diff --git a/CHANGELOG.md b/CHANGELOG.md index 3857b2a3d..b38c4eae9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Add ECC support / check for NID_secp128r1 (@pwpiwi) - Add some more default keys (ollibolli) - Fix T55x7 Downlink timings backward compatible (@mwalker33) - Add proper Makefile halting when using incompatible STANDALONE and PLATFORM vars (@doegox) @@ -153,7 +154,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Change `lf indala demod` - refactoring (@iceman1001) - Change - handling fault bit markers (7) and partial nibbles in hex printing (@doegox) - Change - printing of fault bit markers (7) using a dot (@doegox) - - Change `sc upgrade` - firmware file integrity check (@piwi) + - Change `sc upgrade` - firmware file integrity check (@pwpiwi) - Fix `data rawdemod am` - last bit was missing (@doegox) - Fix `hf 15 dump f` - also selects tag first (@iceman1001) - Fix `hf iclass clone` - missing fileclose (@iceman1001) @@ -161,8 +162,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Change `lf hitag sim` - loads bin/eml/json (@iceman1001) - Change `lf hitag reader 21` - saves in bin/eml/json (@iceman1001) - Change `lf hitag` - refactoring (@iceman1001) - - Change `lf hitag` - refactoring (@piwi) - - Fix `lf hitag` - generic fix for missing clock init (@piwi) + - Change `lf hitag` - refactoring (@pwpiwi) + - Fix `lf hitag` - generic fix for missing clock init (@pwpiwi) - Fix fsk sim operations on deviceside - avoid division by zero (@doegox) - Fix `hf mf fchk` - condition always false (@doegox) - Fix `lf t55xx recoverpw` - shift as u32 (@doegox) diff --git a/client/cmdhffido.c b/client/cmdhffido.c index 39b080dca..f7db54b00 100644 --- a/client/cmdhffido.c +++ b/client/cmdhffido.c @@ -209,7 +209,7 @@ static int CmdHFFidoRegister(const char *cmd) { if (paramsPlain) { memset(cdata, 0x00, 32); CLIGetStrWithReturn(6, cdata, &chlen); - if (chlen > 16) { + if (chlen && chlen > 16) { PrintAndLogEx(ERR, "ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", chlen); return 1; } @@ -227,7 +227,7 @@ static int CmdHFFidoRegister(const char *cmd) { if (paramsPlain) { memset(adata, 0x00, 32); CLIGetStrWithReturn(7, adata, &applen); - if (applen > 16) { + if (applen && applen > 16) { PrintAndLogEx(ERR, "ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", applen); return 1; } @@ -346,15 +346,15 @@ static int CmdHFFidoRegister(const char *cmd) { &buf[1], 65, // user public key NULL, 0); //PrintAndLogEx(NORMAL, "--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[hashp], len - hashp); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[hashp], len - hashp, true); if (res) { - if (res == -0x4e00) { - PrintAndLogEx(WARNING, "Signature is NOT VALID."); + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { + PrintAndLogEx(WARNING, "Signature is" _RED_("NOT VALID") ); } else { PrintAndLogEx(WARNING, "Other signature check error: %x %s", (res < 0) ? -res : res, ecdsa_get_error(res)); } } else { - PrintAndLogEx(SUCCESS, "Signature is OK."); + PrintAndLogEx(SUCCESS, "Signature is" _GREEN_("OK")); } } else { @@ -473,7 +473,7 @@ static int CmdHFFidoAuthenticate(const char *cmd) { if (paramsPlain) { memset(hdata, 0x00, 32); CLIGetStrWithReturn(9, hdata, &hdatalen); - if (hdatalen > 16) { + if (hdatalen && hdatalen > 16) { PrintAndLogEx(ERR, "ERROR: challenge parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen); return 1; } @@ -490,7 +490,7 @@ static int CmdHFFidoAuthenticate(const char *cmd) { if (paramsPlain) { memset(hdata, 0x00, 32); CLIGetStrWithReturn(11, hdata, &hdatalen); - if (hdatalen > 16) { + if (hdatalen && hdatalen > 16) { PrintAndLogEx(ERR, "ERROR: application parameter length in ASCII mode must be less than 16 chars instead of: %d", hdatalen); return 1; } @@ -572,15 +572,15 @@ static int CmdHFFidoAuthenticate(const char *cmd) { data, 32, // challenge parameter NULL, 0); //PrintAndLogEx(NORMAL, "--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[5], len - 5); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[5], len - 5, true); if (res) { - if (res == -0x4e00) { - PrintAndLogEx(WARNING, "Signature is NOT VALID."); + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { + PrintAndLogEx(WARNING, "Signature is" _RED_("NOT VALID.") ); } else { PrintAndLogEx(WARNING, "Other signature check error: %x %s", (res < 0) ? -res : res, ecdsa_get_error(res)); } } else { - PrintAndLogEx(SUCCESS, "Signature is OK."); + PrintAndLogEx(SUCCESS, "Signature is" _GREEN_("OK") ); } } else { PrintAndLogEx(WARNING, "No public key provided. can't check signature."); diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index df760f187..e2f3565e3 