[proxmark3-svn] / armsrc / desfire_crypto.c

/*-
 * Copyright (C) 2010, Romain Tartiere.
 * 
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or (at your
 * option) any later version.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 * 
 * $Id$
 */

/*
 * This implementation was written based on information provided by the
 * following documents:
 *
 * NIST Special Publication 800-38B
 * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
 * May 2005
 */
#include "desfire_crypto.h"

static void xor (const uint8_t *ivect, uint8_t *data, const size_t len);
static size_t key_macing_length (desfirekey_t key);

static void xor (const uint8_t *ivect, uint8_t *data, const size_t len) {
    for (size_t i = 0; i < len; i++) {
        data[i] ^= ivect[i];
    }
}

void cmac_generate_subkeys ( desfirekey_t key) {
    int kbs = key_block_size (key);
    const uint8_t R = (kbs == 8) ? 0x1B : 0x87;

    uint8_t l[kbs];
    memset (l, 0, kbs);

    uint8_t ivect[kbs];
    memset (ivect, 0, kbs);

    mifare_cypher_blocks_chained (NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);

    bool xor = false;

    // Used to compute CMAC on complete blocks
    memcpy (key->cmac_sk1, l, kbs);
    xor = l[0] & 0x80;
    lsl (key->cmac_sk1, kbs);
    if (xor)
        key->cmac_sk1[kbs-1] ^= R;

    // Used to compute CMAC on the last block if non-complete
    memcpy (key->cmac_sk2, key->cmac_sk1, kbs);
    xor = key->cmac_sk1[0] & 0x80;
    lsl (key->cmac_sk2, kbs);
    if (xor)
        key->cmac_sk2[kbs-1] ^= R;
}

void cmac (const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) {
    int kbs = key_block_size (key);
    uint8_t *buffer = malloc (padded_data_length (len, kbs));

    memcpy (buffer, data, len);

    if ((!len) || (len % kbs)) {
        buffer[len++] = 0x80;
        while (len % kbs) {
            buffer[len++] = 0x00;
        }
        xor (key->cmac_sk2, buffer + len - kbs, kbs);
    } else {
        xor (key->cmac_sk1, buffer + len - kbs, kbs);
    }

    mifare_cypher_blocks_chained (NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);

    memcpy (cmac, ivect, kbs);
	free(buffer);
}

size_t key_block_size (const desfirekey_t key) {
    size_t block_size = 8;

    switch (key->type) {
		case T_DES:
		case T_3DES:
		case T_3K3DES:
			block_size = 8;
			break;
		case T_AES:
			block_size = 16;
			break;
    }

    return block_size;
}

/*
 * Size of MACing produced with the key.
 */
static size_t key_macing_length (const desfirekey_t key) {
    size_t mac_length = MAC_LENGTH;

    switch (key->type) {
    case T_DES:
    case T_3DES:
        mac_length = MAC_LENGTH;
        break;
    case T_3K3DES:
    case T_AES:
        mac_length = CMAC_LENGTH;
        break;
    }

    return mac_length;
}

/*
 * Size required to store nbytes of data in a buffer of size n*block_size.
 */
size_t padded_data_length (const size_t nbytes, const size_t block_size) {
    if ((!nbytes) || (nbytes % block_size))
        return ((nbytes / block_size) + 1) * block_size;
    else
        return nbytes;
}

/*
 * Buffer size required to MAC nbytes of data
 */
size_t maced_data_length (const desfirekey_t key, const size_t nbytes) {
    return nbytes + key_macing_length (key);
}
/*
 * Buffer size required to encipher nbytes of data and a two bytes CRC.
 */
size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings) {
    size_t crc_length = 0;
    if (!(communication_settings & NO_CRC)) {
        switch (DESFIRE(tag)->authentication_scheme) {
        case AS_LEGACY:
            crc_length = 2;
            break;
        case AS_NEW:
            crc_length = 4;
            break;
        }
    }

    size_t block_size = DESFIRE(tag)->session_key ? key_block_size (DESFIRE(tag)->session_key) : 1;

    return padded_data_length (nbytes + crc_length, block_size);
}

void* mifare_cryto_preprocess_data (desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) {
    uint8_t *res = data;
    uint8_t mac[4];
    size_t edl;
    bool append_mac = true;
    desfirekey_t key = DESFIRE(tag)->session_key;

    if (!key)
        return data;

    switch (communication_settings & MDCM_MASK) {
    case MDCM_PLAIN:
        if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
            break;

        /*
         * When using new authentication methods, PLAIN data transmission from
         * the PICC to the PCD are CMACed, so we have to maintain the
         * cryptographic initialisation vector up-to-date to check data
         * integrity later.
         *
         * The only difference with CMACed data transmission is that the CMAC
         * is not apended to the data send by the PCD to the PICC.
         */

        append_mac = false;

        /* pass through */
    case MDCM_MACED:
        switch (DESFIRE(tag)->authentication_scheme) {
        case AS_LEGACY:
            if (!(communication_settings & MAC_COMMAND))
                break;

