github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-22 06:13:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

add NXP originality check

Browse source 
* add support for elliptic curve 'secp128r1' to mbedtls library
* change ecdsa_signature_verify() to allow different curves, signature lengths, and skipping hash
* add originality check in 'hf mfu info'
* add another public key for Mifare Ultralight EV1
This commit is contained in:
pwpiwi 2019-04-25 07:54:35 +02:00
commit e3176fbcbb
12 changed files with 397 additions and 275 deletions
Download patch file Download diff file Expand all files Collapse all files

8
client/cmdhffido.c
View file

@ -353,9 +353,9 @@ int CmdHFFidoRegister(const char *cmd) {
&buf[1], 65, // user public key &buf[1], 65, // user public key
NULL, 0); NULL, 0);
//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[hashp], len - hashp); res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[hashp], len - hashp, true);
if (res) { if (res) {
if (res == -0x4e00) { if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
PrintAndLog("Signature is NOT VALID."); PrintAndLog("Signature is NOT VALID.");
} else { } else {
PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));
@ -579,9 +579,9 @@ int CmdHFFidoAuthenticate(const char *cmd) {
data, 32, // challenge parameter data, 32, // challenge parameter
NULL, 0); NULL, 0);
//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
res = ecdsa_signature_verify(public_key, xbuf, xbuflen, &buf[5], len - 5); res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, public_key, xbuf, xbuflen, &buf[5], len - 5, true);
if (res) { if (res) {
if (res == -0x4e00) { if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
PrintAndLog("Signature is NOT VALID."); PrintAndLog("Signature is NOT VALID.");
} else { } else {
PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));

