]>
Commit | Line | Data |
---|---|---|
a66fca86 | 1 | /***************************************************************************** |
d60418a0 MHS |
2 | * WARNING |
3 | * | |
4 | * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. | |
5 | * | |
6 | * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL | |
7 | * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, | |
8 | * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. | |
9 | * | |
10 | * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. | |
11 | * | |
12 | ***************************************************************************** | |
13 | * | |
14 | * This file is part of loclass. It is a reconstructon of the cipher engine | |
a66fca86 AD |
15 | * used in iClass, and RFID techology. |
16 | * | |
17 | * The implementation is based on the work performed by | |
18 | * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and | |
19 | * Milosch Meriac in the paper "Dismantling IClass". | |
20 | * | |
21 | * Copyright (C) 2014 Martin Holst Swende | |
22 | * | |
23 | * This is free software: you can redistribute it and/or modify | |
24 | * it under the terms of the GNU General Public License version 2 as published | |
26f202e2 | 25 | * by the Free Software Foundation, or, at your option, any later version. |
a66fca86 AD |
26 | * |
27 | * This file is distributed in the hope that it will be useful, | |
28 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
29 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
30 | * GNU General Public License for more details. | |
31 | * | |
32 | * You should have received a copy of the GNU General Public License | |
d60418a0 MHS |
33 | * along with loclass. If not, see <http://www.gnu.org/licenses/>. |
34 | * | |
35 | * | |
a66fca86 | 36 | ****************************************************************************/ |
d60418a0 | 37 | |
a66fca86 | 38 | /** |
3ad48540 MHS |
39 | |
40 | ||
a66fca86 AD |
41 | From "Dismantling iclass": |
42 | This section describes in detail the built-in key diversification algorithm of iClass. | |
43 | Besides the obvious purpose of deriving a card key from a master key, this | |
44 | algorithm intends to circumvent weaknesses in the cipher by preventing the | |
45 | usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass | |
46 | reader first encrypts the card identity id with the master key K, using single | |
47 | DES. The resulting ciphertext is then input to a function called hash0 which | |
48 | outputs the diversified key k. | |
49 | ||
50 | k = hash0(DES enc (id, K)) | |
51 | ||
52 | Here the DES encryption of id with master key K outputs a cryptogram c | |
53 | of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8 | |
54 | which is used as input to the hash0 function. This function introduces some | |
55 | obfuscation by performing a number of permutations, complement and modulo | |
56 | operations, see Figure 2.5. Besides that, it checks for and removes patterns like | |
57 | similar key bytes, which could produce a strong bias in the cipher. Finally, the | |