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -42,7 +42,7 @@ static int usage_hf_mfu_info(void) { PrintAndLogEx(NORMAL, " hf mfu info"); PrintAndLogEx(NORMAL, " hf mfu info k 00112233445566778899AABBCCDDEEFF"); PrintAndLogEx(NORMAL, " hf mfu info k AABBCCDD"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_dump(void) { @@ -63,7 +63,7 @@ static int usage_hf_mfu_dump(void) { PrintAndLogEx(NORMAL, " hf mfu dump n myfile"); PrintAndLogEx(NORMAL, " hf mfu dump k 00112233445566778899AABBCCDDEEFF"); PrintAndLogEx(NORMAL, " hf mfu dump k AABBCCDD\n"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_restore(void) { @@ -81,7 +81,7 @@ static int usage_hf_mfu_restore(void) { PrintAndLogEx(NORMAL, " hf mfu restore s f myfile"); PrintAndLogEx(NORMAL, " hf mfu restore k AABBCCDD s f myfile\n"); PrintAndLogEx(NORMAL, " hf mfu restore k AABBCCDD s e r f myfile\n"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_rdbl(void) { @@ -96,7 +96,7 @@ static int usage_hf_mfu_rdbl(void) { PrintAndLogEx(NORMAL, " hf mfu rdbl b 0"); PrintAndLogEx(NORMAL, " hf mfu rdbl b 0 k 00112233445566778899AABBCCDDEEFF"); PrintAndLogEx(NORMAL, " hf mfu rdbl b 0 k AABBCCDD\n"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_wrbl(void) { @@ -111,7 +111,7 @@ static int usage_hf_mfu_wrbl(void) { PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, " hf mfu wrbl b 0 d 01234567"); PrintAndLogEx(NORMAL, " hf mfu wrbl b 0 d 01234567 k AABBCCDD\n"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_eload(void) { @@ -126,7 +126,7 @@ static int usage_hf_mfu_eload(void) { PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, " sample: hf mfu eload u filename"); PrintAndLogEx(NORMAL, " hf mfu eload u filename 57"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_sim(void) { @@ -141,8 +141,7 @@ static int usage_hf_mfu_sim(void) { PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, " hf mfu sim t 7"); PrintAndLogEx(NORMAL, " hf mfu sim t 7 u 1122344556677\n"); - - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_ucauth(void) { @@ -157,7 +156,7 @@ static int usage_hf_mfu_ucauth(void) { PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, " hf mfu cauth k"); PrintAndLogEx(NORMAL, " hf mfu cauth k 3"); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_ucsetpwd(void) { @@ -167,7 +166,7 @@ static int usage_hf_mfu_ucsetpwd(void) { PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, " hf mfu setpwd 000102030405060708090a0b0c0d0e0f"); PrintAndLogEx(NORMAL, ""); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_ucsetuid(void) { @@ -178,7 +177,7 @@ static int usage_hf_mfu_ucsetuid(void) { PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, " hf mfu setuid 11223344556677"); PrintAndLogEx(NORMAL, ""); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_gendiverse(void) { @@ -191,7 +190,7 @@ static int usage_hf_mfu_gendiverse(void) { PrintAndLogEx(NORMAL, " hf mfu gen r"); PrintAndLogEx(NORMAL, " hf mfu gen 11223344"); PrintAndLogEx(NORMAL, ""); - return 0; + return PM3_SUCCESS; } static int usage_hf_mfu_pwdgen(void) { @@ -206,17 +205,9 @@ static int usage_hf_mfu_pwdgen(void) { PrintAndLogEx(NORMAL, " hf mfu pwdgen 11223344556677"); PrintAndLogEx(NORMAL, " hf mfu pwdgen t"); PrintAndLogEx(NORMAL, ""); - return 0; + return PM3_SUCCESS; } -#define PUBLIC_ECDA_KEYLEN 33 -uint8_t public_ecda_key[PUBLIC_ECDA_KEYLEN] = { - 0x04, 0x49, 0x4e, 0x1a, 0x38, 0x6d, 0x3d, 0x3c, - 0xfe, 0x3d, 0xc1, 0x0e, 0x5d, 0xe6, 0x8a, 0x49, - 0x9b, 0x1c, 0x20, 0x2d, 0xb5, 0xb1, 0x32, 0x39, - 0x3e, 0x89, 0xed, 0x19, 0xfe, 0x5b, 0xe8, 0xbc, - 0x61 -}; #define KEYS_3DES_COUNT 7 uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = { @@ -234,6 +225,27 @@ uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = { {0xFF, 0xFF, 0xFF, 0xFF}, // PACK 0x00,0x00 -- factory default }; +#define PUBLIC_ECDA_KEYLEN 33 + +// known public keys for the originality check (source: https://github.com/alexbatalov/node-nxp-originality-verifier) +// ref: AN11350 NTAG 21x Originality Signature Validation +// ref: AN11341 MIFARE Ultralight EV1 Originality Signature Validation +uint8_t public_keys[2][PUBLIC_ECDA_KEYLEN] = { + // UL, NTAG21x and NDEF + { 0x04,0x49,0x4e,0x1a,0x38,0x6d,0x3d,0x3c, + 0xfe,0x3d,0xc1,0x0e,0x5d,0xe6,0x8a,0x49, + 0x9b,0x1c,0x20,0x2d,0xb5,0xb1,0x32,0x39, + 0x3e,0x89,0xed,0x19,0xfe,0x5b,0xe8,0xbc,0x61 + }, + // UL EV1 + { 0x04,0x90,0x93,0x3b,0xdc,0xd6,0xe9,0x9b, + 0x4e,0x25,0x5e,0x3d,0xa5,0x53,0x89,0xa8, + 0x27,0x56,0x4e,0x11,0x71,0x8e,0x01,0x72, + 0x92,0xfa,0xf2,0x32,0x26,0xa9,0x66,0x14,0xb8 + } +}; + + #define MAX_UL_TYPES 22 uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = { UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, @@ -555,20 +567,20 @@ static int ul_auth_select(iso14a_card_select_t *card, TagTypeUL_t tagtype, bool //will select card automatically and close connection on error if (!ulc_authentication(authkey, false)) { PrintAndLogEx(WARNING, "Authentication Failed UL-C"); - return 0; + return PM3_ESOFT; } } else { - if (!ul_select(card)) return 0; + if (!ul_select(card)) return PM3_ESOFT; if (hasAuthKey) { if (ulev1_requestAuthentication(authkey, pack, packSize) == -1) { DropField(); PrintAndLogEx(WARNING, "Authentication Failed UL-EV1/NTAG"); - return 0; + return PM3_ESOFT; } } } - return 1; + return PM3_SUCCESS; } static int ulev1_getVersion(uint8_t *response, uint16_t responseLength) { @@ -642,25 +654,25 @@ static int ul_print_default(uint8_t *data) { if (uid[0] == 0x05 && ((uid[1] & 0xf0) >> 4) == 2) { // is infineon and 66RxxP uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU switch (chip) { - case 0xc2: + case 0xC2: PrintAndLogEx(NORMAL, " IC type : SLE 66R04P 770 Bytes"); break; //77 pages - case 0xc4: + case 0xC4: PrintAndLogEx(NORMAL, " IC type : SLE 66R16P 2560 Bytes"); break; //256 pages - case 0xc6: + case 0xC6: PrintAndLogEx(NORMAL, " IC type : SLE 66R32P 5120 Bytes"); break; //512 pages /2 sectors } } // CT (cascade tag byte) 0x88 xor SN0 xor SN1 xor SN2 - int crc0 = 0x88 ^ data[0] ^ data[1] ^ data[2]; + int crc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]; if (data[3] == crc0) PrintAndLogEx(NORMAL, " BCC0 : %02X, Ok", data[3]); else PrintAndLogEx(NORMAL, " BCC0 : %02X, crc should be %02X", data[3], crc0); - int crc1 = data[4] ^ data[5] ^ data[6] ^ data[7]; + int crc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]; if (data[8] == crc1) PrintAndLogEx(NORMAL, " BCC1 : %02X, Ok", data[8]); else @@ -678,13 +690,13 @@ static int ul_print_default(uint8_t *data) { sprint_bin(data + 12, 4) ); - return 0; + return PM3_SUCCESS; } static int ndef_print_CC(uint8_t *data) { // no NDEF message if (data[0] != 0xE1) - return -1; + return PM3_ESOFT; //NFC Forum Type 1,2,3,4 // @@ -763,7 +775,7 @@ static int ndef_print_CC(uint8_t *data) { PrintAndLogEx(NORMAL, " x - %02X : %s lock block", lb, (lb) ? "support" : "don\'t support"); PrintAndLogEx(NORMAL, " xx - %02X : RFU (%s)", mlrule, (mlrule == 0) ? _GREEN_("OK") : _RED_("Fail")); PrintAndLogEx(NORMAL, " x - %02X : IC %s multiple block reads", mbread, (mbread) ? "support" : "don\'t support"); - return 0; + return PM3_SUCCESS; } int ul_print_type(uint32_t tagtype, uint8_t spaces) { @@ -823,7 +835,7 @@ int ul_print_type(uint32_t tagtype, uint8_t spaces) { PrintAndLogEx(NORMAL, "%sTYPE : FUDAN Ultralight Compatible (or other compatible) %s", spacer, (tagtype & MAGIC) ? "" : ""); else PrintAndLogEx(NORMAL, "%sTYPE : Unknown %06x", spacer, tagtype); - return 0; + return PM3_SUCCESS; } static int ulc_print_3deskey(uint8_t *data) { @@ -832,7 +844,7 @@ static int ulc_print_3deskey(uint8_t *data) { PrintAndLogEx(NORMAL, " deskey2 [46/0x2E] : %s [s]", sprint_hex(data + 8, 4), sprint_ascii(data + 8, 4)); PrintAndLogEx(NORMAL, " deskey2 [47/0x2F] : %s [s]", sprint_hex(data + 12, 4), sprint_ascii(data + 12, 4)); PrintAndLogEx(NORMAL, "\n 3des key : %s", sprint_hex(SwapEndian64(data, 16, 8), 16)); - return 0; + return PM3_SUCCESS; } static int ulc_print_configuration(uint8_t *data) { @@ -855,7 +867,7 @@ static int ulc_print_configuration(uint8_t *data) { sprint_hex(data + 12, 4), (data[12] & 1) ? "write access restricted" : "read and write access restricted" ); - return 0; + return PM3_SUCCESS; } static int ulev1_print_configuration(uint32_t tagtype, uint8_t *data, uint8_t startPage) { @@ -961,7 +973,7 @@ static int ulev1_print_configuration(uint32_t tagtype, uint8_t *data, uint8_t st PrintAndLogEx(NORMAL, " PWD [%u/0x%02X] : %s- (cannot be read)", startPage + 2, startPage + 2, sprint_hex(data + 8, 4)); PrintAndLogEx(NORMAL, " PACK [%u/0x%02X] : %s - (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data + 12, 2)); PrintAndLogEx(NORMAL, " RFU [%u/0x%02X] : %s- (cannot be read)", startPage + 3, startPage + 3, sprint_hex(data + 14, 2)); - return 0; + return PM3_SUCCESS; } static int ulev1_print_counters() { @@ -980,16 +992,21 @@ static int ulev1_print_counters() { return len; } -static int ulev1_print_signature(uint8_t *data, uint8_t len) { +static int ulev1_print_signature(TagTypeUL_t tagtype, uint8_t *uid, uint8_t *signature, size_t signature_len){ + uint8_t public_key = 0; + if (tagtype == UL_EV1_48 || tagtype == UL_EV1_128) { + public_key = 1; + } + int res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP128R1, public_keys[public_key], uid, 7, signature, signature_len, false); + bool is_valid = (res == 0); + PrintAndLogEx(NORMAL, "\n--- Tag Signature"); - PrintAndLogEx(NORMAL, "IC signature public key name : NXP NTAG21x (2013)"); - PrintAndLogEx(NORMAL, "IC signature public key value : %s", sprint_hex(public_ecda_key, PUBLIC_ECDA_KEYLEN)); - PrintAndLogEx(NORMAL, " Elliptic curve parameters : secp128r1"); - PrintAndLogEx(NORMAL, " Tag ECC Signature : %s", sprint_hex(data, len)); - //to do: verify if signature is valid - // only UID is signed. - //PrintAndLogEx(NORMAL, "IC signature status: %s valid", (iseccvalid() )?"":"not"); - return 0; + PrintAndLogEx(NORMAL, "IC signature public key name : NXP NTAG21x (2013)"); + PrintAndLogEx(NORMAL, "IC signature public key value : %s", sprint_hex(public_keys[public_key], PUBLIC_ECDA_KEYLEN)); + PrintAndLogEx(NORMAL, " Elliptic curve parameters : NID_secp128r1"); + PrintAndLogEx(NORMAL, " TAG IC Signature : %s", sprint_hex(signature, signature_len)); + PrintAndLogEx(NORMAL, "Signature verified %s", (is_valid) ? _GREEN_("successful") : _RED_("failed") ); + return PM3_SUCCESS; } static int ulev1_print_version(uint8_t *data) { @@ -1002,7 +1019,7 @@ static int ulev1_print_version(uint8_t *data) { PrintAndLogEx(NORMAL, " Minor version : %02X", data[5]); PrintAndLogEx(NORMAL, " Size : %s", getUlev1CardSizeStr(data[6])); PrintAndLogEx(NORMAL, " Protocol type : %02X %s", data[7], (data[7] == 0x3) ? "(ISO14443-3 Compliant)" : ""); - return 0; + return PM3_SUCCESS; } /* @@ -1185,6 +1202,8 @@ static int CmdHF14AMfUInfo(const char *Cmd) { uint8_t *key = pwd; uint8_t pack[4] = {0, 0, 0, 0}; int len; + uint8_t uid[7]; + char tempStr[50]; while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { @@ -1217,7 +1236,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (errors) return usage_hf_mfu_info(); TagTypeUL_t tagtype = GetHF14AMfU_Type(); - if (tagtype == UL_ERROR) return -1; + if (tagtype == UL_ERROR) return PM3_ESOFT; PrintAndLogEx(NORMAL, "\n--- Tag Information ---------"); PrintAndLogEx(NORMAL, "-------------------------------------------------------------"); @@ -1226,15 +1245,17 @@ static int CmdHF14AMfUInfo(const char *Cmd) { // Swap endianness if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4); - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; // read pages 0,1,2,3 (should read 4pages) status = ul_read(0, data, sizeof(data)); if (status == -1) { DropField(); PrintAndLogEx(ERR, "Error: tag didn't answer to READ"); - return status; + return PM3_ESOFT; } else if (status == 16) { + memcpy(uid, data, 3); + memcpy(uid + 3, data + 4, 4); ul_print_default(data); ndef_print_CC(data + 12); } else { @@ -1250,7 +1271,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (status == -1) { PrintAndLogEx(ERR, "Error: tag didn't answer to READ UL-C"); DropField(); - return status; + return PM3_ESOFT; } if (status == 16) ulc_print_configuration(ulc_conf); @@ -1264,14 +1285,14 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (status == -1) { DropField(); PrintAndLogEx(ERR, "Error: tag didn't answer to READ magic"); - return status; + return PM3_ESOFT; } if (status == 16) ulc_print_3deskey(ulc_deskey); } else { DropField(); // if we called info with key, just return - if (hasAuthKey) return 1; + if (hasAuthKey) return PM3_SUCCESS; // also try to diversify default keys.. look into CmdHF14AMfGenDiverseKeys PrintAndLogEx(INFO, "Trying some default 3des keys"); @@ -1282,10 +1303,10 @@ static int CmdHF14AMfUInfo(const char *Cmd) { uint8_t keySwap[16]; memcpy(keySwap, SwapEndian64(key, 16, 8), 16); ulc_print_3deskey(keySwap); - return 1; + return PM3_SUCCESS; } } - return 1; + return PM3_SUCCESS; } } @@ -1295,7 +1316,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if ((tagtype & (UL_EV1_48 | UL_EV1_128 | UL_EV1))) { if (ulev1_print_counters() != 3) { // failed - re-select - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; } } @@ -1308,12 +1329,13 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (status == -1) { PrintAndLogEx(ERR, "Error: tag didn't answer to READ SIGNATURE"); DropField(); - return status; + return PM3_ESOFT; } - if (status == 32) ulev1_print_signature(ulev1_signature, sizeof(ulev1_signature)); - else { + if (status == 32) { + ulev1_print_signature(tagtype, uid, ulev1_signature, sizeof(ulev1_signature)); + } else { // re-select - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; } } @@ -1324,12 +1346,12 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (status == -1) { PrintAndLogEx(ERR, "Error: tag didn't answer to GETVERSION"); DropField(); - return status; + return PM3_ESOFT; } else if (status == 10) { ulev1_print_version(version); } else { locked = true; - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; } uint8_t