            /* pass through */
            edl = padded_data_length (*nbytes - offset, key_block_size (DESFIRE(tag)->session_key)) + offset;

            // Fill in the crypto buffer with data ...
            memcpy (res, data, *nbytes);
            // ... and 0 padding
            memset (res + *nbytes, 0, edl - *nbytes);

            mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);

            memcpy (mac, res + edl - 8, 4);

            // Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
            memcpy (res, data, *nbytes);

            if (!(communication_settings & MAC_COMMAND))
                break;
            // Append MAC
            size_t bla = maced_data_length (DESFIRE(tag)->session_key, *nbytes - offset) + offset;
			bla++;

            memcpy (res + *nbytes, mac, 4);

            *nbytes += 4;
            break;
        case AS_NEW:
            if (!(communication_settings & CMAC_COMMAND))
                break;
            cmac (key, DESFIRE (tag)->ivect, res, *nbytes, DESFIRE (tag)->cmac);

            if (append_mac) {
                size_t len = maced_data_length (key, *nbytes);
				++len;
                memcpy (res, data, *nbytes);
                memcpy (res + *nbytes, DESFIRE (tag)->cmac, CMAC_LENGTH);
                *nbytes += CMAC_LENGTH;
            }
            break;
        }

        break;
    case MDCM_ENCIPHERED:
        /*  |<-------------- data -------------->|
         *  |<--- offset -->|                    |
         *  +---------------+--------------------+-----+---------+
         *  | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING |
         *  +---------------+--------------------+-----+---------+ ----------------
         *  |               |<~~~~v~~~~~~~~~~~~~>|  ^  |         |   (DES / 3DES)
         *  |               |     `---- crc16() ----'  |         |
         *  |               |                    |  ^  |         | ----- *or* -----
         *  |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>|  ^  |         |  (3K3DES / AES)
         *                  |     `---- crc32() ----'  |         |
         *                  |                                    | ---- *then* ----
         *                  |<---------------------------------->|
         *                            encypher()/decypher()
         */

            if (!(communication_settings & ENC_COMMAND))
                break;
            edl = enciphered_data_length (tag, *nbytes - offset, communication_settings) + offset;

            // Fill in the crypto buffer with data ...
            memcpy (res, data, *nbytes);
            if (!(communication_settings & NO_CRC)) {
                // ... CRC ...
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    AppendCrc14443a(res + offset, *nbytes - offset);
                    *nbytes += 2;
                    break;
                case AS_NEW:
                    crc32_append (res, *nbytes);
                    *nbytes += 4;
                    break;
                }
            }
            // ... and padding
            memset (res + *nbytes, 0, edl - *nbytes);

            *nbytes = edl;

            mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
        break;
    default:

        *nbytes = -1;
        res = NULL;
        break;
    }

    return res;

}

void* mifare_cryto_postprocess_data (desfiretag_t tag, void *data, size_t *nbytes, int communication_settings)
{
    void *res = data;
    size_t edl;
    void *edata = NULL;
    uint8_t first_cmac_byte = 0x00;

    desfirekey_t key = DESFIRE(tag)->session_key;

    if (!key)
        return data;

    // Return directly if we just have a status code.
    if (1 == *nbytes)
        return res;

    switch (communication_settings & MDCM_MASK) {
    case MDCM_PLAIN:

        if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
            break;

        /* pass through */
    case MDCM_MACED:
        switch (DESFIRE (tag)->authentication_scheme) {
        case AS_LEGACY:
            if (communication_settings & MAC_VERIFY) {
                *nbytes -= key_macing_length (key);
                if (*nbytes <= 0) {
                    *nbytes = -1;
                    res = NULL;
#ifdef WITH_DEBUG
                    Dbprintf ("No room for MAC!");
#endif
                    break;
                }

                edl = enciphered_data_length (tag, *nbytes - 1, communication_settings);
                edata = malloc (edl);

                memcpy (edata, data, *nbytes - 1);
                memset ((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1);

                mifare_cypher_blocks_chained (tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);

                if (0 != memcmp ((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
#ifdef WITH_DEBUG
                    Dbprintf ("MACing not verified");
                    hexdump ((uint8_t *)data + *nbytes - 1, key_macing_length (key), "Expect ", 0);
                    hexdump ((uint8_t *)edata + edl - 8, key_macing_length (key), "Actual ", 0);
#endif
                    DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
                    *nbytes = -1;
                    res = NULL;
                }
            }
            break;
        case AS_NEW:
            if (!(communication_settings & CMAC_COMMAND))
                break;
            if (communication_settings & CMAC_VERIFY) {
                if (*nbytes < 9) {
                    *nbytes = -1;
                    res = NULL;
                    break;
                }
                first_cmac_byte = ((uint8_t *)data)[*nbytes - 9];
                ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes-1];
            }

            int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
            cmac (key, DESFIRE (tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE (tag)->cmac);

            if (communication_settings & CMAC_VERIFY) {
                ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte;
                if (0 != memcmp (DESFIRE (tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) {
#ifdef WITH_DEBUG
                    Dbprintf ("CMAC NOT verified :-(");
                    hexdump ((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0);
                    hexdump (DESFIRE (tag)->cmac, 8, "Actual ", 0);
#endif
                    DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
                    *nbytes = -1;
                    res = NULL;
                } else {
                    *nbytes -= 8;
                }
            }
            break;
        }

        free (edata);

        break;
    case MDCM_ENCIPHERED:
        (*nbytes)--;
        bool verified = false;
        int crc_pos = 0x00;
        int end_crc_pos = 0x00;
        uint8_t x;