78
client/cmdhfmfu.c
View file

@ -22,6 +22,7 @@
#include "util.h" #include "util.h"
#include "protocols.h" #include "protocols.h"
#include "taginfo.h" #include "taginfo.h"
#include "crypto/libpcrypto.h"
#define MAX_UL_BLOCKS 0x0f #define MAX_UL_BLOCKS 0x0f
#define MAX_ULC_BLOCKS 0x2b #define MAX_ULC_BLOCKS 0x2b
@ -45,13 +46,12 @@ uint8_t default_3des_keys[KEYS_3DES_COUNT][16] = {
{ 0x49,0x45,0x4D,0x4B,0x41,0x45,0x52,0x42,0x21,0x4E,0x41,0x43,0x55,0x4F,0x59,0x46 },// NFC-key { 0x49,0x45,0x4D,0x4B,0x41,0x45,0x52,0x42,0x21,0x4E,0x41,0x43,0x55,0x4F,0x59,0x46 },// NFC-key
{ 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },// all ones { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },// all ones
{ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF },// all FF { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF },// all FF
{ 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33 { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF } // 11 22 33
}; };
#define KEYS_PWD_COUNT 6 #define KEYS_PWD_COUNT 6
uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = { uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = {
{0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default {0xFF,0xFF,0xFF,0xFF}, // PACK 0x00,0x00 -- factory default
{0x4A,0xF8,0x4B,0x19}, // PACK 0xE5,0xBE -- italian bus (sniffed) {0x4A,0xF8,0x4B,0x19}, // PACK 0xE5,0xBE -- italian bus (sniffed)
{0x33,0x6B,0xA1,0x19}, // PACK 0x9c,0x2d -- italian bus (sniffed) {0x33,0x6B,0xA1,0x19}, // PACK 0x9c,0x2d -- italian bus (sniffed)
{0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed) {0xFF,0x90,0x6C,0xB2}, // PACK 0x12,0x9e -- italian bus (sniffed)
@ -59,13 +59,20 @@ uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = {
{0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed) {0x35,0x1C,0xD0,0x19}, // PACK 0x9A,0x5a -- italian bus (sniffed)
}; };
// known public keys for the originality check (source: https://github.com/alexbatalov/node-nxp-originality-verifier)
uint8_t public_keys[2][33] = {{0x04,0x49,0x4e,0x1a,0x38,0x6d,0x3d,0x3c,0xfe,0x3d,0xc1,0x0e,0x5d,0xe6,0x8a,0x49,0x9b, // UL and NDEF
0x1c,0x20,0x2d,0xb5,0xb1,0x32,0x39,0x3e,0x89,0xed,0x19,0xfe,0x5b,0xe8,0xbc,0x61},
{0x04,0x90,0x93,0x3b,0xdc,0xd6,0xe9,0x9b,0x4e,0x25,0x5e,0x3d,0xa5,0x53,0x89,0xa8,0x27, // UL EV1
0x56,0x4e,0x11,0x71,0x8e,0x01,0x72,0x92,0xfa,0xf2,0x32,0x26,0xa9,0x66,0x14,0xb8}
};
#define MAX_UL_TYPES 18 #define MAX_UL_TYPES 18
uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203, uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203,
NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL}; NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL};
uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS, uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS,
MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213, MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213,
MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS};
static int CmdHelp(const char *Cmd); static int CmdHelp(const char *Cmd);
@ -78,7 +85,7 @@ char *getProductTypeStr( uint8_t id){
switch(id) { switch(id) {
case 3: sprintf(retStr, "%02X, Ultralight", id); break; case 3: sprintf(retStr, "%02X, Ultralight", id); break;
case 4: sprintf(retStr, "%02X, NTAG", id); break; case 4: sprintf(retStr, "%02X, NTAG", id); break;
default: sprintf(retStr, "%02X, unknown", id); break; default: sprintf(retStr, "%02X, unknown", id); break;
} }
return buf; return buf;
@ -502,14 +509,21 @@ static int ulev1_print_counters(){
return len; return len;
} }
static int ulev1_print_signature( uint8_t *data, uint8_t len){
PrintAndLog("\n--- Tag Signature"); static int ulev1_print_signature(TagTypeUL_t tagtype, uint8_t *uid, uint8_t *signature, size_t signature_len){
uint8_t public_key = 0;
if (tagtype == UL_EV1_48 || tagtype == UL_EV1_128) {
public_key = 1;
}
int res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP128R1, public_keys[public_key], uid, 7, signature, signature_len, false);
bool signature_valid = (res == 0);
PrintAndLog("\n--- Tag Originality Signature");
//PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :( //PrintAndLog("IC signature public key name : NXP NTAG21x 2013"); // don't know if there is other NXP public keys.. :(
PrintAndLog("IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61"); PrintAndLog(" Signature public key : %s", sprint_hex(public_keys[public_key]+1, sizeof(public_keys[public_key])-1));
PrintAndLog(" Elliptic curve parameters : secp128r1"); PrintAndLog(" Elliptic curve parameters : secp128r1");
PrintAndLog(" Tag ECC Signature : %s", sprint_hex(data, len)); PrintAndLog(" Tag ECC Signature : %s", sprint_hex(signature, signature_len));
//to do: verify if signature is valid PrintAndLog(" Originality signature check : signature is %svalid", signature_valid?"":"NOT ");
//PrintAndLog("IC signature status: %s valid", (iseccvalid() )?"":"not");
return 0; return 0;
} }
@ -662,9 +676,9 @@ uint32_t GetHF14AMfU_Type(void){
