F, 0x9C, 0x17, 0xA9, 0x1B, 0xBC, 0x12, 0xD6, 0x8C, 0x26, 0x53, 0x1F, 0x2F, + 0xFC, 0xFC}; + res = res && (resplen == sizeof(res5)); + res = res && (memcmp(resp, res5, sizeof(res5)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP decode........ " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP decode........ " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -705,6 +769,7 @@ bool DesfireTest(bool verbose) { res = res && TestLRPEval(); res = res && TestLRPIncCounter(); res = res && TestLRPEncode(); + res = res && TestLRPDecode(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index bff85d289..5f5432487 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -157,3 +157,27 @@ void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, si LRPIncCounter(ctx->counter, ctx->counterLenNibbles); } } + +void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen) { + *resplen = 0; + if (datalen % CRYPTO_AES128_KEY_SIZE) + return; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + LRPEvalLRP(ctx, ctx->counter, ctx->counterLenNibbles, true, y); + aes_decode(NULL, y, &data[i * CRYPTO_AES128_KEY_SIZE], &resp[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + *resplen += CRYPTO_AES128_KEY_SIZE; + LRPIncCounter(ctx->counter, ctx->counterLenNibbles); + } + + // search padding + if (ctx->useBitPadding) { + for (int i = *resplen - 1; i >= *resplen - CRYPTO_AES128_KEY_SIZE; i--) { + if (resp[i] == 0x80) + *resplen = i; + if (resp[i] != 0x00) + break; + } + } +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index 17e0858f0..cccf72437 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -50,5 +50,6 @@ void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y); void LRPIncCounter(uint8_t *ctr, size_t ctrlen); void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); +void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); #endif // __LRPCRYPTO_H From 5fac4cf1140f3020564e9973aecb4ab8a0aff72a Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sun, 15 Aug 2021 15:21:29 +0300 Subject: [PATCH 09/15] cov 354821 --- client/src/cmdhfmfdes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index c55886f91..e04d27774 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4970,7 +4970,7 @@ static int CmdHF14ADesWriteData(const char *Cmd) { DesfireGenTransSessionKey(trkey, transactionCounter, uid, false, sessionkey); aes_decode(NULL, sessionkey, resp, resp, CRYPTO_AES_BLOCK_SIZE); - PrintAndLogEx(INFO, "Prev reader id [%d]: %s", resplen, sprint_hex(resp, resplen)); + PrintAndLogEx(INFO, "Prev reader id [%zu]: %s", resplen, sprint_hex(resp, resplen)); } readeridpushed = true; From 3c6fdffed33c6d33438ce53c88560496f1d78be2 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 12:43:46 +0300 Subject: [PATCH 10/15] LRP subkeys works --- client/src/mifare/desfiretest.c | 38 ++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.c | 41 +++++++++++++++++++++++++++++++++ client/src/mifare/lrpcrypto.h | 2 ++ 3 files changed, 81 insertions(+) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index c615b70c3..dac1416ec 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -746,6 +746,42 @@ static bool TestLRPDecode(void) { return res; } +static bool TestLRPSubkeys(void) { + bool res = true; + + uint8_t sk1[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t sk2[CRYPTO_AES128_KEY_SIZE] = {0}; + + uint8_t key1[] = {0x81, 0x95, 0x08, 0x8C, 0xE6, 0xC3, 0x93, 0x70, 0x8E, 0xBB, 0xE6, 0xC7, 0x91, 0x4E, 0xCB, 0x0B}; + + uint8_t sk1r1[] = {0x16, 0x91, 0x2B, 0x8D, 0x19, 0xD9, 0x4B, 0x2D, 0x4D, 0xA4, 0xFF, 0xA1, 0xCA, 0xD2, 0x18, 0x23}; + uint8_t sk2r1[] = {0x2D, 0x22, 0x57, 0x1A, 0x33, 0xB2, 0x96, 0x5A, 0x9B, 0x49, 0xFF, 0x43, 0x95, 0xA4, 0x30, 0x46}; + + LRPGenSubkeys(key1, sk1, sk2); + res = res && (memcmp(sk1, sk1r1, sizeof(sk1r1)) == 0); + res = res && (memcmp(sk2, sk2r1, sizeof(sk2r1)) == 0); + + + if (res) + PrintAndLogEx(INFO, "LRP subkeys....... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP subkeys....... " _RED_("fail")); + + return res; +} + +static bool TestLRPCMAC(void) { + bool res = true; + + + if (res) + PrintAndLogEx(INFO, "LRP CMAC.......... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP CMAC.......... " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -770,6 +806,8 @@ bool DesfireTest(bool verbose) { res = res && TestLRPIncCounter(); res = res && TestLRPEncode(); res = res && TestLRPDecode(); + res = res && TestLRPSubkeys(); + res = res && TestLRPCMAC(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 5f5432487..4a7e2eb72 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -181,3 +181,44 @@ void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, si } } } + +static bool shiftLeftBe(uint8_t *data, size_t length) { + if (length == 0) + return false; + + bool carry = false; + for (int i = length - 1; i >= 0; i--) { + uint8_t val = data[i]; + val = (val << 1) | ((carry) ? 1 : 0); + carry = ((data[i] & 0x80) != 0); + data[i] = val; + } + return carry; +} + +// GF(2 ^ 128) +// poly x^128 + x ^ 7 + x ^ 2 + x + 1 +// bit: 1000..0010000111 == 0x1 00 00 .. 00 00 87 +static void shiftPolyLeft(uint8_t *data) { + if (shiftLeftBe(data, 16)) + data[15] = data[15] ^ 0x87; +} + +void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2) { + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, true); + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + LRPEvalLRP(&ctx, const00, CRYPTO_AES128_KEY_SIZE * 2, true, y); +PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); + shiftPolyLeft(y); + memcpy(sk1, y, CRYPTO_AES128_KEY_SIZE); +PrintAndLogEx(ERR, "--sk1 %s", sprint_hex(y, 16)); + shiftPolyLeft(y); + memcpy(sk2, y, CRYPTO_AES128_KEY_SIZE); +PrintAndLogEx(ERR, "--sk2 %s", sprint_hex(y, 16)); +} + +void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { + +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index cccf72437..fe0334d9d 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -51,5 +51,7 @@ void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t void LRPIncCounter(uint8_t *ctr, size_t ctrlen); void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); +void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2); +void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac); #endif // __LRPCRYPTO_H From 0f987a73cf3206affd16dad6edf64c8c65b60138 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 13:36:01 +0300 Subject: [PATCH 11/15] cmac one case works --- client/src/mifare/desfiretest.c | 24 ++++++++++++++++++ client/src/mifare/lrpcrypto.c | 43 ++++++++++++++++++++++++++++++--- client/src/mifare/lrpcrypto.h | 3 +++ 3 files changed, 67 insertions(+), 3 deletions(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index dac1416ec..1a4d40d56 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -6,6 +6,9 @@ // the license. //----------------------------------------------------------------------------- // tests for