        /*
         * AS_LEGACY:
         * ,-----------------+-------------------------------+--------+
         * \     BLOCK n-1   |              BLOCK n          | STATUS |
         * /  PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 |
         * `-----------------+-------------------------------+--------+
         *
         *         <------------ DATA ------------>
         * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
         *
         * AS_NEW:
         * ,-------------------------------+-----------------------------------------------+--------+
         * \                 BLOCK n-1     |                  BLOCK n                      | STATUS |
         * /  PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 |
         * `-------------------------------+-----------------------------------------------+--------+
         * <----------------------------------- DATA ------------------------------------->|
         *
         *         <----------------- DATA ---------------->
         * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
         *                                    `------------------'
         */

        mifare_cypher_blocks_chained (tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);

        /*
         * Look for the CRC and ensure it is followed by NULL padding.  We
         * can't start by the end because the CRC is supposed to be 0 when
         * verified, and accumulating 0's in it should not change it.
         */
        switch (DESFIRE (tag)->authentication_scheme) {
        case AS_LEGACY:
            crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
            if (crc_pos < 0) {
                /* Single block */
                crc_pos = 0;
            }
            break;
        case AS_NEW:
            /* Move status between payload and CRC */
            res = DESFIRE (tag)->crypto_buffer;
            memcpy (res, data, *nbytes);

            crc_pos = (*nbytes) - 16 - 3;
            if (crc_pos < 0) {
                /* Single block */
                crc_pos = 0;
            }
            memcpy ((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos);
            ((uint8_t *)res)[crc_pos] = 0x00;
            crc_pos++;
            *nbytes += 1;
            break;
        }

        do {
            uint16_t crc16 =0x00;
            uint32_t crc;
            switch (DESFIRE (tag)->authentication_scheme) {
            case AS_LEGACY:
                end_crc_pos = crc_pos + 2;
                AppendCrc14443a (res, end_crc_pos);
				
				// 
				
				
                crc = crc16;
                break;
            case AS_NEW:
                end_crc_pos = crc_pos + 4;
                crc32 (res, end_crc_pos, (uint8_t *)&crc);
                break;
            }
            if (!crc) {
                verified = true;
                for (int n = end_crc_pos; n < *nbytes - 1; n++) {
                    uint8_t byte = ((uint8_t *)res)[n];
                    if (!( (0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos)) ))
                        verified = false;
                }
            }
            if (verified) {
                *nbytes = crc_pos;
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    ((uint8_t *)data)[(*nbytes)++] = 0x00;
                    break;
                case AS_NEW:
                    /* The status byte was already before the CRC */
                    break;
                }
            } else {
                switch (DESFIRE (tag)->authentication_scheme) {
                case AS_LEGACY:
                    break;
                case AS_NEW:
                    x = ((uint8_t *)res)[crc_pos - 1];
                    ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos];
                    ((uint8_t *)res)[crc_pos] = x;
                    break;
                }
                crc_pos++;
            }
        } while (!verified && (end_crc_pos < *nbytes));

        if (!verified) {
#ifdef WITH_DEBUG
            /* FIXME In some configurations, the file is transmitted PLAIN */
            Dbprintf("CRC not verified in decyphered stream");
#endif
            DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
            *nbytes = -1;
            res = NULL;
        }

        break;
    default:
        Dbprintf("Unknown communication settings");
        *nbytes = -1;
        res = NULL;
        break;

    }
    return res;
}


void mifare_cypher_single_block (desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size)
{
    uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];

    if (direction == MCD_SEND) {
        xor (ivect, data, block_size);
    } else {
        memcpy (ovect, data, block_size);
    }

    uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];