uint8_t nib = (card.uid[1] & 0xf0) >> 4; uint8_t nib = (card.uid[1] & 0xf0) >> 4;
switch ( nib ){ switch ( nib ){
// case 0: tagtype = SLE66R35E7; break; //or SLE 66R35E7 - mifare compat... should have different sak/atqa for mf 1k // case 0: tagtype = SLE66R35E7; break; //or SLE 66R35E7 - mifare compat... should have different sak/atqa for mf 1k
case 1: tagtype = MY_D; break; //or SLE 66RxxS ... up to 512 pages of 8 user bytes... case 1: tagtype = MY_D; break; //or SLE 66RxxS ... up to 512 pages of 8 user bytes...
case 2: tagtype = (MY_D_NFC); break; //or SLE 66RxxP ... up to 512 pages of 8 user bytes... (or in nfc mode FF pages of 4 bytes) case 2: tagtype = (MY_D_NFC); break; //or SLE 66RxxP ... up to 512 pages of 8 user bytes... (or in nfc mode FF pages of 4 bytes)
case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //or SLE 66R01P // 38 pages of 4 bytes //notice: we can not currently distinguish between these two case 3: tagtype = (MY_D_MOVE | MY_D_MOVE_NFC); break; //or SLE 66R01P // 38 pages of 4 bytes //notice: we can not currently distinguish between these two
case 7: tagtype = MY_D_MOVE_LEAN; break; //or SLE 66R01L // 16 pages of 4 bytes case 7: tagtype = MY_D_MOVE_LEAN; break; //or SLE 66R01L // 16 pages of 4 bytes
} }
} }
@ -678,6 +692,7 @@ int CmdHF14AMfUInfo(const char *Cmd){
uint8_t authlim = 0xff; uint8_t authlim = 0xff;
uint8_t data[16] = {0x00}; uint8_t data[16] = {0x00};
uint8_t uid[7];
iso14a_card_select_t card; iso14a_card_select_t card;
int status; int status;
bool errors = false; bool errors = false;
@ -688,7 +703,7 @@ int CmdHF14AMfUInfo(const char *Cmd){
uint8_t dataLen = 0; uint8_t dataLen = 0;
uint8_t authenticationkey[16] = {0x00}; uint8_t authenticationkey[16] = {0x00};
uint8_t *authkeyptr = authenticationkey; uint8_t *authkeyptr = authenticationkey;
uint8_t *key; uint8_t *key;
uint8_t pack[4] = {0,0,0,0}; uint8_t pack[4] = {0,0,0,0};
int len = 0; int len = 0;
char tempStr[50]; char tempStr[50];
@ -748,6 +763,8 @@ int CmdHF14AMfUInfo(const char *Cmd){
PrintAndLog("Error: tag didn't answer to READ"); PrintAndLog("Error: tag didn't answer to READ");
return status; return status;
} else if (status == 16) { } else if (status == 16) {
memcpy(uid, data, 3);
memcpy(uid+3, data+4, 4);
ul_print_default(data); ul_print_default(data);
ndef_print_CC(data+12); ndef_print_CC(data+12);
} else { } else {
@ -810,7 +827,7 @@ int CmdHF14AMfUInfo(const char *Cmd){
} }
} }
if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) { if ((tagtype & (UL_EV1_48 | UL_EV1_128 | NTAG_213 | NTAG_215 | NTAG_216 | NTAG_I2C_1K | NTAG_I2C_2K ))) {
uint8_t ulev1_signature[32] = {0x00}; uint8_t ulev1_signature[32] = {0x00};
status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature)); status = ulev1_readSignature( ulev1_signature, sizeof(ulev1_signature));
if ( status == -1 ) { if ( status == -1 ) {
@ -818,8 +835,9 @@ int CmdHF14AMfUInfo(const char *Cmd){
DropField(); DropField();
return status; return status;
} }
if (status == 32) ulev1_print_signature( ulev1_signature, sizeof(ulev1_signature)); if (status == 32) {
else { ulev1_print_signature(tagtype, uid, ulev1_signature, sizeof(ulev1_signature));
} else {
// re-select // re-select
if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1;
} }
@ -1219,7 +1237,7 @@ int CmdHF14AMfUDump(const char *Cmd){
uint8_t dataLen = 0; uint8_t dataLen = 0;
uint8_t cmdp = 0; uint8_t cmdp = 0;
uint8_t authenticationkey[16] = {0x00}; uint8_t authenticationkey[16] = {0x00};
uint8_t *authKeyPtr = authenticationkey; uint8_t *authKeyPtr = authenticationkey;
size_t fileNlen = 0; size_t fileNlen = 0;
bool errors = false; bool errors = false;
bool swapEndian = false; bool swapEndian = false;
@ -1820,16 +1838,16 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
//------------------------------------ //------------------------------------
static command_t CommandTable[] = static command_t CommandTable[] =
{ {
{"help", CmdHelp, 1, "This help"}, {"help", CmdHelp, 1, "This help"},
{"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
{"info", CmdHF14AMfUInfo, 0, "Tag information"}, {"info", CmdHF14AMfUInfo, 0, "Tag information"},
{"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"}, {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"},
{"rdbl", CmdHF14AMfURdBl, 0, "Read block"}, {"rdbl", CmdHF14AMfURdBl, 0, "Read block"},
{"wrbl", CmdHF14AMfUWrBl, 0, "Write block"}, {"wrbl", CmdHF14AMfUWrBl, 0, "Write block"},
{"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"}, {"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"},
{"setpwd", CmdHF14AMfucSetPwd, 1, "Set 3des password - Ultralight-C"}, {"setpwd", CmdHF14AMfucSetPwd, 0, "Set 3des password - Ultralight-C"},
{"setuid", CmdHF14AMfucSetUid, 1, "Set UID - MAGIC tags only"}, {"setuid", CmdHF14AMfucSetUid, 0, "Set UID - MAGIC tags only"},
{"gen", CmdHF14AMfuGenDiverseKeys , 1, "Generate 3des mifare diversified keys"}, {"gen", CmdHF14AMfuGenDiverseKeys , 1, "Generate 3des mifare diversified keys"},
{NULL, NULL, 0, NULL} {NULL, NULL, 0, NULL}
}; };

