[proxmark3-svn] / client / crypto / libpcrypto.c

//-----------------------------------------------------------------------------
// Copyright (C) 2018 Merlok
// Copyright (C) 2018 drHatson
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// crypto commands
//-----------------------------------------------------------------------------

#include "crypto/libpcrypto.h"
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <mbedtls/asn1.h>
#include <mbedtls/aes.h>
#include <mbedtls/cmac.h>
#include <mbedtls/pk.h>
#include <mbedtls/ecdsa.h>
#include <mbedtls/sha256.h>
#include <mbedtls/sha512.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#include <mbedtls/error.h>
#include <crypto/asn1utils.h>
#include <util.h>

// NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
	uint8_t iiv[16] = {0};
	if (iv)
		memcpy(iiv, iv, 16);
	
	mbedtls_aes_context aes;
	mbedtls_aes_init(&aes);
	if (mbedtls_aes_setkey_enc(&aes, key, 128))
		return 1;
	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, length, iiv, input, output))
		return 2;
	mbedtls_aes_free(&aes);

	return 0;
}

int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){
	uint8_t iiv[16] = {0};
	if (iv)
		memcpy(iiv, iv, 16);
	
	mbedtls_aes_context aes;
	mbedtls_aes_init(&aes);
	if (mbedtls_aes_setkey_dec(&aes, key, 128))
		return 1;
	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, length, iiv, input, output))
		return 2;
	mbedtls_aes_free(&aes);

	return 0;
}

// NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
	memset(mac, 0x00, 16);
	
	//  NIST 800-38B 
	return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac);
}

int aes_cmac8(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length) {
	uint8_t cmac[16] = {0};
	memset(mac, 0x00, 8);
	
	int res = aes_cmac(iv, key, input, cmac, length);
	if (res)
		return res;
	
	for(int i = 0; i < 8; i++) 
		mac[i] = cmac[i * 2 + 1];

	return 0;
}

static uint8_t fixed_rand_value[250] = {0};
static int fixed_rand(void *rng_state, unsigned char *output, size_t len) {
	if (len <= 250) {
		memcpy(output, fixed_rand_value, len);
	} else {
		memset(output, 0x00, len);
	}
	
	return 0;
}

int sha256hash(uint8_t *input, int length, uint8_t *hash) {
	if (!hash || !input)
		return 1;
	
	mbedtls_sha256_context sctx;
	mbedtls_sha256_init(&sctx);
	mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224 
	mbedtls_sha256_update(&sctx, input, length);
	mbedtls_sha256_finish(&sctx, hash);	
	mbedtls_sha256_free(&sctx);
	
	return 0;
}

int sha512hash(uint8_t *input, int length, uint8_t *hash) {
	if (!hash || !input)
		return 1;
	
	mbedtls_sha512_context sctx;
	mbedtls_sha512_init(&sctx);
	mbedtls_sha512_starts(&sctx, 0); //SHA-512, not 384
	mbedtls_sha512_update(&sctx, input, length);
	mbedtls_sha512_finish(&sctx, hash);	
	mbedtls_sha512_free(&sctx);
	
	return 0;
}

int ecdsa_init_str(mbedtls_ecdsa_context *ctx, char * key_d, char *key_x, char *key_y) {
	if (!ctx)
		return 1;
	
	int res;

	mbedtls_ecdsa_init(ctx);
	res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	if (res) 
		return res;
	
	if (key_d) {
		res = mbedtls_mpi_read_string(&ctx->d, 16, key_d);
		if (res) 
			return res;
	}
	
	if (key_x && key_y) {
		res = mbedtls_ecp_point_read_string(&ctx->Q, 16, key_x, key_y);
		if (res) 
			return res;
	}
	
	return 0;
}

int ecdsa_init(mbedtls_ecdsa_context *ctx, uint8_t * key_d, uint8_t *key_xy) {
	if (!ctx)
		return 1;
	
	int res;

	mbedtls_ecdsa_init(ctx);
	res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	if (res) 
		return res;
	
	if (key_d) {
		res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32);
		if (res) 
			return res;
	}
	
	if (key_xy) {
		res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1);
		if (res) 
			return res;
	}
	
	return 0;
}

int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy) {
	int res;
	mbedtls_ecdsa_context ctx;
	ecdsa_init(&ctx, NULL, NULL);