    switch (key->type) {
    case T_DES:
        switch (operation) {
        case MCO_ENCYPHER:
            //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
			des_enc(edata, data, key->data);
            break;
        case MCO_DECYPHER:
            //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
			des_dec(edata, data, key->data);
            break;
        }
        break;
    case T_3DES:
        switch (operation) {
        case MCO_ENCYPHER:			
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
			tdes_enc(edata,data, key->data);
            break;
        case MCO_DECYPHER:
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
			tdes_dec(data, edata, key->data);
            break;
        }
        break;
    case T_3K3DES:
        switch (operation) {
        case MCO_ENCYPHER:
			tdes_enc(edata,data, key->data);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT);
            break;
        case MCO_DECYPHER:
			tdes_dec(data, edata, key->data);        
			// DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks3), DES_DECRYPT);
            // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data,  &(key->ks2), DES_ENCRYPT);
            // DES_ecb_encrypt ((DES_cblock *) data,  (DES_cblock *) edata, &(key->ks1), DES_DECRYPT);
            break;
        }
        break;
    case T_AES:
        switch (operation) 
		{
			case MCO_ENCYPHER:
			{
				AesCtx ctx;
				AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); 
				AesEncrypt(&ctx, data, edata, sizeof(edata) );
				break;
			}
			case MCO_DECYPHER:
			{
				AesCtx ctx;
				AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); 
				AesDecrypt(&ctx, edata, data, sizeof(edata));
				break;
			}
        }
        break;
    }

    memcpy (data, edata, block_size);

    if (direction == MCD_SEND) {
        memcpy (ivect, data, block_size);
    } else {
        xor (ivect, data, block_size);
        memcpy (ivect, ovect, block_size);
    }
}

/*
 * This function performs all CBC cyphering / deciphering.
 *
 * The tag argument may be NULL, in which case both key and ivect shall be set.
 * When using the tag session_key and ivect for processing data, these
 * arguments should be set to NULL.
 *
 * Because the tag may contain additional data, one may need to call this
 * function with tag, key and ivect defined.
 */
void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
    size_t block_size;

    if (tag) {
        if (!key)
            key = DESFIRE (tag)->session_key;
        if (!ivect)
            ivect = DESFIRE (tag)->ivect;

        switch (DESFIRE (tag)->authentication_scheme) {
			case AS_LEGACY:
				memset (ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
				break;
			case AS_NEW:
				break;
        }
    }

    block_size = key_block_size (key);