167
client/crypto/libpcrypto.c
View file

@ -26,6 +26,7 @@
#include <crypto/asn1utils.h> #include <crypto/asn1utils.h>
#include <util.h> #include <util.h>
// NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001. // NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){ int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
uint8_t iiv[16] = {0}; uint8_t iiv[16] = {0};
@ -43,6 +44,7 @@ int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int l
return 0; return 0;
} }
int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){ int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
uint8_t iiv[16] = {0}; uint8_t iiv[16] = {0};
if (iv) if (iv)
@ -59,6 +61,7 @@ int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int l
return 0; return 0;
} }
// NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication. // NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) { int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
@ -68,6 +71,7 @@ int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length
return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac); return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac);
} }
int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) { int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
uint8_t cmac[16] = {0}; uint8_t cmac[16] = {0};
memset(mac, 0x00, 8); memset(mac, 0x00, 8);
@ -82,7 +86,9 @@ int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int lengt
return 0; return 0;
} }
static uint8_t fixed_rand_value[250] = {0}; static uint8_t fixed_rand_value[250] = {0};
static int fixed_rand(void *rng_state, unsigned char *output, size_t len) { static int fixed_rand(void *rng_state, unsigned char *output, size_t len) {
if (len <= 250) { if (len <= 250) {
memcpy(output, fixed_rand_value, len); memcpy(output, fixed_rand_value, len);
@ -93,6 +99,7 @@ static int fixed_rand(void *rng_state, unsigned char *output, size_t len) {
return 0; return 0;
} }
int sha256hash(uint8_t *input, int length, uint8_t *hash) { int sha256hash(uint8_t *input, int length, uint8_t *hash) {
if (!hash || !input) if (!hash || !input)
return 1; return 1;
@ -107,6 +114,7 @@ int sha256hash(uint8_t *input, int length, uint8_t *hash) {
return 0; return 0;
} }
int sha512hash(uint8_t *input, int length, uint8_t *hash) { int sha512hash(uint8_t *input, int length, uint8_t *hash) {
if (!hash || !input) if (!hash || !input)
return 1; return 1;
@ -121,14 +129,15 @@ int sha512hash(uint8_t *input, int length, uint8_t *hash) {
return 0; return 0;
} }
int ecdsa_init_str(mbedtls_ecdsa_context *ctx, char * key_d, char *key_x, char *key_y) {
int ecdsa_init_str(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveID, char *key_d, char *key_x, char *key_y) {
if (!ctx) if (!ctx)
return 1; return 1;
int res; int res;
mbedtls_ecdsa_init(ctx); mbedtls_ecdsa_init(ctx);
res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 res = mbedtls_ecp_group_load(&ctx->grp, curveID);
if (res) if (res)
return res; return res;
@ -147,25 +156,27 @@ int ecdsa_init_str(mbedtls_ecdsa_context *ctx, char * key_d, char *key_x, char *
return 0; return 0;
} }
int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t * key_d, uint8_t *key_xy) {
int ecdsa_init(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy) {
if (!ctx) if (!ctx)
return 1; return 1;
int res; int res;
mbedtls_ecdsa_init(ctx); mbedtls_ecdsa_init(ctx);
res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 res = mbedtls_ecp_group_load(&ctx->grp, curveID);
if (res) if (res)
return res; return res;
size_t keylen = (ctx->grp.nbits + 7 ) / 8;
if (key_d) { if (key_d) {
res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32); res = mbedtls_mpi_read_binary(&ctx->d, key_d, keylen);
if (res) if (res)
return res; return res;
} }
if (key_xy) { if (key_xy) {
res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1); res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, keylen * 2 + 1);
if (res) if (res)
return res; return res;
} }
@ -173,50 +184,53 @@ int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t * key_d, uint8_t *key_xy) {
return 0; return 0;
} }
int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy) {
int ecdsa_key_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy) {
int res; int res;
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
ecdsa_init(&ctx, NULL, NULL); ecdsa_init(&ctx, curveID, NULL, NULL);
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "ecdsaproxmark"; const char *pers = "ecdsaproxmark";