58 | output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 . | |
59 | ||
60 | ||
61 | **/ | |
62 | ||
63 | ||
64 | #include <stdint.h> | |
65 | #include <stdbool.h> | |
66 | #include <string.h> | |
a66fca86 | 67 | #include <stdio.h> |
a66fca86 | 68 | #include <inttypes.h> |
3ad48540 MHS |
69 | #include "fileutils.h" |
70 | #include "cipherutils.h" | |
e0991f6a | 71 | #include "mbedtls/des.h" |
a66fca86 AD |
72 | |
73 | uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78}; | |
74 | ||
e0991f6a OM |
75 | static mbedtls_des_context ctx_enc = {0}; |
76 | static mbedtls_des_context ctx_dec = {0}; | |
a66fca86 | 77 | |
3ad48540 | 78 | static int debug_print = 0; |
a66fca86 AD |
79 | |
80 | /** | |
81 | * @brief The key diversification algorithm uses 6-bit bytes. | |
82 | * This implementation uses 64 bit uint to pack seven of them into one | |
83 | * variable. When they are there, they are placed as follows: | |
84 | * XXXX XXXX N0 .... N7, occupying the lsat 48 bits. | |
85 | * | |
86 | * This function picks out one from such a collection | |
87 | * @param all | |
88 | * @param n bitnumber | |
89 | * @return | |
90 | */ | |
91 | uint8_t getSixBitByte(uint64_t c, int n) | |
92 | { | |
93 | return (c >> (42-6*n)) & 0x3F; | |
a66fca86 AD |
94 | } |
95 | ||
96 | /** | |
97 | * @brief Puts back a six-bit 'byte' into a uint64_t. | |
98 | * @param c buffer | |
99 | * @param z the value to place there | |
100 | * @param n bitnumber. | |
101 | */ | |
102 | void pushbackSixBitByte(uint64_t *c, uint8_t z, int n) | |
103 | { | |
104 | //0x XXXX YYYY ZZZZ ZZZZ ZZZZ | |
105 | // ^z0 ^z7 | |
106 | //z0: 1111 1100 0000 0000 | |
107 | ||
108 | uint64_t masked = z & 0x3F; | |
109 | uint64_t eraser = 0x3F; | |
110 | masked <<= 42-6*n; | |
111 | eraser <<= 42-6*n; | |
112 | ||
113 | //masked <<= 6*n; | |
114 | //eraser <<= 6*n; | |
115 | ||
116 | eraser = ~eraser; | |
117 | (*c) &= eraser; | |
118 | (*c) |= masked; | |
119 | ||
120 | } | |
3ad48540 MHS |
121 | /** |
122 | * @brief Swaps the z-values. | |
123 | * If the input value has format XYZ0Z1...Z7, the output will have the format | |
124 | * XYZ7Z6...Z0 instead | |
125 | * @param c | |
126 | * @return | |
127 | */ | |
a66fca86 AD |
128 | uint64_t swapZvalues(uint64_t c) |
129 | { | |
130 | uint64_t newz = 0; | |
131 | pushbackSixBitByte(&newz, getSixBitByte(c,0),7); | |
132 | pushbackSixBitByte(&newz, getSixBitByte(c,1),6); | |
133 | pushbackSixBitByte(&newz, getSixBitByte(c,2),5); | |
134 | pushbackSixBitByte(&newz, getSixBitByte(c,3),4); | |
135 | pushbackSixBitByte(&newz, getSixBitByte(c,4),3); | |
136 | pushbackSixBitByte(&newz, getSixBitByte(c,5),2); | |
137 | pushbackSixBitByte(&newz, getSixBitByte(c,6),1); | |
138 | pushbackSixBitByte(&newz, getSixBitByte(c,7),0); | |
139 | newz |= (c & 0xFFFF000000000000); | |
140 | return newz; | |
141 | } | |
142 | ||
143 | /** | |
144 | * @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3 | |
145 | */ | |
146 | uint64_t ck(int i, int j, uint64_t z) | |
147 | { | |
148 | ||
a66fca86 AD |
149 | if(i == 1 && j == -1) |
150 | { | |
151 | // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] | |