desfire +// +// tests for LRP here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf +// //----------------------------------------------------------------------------- #include "desfiretest.h" @@ -746,6 +749,8 @@ static bool TestLRPDecode(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.4 LRP CMAC static bool TestLRPSubkeys(void) { bool res = true; @@ -770,9 +775,28 @@ static bool TestLRPSubkeys(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.4 LRP CMAC static bool TestLRPCMAC(void) { bool res = true; + LRPContext ctx = {0}; + uint8_t cmac[CRYPTO_AES128_KEY_SIZE] = {0}; + + uint8_t key1[] = {0x81, 0x95, 0x08, 0x8C, 0xE6, 0xC3, 0x93, 0x70, 0x8E, 0xBB, 0xE6, 0xC7, 0x91, 0x4E, 0xCB, 0x0B}; + LRPSetKey(&ctx, key1, 0, true); + uint8_t data1[] = {0xBB, 0xD5, 0xB8, 0x57, 0x72, 0xC7}; + LRPCMAC(&ctx, data1, sizeof(data1), cmac); + uint8_t cmacres1[] = {0xAD, 0x85, 0x95, 0xE0, 0xB4, 0x9C, 0x5C, 0x0D, 0xB1, 0x8E, 0x77, 0x35, 0x5F, 0x5A, 0xAF, 0xF6}; + res = res && (memcmp(cmac, cmacres1, sizeof(cmacres1)) == 0); + + /*uint8_t key2[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; + LRPSetKey(&ctx, key2, 0, true); + uint8_t data2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; + LRPCMAC(&ctx, data2, sizeof(data2), cmac); + uint8_t cmacres2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; + res = res && (memcmp(cmac, cmacres2, sizeof(cmacres2)) == 0); +*/ if (res) PrintAndLogEx(INFO, "LRP CMAC.......... " _GREEN_("passed")); diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 4a7e2eb72..0e55b3ca8 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -15,6 +15,9 @@ * along with this program. If not, see * * $Id$ + * + * description here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf + * */ #include "lrpcrypto.h" @@ -51,6 +54,9 @@ void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitP ctx->useUpdatedKeyNum = updatedKeyNum; ctx->useBitPadding = useBitPadding; + + memcpy(ctx->counter, const00, CRYPTO_AES128_KEY_SIZE); + ctx->counterLenNibbles = CRYPTO_AES128_KEY_SIZE; } void LRPSetCounter(LRPContext *ctx, uint8_t *counter, size_t counterLenNibbles) { @@ -158,6 +164,8 @@ void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, si } } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 5 void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen) { *resplen = 0; if (datalen % CRYPTO_AES128_KEY_SIZE) @@ -199,7 +207,7 @@ static bool shiftLeftBe(uint8_t *data, size_t length) { // GF(2 ^ 128) // poly x^128 + x ^ 7 + x ^ 2 + x + 1 // bit: 1000..0010000111 == 0x1 00 00 .. 00 00 87 -static void shiftPolyLeft(uint8_t *data) { +static void mulPolyX(uint8_t *data) { if (shiftLeftBe(data, 16)) data[15] = data[15] ^ 0x87; } @@ -211,14 +219,43 @@ void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2) { uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; LRPEvalLRP(&ctx, const00, CRYPTO_AES128_KEY_SIZE * 2, true, y); PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); - shiftPolyLeft(y); + mulPolyX(y); memcpy(sk1, y, CRYPTO_AES128_KEY_SIZE); PrintAndLogEx(ERR, "--sk1 %s", sprint_hex(y, 16)); - shiftPolyLeft(y); + mulPolyX(y); memcpy(sk2, y, CRYPTO_AES128_KEY_SIZE); PrintAndLogEx(ERR, "--sk2 %s", sprint_hex(y, 16)); } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 6 void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { + uint8_t sk1[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t