mbedtls_entropy_init(&entropy); mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_ctr_drbg_init(&ctr_drbg);
res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
if (res)
goto exit;
res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg);
if (res) if (res)
goto exit; goto exit;
res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32); res = mbedtls_ecdsa_genkey(&ctx, curveID, mbedtls_ctr_drbg_random, &ctr_drbg);
if (res) if (res)
goto exit; goto exit;
size_t keylen = 0; size_t keylen = (ctx.grp.nbits + 7) / 8;
res = mbedtls_mpi_write_binary(&ctx.d, key_d, keylen);
if (res)
goto exit;
size_t public_keylen = 0;
uint8_t public_key[200] = {0}; uint8_t public_key[200] = {0};
res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key)); res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &public_keylen, public_key, sizeof(public_key));
if (res) if (res)
goto exit; goto exit;
if (keylen != 65) { // 0x04 <key x 32b><key y 32b> if (public_keylen != 1 + 2 * keylen) { // 0x04 <key x><key y>
res = 1; res = 1;
goto exit; goto exit;
} }
memcpy(key_xy, public_key, 65); memcpy(key_xy, public_key, public_keylen);
exit: exit:
mbedtls_entropy_free(&entropy); mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
char *ecdsa_get_error(int ret) { char *ecdsa_get_error(int ret) {
static char retstr[300]; static char retstr[300];
memset(retstr, 0x00, sizeof(retstr)); memset(retstr, 0x00, sizeof(retstr));
@ -224,32 +238,38 @@ char *ecdsa_get_error(int ret) {
return retstr; return retstr;
} }
int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen) {
int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveID, uint8_t *key, size_t keylen) {
int res = 0; int res = 0;
size_t realkeylen = 0; size_t realkeylen = 0;
if (keylen < 65)
return 1;
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx); mbedtls_ecdsa_init(&ctx);
res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1 res = mbedtls_ecp_group_load(&ctx.grp, curveID);
if (res) if (res)
goto exit; goto exit;
size_t private_keylen = (ctx.grp.nbits + 7) / 8;
if (keylen < 1 + 2 * private_keylen) {
res = 1;
goto exit;
}
res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) ); res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) );
if (res) if (res)
goto exit; goto exit;
res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen); res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen);
if (realkeylen != 65) if (realkeylen != 1 + 2 * private_keylen)
res = 2; res = 2;
exit: exit:
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
int ecdsa_signature_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash) {
int res; int res;
*signaturelen = 0; *signaturelen = 0;
@ -258,28 +278,29 @@ int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int
if (res) if (res)
return res; return res;
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "ecdsaproxmark"; const char *pers = "ecdsaproxmark";
mbedtls_entropy_init(&entropy); mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_ctr_drbg_init(&ctr_drbg);
res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)); res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
if (res) if (res)
goto exit; goto exit;
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
ecdsa_init(&ctx, key_d, key_xy); ecdsa_init(&ctx, curveID, key_d, key_xy);
res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg); res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg);
exit: exit:
mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
int ecdsa_signature_create_test(char * key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
int ecdsa_signature_create_test(mbedtls_ecp_group_id curveID, char *key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
int res; int res;
*signaturelen = 0; *signaturelen = 0;
@ -292,14 +313,15 @@ int ecdsa_signature_create_test(char * key_d, char *key_x, char *key_y, char *ra
param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen); param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen);
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
ecdsa_init_str(&ctx, key_d, key_x, key_y); ecdsa_init_str(&ctx, curveID, key_d, key_x, key_y);
res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL); res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL);
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
int ecdsa_signature_verify_keystr(char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
int ecdsa_signature_verify_keystr(mbedtls_ecp_group_id curveID, char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) {
int res; int res;