152 | return z; | |
153 | ||
154 | }else if( j == -1) | |
155 | { | |
156 | // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) | |
157 | return ck(i-1,i-2, z); | |
158 | } | |
159 | ||
160 | if(getSixBitByte(z,i) == getSixBitByte(z,j)) | |
161 | { | |
3ad48540 | 162 | |
a66fca86 AD |
163 | //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ) |
164 | uint64_t newz = 0; | |
165 | int c; | |
a66fca86 AD |
166 | for(c = 0; c < 4 ;c++) |
167 | { | |
168 | uint8_t val = getSixBitByte(z,c); | |
169 | if(c == i) | |
170 | { | |
a66fca86 AD |
171 | pushbackSixBitByte(&newz, j, c); |
172 | }else | |
173 | { | |
174 | pushbackSixBitByte(&newz, val, c); | |
175 | } | |
176 | } | |
177 | return ck(i,j-1,newz); | |
178 | }else | |
179 | { | |
180 | return ck(i,j-1,z); | |
181 | } | |
a66fca86 AD |
182 | } |
183 | /** | |
184 | ||
185 | Definition 8. | |
186 | Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as | |
187 | check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] ) | |
188 | ||
189 | where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as | |
190 | ||
191 | ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] | |
192 | ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) | |
193 | ck(i, j, z [0] . . . z [3] ) = | |
194 | ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ; | |
195 | ck(i, j − 1, z [0] . . . z [3] ), otherwise | |
196 | ||
197 | otherwise. | |
198 | **/ | |
199 | ||
200 | uint64_t check(uint64_t z) | |
201 | { | |
202 | //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] | |
203 | ||
204 | // ck(3, 2, z [0] . . . z [3] ) | |
205 | uint64_t ck1 = ck(3,2, z ); | |
206 | ||
207 | // ck(3, 2, z [4] . . . z [7] ) | |
208 | uint64_t ck2 = ck(3,2, z << 24); | |
3ad48540 MHS |
209 | |
210 | //The ck function will place the values | |
211 | // in the middle of z. | |
a66fca86 AD |
212 | ck1 &= 0x00000000FFFFFF000000; |
213 | ck2 &= 0x00000000FFFFFF000000; | |
214 | ||
215 | return ck1 | ck2 >> 24; | |
216 | ||
217 | } | |
218 | ||
219 | void permute(BitstreamIn *p_in, uint64_t z,int l,int r, BitstreamOut* out) | |
220 | { | |
221 | if(bitsLeft(p_in) == 0) | |
222 | { | |
223 | return; | |
224 | } | |
225 | bool pn = tailBit(p_in); | |
226 | if( pn ) // pn = 1 | |
227 | { | |
228 | uint8_t zl = getSixBitByte(z,l); | |
3ad48540 | 229 | |
a66fca86 AD |
230 | push6bits(out, zl+1); |
231 | permute(p_in, z, l+1,r, out); | |
232 | }else // otherwise | |
233 | { | |
234 | uint8_t zr = getSixBitByte(z,r); | |
3ad48540 | 235 | |
a66fca86 AD |
236 | push6bits(out, zr); |
237 | permute(p_in,z,l,r+1,out); | |
238 | } | |
239 | } | |
a66fca86 AD |
240 | void printbegin() |
241 | { | |
3ad48540 MHS |
242 | if(debug_print <2) |
243 | return ; | |
a66fca86 | 244 | |
3ad48540 | 245 | prnlog(" | x| y|z0|z1|z2|z3|z4|z5|z6|z7|"); |
a66fca86 AD |
246 | } |
247 | ||
3ad48540 | 248 | void printState(char* desc, uint64_t c) |
a66fca86 | 249 | { |
3ad48540 MHS |
250 | if(debug_print < 2) |
251 | return ; | |
a66fca86 AD |
252 | |
253 | printf("%s : ", desc); | |
3ad48540 MHS |
254 | uint8_t x = (c & 0xFF00000000000000 ) >> 56; |