sk2[CRYPTO_AES128_KEY_SIZE] = {0}; + LRPGenSubkeys(ctx->key, sk1, sk2); + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + size_t clen = 0; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + bin_xor(y, &data[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, y); + clen += CRYPTO_AES128_KEY_SIZE; + } + + size_t bllen = datalen - clen; + // padding + if (bllen > 0) { + uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(bl, &data[clen * CRYPTO_AES128_KEY_SIZE], bllen); + bl[bllen] = 0x80; + bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); + } + + // if there is more data + if (bllen == 0) + bin_xor(y, sk1, CRYPTO_AES128_KEY_SIZE); + else + bin_xor(y, sk2, CRYPTO_AES128_KEY_SIZE); + + LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, cmac); } diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h index fe0334d9d..19a811137 100644 --- a/client/src/mifare/lrpcrypto.h +++ b/client/src/mifare/lrpcrypto.h @@ -15,6 +15,9 @@ * along with this program. If not, see * * $Id$ + * + * description here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf + * */ #ifndef __LRPCRYPTO_H From faa6571e9c2691dcff6109a4d97f571fcd7d70ea Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 13:51:28 +0300 Subject: [PATCH 12/15] add subkeys test --- client/src/mifare/desfiretest.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 1a4d40d56..268fb1383 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -758,14 +758,28 @@ static bool TestLRPSubkeys(void) { uint8_t sk2[CRYPTO_AES128_KEY_SIZE] = {0}; uint8_t key1[] = {0x81, 0x95, 0x08, 0x8C, 0xE6, 0xC3, 0x93, 0x70, 0x8E, 0xBB, 0xE6, 0xC7, 0x91, 0x4E, 0xCB, 0x0B}; - uint8_t sk1r1[] = {0x16, 0x91, 0x2B, 0x8D, 0x19, 0xD9, 0x4B, 0x2D, 0x4D, 0xA4, 0xFF, 0xA1, 0xCA, 0xD2, 0x18, 0x23}; uint8_t sk2r1[] = {0x2D, 0x22, 0x57, 0x1A, 0x33, 0xB2, 0x96, 0x5A, 0x9B, 0x49, 0xFF, 0x43, 0x95, 0xA4, 0x30, 0x46}; LRPGenSubkeys(key1, sk1, sk2); res = res && (memcmp(sk1, sk1r1, sizeof(sk1r1)) == 0); res = res && (memcmp(sk2, sk2r1, sizeof(sk2r1)) == 0); + + uint8_t key2[] = {0x11, 0xED, 0x02, 0x02, 0x25, 0x70, 0xCB, 0x10, 0x50, 0x2B, 0xC1, 0xDA, 0xCF, 0x64, 0xB2, 0x1F}; + uint8_t sk1r2[] = {0x5B, 0x5D, 0x85, 0x36, 0x61, 0xE5, 0x1B, 0xC9, 0x13, 0x77, 0xED, 0xCE, 0xB6, 0x22, 0xBF, 0x6E}; + uint8_t sk2r2[] = {0xB6, 0xBB, 0x0A, 0x6C, 0xC3, 0xCA, 0x37, 0x92, 0x26, 0xEF, 0xDB, 0x9D, 0x6C, 0x45, 0x7E, 0xDC}; + + LRPGenSubkeys(key2, sk1, sk2); + res = res && (memcmp(sk1, sk1r2, sizeof(sk1r2)) == 0); + res = res && (memcmp(sk2, sk2r2, sizeof(sk2r2)) == 0); + uint8_t key3[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; + uint8_t sk1r3[] = {0x2A, 0xE0, 0xEB, 0xD3, 0x76, 0xBC, 0xD4, 0xA2, 0x7B, 0x1C, 0xD4, 0x06, 0xD2, 0x43, 0x1C, 0xF9}; + uint8_t sk2r3[] = {0x55, 0xC1, 0xD7, 0xA6, 0xED, 0x79, 0xA9, 0x44, 0xF6, 0x39, 0xA8, 0x0D, 0xA4, 0x86, 0x39, 0xF2}; + + LRPGenSubkeys(key3, sk1, sk2); + res = res && (memcmp(sk1, sk1r3, sizeof(sk1r3)) == 0); + res = res && (memcmp(sk2, sk2r3, sizeof(sk2r3)) == 0); if (res) PrintAndLogEx(INFO, "LRP subkeys....... " _GREEN_("passed")); From ad4c3d5a901fe06d4048b144b87c48e51c346a73 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 14:37:40 +0300 Subject: [PATCH 13/15] add corner case cmac test --- client/src/mifare/desfiretest.c | 23 ++++++++++++++++++++++- client/src/mifare/lrpcrypto.c | 18 +++++++++++------- 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 268fb1383..83697cfb7 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -808,10 +808,31 @@ static bool TestLRPCMAC(void) { LRPSetKey(&ctx, key2, 0, true); uint8_t data2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; LRPCMAC(&ctx, data2, sizeof(data2), cmac); - uint8_t cmacres2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; + uint8_t cmacres2[] = {0x8B, 0x43, 0xAD, 0xF7, 0x67, 0xE4, 0x6B, 0x69, 0x2E, 0x8F, 0x24, 0xE8, 0x37, 0xCB, 0x5E, 0xFC}; res = res && (memcmp(cmac, cmacres2, sizeof(cmacres2)) == 0); */ + uint8_t key3[] = {0x0D, 0x46, 0x55, 0x75, 0x50, 0xCB, 0x31, 0x3F, 0x36, 0xAF, 0xBA, 0x87, 0x62, 0x5D, 0x96, 0x1A}; + LRPSetKey(&ctx, key3, 0, true); + uint8_t data3[] = {0x90}; + LRPCMAC(&ctx, data3, sizeof(data3), cmac); + uint8_t cmacres3[] = {0xF7, 0xC8, 0x55, 0x3D, 0xED, 0x57, 0x48, 0x29, 0xE6, 0xEE, 0x68, 0x11, 0x2C, 0xB3, 0x81, 0x7B}; + res = res && (memcmp(cmac, cmacres3, sizeof(cmacres3)) == 0); + /*uint8_t key4[] = {0x2A, 0x47, 0x3E, 0x38, 0xBB, 0xF4, 0x53, 0x7C, 0x53, 0x97, 0xF4, 0x5A, 0xE4, 0x98, 0xCD, 0x4D}; + LRPSetKey(&ctx, key4, 0, true); + uint8_t data4[] = {0xC2, 0xAC, 0x3D, 0x72, 0x50, 0xEE, 0xF0, 0x23, 0x18, 0xBC, 0x08, 0x4F, 0x29, 0x4B, 0x1A, 0xC7, + 0x22, 0x91, 0xEE, 0x1D, 0xC0, 0x2A, 0xF4, 0x24, 0x94, 0x1C, 0xAA, 0xC6, 0x85, 0xFC, 0xA5, 0x9D, + 0x90, 0x08, 0x67, 0x9B, 0x00, 0xC5, 0x6A, 0x05, 0x62, 0x58, 0x3B, 0xDA, 0xEC, 0x0B, 0xBA}; + LRPCMAC(&ctx, data4, sizeof(data4), cmac); + uint8_t cmacres4[] = {0x66, 0xDC, 0x2B, 0xCE, 0x26, 0x9B, 0x79, 0x3B, 0x4A, 0xCA, 0x1A, 0x4D, 0x04, 0xDD, 0xD6, 0x68}; + res = res && (memcmp(cmac, cmacres4, sizeof(cmacres4)) == 0); +*/ + uint8_t key5[] = {0x63, 0xA0, 0x16, 0x9B, 0x4D, 0x9F, 0xE4, 0x2C, 0x72, 0xB2, 0x78, 0x4C, 0x80, 0x6E, 0xAC, 0x21}; + LRPSetKey(&ctx, key5, 0, true); + LRPCMAC(&ctx, NULL, 0, cmac); + uint8_t cmacres5[] = {0x0E, 0x07, 0xC6, 0x01, 0x97, 0x08, 0x14, 0xA4, 0x17, 0x6F, 0xDA, 0x63, 0x3C, 0x6F, 0xC3, 0xDE}; + res = res && (memcmp(cmac, cmacres5, sizeof(cmacres5)) == 0); + if (res) PrintAndLogEx(INFO, "LRP CMAC.......... " _GREEN_("passed")); else diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 0e55b3ca8..ba5a917d0 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -218,6 +218,7 @@ void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2) { uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; LRPEvalLRP(&ctx, const00, CRYPTO_AES128_KEY_SIZE * 2, true, y); +PrintAndLogEx(ERR, "--k %s", sprint_hex(key, 16)); PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); mulPolyX(y); memcpy(sk1, y, CRYPTO_AES128_KEY_SIZE); @@ -243,19 +244,22 @@ void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { } size_t bllen = datalen - clen; - // padding - if (bllen > 0) { + +PrintAndLogEx(ERR, "--bllen %d", bllen); +PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); + // if there is more data + if (bllen == 16) { + bin_xor(y, sk1, CRYPTO_AES128_KEY_SIZE); + } else { + // padding uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; memcpy(bl, &data[clen * CRYPTO_AES128_KEY_SIZE], bllen); bl[bllen] = 0x80; bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); - } - // if there is more data - if (bllen == 0) - bin_xor(y, sk1, CRYPTO_AES128_KEY_SIZE); - else bin_xor(y, sk2, CRYPTO_AES128_KEY_SIZE); + } LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, cmac); +PrintAndLogEx(ERR, "--cmac %s", sprint_hex(cmac, 16)); } From 8558ba639fb86720364a8f015ccd70fbe9399fee Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 14:55:26 +0300 Subject: [PATCH 14/15] fix block