    size_t offset = 0;
    while (offset < data_size) {
        mifare_cypher_single_block (key, data + offset, ivect, direction, operation, block_size);
        offset += block_size;
    }
}
Commit	Line	Data
f38a1528	1	/*-
	2	* Copyright (C) 2010, Romain Tartiere.
	3	*
	4	* This program is free software: you can redistribute it and/or modify it
	5	* under the terms of the GNU Lesser General Public License as published by the
	6	* Free Software Foundation, either version 3 of the License, or (at your
	7	* option) any later version.
	8	*
	9	* This program is distributed in the hope that it will be useful, but WITHOUT
	10	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	11	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
	12	* more details.
	13	*
	14	* You should have received a copy of the GNU Lesser General Public License
	15	* along with this program. If not, see <http://www.gnu.org/licenses/>
	16	*
	17	* $Id$
	18	*/
	19
	20	/*
	21	* This implementation was written based on information provided by the
	22	* following documents:
	23	*
	24	* NIST Special Publication 800-38B
	25	* Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
	26	* May 2005
	27	*/
	28	#include "desfire_crypto.h"
	29
7838f4be	30	static void xor (const uint8_t ivect, uint8_t data, const size_t len);
7838f4be	31	static size_t key_macing_length (desfirekey_t key);
f38a1528	32
	33	static void xor (const uint8_t ivect, uint8_t data, const size_t len) {
	34	for (size_t i = 0; i < len; i++) {
	35	data[i] ^= ivect[i];
	36	}
	37	}
	38
	39	void cmac_generate_subkeys ( desfirekey_t key) {
	40	int kbs = key_block_size (key);
	41	const uint8_t R = (kbs == 8) ? 0x1B : 0x87;
	42
	43	uint8_t l[kbs];
	44	memset (l, 0, kbs);
	45
	46	uint8_t ivect[kbs];
	47	memset (ivect, 0, kbs);
	48
	49	mifare_cypher_blocks_chained (NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER);
	50
	51	bool xor = false;
	52
	53	// Used to compute CMAC on complete blocks
	54	memcpy (key->cmac_sk1, l, kbs);
	55	xor = l[0] & 0x80;
	56	lsl (key->cmac_sk1, kbs);
	57	if (xor)
	58	key->cmac_sk1[kbs-1] ^= R;
	59
	60	// Used to compute CMAC on the last block if non-complete
	61	memcpy (key->cmac_sk2, key->cmac_sk1, kbs);
	62	xor = key->cmac_sk1[0] & 0x80;
	63	lsl (key->cmac_sk2, kbs);
	64	if (xor)
	65	key->cmac_sk2[kbs-1] ^= R;
	66	}
	67
	68	void cmac (const desfirekey_t key, uint8_t ivect, const uint8_t data, size_t len, uint8_t *cmac) {
	69	int kbs = key_block_size (key);
	70	uint8_t *buffer = malloc (padded_data_length (len, kbs));
	71
	72	memcpy (buffer, data, len);
	73
	74	if ((!len) \|\| (len % kbs)) {
	75	buffer[len++] = 0x80;
	76	while (len % kbs) {
	77	buffer[len++] = 0x00;
	78	}
	79	xor (key->cmac_sk2, buffer + len - kbs, kbs);
	80	} else {
	81	xor (key->cmac_sk1, buffer + len - kbs, kbs);
	82	}
	83
	84	mifare_cypher_blocks_chained (NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER);
	85
	86	memcpy (cmac, ivect, kbs);
4a71da5a	87	free(buffer);
f38a1528	88	}
	89
	90	size_t key_block_size (const desfirekey_t key) {
	91	size_t block_size = 8;
	92
	93	switch (key->type) {
	94	case T_DES:
	95	case T_3DES:
	96	case T_3K3DES:
	97	block_size = 8;
	98	break;
	99	case T_AES:
	100	block_size = 16;
	101	break;
	102	}
	103
	104	return block_size;
	105	}
	106
	107	/*
	108	* Size of MACing produced with the key.
	109	*/
	110	static size_t key_macing_length (const desfirekey_t key) {
	111	size_t mac_length = MAC_LENGTH;
	112
	113	switch (key->type) {
	114	case T_DES:
	115	case T_3DES:
	116	mac_length = MAC_LENGTH;
	117	break;
	118	case T_3K3DES:
	119	case T_AES:
	120	mac_length = CMAC_LENGTH;
	121	break;
	122	}
	123
	124	return mac_length;
	125	}
	126
	127	/*
	128	* Size required to store nbytes of data in a buffer of size n*block_size.
	129	*/
	130	size_t padded_data_length (const size_t nbytes, const size_t block_size) {
	131	if ((!nbytes) \|\| (nbytes % block_size))
	132	return ((nbytes / block_size) + 1) * block_size;
	133	else
	134	return nbytes;
	135	}
	136
	137	/*
	138	* Buffer size required to MAC nbytes of data
	139	*/
	140	size_t maced_data_length (const desfirekey_t key, const size_t nbytes) {
	141	return nbytes + key_macing_length (key);
	142	}
	143	/*
	144	* Buffer size required to encipher nbytes of data and a two bytes CRC.
	145	*/
	146	size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings) {
	147	size_t crc_length = 0;
	148	if (!(communication_settings & NO_CRC)) {
	149	switch (DESFIRE(tag)->authentication_scheme) {
	150	case AS_LEGACY:
	151	crc_length = 2;
152	break;
153	case AS_NEW:
154	crc_length = 4;
155	break;
156	}
157	}
158
159	size_t block_size = DESFIRE(tag)->session_key ? key_block_size (DESFIRE(tag)->session_key) : 1;
160
161	return padded_data_length (nbytes + crc_length, block_size);