    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
	const char *pers = "ecdsaproxmark";

    mbedtls_entropy_init(&entropy);
    mbedtls_ctr_drbg_init(&ctr_drbg);

    res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
	if (res)
        goto exit;

    res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg);
	if (res)
		goto exit;

	res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32);
	if (res)
		goto exit;

	size_t keylen = 0;
	uint8_t public_key[200] = {0};
	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key));
	if (res)
		goto exit;
	
	if (keylen != 65) { // 0x04 <key x 32b><key y 32b>
		res = 1;
		goto exit;
	}
	memcpy(key_xy, public_key, 65);

exit:
    mbedtls_entropy_free(&entropy);
    mbedtls_ctr_drbg_free(&ctr_drbg);
	mbedtls_ecdsa_free(&ctx);
	return res;
}

char *ecdsa_get_error(int ret) {
	static char retstr[300];
	memset(retstr, 0x00, sizeof(retstr));
	mbedtls_strerror(ret, retstr, sizeof(retstr));
	return retstr;
}

int ecdsa_public_key_from_pk(mbedtls_pk_context *pk, uint8_t *key, size_t keylen) {
	int res = 0;
	size_t realkeylen = 0;
	if (keylen < 65) 
		return 1;
	
	mbedtls_ecdsa_context ctx;
	mbedtls_ecdsa_init(&ctx);
	
	res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	if (res)
		goto exit;
	
	res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) );
	if (res)
		goto exit;
	
	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen);
	if (realkeylen != 65)
		res = 2;
exit:
	mbedtls_ecdsa_free(&ctx);
	return res;
}

int ecdsa_signature_create(uint8_t *key_d, uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
	int res;
	*signaturelen = 0;
	
	uint8_t shahash[32] = {0}; 
	res = sha256hash(input, length, shahash);
	if (res)
		return res;

    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
	const char *pers = "ecdsaproxmark";

    mbedtls_entropy_init(&entropy);
    mbedtls_ctr_drbg_init(&ctr_drbg);

    res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
	if (res)
        goto exit;

	mbedtls_ecdsa_context ctx;	
	ecdsa_init(&ctx, key_d, key_xy);
	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg);
	
exit:
    mbedtls_ctr_drbg_free(&ctr_drbg);
	mbedtls_ecdsa_free(&ctx);
	return res;
}

int ecdsa_signature_create_test(char * key_d, char *key_x, char *key_y, char *random, uint8_t *input, int length, uint8_t *signature, size_t *signaturelen) {
	int res;
	*signaturelen = 0;
	
	uint8_t shahash[32] = {0}; 
	res = sha256hash(input, length, shahash);
	if (res)
		return res;

	int rndlen = 0;
	param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen);
	
	mbedtls_ecdsa_context ctx;	
	ecdsa_init_str(&ctx, key_d, key_x, key_y);
	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL);
	
	mbedtls_ecdsa_free(&ctx);
	return res;
}

int ecdsa_signature_verify_keystr(char *key_x, char *key_y, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
	int res;
	uint8_t shahash[32] = {0}; 
	res = sha256hash(input, length, shahash);
	if (res)
		return res;

	mbedtls_ecdsa_context ctx;	
	ecdsa_init_str(&ctx, NULL, key_x, key_y);
	res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
	
	mbedtls_ecdsa_free(&ctx);
	return res;
}

int ecdsa_signature_verify(uint8_t *key_xy, uint8_t *input, int length, uint8_t *signature, size_t signaturelen) {
	int res;
	uint8_t shahash[32] = {0}; 
	res = sha256hash(input, length, shahash);
	if (res)
		return res;

	mbedtls_ecdsa_context ctx;	
	ecdsa_init(&ctx, NULL, key_xy);
	res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
	
	mbedtls_ecdsa_free(&ctx);
	return res;
}

#define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
#define T_Q_X         "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
#define T_Q_Y         "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
#define T_K           "7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE"
#define T_R           "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F"
#define T_S           "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1"

int ecdsa_nist_test(bool verbose) {
	int res;
	uint8_t input[] = "Example of ECDSA with P-256";
	int length = strlen((char *)input);
	uint8_t signature[300] = {0}; 
	size_t siglen = 0; 

	// NIST ecdsa test
	if (verbose)
		printf("  ECDSA NIST test: ");
	// make signature
	res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen);
//	printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
	if (res) 
		goto exit;