255 | uint8_t y = (c & 0x00FF000000000000 ) >> 48; | |
a66fca86 AD |
256 | printf(" %02x %02x", x,y); |
257 | int i ; | |
258 | for(i =0 ; i < 8 ; i++) | |
259 | { | |
260 | printf(" %02x", getSixBitByte(c,i)); | |
261 | } | |
262 | printf("\n"); | |
263 | } | |
264 | ||
265 | /** | |
266 | * @brief | |
267 | *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as | |
268 | * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where | |
269 | * z'[i] = (z[i] mod (63-i)) + i i = 0...3 | |
270 | * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3 | |
271 | * ẑ = check(z'); | |
272 | * @param c | |
273 | * @param k this is where the diversified key is put (should be 8 bytes) | |
274 | * @return | |
275 | */ | |
3ad48540 | 276 | void hash0(uint64_t c, uint8_t k[8]) |
a66fca86 | 277 | { |
3ad48540 MHS |
278 | c = swapZvalues(c); |
279 | ||
a66fca86 | 280 | printbegin(); |
3ad48540 | 281 | printState("origin",c); |
a66fca86 AD |
282 | //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] |
283 | // x = 8 bits | |
284 | // y = 8 bits | |
285 | // z0-z7 6 bits each : 48 bits | |
286 | uint8_t x = (c & 0xFF00000000000000 ) >> 56; | |
287 | uint8_t y = (c & 0x00FF000000000000 ) >> 48; | |
a66fca86 AD |
288 | int n; |
289 | uint8_t zn, zn4, _zn, _zn4; | |
290 | uint64_t zP = 0; | |
291 | ||
292 | for(n = 0; n < 4 ; n++) | |
293 | { | |
294 | zn = getSixBitByte(c,n); | |
3ad48540 | 295 | |
a66fca86 AD |
296 | zn4 = getSixBitByte(c,n+4); |
297 | ||
298 | _zn = (zn % (63-n)) + n; | |
299 | _zn4 = (zn4 % (64-n)) + n; | |
300 | ||
3ad48540 | 301 | |
a66fca86 AD |
302 | pushbackSixBitByte(&zP, _zn,n); |
303 | pushbackSixBitByte(&zP, _zn4,n+4); | |
304 | ||
305 | } | |
3ad48540 | 306 | printState("0|0|z'",zP); |
a66fca86 AD |
307 | |
308 | uint64_t zCaret = check(zP); | |
3ad48540 | 309 | printState("0|0|z^",zP); |
a66fca86 AD |
310 | |
311 | ||
312 | uint8_t p = pi[x % 35]; | |
313 | ||
314 | if(x & 1) //Check if x7 is 1 | |
315 | { | |
316 | p = ~p; | |
317 | } | |
3ad48540 MHS |
318 | |
319 | if(debug_print >= 2) prnlog("p:%02x", p); | |
a66fca86 AD |
320 | |
321 | BitstreamIn p_in = { &p, 8,0 }; | |
322 | uint8_t outbuffer[] = {0,0,0,0,0,0,0,0}; | |
323 | BitstreamOut out = {outbuffer,0,0}; | |
324 | permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes | |
325 | ||
326 | //Out is now a buffer containing six-bit bytes, should be 48 bits | |
327 | // if all went well | |
a66fca86 AD |
328 | //Shift z-values down onto the lower segment |
329 | ||
3ad48540 | 330 | uint64_t zTilde = x_bytes_to_num(outbuffer,8); |
a66fca86 | 331 | |
a66fca86 | 332 | zTilde >>= 16; |
3ad48540 MHS |
333 | |
334 | printState("0|0|z~", zTilde); | |
a66fca86 AD |
335 | |
336 | int i; | |
337 | int zerocounter =0 ; | |
338 | for(i =0 ; i < 8 ; i++) | |
339 | { | |
340 | ||
341 | // the key on index i is first a bit from y | |
342 | // then six bits from z, | |
343 | // then a bit from p | |
344 | ||
345 | // Init with zeroes | |
346 | k[i] = 0; | |
347 | // First, place yi leftmost in k | |
348 | //k[i] |= (y << i) & 0x80 ; | |
349 | ||