162	}
163
60e26e50	164	void* mifare_cryto_preprocess_data (desfiretag_t tag, void data, size_t nbytes, size_t offset, int communication_settings) {
f38a1528	165	uint8_t *res = data;
	166	uint8_t mac[4];
	167	size_t edl;
	168	bool append_mac = true;
	169	desfirekey_t key = DESFIRE(tag)->session_key;
	170
	171	if (!key)
	172	return data;
	173
	174	switch (communication_settings & MDCM_MASK) {
	175	case MDCM_PLAIN:
	176	if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
	177	break;
	178
	179	/*
	180	* When using new authentication methods, PLAIN data transmission from
	181	* the PICC to the PCD are CMACed, so we have to maintain the
	182	* cryptographic initialisation vector up-to-date to check data
	183	* integrity later.
	184	*
	185	* The only difference with CMACed data transmission is that the CMAC
	186	* is not apended to the data send by the PCD to the PICC.
	187	*/
	188
	189	append_mac = false;
	190
	191	/* pass through */
	192	case MDCM_MACED:
	193	switch (DESFIRE(tag)->authentication_scheme) {
	194	case AS_LEGACY:
	195	if (!(communication_settings & MAC_COMMAND))
	196	break;
	197
	198	/* pass through */
	199	edl = padded_data_length (*nbytes - offset, key_block_size (DESFIRE(tag)->session_key)) + offset;
	200
	201	// Fill in the crypto buffer with data ...
	202	memcpy (res, data, *nbytes);
	203	// ... and 0 padding
	204	memset (res + nbytes, 0, edl - nbytes);
	205
	206	mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER);
	207
	208	memcpy (mac, res + edl - 8, 4);
	209
	210	// Copy again provided data (was overwritten by mifare_cypher_blocks_chained)
	211	memcpy (res, data, *nbytes);
	212
	213	if (!(communication_settings & MAC_COMMAND))
	214	break;
	215	// Append MAC
	216	size_t bla = maced_data_length (DESFIRE(tag)->session_key, *nbytes - offset) + offset;
	217	bla++;
	218
	219	memcpy (res + *nbytes, mac, 4);
	220
	221	*nbytes += 4;
	222	break;
	223	case AS_NEW:
	224	if (!(communication_settings & CMAC_COMMAND))
	225	break;
	226	cmac (key, DESFIRE (tag)->ivect, res, *nbytes, DESFIRE (tag)->cmac);
	227
	228	if (append_mac) {
da198be4	229	size_t len = maced_data_length (key, *nbytes);
da198be4	230	++len;
f38a1528	231	memcpy (res, data, *nbytes);
	232	memcpy (res + *nbytes, DESFIRE (tag)->cmac, CMAC_LENGTH);
	233	*nbytes += CMAC_LENGTH;
	234	}
	235	break;
	236	}
	237
	238	break;
	239	case MDCM_ENCIPHERED:
	240	/* \|<-------------- data -------------->\|
	241	* \|<--- offset -->\| \|
	242	* +---------------+--------------------+-----+---------+
	243	* \| CMD + HEADERS \| DATA TO BE SECURED \| CRC \| PADDING \|
	244	* +---------------+--------------------+-----+---------+ ----------------
	245	* \| \|<~~~~v~~~~~~~~~~~~~>\| ^ \| \| (DES / 3DES)
	246	* \| \| `---- crc16() ----' \| \|
	247	* \| \| \| ^ \| \| ----- or -----
	248	* \|<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>\| ^ \| \| (3K3DES / AES)
	249	* \| `---- crc32() ----' \| \|
	250	* \| \| ---- then ----
	251	* \|<---------------------------------->\|
	252	* encypher()/decypher()
	253	*/
	254
	255	if (!(communication_settings & ENC_COMMAND))
	256	break;
	257	edl = enciphered_data_length (tag, *nbytes - offset, communication_settings) + offset;
	258
	259	// Fill in the crypto buffer with data ...
	260	memcpy (res, data, *nbytes);
	261	if (!(communication_settings & NO_CRC)) {
	262	// ... CRC ...
	263	switch (DESFIRE (tag)->authentication_scheme) {
	264	case AS_LEGACY:
	265	AppendCrc14443a(res + offset, *nbytes - offset);
	266	*nbytes += 2;
	267	break;
	268	case AS_NEW:
	269	crc32_append (res, *nbytes);
	270	*nbytes += 4;
	271	break;
	272	}
	273	}
	274	// ... and padding
	275	memset (res + nbytes, 0, edl - nbytes);
	276
	277	*nbytes = edl;
	278
	279	mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER);
	280	break;
	281	default:
	282
	283	*nbytes = -1;
	284	res = NULL;
	285	break;
	286	}
	287
	288	return res;
	289
	290	}
	291
60e26e50	292	void* mifare_cryto_postprocess_data (desfiretag_t tag, void data, size_t nbytes, int communication_settings)
f38a1528	293	{
	294	void *res = data;
	295	size_t edl;
	296	void *edata = NULL;
	297	uint8_t first_cmac_byte = 0x00;
	298
	299	desfirekey_t key = DESFIRE(tag)->session_key;
	300
	301	if (!key)
	302	return data;
	303
	304	// Return directly if we just have a status code.
	305	if (1 == *nbytes)
	306	return res;
	307
	308	switch (communication_settings & MDCM_MASK) {
	309	case MDCM_PLAIN:
	310
	311	if (AS_LEGACY == DESFIRE(tag)->authentication_scheme)
	312	break;
	313
	314	/* pass through */
	315	case MDCM_MACED:
	316	switch (DESFIRE (tag)->authentication_scheme) {
	317	case AS_LEGACY:
	318	if (communication_settings & MAC_VERIFY) {
	319	*nbytes -= key_macing_length (key);
	320	if (*nbytes <= 0) {
	321	*nbytes = -1;
	322	res = NULL;