	// check vectors
	uint8_t rval[300] = {0}; 
	uint8_t sval[300] = {0}; 
	res = ecdsa_asn1_get_signature(signature, siglen, rval, sval);
	if (res)
		goto exit;
	
	int slen = 0;
	uint8_t rval_s[33] = {0};
	param_gethex_to_eol(T_R, 0, rval_s, sizeof(rval_s), &slen);
	uint8_t sval_s[33] = {0}; 
	param_gethex_to_eol(T_S, 0, sval_s, sizeof(sval_s), &slen);
	if (strncmp((char *)rval, (char *)rval_s, 32) || strncmp((char *)sval, (char *)sval_s, 32)) {
		printf("R or S check error\n");
		res = 100;
		goto exit;
	}
	
	// verify signature
	res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
	if (res) 
		goto exit;
		
	// verify wrong signature
	input[0] ^= 0xFF;
	res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
	if (!res) {
		res = 1;
		goto exit;
	}
	if (verbose)
		printf("passed\n");

	// random ecdsa test
	if (verbose)
		printf("  ECDSA binary signature create/check test: ");

	uint8_t key_d[32] = {0};
	uint8_t key_xy[32 * 2 + 2] = {0};
	memset(signature, 0x00, sizeof(signature));
	siglen = 0;
	
	res = ecdsa_key_create(key_d, key_xy);
	if (res) 
		goto exit;

	res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen);
	if (res) 
		goto exit;

	res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
	if (res) 
		goto exit;

	input[0] ^= 0xFF;
	res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
	if (!res) 
		goto exit;
	
	if (verbose)
		printf("passed\n\n");
	