350 | // First, place y(7-i) leftmost in k | |
351 | k[i] |= (y << (7-i)) & 0x80 ; | |
352 | ||
3ad48540 | 353 | |
a66fca86 AD |
354 | |
355 | uint8_t zTilde_i = getSixBitByte(zTilde, i); | |
a66fca86 AD |
356 | // zTildeI is now on the form 00XXXXXX |
357 | // with one leftshift, it'll be | |
358 | // 0XXXXXX0 | |
359 | // So after leftshift, we can OR it into k | |
360 | // However, when doing complement, we need to | |
361 | // again MASK 0XXXXXX0 (0x7E) | |
362 | zTilde_i <<= 1; | |
363 | ||
364 | //Finally, add bit from p or p-mod | |
365 | //Shift bit i into rightmost location (mask only after complement) | |
366 | uint8_t p_i = p >> i & 0x1; | |
367 | ||
368 | if( k[i] )// yi = 1 | |
369 | { | |
370 | //printf("k[%d] +1\n", i); | |
371 | k[i] |= ~zTilde_i & 0x7E; | |
372 | k[i] |= p_i & 1; | |
373 | k[i] += 1; | |
374 | ||
375 | }else // otherwise | |
376 | { | |
377 | k[i] |= zTilde_i & 0x7E; | |
378 | k[i] |= (~p_i) & 1; | |
379 | } | |
380 | if((k[i] & 1 )== 0) | |
381 | { | |
382 | zerocounter ++; | |
383 | } | |
384 | } | |
3ad48540 MHS |
385 | } |
386 | /** | |
387 | * @brief Performs Elite-class key diversification | |
388 | * @param csn | |
389 | * @param key | |
390 | * @param div_key | |
391 | */ | |
392 | void diversifyKey(uint8_t csn[8], uint8_t key[8], uint8_t div_key[8]) | |
393 | { | |
394 | ||
395 | // Prepare the DES key | |
e0991f6a | 396 | mbedtls_des_setkey_enc( &ctx_enc, key); |
3ad48540 MHS |
397 | |
398 | uint8_t crypted_csn[8] = {0}; | |
a66fca86 | 399 | |
3ad48540 | 400 | // Calculate DES(CSN, KEY) |
e0991f6a | 401 | mbedtls_des_crypt_ecb(&ctx_enc,csn, crypted_csn); |
3ad48540 MHS |
402 | |
403 | //Calculate HASH0(DES)) | |
9b82de75 MHS |
404 | uint64_t crypt_csn = x_bytes_to_num(crypted_csn, 8); |
405 | //uint64_t crypted_csn_swapped = swapZvalues(crypt_csn); | |
3ad48540 MHS |
406 | |
407 | hash0(crypt_csn,div_key); | |
a66fca86 AD |
408 | } |
409 | ||
3ad48540 MHS |
410 | |
411 | ||
412 | ||
413 | ||
414 | void testPermute() | |
a66fca86 | 415 | { |
3ad48540 MHS |
416 | |
417 | uint64_t x = 0; | |
418 | pushbackSixBitByte(&x,0x00,0); | |
419 | pushbackSixBitByte(&x,0x01,1); | |
420 | pushbackSixBitByte(&x,0x02,2); | |
421 | pushbackSixBitByte(&x,0x03,3); | |
422 | pushbackSixBitByte(&x,0x04,4); | |
423 | pushbackSixBitByte(&x,0x05,5); | |
424 | pushbackSixBitByte(&x,0x06,6); | |
425 | pushbackSixBitByte(&x,0x07,7); | |
426 | ||
427 | uint8_t mres[8] = { getSixBitByte(x, 0), | |
428 | getSixBitByte(x, 1), | |
429 | getSixBitByte(x, 2), | |
430 | getSixBitByte(x, 3), | |
431 | getSixBitByte(x, 4), | |
432 | getSixBitByte(x, 5), | |
433 | getSixBitByte(x, 6), | |
434 | getSixBitByte(x, 7)}; | |
435 | printarr("input_perm", mres,8); | |
436 | ||
437 | uint8_t p = ~pi[0]; | |
438 | BitstreamIn p_in = { &p, 8,0 }; | |
439 | uint8_t outbuffer[] = {0,0,0,0,0,0,0,0}; | |
440 | BitstreamOut out = {outbuffer,0,0}; | |
441 | ||
442 | permute(&p_in, x,0,4, &out); | |
443 | ||
444 | uint64_t permuted = x_bytes_to_num(outbuffer,8); | |
445 | //printf("zTilde 0x%"PRIX64"\n", zTilde); | |
446 | permuted >>= 16; | |
447 | ||