startconfigblock = 0; @@ -1348,7 +1370,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { if (status == -1) { PrintAndLogEx(ERR, "Error: tag didn't answer to READ EV1"); DropField(); - return status; + return PM3_ESOFT; } else if (status == 16) { // save AUTHENTICATION LIMITS for later: authlim = (ulev1_conf[4] & 0x07); @@ -1375,7 +1397,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { goto out; } - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; // test pwd gen B num_to_bytes(ul_ev1_pwdgenB(card.uid), 4, key); @@ -1385,7 +1407,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { goto out; } - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; // test pwd gen C num_to_bytes(ul_ev1_pwdgenC(card.uid), 4, key); @@ -1395,7 +1417,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { goto out; } - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; // test pwd gen D num_to_bytes(ul_ev1_pwdgenD(card.uid), 4, key); @@ -1405,7 +1427,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { goto out; } - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i) { key = default_pwd_pack[i]; @@ -1414,7 +1436,7 @@ static int CmdHF14AMfUInfo(const char *Cmd) { PrintAndLogEx(SUCCESS, "Found a default password: %s || Pack: %02X %02X", sprint_hex(key, 4), pack[0], pack[1]); break; } else { - if (!ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + if (ul_auth_select(&card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack)) == PM3_ESOFT) return PM3_ESOFT; } } if (len < 1) PrintAndLogEx(WARNING, "password not known"); @@ -1424,7 +1446,7 @@ out: DropField(); if (locked) PrintAndLogEx(FAILED, "\nTag appears to be locked, try using the key to get more info"); PrintAndLogEx(NORMAL, ""); - return 1; + return PM3_SUCCESS; } // diff --git a/client/crypto/libpcrypto.c b/client/crypto/libpcrypto.c index 775080c42..3bdbb46ae 100644 --- a/client/crypto/libpcrypto.c +++ b/client/crypto/libpcrypto.c @@ -121,14 +121,14 @@ int sha512hash(uint8_t *input, int length, uint8_t *hash) { return 0; } -static int ecdsa_init_str(mbedtls_ecdsa_context *ctx, const char *key_d, const char *key_x, const char *key_y) { +static int ecdsa_init_str(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveid, const char *key_d, const char *key_x, const char *key_y) { if (!ctx) return 1; int res; mbedtls_ecdsa_init(ctx); - res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 + res = mbedtls_ecp_group_load(&ctx->grp, curveid); if (res) return res; @@ -147,25 +147,26 @@ static int ecdsa_init_str(mbedtls_ecdsa_context *ctx, const char *key_d, const c return 0; } -static int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t *key_d, uint8_t *key_xy) { +static int ecdsa_init(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveid, uint8_t *key_d, uint8_t *key_xy) { if (!ctx) return 1; int res; mbedtls_ecdsa_init(ctx); - res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 + res = mbedtls_ecp_group_load(&ctx->grp, curveid); if (res) return res; + size_t keylen = (ctx->grp.nbits + 7 ) / 8; if (key_d) { - res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32); + res = mbedtls_mpi_read_binary(&ctx->d, key_d, keylen); if (res) return res; } if (key_xy) { - res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1); + res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, keylen * 2 + 1); if (res) return res; } @@ -173,10 +174,10 @@ static int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t *key_d, uint8_t *key_x return 0; } -int ecdsa_key_create(uint8_t *key_d, uint8_t *key_xy) { +int ecdsa_key_create(mbedtls_ecp_group_id curveid, uint8_t *key_d, uint8_t *key_xy) { int res; mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, NULL, NULL); + ecdsa_init(&ctx, curveid, NULL, NULL); mbedtls_entropy_context entropy; @@ -190,25 +191,26 @@ int ecdsa_key_create(uint8_t *key_d, uint8_t *key_xy) { if (res) goto exit; - res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg); + res = mbedtls_ecdsa_genkey(&ctx, curveid, mbedtls_ctr_drbg_random, &ctr_drbg); if (res) goto exit; - res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32); + size_t keylen = (ctx.grp.nbits + 7) / 8; + res = mbedtls_mpi_write_binary(&ctx.d, key_d, keylen); if (res) goto exit; - size_t keylen = 0; + size_t public_keylen = 0; uint8_t public_key[200] = {0}; - res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key)); + res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &public_keylen, public_key, sizeof(public_key)); if (res) goto exit; - if (keylen != 65) { // 0x04 + if (public_keylen != 1 + 2 * keylen) { // 0x04 res = 1; goto exit; } - memcpy(key_xy, public_key, 