uint8_t shahash[32] = {0}; uint8_t shahash[32] = {0};
res = sha256hash(input, length, shahash); res = sha256hash(input, length, shahash);
@ -307,28 +329,58 @@ int ecdsa_signature_verify_keystr(char *key_x, char *key_y, uint8_t *input, int
return res; return res;
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
ecdsa_init_str(&ctx, NULL, key_x, key_y); ecdsa_init_str(&ctx, curveID, NULL, key_x, key_y);
res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen);
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
int ecdsa_signature_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash) {
int res; int res;
uint8_t shahash[32] = {0}; uint8_t shahash[32] = {0};
res = sha256hash(input, length, shahash); if (hash) {
if (res) res = sha256hash(input, length, shahash);
return res; if (res)
return res;
}
mbedtls_ecdsa_context ctx; mbedtls_ecdsa_context ctx;
ecdsa_init(&ctx, NULL, key_xy); res = ecdsa_init(&ctx, curveID, NULL, key_xy);
res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen); res = mbedtls_ecdsa_read_signature(&ctx, hash?shahash:input, hash?sizeof(shahash):length, signature, signaturelen);
mbedtls_ecdsa_free(&ctx); mbedtls_ecdsa_free(&ctx);
return res; return res;
} }
int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash) {
int res;
uint8_t signature[MBEDTLS_ECDSA_MAX_LEN];
size_t signature_len;
// convert r & s to ASN.1 signature
mbedtls_mpi r, s;
mbedtls_mpi_init(&r);
mbedtls_mpi_init(&s);
mbedtls_mpi_read_binary(&r, r_s, r_s_len/2);
mbedtls_mpi_read_binary(&s, r_s + r_s_len/2, r_s_len/2);
res = ecdsa_signature_to_asn1(&r, &s, signature, &signature_len);
if (res < 0) {
return res;
}
res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, signature_len, hash);
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
return res;
}
#define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96" #define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
#define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19" #define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
#define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09" #define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
@ -339,6 +391,7 @@ int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t
int ecdsa_nist_test(bool verbose) { int ecdsa_nist_test(bool verbose) {
int res; int res;
uint8_t input[] = "Example of ECDSA with P-256"; uint8_t input[] = "Example of ECDSA with P-256";
mbedtls_ecp_group_id curveID = MBEDTLS_ECP_DP_SECP256R1;
int length = strlen((char *)input); int length = strlen((char *)input);
uint8_t signature[300] = {0}; uint8_t signature[300] = {0};
size_t siglen = 0; size_t siglen = 0;
@ -347,7 +400,7 @@ int ecdsa_nist_test(bool verbose) {
if (verbose) if (verbose)
printf(" ECDSA NIST test: "); printf(" ECDSA NIST test: ");
// make signature // make signature
res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen); res = ecdsa_signature_create_test(curveID, T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen);
// printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen)); // printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
if (res) if (res)
goto exit; goto exit;
@ -371,13 +424,13 @@ int ecdsa_nist_test(bool verbose) {
} }
// verify signature // verify signature
res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true);
if (res) if (res)
goto exit; goto exit;
// verify wrong signature // verify wrong signature
input[0] ^= 0xFF; input[0] ^= 0xFF;
res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen); res = ecdsa_signature_verify_keystr(curveID, T_Q_X, T_Q_Y, input, length, signature, siglen, true);
if (!res) { if (!res) {
res = 1; res = 1;
goto exit; goto exit;
@ -394,20 +447,20 @@ int ecdsa_nist_test(bool verbose) {
memset(signature, 0x00, sizeof(signature)); memset(signature, 0x00, sizeof(signature));
siglen = 0; siglen = 0;
res = ecdsa_key_create(key_d, key_xy); res = ecdsa_key_create(curveID, key_d, key_xy);
if (res) if (res)
goto exit; goto exit;
res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen); res = ecdsa_signature_create(curveID, key_d, key_xy, input, length, signature, &siglen, true);
if (res) if (res)
goto exit; goto exit;
res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true);
if (res) if (res)
goto exit; goto exit;
input[0] ^= 0xFF; input[0] ^= 0xFF;
res = ecdsa_signature_verify(key_xy, input, length, signature, siglen); res = ecdsa_signature_verify(curveID, key_xy, input, length, signature, siglen, true);
if (!res) if (!res)
goto exit; goto exit;