	323	#ifdef WITH_DEBUG
8d0a3e87	324	Dbprintf ("No room for MAC!");
f38a1528	325	#endif
	326	break;
	327	}
	328
	329	edl = enciphered_data_length (tag, *nbytes - 1, communication_settings);
	330	edata = malloc (edl);
	331
	332	memcpy (edata, data, *nbytes - 1);
	333	memset ((uint8_t )edata + nbytes - 1, 0, edl - *nbytes + 1);
	334
	335	mifare_cypher_blocks_chained (tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER);
	336
	337	if (0 != memcmp ((uint8_t )data + nbytes - 1, (uint8_t *)edata + edl - 8, 4)) {
	338	#ifdef WITH_DEBUG
8d0a3e87	339	Dbprintf ("MACing not verified");
f38a1528	340	hexdump ((uint8_t )data + nbytes - 1, key_macing_length (key), "Expect ", 0);
	341	hexdump ((uint8_t *)edata + edl - 8, key_macing_length (key), "Actual ", 0);
	342	#endif
	343	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
	344	*nbytes = -1;
	345	res = NULL;
	346	}
	347	}
	348	break;
	349	case AS_NEW:
	350	if (!(communication_settings & CMAC_COMMAND))
	351	break;
	352	if (communication_settings & CMAC_VERIFY) {
	353	if (*nbytes < 9) {
	354	*nbytes = -1;
	355	res = NULL;
	356	break;
	357	}
	358	first_cmac_byte = ((uint8_t )data)[nbytes - 9];
	359	((uint8_t )data)[nbytes - 9] = ((uint8_t )data)[nbytes-1];
	360	}
	361
	362	int n = (communication_settings & CMAC_VERIFY) ? 8 : 0;
	363	cmac (key, DESFIRE (tag)->ivect, ((uint8_t )data), nbytes - n, DESFIRE (tag)->cmac);
	364
	365	if (communication_settings & CMAC_VERIFY) {
	366	((uint8_t )data)[nbytes - 9] = first_cmac_byte;
	367	if (0 != memcmp (DESFIRE (tag)->cmac, (uint8_t )data + nbytes - 9, 8)) {
	368	#ifdef WITH_DEBUG
8d0a3e87	369	Dbprintf ("CMAC NOT verified :-(");
f38a1528	370	hexdump ((uint8_t )data + nbytes - 9, 8, "Expect ", 0);
	371	hexdump (DESFIRE (tag)->cmac, 8, "Actual ", 0);
	372	#endif
	373	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
	374	*nbytes = -1;
	375	res = NULL;
	376	} else {
	377	*nbytes -= 8;
	378	}
	379	}
	380	break;
	381	}
	382
	383	free (edata);
	384
	385	break;
	386	case MDCM_ENCIPHERED:
	387	(*nbytes)--;
	388	bool verified = false;
	389	int crc_pos = 0x00;
	390	int end_crc_pos = 0x00;
	391	uint8_t x;
	392
	393	/*
	394	* AS_LEGACY:
	395	* ,-----------------+-------------------------------+--------+
	396	* \ BLOCK n-1 \| BLOCK n \| STATUS \|
	397	* / PAYLOAD \| CRC0 \| CRC1 \| 0x80? \| 0x000000000000 \| 0x9100 \|
	398	* `-----------------+-------------------------------+--------+
	399	*
	400	* <------------ DATA ------------>
	401	* FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING
	402	*
	403	* AS_NEW:
	404	* ,-------------------------------+-----------------------------------------------+--------+
	405	* \ BLOCK n-1 \| BLOCK n \| STATUS \|
	406	* / PAYLOAD \| CRC0 \| CRC1 \| CRC2 \| CRC3 \| 0x80? \| 0x0000000000000000000000000000 \| 0x9100 \|
	407	* `-------------------------------+-----------------------------------------------+--------+
	408	* <----------------------------------- DATA ------------------------------------->\|
	409	*
	410	* <----------------- DATA ---------------->
	411	* FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS
	412	* `------------------'
	413	*/
	414
	415	mifare_cypher_blocks_chained (tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER);
	416
	417	/*
	418	* Look for the CRC and ensure it is followed by NULL padding. We
	419	* can't start by the end because the CRC is supposed to be 0 when
	420	* verified, and accumulating 0's in it should not change it.
	421	*/
	422	switch (DESFIRE (tag)->authentication_scheme) {
	423	case AS_LEGACY:
	424	crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks
	425	if (crc_pos < 0) {
	426	/* Single block */
	427	crc_pos = 0;
	428	}
	429	break;
	430	case AS_NEW:
	431	/* Move status between payload and CRC */
	432	res = DESFIRE (tag)->crypto_buffer;
	433	memcpy (res, data, *nbytes);
434
435	crc_pos = (*nbytes) - 16 - 3;
436	if (crc_pos < 0) {
437	/* Single block */
438	crc_pos = 0;
439	}
440	memcpy ((uint8_t )res + crc_pos + 1, (uint8_t )res + crc_pos, *nbytes - crc_pos);
441	((uint8_t *)res)[crc_pos] = 0x00;
442	crc_pos++;
443	*nbytes += 1;
444	break;
445	}
446
447	do {
448	uint16_t crc16 =0x00;
449	uint32_t crc;
450	switch (DESFIRE (tag)->authentication_scheme) {
451	case AS_LEGACY:
452	end_crc_pos = crc_pos + 2;
453	AppendCrc14443a (res, end_crc_pos);
454
455	//
456
457
458	crc = crc16;
459	break;
460	case AS_NEW:
461	end_crc_pos = crc_pos + 4;
462	crc32 (res, end_crc_pos, (uint8_t *)&crc);
463	break;
464	}
465	if (!crc) {
466	verified = true;
467	for (int n = end_crc_pos; n < *nbytes - 1; n++) {
468	uint8_t byte = ((uint8_t *)res)[n];
469	if (!( (0x00 == byte) \|\| ((0x80 == byte) && (n == end_crc_pos)) ))
470	verified = false;
471	}
472	}
473	if (verified) {
474	*nbytes = crc_pos;