length = 16 case --- client/src/mifare/desfiretest.c | 4 ++-- client/src/mifare/lrpcrypto.c | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 83697cfb7..d3c4d7ada 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -804,13 +804,13 @@ static bool TestLRPCMAC(void) { uint8_t cmacres1[] = {0xAD, 0x85, 0x95, 0xE0, 0xB4, 0x9C, 0x5C, 0x0D, 0xB1, 0x8E, 0x77, 0x35, 0x5F, 0x5A, 0xAF, 0xF6}; res = res && (memcmp(cmac, cmacres1, sizeof(cmacres1)) == 0); - /*uint8_t key2[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; + uint8_t key2[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; LRPSetKey(&ctx, key2, 0, true); uint8_t data2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; LRPCMAC(&ctx, data2, sizeof(data2), cmac); uint8_t cmacres2[] = {0x8B, 0x43, 0xAD, 0xF7, 0x67, 0xE4, 0x6B, 0x69, 0x2E, 0x8F, 0x24, 0xE8, 0x37, 0xCB, 0x5E, 0xFC}; res = res && (memcmp(cmac, cmacres2, sizeof(cmacres2)) == 0); -*/ + uint8_t key3[] = {0x0D, 0x46, 0x55, 0x75, 0x50, 0xCB, 0x31, 0x3F, 0x36, 0xAF, 0xBA, 0x87, 0x62, 0x5D, 0x96, 0x1A}; LRPSetKey(&ctx, key3, 0, true); uint8_t data3[] = {0x90}; diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index ba5a917d0..7c249f1ff 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -238,22 +238,27 @@ void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; size_t clen = 0; for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + if (datalen - clen <= CRYPTO_AES128_KEY_SIZE) + break; + bin_xor(y, &data[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, y); clen += CRYPTO_AES128_KEY_SIZE; } size_t bllen = datalen - clen; + uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(bl, &data[clen * CRYPTO_AES128_KEY_SIZE], bllen); PrintAndLogEx(ERR, "--bllen %d", bllen); PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); // if there is more data if (bllen == 16) { + bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); + bin_xor(y, sk1, CRYPTO_AES128_KEY_SIZE); } else { // padding - uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; - memcpy(bl, &data[clen * CRYPTO_AES128_KEY_SIZE], bllen); bl[bllen] = 0x80; bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); From 9f0e973ad5b1fad1ab13cce29237c959b906a013 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Mon, 16 Aug 2021 15:32:53 +0300 Subject: [PATCH 15/15] fix multi-block cmac, remove debug --- client/src/mifare/desfiretest.c | 12 ++++++++++-- client/src/mifare/lrpcrypto.c | 21 +++++++++------------ 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index d3c4d7ada..1e91d5586 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -818,7 +818,7 @@ static bool TestLRPCMAC(void) { uint8_t cmacres3[] = {0xF7, 0xC8, 0x55, 0x3D, 0xED, 0x57, 0x48, 0x29, 0xE6, 0xEE, 0x68, 0x11, 0x2C, 0xB3, 0x81, 0x7B}; res = res && (memcmp(cmac, cmacres3, sizeof(cmacres3)) == 0); - /*uint8_t key4[] = {0x2A, 0x47, 0x3E, 0x38, 0xBB, 0xF4, 0x53, 0x7C, 0x53, 0x97, 0xF4, 0x5A, 0xE4, 0x98, 0xCD, 0x4D}; + uint8_t key4[] = {0x2A, 0x47, 0x3E, 0x38, 0xBB, 0xF4, 0x53, 0x7C, 0x53, 0x97, 0xF4, 0x5A, 0xE4, 0x98, 0xCD, 0x4D}; LRPSetKey(&ctx, key4, 0, true); uint8_t data4[] = {0xC2, 0xAC, 0x3D, 0x72, 0x50, 0xEE, 0xF0, 0x23, 0x18, 0xBC, 0x08, 0x4F, 0x29, 0x4B, 0x1A, 0xC7, 0x22, 0x91, 0xEE, 0x1D, 0xC0, 0x2A, 0xF4, 0x24, 0x94, 0x1C, 0xAA, 0xC6, 0x85, 0xFC, 0xA5, 0x9D, @@ -826,13 +826,21 @@ static bool TestLRPCMAC(void) { LRPCMAC(&ctx, data4, sizeof(data4), cmac); uint8_t cmacres4[] = {0x66, 0xDC, 0x2B, 0xCE, 0x26, 