From c8813a01238462b69f92bbc8c911201409c38edc Mon Sep 17 00:00:00 2001
From: merlokk <807634+merlokk@users.noreply.github.com>
Date: Sat, 14 Aug 2021 09:27:03 +0300
Subject: [PATCH] LRPEvalLRP ok

---
 client/src/mifare/desfiretest.c | 57 +++++++++++++++++++++++++++++++++
 client/src/mifare/lrpcrypto.c   | 15 +++++++++
 client/src/mifare/lrpcrypto.h   |  2 +-
 3 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c
index 210cff5a6..cc8de88aa 100644
--- a/client/src/mifare/desfiretest.c
+++ b/client/src/mifare/desfiretest.c
@@ -530,6 +530,62 @@ static bool TestLRPUpdatedKeys(void) {
     return res;
 }
 
+// https://www.nxp.com/docs/en/application-note/AN12304.pdf
+// 3.2 LRP Eval, page 13
+static bool TestLRPEval(void) {
+    bool res = true;
+
+    LRPContext ctx = {0};
+
+    uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0};
+    uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0};
+    uint8_t iv[] = {0x13, 0x59};
+    LRPSetKey(&ctx, key, 2, false);
+    LRPEvalLRP(&ctx, iv, sizeof(iv) * 2, true, y);
+    
+    uint8_t y1[] = {0x1B, 0xA2, 0xC0, 0xC5, 0x78, 0x99, 0x6B, 0xC4, 0x97, 0xDD, 0x18, 0x1C, 0x68, 0x85, 0xA9, 0xDD};
+    res = res && (memcmp(y, y1, sizeof(y1)) == 0);
+    
+    uint8_t key2[] = {0xB6, 0x55, 0x57, 0xCE, 0x0E, 0x9B, 0x4C, 0x58, 0x86, 0xF2, 0x32, 0x20, 0x01, 0x13, 0x56, 0x2B};
+    uint8_t iv2[] = {0xBB, 0x4F, 0xCF, 0x27, 0xC9, 0x40, 0x76, 0xF7, 0x56, 0xAB, 0x03, 0x0D};
+    LRPSetKey(&ctx, key2, 1, false);
+    LRPEvalLRP(&ctx, iv2, sizeof(iv2) * 2, false, y);
+    
+    uint8_t y2[] = {0x6F, 0xDF, 0xA8, 0xD2, 0xA6, 0xAA, 0x84, 0x76, 0xBF, 0x94, 0xE7, 0x1F, 0x25, 0x63, 0x7F, 0x96};
+    res = res && (memcmp(y, y2, sizeof(y2)) == 0);
+
+    uint8_t key3[] = {0xC4, 0x8A, 0x8E, 0x8B, 0x16, 0x57, 0x16, 0x45, 0xA1, 0x55, 0x78, 0x25, 0xAA, 0x66, 0xAC, 0x91};
+    uint8_t iv3[] = {0x1F, 0x0B, 0x7C, 0x0D, 0xB1, 0x28, 0x89, 0xCA, 0x43, 0x6C, 0xAB, 0xB7, 0x8B, 0xE4, 0x2F, 0x90};
+    LRPSetKey(&ctx, key3, 3, false);
+    LRPEvalLRP(&ctx, iv3, sizeof(iv3) * 2 - 1, true, y);
+    
+    uint8_t y3[] = {0x51, 0x29, 0x6B, 0x5E, 0x6D, 0x3B, 0x8D, 0xB8, 0xA1, 0xA7, 0x39, 0x97, 0x60, 0xA1, 0x91, 0x89};
+    res = res && (memcmp(y, y3, sizeof(y3)) == 0);
+
+    uint8_t key4[] = {0x54, 0x9C, 0x67, 0xEC, 0xD6, 0x0E, 0x84, 0x8F, 0x77, 0x39, 0x90, 0x99, 0x0C, 0xAC, 0x68, 0x1E};
+    uint8_t iv4[] = {0x47, 0x5B, 0xB4, 0x18, 0x78, 0xEB, 0x17, 0x46, 0x8F, 0x7A, 0x68, 0x84, 0x7D, 0xDD, 0x3B, 0xAC};
+    LRPSetKey(&ctx, key4, 3, false);
+    LRPEvalLRP(&ctx, iv4, sizeof(iv4) * 2, true, y);
+    
+    uint8_t y4[] = {0xC3, 0xB5, 0xEE, 0x74, 0xA7, 0x22, 0xE7, 0x84, 0x88, 0x7C, 0x4C, 0x9F, 0xDB, 0x49, 0x78, 0x55};
+    res = res && (memcmp(y, y4, sizeof(y4)) == 0);
+
+    uint8_t key5[] = {0x80, 0x6A, 0x50, 0x53, 0x0D, 0x77, 0x35, 0xB4, 0x0A, 0xC4, 0xEF, 0x16, 0x38, 0xE8, 0xAD, 0x6A};
+    uint8_t iv5[] = {0xD4, 0x13, 0x77, 0x64, 0x71, 0x6D, 0xBC, 0x8C, 0x57, 0x9B, 0xEA, 0xB7, 0xE7, 0x67, 0x54, 0xE0};
+    LRPSetKey(&ctx, key5, 3, false);
+    LRPEvalLRP(&ctx, iv5, sizeof(iv5) * 2 - 1, false, y);
+    
+    uint8_t y5[] = {0xCF, 0x99, 0x13, 0x92, 0xF0, 0x36, 0x93, 0x50, 0xA7, 0xE2, 0x1B, 0xE5, 0x2F, 0x74, 0x88, 0x21};
+    res = res && (memcmp(y, y5, sizeof(y5)) == 0);
+
+    if (res)
+        PrintAndLogEx(INFO, "LRP eval.......... " _GREEN_("passed"));
+    else
+        PrintAndLogEx(ERR,  "LRP eval.......... " _RED_("fail"));
+
+    return res;
+}
+
 bool DesfireTest(bool verbose) {
     bool res = true;
 