65); + memcpy(key_xy, public_key, public_keylen); exit: mbedtls_entropy_free(&entropy); @@ -224,32 +226,36 @@ char *ecdsa_get_error(int ret) { return retstr; } -int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen) { +int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveid, uint8_t *key, size_t keylen) { int res = 0; size_t realkeylen = 0; - if (keylen < 65) - return 1; mbedtls_ecdsa_context ctx; mbedtls_ecdsa_init(&ctx); - res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 + res = mbedtls_ecp_group_load(&ctx.grp, curveid); if (res) goto exit; + size_t private_keylen = (ctx.grp.nbits + 7) / 8; + if (keylen < 1 + 2 * private_keylen) { + res = 1; + goto exit; + } + res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk)); if (res) goto exit; res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen); - if (realkeylen != 65) + if (realkeylen != 1 + 2 * private_keylen) res = 2; exit: mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { +int ecdsa_signature_create(mbedtls_ecp_group_id curveid, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash) { int res; *signaturelen = 0; @@ -270,8 +276,18 @@ int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int goto exit; mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, key_d, key_xy); - res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg); + ecdsa_init(&ctx, curveid, key_d, key_xy); + res = mbedtls_ecdsa_write_signature( + &ctx, + MBEDTLS_MD_SHA256, + hash ? shahash : input, + hash ? sizeof(shahash) : length, + signature, + signaturelen, + mbedtls_ctr_drbg_random, + &ctr_drbg + ); + exit: mbedtls_ctr_drbg_free(&ctr_drbg); @@ -279,7 +295,7 @@ exit: return res; } -static int ecdsa_signature_create_test(const char *key_d, const char *key_x, const char *key_y, const char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { +static int ecdsa_signature_create_test(mbedtls_ecp_group_id curveid, const char *key_d, const char *key_x, const char *key_y, const char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) { int res; *signaturelen = 0; @@ -292,14 +308,14 @@ static int ecdsa_signature_create_test(const char *key_d, const char *key_x, con param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen); mbedtls_ecdsa_context ctx; - ecdsa_init_str(&ctx, key_d, key_x, key_y); + ecdsa_init_str(&ctx, curveid, key_d, key_x, key_y); res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL); mbedtls_ecdsa_free(&ctx); return res; } -static int ecdsa_signature_verify_keystr(const char *key_x, const char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) { +static int ecdsa_signature_verify_keystr(mbedtls_ecp_group_id curveid, const char *key_x, const char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) { int res; uint8_t shahash[32] = {0}; res = sha256hash(input, length, shahash); @@ -307,28 +323,69 @@ static int ecdsa_signature_verify_keystr(const char *key_x, const char *key_y, u return res; mbedtls_ecdsa_context ctx; - ecdsa_init_str(&ctx, NULL, key_x, key_y); - res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); + ecdsa_init_str(&ctx, curveid, NULL, key_x, key_y); + res = mbedtls_ecdsa_read_signature( + &ctx, + hash ? shahash : input, + hash ? sizeof(shahash) : length, + signature, + signaturelen + ); mbedtls_ecdsa_free(&ctx); return res; } -int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) { +int ecdsa_signature_verify(mbedtls_ecp_group_id curveid, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) { int res; uint8_t shahash[32] = {0}; + if (hash) { res = sha256hash(input, length, shahash); if (res) return res; + } mbedtls_ecdsa_context ctx; - ecdsa_init(&ctx, NULL, key_xy); - res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); + res = ecdsa_init(&ctx, curveid, NULL, key_xy); + res = mbedtls_ecdsa_read_signature( + &ctx, + hash ? shahash : input, + hash ? sizeof(shahash) : length, + signature, + signaturelen + ); mbedtls_ecdsa_free(&ctx); return res; } + +int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveid, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash) { + int res; + uint8_t signature[MBEDTLS_ECDSA_MAX_LEN]; + size_t signature_len; + + // convert r & s to ASN.1 signature + mbedtls_mpi r, s; + mbedtls_mpi_init(&r); + mbedtls_mpi_init(&s); + mbedtls_mpi_read_binary(&r, r_s, r_s_len/2); + mbedtls_mpi_read_binary(&s, r_s + r_s_len/2, r_s_len/2); + + res = ecdsa_signature_to_asn1(&r, &s, signature, &signature_len); + if (res < 0) { + return res; + } + + res = ecdsa_signature_verify(curveid, key_xy, input, length, signature, signature_len, hash); + + mbedtls_mpi_free(&r); + mbedtls_mpi_free(&s); + + return