9
client/crypto/libpcrypto.h
View file

@ -24,10 +24,11 @@ extern int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, in
extern int sha256hash(uint8_t *input, int length, uint8_t *hash); extern int sha256hash(uint8_t *input, int length, uint8_t *hash);
extern int sha512hash(uint8_t *input, int length, uint8_t *hash); extern int sha512hash(uint8_t *input, int length, uint8_t *hash);
extern int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy); extern int ecdsa_key_create(mbedtls_ecp_group_id curveID, uint8_t * key_d, uint8_t *key_xy);
extern int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen); extern int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, mbedtls_ecp_group_id curveID, uint8_t *key, size_t keylen);
extern int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen); extern int ecdsa_signature_create(mbedtls_ecp_group_id curveID, uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen, bool hash);
extern int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen); extern int ecdsa_signature_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen, bool hash);
extern int ecdsa_signature_r_s_verify(mbedtls_ecp_group_id curveID, uint8_t *key_xy, uint8_t *input, int length, uint8_t *r_s, size_t r_s_len, bool hash);
extern char *ecdsa_get_error(int ret); extern char *ecdsa_get_error(int ret);
extern int ecdsa_nist_test(bool verbose); extern int ecdsa_nist_test(bool verbose);

6
client/fido/fidocore.c
View file

@ -279,7 +279,7 @@ int FIDOCheckDERAndGetKey(uint8_t *der, size_t derLen, bool verbose, uint8_t *pu
} }
// get public key // get public key
res = ecdsa_public_key_from_pk(&cert.pk, publicKey, publicKeyMaxLen); res = ecdsa_public_key_from_pk(&cert.pk, MBEDTLS_ECP_DP_SECP256R1, publicKey, publicKeyMaxLen);
if (res) { if (res) {
PrintAndLog("ERROR: getting public key from certificate 0x%x - %s", (res<0)?-res:res, ecdsa_get_error(res)); PrintAndLog("ERROR: getting public key from certificate 0x%x - %s", (res<0)?-res:res, ecdsa_get_error(res));
} else { } else {
@ -396,9 +396,9 @@ int FIDO2CheckSignature(json_t *root, uint8_t *publickey, uint8_t *sign, size_t
clientDataHash, 32, // Hash of the serialized client data. "$.ClientDataHash" from json clientDataHash, 32, // Hash of the serialized client data. "$.ClientDataHash" from json
NULL, 0); NULL, 0);
//PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen)); //PrintAndLog("--xbuf(%d)[%d]: %s", res, xbuflen, sprint_hex(xbuf, xbuflen));
res = ecdsa_signature_verify(publickey, xbuf, xbuflen, sign, signLen); res = ecdsa_signature_verify(MBEDTLS_ECP_DP_SECP256R1, publickey, xbuf, xbuflen, sign, signLen, true);
if (res) { if (res) {
if (res == -0x4e00) { if (res == MBEDTLS_ERR_ECP_VERIFY_FAILED) {
PrintAndLog("Signature is NOT VALID."); PrintAndLog("Signature is NOT VALID.");
} else { } else {
PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res)); PrintAndLog("Other signature check error: %x %s", (res<0)?-res:res, ecdsa_get_error(res));

1
common/mbedtls/check_config.h
View file

@ -115,6 +115,7 @@
#endif #endif
#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ #if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \
!defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \

1
common/mbedtls/config.h
View file

@ -645,6 +645,7 @@
* *
* Comment macros to disable the curve and functions for it * Comment macros to disable the curve and functions for it
*/ */
#define MBEDTLS_ECP_DP_SECP128R1_ENABLED
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED

2
common/mbedtls/ecdsa.c
View file

@ -291,7 +291,7 @@ cleanup:
/* /*
* Convert a signature (given by context) to ASN.1 * Convert a signature (given by context) to ASN.1
*/ */
static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
unsigned char *sig, size_t *slen ) unsigned char *sig, size_t *slen )
{ {
int ret; int ret;