475	switch (DESFIRE (tag)->authentication_scheme) {
476	case AS_LEGACY:
477	((uint8_t )data)[(nbytes)++] = 0x00;
478	break;
479	case AS_NEW:
480	/* The status byte was already before the CRC */
481	break;
482	}
483	} else {
484	switch (DESFIRE (tag)->authentication_scheme) {
485	case AS_LEGACY:
486	break;
487	case AS_NEW:
488	x = ((uint8_t *)res)[crc_pos - 1];
489	((uint8_t )res)[crc_pos - 1] = ((uint8_t )res)[crc_pos];
490	((uint8_t *)res)[crc_pos] = x;
491	break;
492	}
493	crc_pos++;
494	}
495	} while (!verified && (end_crc_pos < *nbytes));
496
497	if (!verified) {
498	#ifdef WITH_DEBUG
499	/* FIXME In some configurations, the file is transmitted PLAIN */
500	Dbprintf("CRC not verified in decyphered stream");
501	#endif
502	DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR;
503	*nbytes = -1;
504	res = NULL;
505	}
506
507	break;
508	default:
509	Dbprintf("Unknown communication settings");
510	*nbytes = -1;
511	res = NULL;
512	break;
513
514	}
515	return res;
516	}
517
518
519	void mifare_cypher_single_block (desfirekey_t key, uint8_t data, uint8_t ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size)
520	{
521	uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE];
522
523	if (direction == MCD_SEND) {
524	xor (ivect, data, block_size);
525	} else {
526	memcpy (ovect, data, block_size);
527	}
528
529	uint8_t edata[MAX_CRYPTO_BLOCK_SIZE];
530
531	switch (key->type) {
532	case T_DES:
533	switch (operation) {
534	case MCO_ENCYPHER:
535	//DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
536	des_enc(edata, data, key->data);
537	break;
538	case MCO_DECYPHER:
539	//DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
540	des_dec(edata, data, key->data);
541	break;
542	}
543	break;
544	case T_3DES:
545	switch (operation) {
546	case MCO_ENCYPHER:
547	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
548	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_DECRYPT);
549	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
550	tdes_enc(edata,data, key->data);
551	break;
552	case MCO_DECYPHER:
553	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
554	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_ENCRYPT);
555	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
556	tdes_dec(data, edata, key->data);
557	break;
558	}
559	break;
560	case T_3K3DES:
561	switch (operation) {
562	case MCO_ENCYPHER:
563	tdes_enc(edata,data, key->data);
564	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_ENCRYPT);
565	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_DECRYPT);
566	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks3), DES_ENCRYPT);
567	break;
568	case MCO_DECYPHER:
569	tdes_dec(data, edata, key->data);
570	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks3), DES_DECRYPT);
571	// DES_ecb_encrypt ((DES_cblock ) edata, (DES_cblock ) data, &(key->ks2), DES_ENCRYPT);
572	// DES_ecb_encrypt ((DES_cblock ) data, (DES_cblock ) edata, &(key->ks1), DES_DECRYPT);
573	break;
574	}
575	break;
576	case T_AES:
577	switch (operation)
578	{
579	case MCO_ENCYPHER:
580	{
581	AesCtx ctx;
582	AesCtxIni(&ctx, ivect, key->data, KEY128,CBC);
aacb96d7	583	AesEncrypt(&ctx, data, edata, sizeof(edata) );
f38a1528	584	break;
	585	}
	586	case MCO_DECYPHER:
	587	{
	588	AesCtx ctx;
	589	AesCtxIni(&ctx, ivect, key->data, KEY128,CBC);
	590	AesDecrypt(&ctx, edata, data, sizeof(edata));
	591	break;
	592	}
	593	}
	594	break;
	595	}
	596
	597	memcpy (data, edata, block_size);
	598
	599	if (direction == MCD_SEND) {
	600	memcpy (ivect, data, block_size);
	601	} else {
	602	xor (ivect, data, block_size);
	603	memcpy (ivect, ovect, block_size);
	604	}
	605	}
	606
	607	/*
	608	* This function performs all CBC cyphering / deciphering.
	609	*
	610	* The tag argument may be NULL, in which case both key and ivect shall be set.
	611	* When using the tag session_key and ivect for processing data, these
	612	* arguments should be set to NULL.
	613	*
	614	* Because the tag may contain additional data, one may need to call this
	615	* function with tag, key and ivect defined.
	616	*/
	617	void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t ivect, uint8_t data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) {
	618	size_t block_size;
	619
	620	if (tag) {
	621	if (!key)
	622	key = DESFIRE (tag)->session_key;
	623	if (!ivect)
	624	ivect = DESFIRE (tag)->ivect;
	625
	626	switch (DESFIRE (tag)->authentication_scheme) {
	627	case AS_LEGACY:
	628	memset (ivect, 0, MAX_CRYPTO_BLOCK_SIZE);
	629	break;
	630	case AS_NEW:
	631	break;
	632	}
	633	}
	634
	635	block_size = key_block_size (key);
	636
	637	size_t offset = 0;
	638	while (offset < data_size) {
	639	mifare_cypher_single_block (key, data + offset, ivect, direction, operation, block_size);
	640	offset += block_size;
	641	}
	642	}