	return 0;
exit:
	if (verbose)
		printf("failed\n\n");
	return res;
}
Commit	Line	Data
700d8687 OM	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2018 Merlok
	3	// Copyright (C) 2018 drHatson
	4	//
	5	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	6	// at your option, any later version. See the LICENSE.txt file for the text of
	7	// the license.
	8	//-----------------------------------------------------------------------------
	9	// crypto commands
	10	//-----------------------------------------------------------------------------
	11
	12	#include "crypto/libpcrypto.h"
	13	#include <stdlib.h>
	14	#include <unistd.h>
	15	#include <string.h>
	16	#include <mbedtls/asn1.h>
	17	#include <mbedtls/aes.h>
	18	#include <mbedtls/cmac.h>
6b882a39	19	#include <mbedtls/pk.h>
700d8687 OM	20	#include <mbedtls/ecdsa.h>
700d8687 OM	21	#include <mbedtls/sha256.h>
9f596ec7	22	#include <mbedtls/sha512.h>
700d8687 OM	23	#include <mbedtls/ctr_drbg.h>
	24	#include <mbedtls/entropy.h>
	25	#include <mbedtls/error.h>
	26	#include <crypto/asn1utils.h>
	27	#include <util.h>
	28
	29	// NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001.
	30	int aes_encode(uint8_t iv, uint8_t key, uint8_t input, uint8_t output, int length){
	31	uint8_t iiv[16] = {0};
	32	if (iv)
	33	memcpy(iiv, iv, 16);
	34
	35	mbedtls_aes_context aes;
	36	mbedtls_aes_init(&aes);
	37	if (mbedtls_aes_setkey_enc(&aes, key, 128))
	38	return 1;
	39	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, length, iiv, input, output))
	40	return 2;
	41	mbedtls_aes_free(&aes);
	42
	43	return 0;
	44	}
	45
	46	int aes_decode(uint8_t iv, uint8_t key, uint8_t input, uint8_t output, int length){
	47	uint8_t iiv[16] = {0};
	48	if (iv)
	49	memcpy(iiv, iv, 16);
	50
	51	mbedtls_aes_context aes;
	52	mbedtls_aes_init(&aes);
	53	if (mbedtls_aes_setkey_dec(&aes, key, 128))
	54	return 1;
	55	if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, length, iiv, input, output))
	56	return 2;
	57	mbedtls_aes_free(&aes);
	58
	59	return 0;
	60	}
	61
	62	// NIST Special Publication 800-38B — Recommendation for block cipher modes of operation: The CMAC mode for authentication.
	63	// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/AES_CMAC.pdf
	64	int aes_cmac(uint8_t iv, uint8_t key, uint8_t input, uint8_t mac, int length) {
	65	memset(mac, 0x00, 16);
	66
	67	// NIST 800-38B
	68	return mbedtls_aes_cmac_prf_128(key, MBEDTLS_AES_BLOCK_SIZE, input, length, mac);
	69	}
	70
	71	int aes_cmac8(uint8_t iv, uint8_t key, uint8_t input, uint8_t mac, int length) {
	72	uint8_t cmac[16] = {0};
	73	memset(mac, 0x00, 8);
	74
	75	int res = aes_cmac(iv, key, input, cmac, length);
	76	if (res)
	77	return res;
	78
	79	for(int i = 0; i < 8; i++)
	80	mac[i] = cmac[i * 2 + 1];
	81
	82	return 0;
	83	}
	84
	85	static uint8_t fixed_rand_value[250] = {0};
	86	static int fixed_rand(void rng_state, unsigned char output, size_t len) {
87	if (len <= 250) {
88	memcpy(output, fixed_rand_value, len);
89	} else {
90	memset(output, 0x00, len);
91	}
92
93	return 0;
94	}
95
96	int sha256hash(uint8_t input, int length, uint8_t hash) {
97	if (!hash \|\| !input)
98	return 1;
99
100	mbedtls_sha256_context sctx;
101	mbedtls_sha256_init(&sctx);
102	mbedtls_sha256_starts(&sctx, 0); // SHA-256, not 224
103	mbedtls_sha256_update(&sctx, input, length);
104	mbedtls_sha256_finish(&sctx, hash);
105	mbedtls_sha256_free(&sctx);
106
107	return 0;
108	}
109
9f596ec7	110	int sha512hash(uint8_t input, int length, uint8_t hash) {
	111	if (!hash \|\| !input)
	112	return 1;
	113
	114	mbedtls_sha512_context sctx;
	115	mbedtls_sha512_init(&sctx);
	116	mbedtls_sha512_starts(&sctx, 0); //SHA-512, not 384
	117	mbedtls_sha512_update(&sctx, input, length);
	118	mbedtls_sha512_finish(&sctx, hash);
	119	mbedtls_sha512_free(&sctx);
	120
	121	return 0;
	122	}
	123
700d8687 OM	124	int ecdsa_init_str(mbedtls_ecdsa_context ctx, char key_d, char key_x, char key_y) {
	125	if (!ctx)
	126	return 1;
	127
	128	int res;
	129
	130	mbedtls_ecdsa_init(ctx);
	131	res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	132	if (res)