2
common/mbedtls/ecdsa.h
View file

@ -334,6 +334,8 @@ void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
*/ */
void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen );
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

30
common/mbedtls/ecp.c
View file

@ -84,7 +84,8 @@
static unsigned long add_count, dbl_count, mul_count; static unsigned long add_count, dbl_count, mul_count;
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ #if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
@ -128,39 +129,42 @@ typedef enum
static const mbedtls_ecp_curve_info ecp_supported_curves[] = static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{ {
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" }, { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
{ MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" }, { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" }, { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
{ MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" }, { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" }, { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
{ MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" }, { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
{ MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" }, { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" }, { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
{ MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" }, { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" }, { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
#endif #endif
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
{ MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" }, { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
#endif #endif
{ MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, #if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
{ MBEDTLS_ECP_DP_SECP128R1, 0xFE00, 128, "secp128r1" },
#endif
{ MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
}; };
#define ECP_NB_CURVES sizeof( ecp_supported_curves ) / \ #define ECP_NB_CURVES sizeof( ecp_supported_curves ) / \

1
common/mbedtls/ecp.h
View file

@ -82,6 +82,7 @@ typedef enum
MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */ MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */ MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
MBEDTLS_ECP_DP_SECP128R1, /*!< Domain parameters for the 128-bit curve used for NXP originality check. */
} mbedtls_ecp_group_id; } mbedtls_ecp_group_id;
/** /**

41
common/mbedtls/ecp_curves.c
View file

@ -84,6 +84,42 @@
* to be directly usable in MPIs * to be directly usable in MPIs
*/ */
/*
* Domain parameters for secp128r1
*/
#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
static const mbedtls_mpi_uint secp128r1_p[] = {
// 2^128 - 2^97 - 1 // TODO
BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp128r1_a[] = {
// FFFFFFFDFFFFFFFF FFFFFFFFFFFFFFFC
BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp128r1_b[] = {
// E87579C11079F43D D824993C2CEE5ED3
BYTES_TO_T_UINT_8( 0xD3, 0x5E, 0xEE, 0x2C, 0x3C, 0x99, 0x24, 0xD8 ),
BYTES_TO_T_UINT_8( 0x3D, 0xF4, 0x79, 0x10, 0xC1, 0x79, 0x75, 0xE8 ),
};
static const mbedtls_mpi_uint secp128r1_gx[] = {
// 161FF7528B899B2D 0C28607CA52C5B86
BYTES_TO_T_UINT_8( 0x86, 0x5B, 0x2C, 0xA5, 0x7C, 0x60, 0x28, 0x0C ),
BYTES_TO_T_UINT_8( 0x2D, 0x9B, 0x89, 0x8B, 0x52, 0xF7, 0x1F, 0x16 ),
};
static const mbedtls_mpi_uint secp128r1_gy[] = {
// CF5AC8395BAFEB13 C02DA292DDED7A83
BYTES_TO_T_UINT_8( 0x83, 0x7A, 0xED, 0xDD, 0x92, 0xA2, 0x2D, 0xC0 ),
BYTES_TO_T_UINT_8( 0x13, 0xEB, 0xAF, 0x5B, 0x39, 0xC8, 0x5A, 0xCF ),
};
static const mbedtls_mpi_uint secp128r1_n[] = {
// FFFFFFFE00000000 75A30D1B9038A115
BYTES_TO_T_UINT_8( 0x15, 0xA1, 0x38, 0x90, 0x1B, 0x0D, 0xA3, 0x75 ),
BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */
/* /*
* Domain parameters for secp192r1 * Domain parameters for secp192r1
*/ */
@ -754,6 +790,11 @@ int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
switch( id ) switch( id )
{ {
#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
case MBEDTLS_ECP_DP_SECP128R1:
grp->modp = NULL;
return( LOAD_GROUP_A( secp128r1 ) );
#endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
case MBEDTLS_ECP_DP_SECP192R1: case MBEDTLS_ECP_DP_SECP192R1:
NIST_MODP( p192 ); NIST_MODP( p192 );