@@ -550,6 +606,7 @@ bool DesfireTest(bool verbose) {
     res = res && TestTransSessionKeys();
     res = res && TestLRPPlaintexts();
     res = res && TestLRPUpdatedKeys();
+    res = res && TestLRPEval();
 
     PrintAndLogEx(INFO, "---------------------------");
     if (res)
diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c
index 033099a81..54d374f22 100644
--- a/client/src/mifare/lrpcrypto.c
+++ b/client/src/mifare/lrpcrypto.c
@@ -28,6 +28,7 @@
 
 static uint8_t constAA[] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa};
 static uint8_t const55[] = {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55};
+static uint8_t const00[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 
 void LRPClearContext(LRPContext *ctx) {
     memset(ctx->key, 0, CRYPTO_AES128_KEY_SIZE);
@@ -85,3 +86,17 @@ void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) {
         
     ctx->updatedKeysCount = updatedKeysCount;
 }
+
+// https://www.nxp.com/docs/en/application-note/AN12304.pdf
+// Algorithm 3
+void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y) {
+    memcpy(y, ctx->updatedKeys[ctx->useUpdatedKeyNum], CRYPTO_AES128_KEY_SIZE);
+    
+    for (int i = 0; i < ivlen; i++) {
+        uint8_t nk = (i % 2) ? iv[i / 2] & 0x0f : (iv[i / 2] >> 4) & 0x0f;
+        aes_encode(NULL, y, ctx->plaintexts[nk], y, CRYPTO_AES128_KEY_SIZE);
+    }
+    
+    if (final)
+        aes_encode(NULL, y, const00, y, CRYPTO_AES128_KEY_SIZE);
+}
diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h
index 12e6a40e7..122e06911 100644
--- a/client/src/mifare/lrpcrypto.h
+++ b/client/src/mifare/lrpcrypto.h
@@ -41,6 +41,6 @@ void LRPClearContext(LRPContext *ctx);
 void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding);
 void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount);
 void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount);
-
+void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y);
 
 #endif // __LRPCRYPTO_H