	133	return res;
	134
	135	if (key_d) {
	136	res = mbedtls_mpi_read_string(&ctx->d, 16, key_d);
	137	if (res)
	138	return res;
	139	}
	140
	141	if (key_x && key_y) {
	142	res = mbedtls_ecp_point_read_string(&ctx->Q, 16, key_x, key_y);
	143	if (res)
	144	return res;
	145	}
	146
	147	return 0;
	148	}
	149
	150	int ecdsa_init(mbedtls_ecdsa_context ctx, uint8_t key_d, uint8_t *key_xy) {
	151	if (!ctx)
	152	return 1;
	153
	154	int res;
	155
	156	mbedtls_ecdsa_init(ctx);
	157	res = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	158	if (res)
	159	return res;
	160
	161	if (key_d) {
	162	res = mbedtls_mpi_read_binary(&ctx->d, key_d, 32);
	163	if (res)
	164	return res;
	165	}
	166
	167	if (key_xy) {
	168	res = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, key_xy, 32 * 2 + 1);
	169	if (res)
	170	return res;
	171	}
	172
	173	return 0;
	174	}
	175
	176	int ecdsa_key_create(uint8_t * key_d, uint8_t *key_xy) {
	177	int res;
	178	mbedtls_ecdsa_context ctx;
	179	ecdsa_init(&ctx, NULL, NULL);
	180
	181
	182	mbedtls_entropy_context entropy;
	183	mbedtls_ctr_drbg_context ctr_drbg;
	184	const char *pers = "ecdsaproxmark";
	185
	186	mbedtls_entropy_init(&entropy);
	187	mbedtls_ctr_drbg_init(&ctr_drbg);
188
189	res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
190	if (res)
191	goto exit;
192
193	res = mbedtls_ecdsa_genkey(&ctx, MBEDTLS_ECP_DP_SECP256R1, mbedtls_ctr_drbg_random, &ctr_drbg);
194	if (res)
195	goto exit;
196
197	res = mbedtls_mpi_write_binary(&ctx.d, key_d, 32);
198	if (res)
199	goto exit;
200
201	size_t keylen = 0;
202	uint8_t public_key[200] = {0};
203	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &keylen, public_key, sizeof(public_key));
204	if (res)
205	goto exit;
206
207	if (keylen != 65) { // 0x04 <key x 32b><key y 32b>
208	res = 1;
209	goto exit;
210	}
211	memcpy(key_xy, public_key, 65);
212
213	exit:
214	mbedtls_entropy_free(&entropy);
215	mbedtls_ctr_drbg_free(&ctr_drbg);
216	mbedtls_ecdsa_free(&ctx);
217	return res;
218	}
219
220	char *ecdsa_get_error(int ret) {
221	static char retstr[300];
222	memset(retstr, 0x00, sizeof(retstr));
223	mbedtls_strerror(ret, retstr, sizeof(retstr));
224	return retstr;
225	}
226
6b882a39 OM	227	int ecdsa_public_key_from_pk(mbedtls_pk_context pk, uint8_t key, size_t keylen) {
	228	int res = 0;
	229	size_t realkeylen = 0;
	230	if (keylen < 65)
	231	return 1;
	232
	233	mbedtls_ecdsa_context ctx;
	234	mbedtls_ecdsa_init(&ctx);
	235
	236	res = mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1); // secp256r1
	237	if (res)
	238	goto exit;
	239
	240	res = mbedtls_ecdsa_from_keypair(&ctx, mbedtls_pk_ec(*pk) );
	241	if (res)
	242	goto exit;
	243
	244	res = mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &realkeylen, key, keylen);
	245	if (realkeylen != 65)
	246	res = 2;
	247	exit:
	248	mbedtls_ecdsa_free(&ctx);
	249	return res;
	250	}
	251
700d8687 OM	252	int ecdsa_signature_create(uint8_t key_d, uint8_t key_xy, uint8_t input, int length, uint8_t signature, size_t *signaturelen) {
	253	int res;
	254	*signaturelen = 0;
	255
	256	uint8_t shahash[32] = {0};
	257	res = sha256hash(input, length, shahash);
	258	if (res)
	259	return res;
	260
	261	mbedtls_entropy_context entropy;
	262	mbedtls_ctr_drbg_context ctr_drbg;
	263	const char *pers = "ecdsaproxmark";
	264
	265	mbedtls_entropy_init(&entropy);
	266	mbedtls_ctr_drbg_init(&ctr_drbg);
	267
	268	res = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
	269	if (res)
	270	goto exit;
	271
	272	mbedtls_ecdsa_context ctx;
	273	ecdsa_init(&ctx, key_d, key_xy);
	274	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, mbedtls_ctr_drbg_random, &ctr_drbg);
	275
	276	exit:
	277	mbedtls_ctr_drbg_free(&ctr_drbg);
	278	mbedtls_ecdsa_free(&ctx);
	279	return res;
	280	}
	281
	282	int ecdsa_signature_create_test(char * key_d, char key_x, char key_y, char random, uint8_t input, int length, uint8_t signature, size_t signaturelen) {
	283	int res;
	284	*signaturelen = 0;
	285
	286	uint8_t shahash[32] = {0};
	287	res = sha256hash(input, length, shahash);
	288	if (res)
	289	return res;
	290