res; +} + + #define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96" #define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19" #define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09" @@ -339,6 +396,7 @@ int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t int ecdsa_nist_test(bool verbose) { int res; uint8_t input[] = "Example of ECDSA with P-256"; + mbedtls_ecp_group_id curveid = MBEDTLS_ECP_DP_SECP256R1; int length = strlen((char *)input); uint8_t signature[300] = {0}; size_t siglen = 0; @@ -347,7 +405,7 @@ int ecdsa_nist_test(bool verbose) { if (verbose) printf(" ECDSA NIST test: "); // make signature - res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen); + res = ecdsa_signature_create_test(curveid, T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen); // printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen)); if (res) goto exit; @@ -371,13 +429,13 @@ int ecdsa_nist_test(bool verbose) { } // verify signature - res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); + res = ecdsa_signature_verify_keystr(curveid, T_Q_X, T_Q_Y, input, length, signature, siglen, true); if (res) goto exit; // verify wrong signature input[0] ^= 0xFF; - res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); + res = ecdsa_signature_verify_keystr(curveid, T_Q_X, T_Q_Y, input, length, signature, siglen, true); if (!res) { res = 1; goto exit; @@ -394,20 +452,20 @@ int ecdsa_nist_test(bool verbose) { memset(signature, 0x00, sizeof(signature)); siglen = 0; - res = ecdsa_key_create(key_d, key_xy); + res = ecdsa_key_create(curveid, key_d, key_xy); if (res) goto exit; - res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen); + res = ecdsa_signature_create(curveid, key_d, key_xy, input, length, signature, &siglen, true); if (res) goto exit; - res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); + res = ecdsa_signature_verify(curveid, key_xy, input, length, signature, siglen, true); if (res) goto exit; input[0] ^= 0xFF; - res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); + res = ecdsa_signature_verify(curveid, key_xy, input, length, signature, siglen, true); if (!res) goto exit; diff --git a/client/crypto/libpcrypto.h b/client/crypto/libpcrypto.h index 38d37b66a..90c389636 100644 --- a/client/crypto/libpcrypto.h +++ b/client/crypto/libpcrypto.h @@ -24,10 +24,12 @@ int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int lengt int sha256hash(uint8_t *input, int length, uint8_t *hash); int sha512hash(uint8_t *input, int length, uint8_t *hash); -int ecdsa_key_create(uint8_t *key_d, uint8_t *key_xy); -int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen); -int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen); -int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen); +int ecdsa_key_create(mbedtls_ecp_group_id curveid, uint8_t * key_d, uint8_t *key_xy); +int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveid, uint8_t *key, size_t keylen); +int ecdsa_signature_create(mbedtls_ecp_group_id curveid, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash); +int ecdsa_signature_verify(mbedtls_ecp_group_id curveid, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash); +int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveid, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash); + char *ecdsa_get_error(int ret); int ecdsa_nist_test(bool verbose); diff --git a/client/fido/fidocore.c b/client/fido/fidocore.c index c356c3456..ecfefaa79 100644 --- a/client/fido/fidocore.c +++ b/client/fido/fidocore.c @@ -262,7 +262,7 @@ int FIDOCheckDERAndGetKey(uint8_t *der, size_t derLen, bool verbose, uint8_t *pu } // get public key - res = ecdsa_public_key_from_pk(&cert.pk, publicKey, publicKeyMaxLen); + res = ecdsa_public_key_from_pk(&cert.pk, MBEDTLS_ECP_DP_SECP256R1, publicKey, publicKeyMaxLen); if (res) { PrintAndLogEx(ERR, "ERROR: getting public key from certificate 0x%x - %s", (res < 0) ? -res : res, ecdsa_get_error(res)); } else { @@ -381,10 +381,10 @@ static int FIDO2CheckSignature(json_t *root, uint8_t *publickey, uint8_t *sign, clientDataHash, 32, // Hash of the serialized client data. "$.ClientDataHash" from json NULL, 0); //PrintAndLogEx(NORMAL, "--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); - res = ecdsa_signature_verify(publickey, xbuf, xbuflen, sign, signLen); + res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, publickey, xbuf, xbuflen, sign, signLen, true); if (res) { - if (res == -0x4e00) { - PrintAndLogEx(WARNING, "Signature is NOT VALID."); + if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) { + PrintAndLogEx(WARNING, "Signature is " _RED_("NOT VALID") ); } else { PrintAndLogEx(WARNING, "Other signature