0x9B, 0x79, 0x3B, 0x4A, 0xCA, 0x1A, 0x4D, 0x04, 0xDD, 0xD6, 0x68}; res = res && (memcmp(cmac, cmacres4, sizeof(cmacres4)) == 0); -*/ + uint8_t key5[] = {0x63, 0xA0, 0x16, 0x9B, 0x4D, 0x9F, 0xE4, 0x2C, 0x72, 0xB2, 0x78, 0x4C, 0x80, 0x6E, 0xAC, 0x21}; LRPSetKey(&ctx, key5, 0, true); LRPCMAC(&ctx, NULL, 0, cmac); uint8_t cmacres5[] = {0x0E, 0x07, 0xC6, 0x01, 0x97, 0x08, 0x14, 0xA4, 0x17, 0x6F, 0xDA, 0x63, 0x3C, 0x6F, 0xC3, 0xDE}; res = res && (memcmp(cmac, cmacres5, sizeof(cmacres5)) == 0); + uint8_t key6[] = {0x95, 0x2F, 0xDE, 0x83, 0x93, 0xC4, 0x5D, 0x23, 0x0A, 0x5B, 0xE9, 0xB3, 0x86, 0x36, 0xD1, 0x54}; + LRPSetKey(&ctx, key6, 0, true); + uint8_t data6[] = {0xD7, 0x80, 0x0E, 0x25, 0x70, 0x01, 0xA7, 0x74, 0xAE, 0x7B, 0xCF, 0xB2, 0xCE, 0x13, 0x07, 0xB5, + 0xB0, 0x44}; + LRPCMAC(&ctx, data6, sizeof(data6), cmac); + uint8_t cmacres6[] = {0x05, 0xF1, 0xCE, 0x30, 0x45, 0x1A, 0x03, 0xA6, 0xE4, 0x68, 0xB3, 0xA5, 0x90, 0x33, 0xA5, 0x54}; + res = res && (memcmp(cmac, cmacres6, sizeof(cmacres6)) == 0); + if (res) PrintAndLogEx(INFO, "LRP CMAC.......... " _GREEN_("passed")); else diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c index 7c249f1ff..113191162 100644 --- a/client/src/mifare/lrpcrypto.c +++ b/client/src/mifare/lrpcrypto.c @@ -107,15 +107,17 @@ void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) { // https://www.nxp.com/docs/en/application-note/AN12304.pdf // Algorithm 3 void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y) { - memcpy(y, ctx->updatedKeys[ctx->useUpdatedKeyNum], CRYPTO_AES128_KEY_SIZE); + uint8_t ry[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(ry, ctx->updatedKeys[ctx->useUpdatedKeyNum], CRYPTO_AES128_KEY_SIZE); for (int i = 0; i < ivlen; i++) { uint8_t nk = (i % 2) ? iv[i / 2] & 0x0f : (iv[i / 2] >> 4) & 0x0f; - aes_encode(NULL, y, ctx->plaintexts[nk], y, CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, ry, ctx->plaintexts[nk], ry, CRYPTO_AES128_KEY_SIZE); } if (final) - aes_encode(NULL, y, const00, y, CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, ry, const00, ry, CRYPTO_AES128_KEY_SIZE); + memcpy(y, ry, CRYPTO_AES128_KEY_SIZE); } void LRPIncCounter(uint8_t *ctr, size_t ctrlen) { @@ -218,14 +220,12 @@ void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2) { uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; LRPEvalLRP(&ctx, const00, CRYPTO_AES128_KEY_SIZE * 2, true, y); -PrintAndLogEx(ERR, "--k %s", sprint_hex(key, 16)); -PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); + mulPolyX(y); memcpy(sk1, y, CRYPTO_AES128_KEY_SIZE); -PrintAndLogEx(ERR, "--sk1 %s", sprint_hex(y, 16)); + mulPolyX(y); memcpy(sk2, y, CRYPTO_AES128_KEY_SIZE); -PrintAndLogEx(ERR, "--sk2 %s", sprint_hex(y, 16)); } // https://www.nxp.com/docs/en/application-note/AN12304.pdf @@ -248,11 +248,9 @@ void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { size_t bllen = datalen - clen; uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; - memcpy(bl, &data[clen * CRYPTO_AES128_KEY_SIZE], bllen); + memcpy(bl, &data[clen], bllen); -PrintAndLogEx(ERR, "--bllen %d", bllen); -PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); - // if there is more data + // last block if (bllen == 16) { bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); @@ -266,5 +264,4 @@ PrintAndLogEx(ERR, "--y %s", sprint_hex(y, 16)); } LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, cmac); -PrintAndLogEx(ERR, "--cmac %s", sprint_hex(cmac, 16)); }