	291	int rndlen = 0;
	292	param_gethex_to_eol(random, 0, fixed_rand_value, sizeof(fixed_rand_value), &rndlen);
	293
	294	mbedtls_ecdsa_context ctx;
	295	ecdsa_init_str(&ctx, key_d, key_x, key_y);
	296	res = mbedtls_ecdsa_write_signature(&ctx, MBEDTLS_MD_SHA256, shahash, sizeof(shahash), signature, signaturelen, fixed_rand, NULL);
	297
	298	mbedtls_ecdsa_free(&ctx);
	299	return res;
	300	}
	301
	302	int ecdsa_signature_verify_keystr(char key_x, char key_y, uint8_t input, int length, uint8_t signature, size_t signaturelen) {
	303	int res;
	304	uint8_t shahash[32] = {0};
	305	res = sha256hash(input, length, shahash);
	306	if (res)
	307	return res;
	308
	309	mbedtls_ecdsa_context ctx;
	310	ecdsa_init_str(&ctx, NULL, key_x, key_y);
	311	res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
	312
	313	mbedtls_ecdsa_free(&ctx);
	314	return res;
	315	}
316
317	int ecdsa_signature_verify(uint8_t key_xy, uint8_t input, int length, uint8_t *signature, size_t signaturelen) {
318	int res;
319	uint8_t shahash[32] = {0};
320	res = sha256hash(input, length, shahash);
321	if (res)
322	return res;
323
324	mbedtls_ecdsa_context ctx;
325	ecdsa_init(&ctx, NULL, key_xy);
326	res = mbedtls_ecdsa_read_signature(&ctx, shahash, sizeof(shahash), signature, signaturelen);
327
328	mbedtls_ecdsa_free(&ctx);
329	return res;
330	}
331
332	#define T_PRIVATE_KEY "C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96"
333	#define T_Q_X "B7E08AFDFE94BAD3F1DC8C734798BA1C62B3A0AD1E9EA2A38201CD0889BC7A19"
334	#define T_Q_Y "3603F747959DBF7A4BB226E41928729063ADC7AE43529E61B563BBC606CC5E09"
335	#define T_K "7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE"
336	#define T_R "2B42F576D07F4165FF65D1F3B1500F81E44C316F1F0B3EF57325B69ACA46104F"
337	#define T_S "DC42C2122D6392CD3E3A993A89502A8198C1886FE69D262C4B329BDB6B63FAF1"
338
339	int ecdsa_nist_test(bool verbose) {
340	int res;
341	uint8_t input[] = "Example of ECDSA with P-256";
342	int length = strlen((char *)input);
343	uint8_t signature[300] = {0};
344	size_t siglen = 0;
345
346	// NIST ecdsa test
347	if (verbose)
348	printf(" ECDSA NIST test: ");
349	// make signature
350	res = ecdsa_signature_create_test(T_PRIVATE_KEY, T_Q_X, T_Q_Y, T_K, input, length, signature, &siglen);
351	// printf("res: %x signature[%x]: %s\n", (res<0)?-res:res, siglen, sprint_hex(signature, siglen));
352	if (res)
353	goto exit;
354
355	// check vectors
356	uint8_t rval[300] = {0};
357	uint8_t sval[300] = {0};
358	res = ecdsa_asn1_get_signature(signature, siglen, rval, sval);
359	if (res)
360	goto exit;
361
362	int slen = 0;
363	uint8_t rval_s[33] = {0};
364	param_gethex_to_eol(T_R, 0, rval_s, sizeof(rval_s), &slen);
365	uint8_t sval_s[33] = {0};
366	param_gethex_to_eol(T_S, 0, sval_s, sizeof(sval_s), &slen);
367	if (strncmp((char )rval, (char )rval_s, 32) \|\| strncmp((char )sval, (char )sval_s, 32)) {
368	printf("R or S check error\n");
369	res = 100;
370	goto exit;
371	}
372
373	// verify signature
374	res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
375	if (res)
376	goto exit;
377
378	// verify wrong signature
379	input[0] ^= 0xFF;
380	res = ecdsa_signature_verify_keystr(T_Q_X, T_Q_Y, input, length, signature, siglen);
381	if (!res) {
382	res = 1;
383	goto exit;
384	}
385	if (verbose)
386	printf("passed\n");
387
388	// random ecdsa test
389	if (verbose)
390	printf(" ECDSA binary signature create/check test: ");
391
392	uint8_t key_d[32] = {0};
393	uint8_t key_xy[32 * 2 + 2] = {0};
394	memset(signature, 0x00, sizeof(signature));
395	siglen = 0;
396
397	res = ecdsa_key_create(key_d, key_xy);
398	if (res)
399	goto exit;
400
401	res = ecdsa_signature_create(key_d, key_xy, input, length, signature, &siglen);
402	if (res)
403	goto exit;
404
405	res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
406	if (res)
407	goto exit;
408
409	input[0] ^= 0xFF;
410	res = ecdsa_signature_verify(key_xy, input, length, signature, siglen);
411	if (!res)
412	goto exit;
413
414	if (verbose)
415	printf("passed\n\n");
416
417	return 0;
418	exit:
419	if (verbose)
420	printf("failed\n\n");
421	return res;
422	}