check error: %x %s", (res < 0) ? -res : res, ecdsa_get_error(res)); } diff --git a/common/mbedtls/check_config.h b/common/mbedtls/check_config.h index a4fa7bdde..b395844d5 100644 --- a/common/mbedtls/check_config.h +++ b/common/mbedtls/check_config.h @@ -115,6 +115,7 @@ #endif #if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ + !defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ diff --git a/common/mbedtls/config.h b/common/mbedtls/config.h index 9f4b19c5e..707c493d7 100644 --- a/common/mbedtls/config.h +++ b/common/mbedtls/config.h @@ -645,6 +645,7 @@ * * Comment macros to disable the curve and functions for it */ +#define MBEDTLS_ECP_DP_SECP128R1_ENABLED #define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/common/mbedtls/ecdsa.c b/common/mbedtls/ecdsa.c index 2fac6d875..388466162 100644 --- a/common/mbedtls/ecdsa.c +++ b/common/mbedtls/ecdsa.c @@ -286,7 +286,7 @@ cleanup: /* * Convert a signature (given by context) to ASN.1 */ -static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s, +int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen) { int ret; unsigned char buf[MBEDTLS_ECDSA_MAX_LEN]; diff --git a/common/mbedtls/ecdsa.h b/common/mbedtls/ecdsa.h index 0371e8c36..b3bf1b110 100644 --- a/common/mbedtls/ecdsa.h +++ b/common/mbedtls/ecdsa.h @@ -334,6 +334,8 @@ void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx); */ void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx); +int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen ); + #ifdef __cplusplus } #endif diff --git a/common/mbedtls/ecp.c b/common/mbedtls/ecp.c index 896801dd7..3a2b48804 100644 --- a/common/mbedtls/ecp.c +++ b/common/mbedtls/ecp.c @@ -84,7 +84,8 @@ static unsigned long add_count, dbl_count, mul_count; #endif -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) || \ + defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ @@ -157,6 +158,9 @@ static const mbedtls_ecp_curve_info ecp_supported_curves[] = { #endif #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" }, +#endif +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) + { MBEDTLS_ECP_DP_SECP128R1, 0xFE00, 128, "secp128r1" }, #endif { MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, }; diff --git a/common/mbedtls/ecp.h b/common/mbedtls/ecp.h index f7ca89493..4c2592a9e 100644 --- a/common/mbedtls/ecp.h +++ b/common/mbedtls/ecp.h @@ -81,6 +81,7 @@ typedef enum { MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */ + MBEDTLS_ECP_DP_SECP128R1, /*!< Domain parameters for the 128-bit curve used for NXP originality check. */ } mbedtls_ecp_group_id; /** diff --git a/common/mbedtls/ecp_curves.c b/common/mbedtls/ecp_curves.c index 2fd9a2daf..dcb79aeba 100644 --- a/common/mbedtls/ecp_curves.c +++ b/common/mbedtls/ecp_curves.c @@ -84,6 +84,42 @@ * to be directly usable in MPIs */ +/* + * Domain parameters for secp128r1 + */ +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) +static const mbedtls_mpi_uint secp128r1_p[] = { + // 2^128 - 2^97 - 1 // TODO + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ), +}; +static const mbedtls_mpi_uint secp128r1_a[] = { + // FFFFFFFDFFFFFFFF FFFFFFFFFFFFFFFC + BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ), + BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ), +}; +static const mbedtls_mpi_uint secp128r1_b[] = { + // E87579C11079F43D D824993C2CEE5ED3 + BYTES_TO_T_UINT_8( 0xD3, 0x5E, 0xEE, 0x2C, 0x3C, 0x99, 0x24, 0xD8 ), + BYTES_TO_T_UINT_8( 0x3D, 0xF4, 0x79, 0x10, 0xC1, 0x79, 0x75, 0xE8 ), +}; +static const mbedtls_mpi_uint secp128r1_gx[] = { + // 161FF7528B899B2D 0C28607CA52C5B86 + BYTES_TO_T_UINT_8( 0x86, 0x5B, 0x2C, 0xA5, 0x7C, 0x60, 0x28, 0x0C ), + BYTES_TO_T_UINT_8( 0x2D, 0x9B, 0x89, 0x8B, 0x52, 0xF7, 0x1F, 0x16 ), +}; +static const mbedtls_mpi_uint secp128r1_gy[] = { + // CF5AC8395BAFEB13 C02DA292DDED7A83 + BYTES_TO_T_UINT_8( 0x83, 0x7A, 0xED, 0xDD, 0x92, 0xA2, 0x2D, 0xC0 ), + BYTES_TO_T_UINT_8( 0x13, 0xEB, 0xAF, 0x5B, 0x39, 0xC8, 0x5A, 0xCF ), +}; +static const mbedtls_mpi_uint secp128r1_n[] = { + // FFFFFFFE00000000 75A30D1B9038A115 + BYTES_TO_T_UINT_8( 0x15, 0xA1, 0x38, 0x90, 0x1B, 0x0D, 0xA3, 0x75 ), + BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF ), +}; +#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */ + /* * Domain parameters for secp192r1 */ @@ -747,6 +783,11 @@ int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) { grp->id = id; switch (id) { +#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) + case MBEDTLS_ECP_DP_SECP128R1: + grp->modp = NULL; + return( LOAD_GROUP_A( secp128r1 ) ); +#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) case MBEDTLS_ECP_DP_SECP192R1: NIST_MODP(p192);