448 | uint8_t res[8] = { getSixBitByte(permuted, 0), | |
449 | getSixBitByte(permuted, 1), | |
450 | getSixBitByte(permuted, 2), | |
451 | getSixBitByte(permuted, 3), | |
452 | getSixBitByte(permuted, 4), | |
453 | getSixBitByte(permuted, 5), | |
454 | getSixBitByte(permuted, 6), | |
455 | getSixBitByte(permuted, 7)}; | |
456 | printarr("permuted", res, 8); | |
a66fca86 AD |
457 | } |
458 | ||
3ad48540 MHS |
459 | //These testcases are |
460 | //{ UID , TEMP_KEY, DIV_KEY} using the specific key | |
461 | typedef struct | |
462 | { | |
463 | uint8_t uid[8]; | |
464 | uint8_t t_key[8]; | |
465 | uint8_t div_key[8]; | |
466 | } Testcase; | |
467 | ||
468 | ||
e0991f6a | 469 | int testDES(Testcase testcase, mbedtls_des_context ctx_enc, mbedtls_des_context ctx_dec) |
3ad48540 MHS |
470 | { |
471 | uint8_t des_encrypted_csn[8] = {0}; | |
472 | uint8_t decrypted[8] = {0}; | |
473 | uint8_t div_key[8] = {0}; | |
e0991f6a OM |
474 | int retval = mbedtls_des_crypt_ecb(&ctx_enc,testcase.uid,des_encrypted_csn); |
475 | retval |= mbedtls_des_crypt_ecb(&ctx_dec,des_encrypted_csn,decrypted); | |
3ad48540 MHS |
476 | |
477 | if(memcmp(testcase.uid,decrypted,8) != 0) | |
478 | { | |
479 | //Decryption fail | |
480 | prnlog("Encryption <-> Decryption FAIL"); | |
481 | printarr("Input", testcase.uid, 8); | |
482 | printarr("Decrypted", decrypted, 8); | |
483 | retval = 1; | |
484 | } | |
485 | ||
486 | if(memcmp(des_encrypted_csn,testcase.t_key,8) != 0) | |
487 | { | |
488 | //Encryption fail | |
489 | prnlog("Encryption != Expected result"); | |
490 | printarr("Output", des_encrypted_csn, 8); | |
491 | printarr("Expected", testcase.t_key, 8); | |
492 | retval = 1; | |
493 | } | |
494 | uint64_t crypted_csn = x_bytes_to_num(des_encrypted_csn,8); | |
495 | hash0(crypted_csn, div_key); | |
a66fca86 | 496 | |
3ad48540 MHS |
497 | if(memcmp(div_key, testcase.div_key ,8) != 0) |
498 | { | |
499 | //Key diversification fail | |
500 | prnlog("Div key != expected result"); | |
501 | printarr(" csn ", testcase.uid,8); | |
502 | printarr("{csn} ", des_encrypted_csn,8); | |
503 | printarr("hash0 ", div_key, 8); | |
504 | printarr("Expected", testcase.div_key, 8); | |
505 | retval = 1; | |
506 | ||
507 | } | |
508 | return retval; | |
509 | } | |
a66fca86 AD |
510 | bool des_getParityBitFromKey(uint8_t key) |
511 | {//The top 7 bits is used | |
512 | bool parity = ((key & 0x80) >> 7) | |
513 | ^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5) | |
514 | ^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3) | |
515 | ^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1); | |
516 | return !parity; | |
517 | } | |
3ad48540 MHS |
518 | |
519 | ||
a66fca86 AD |
520 | void des_checkParity(uint8_t* key) |
521 | { | |
522 | int i; | |
523 | int fails =0; | |
524 | for(i =0 ; i < 8 ; i++) | |
525 | { | |
526 | bool parity = des_getParityBitFromKey(key[i]); | |
527 | if(parity != (key[i] & 0x1)) | |
528 | { | |
529 | fails++; | |
3ad48540 | 530 | prnlog("[+] parity1 fail, byte %d [%02x] was %d, should be %d",i,key[i],(key[i] & 0x1),parity); |
a66fca86 AD |
531 | } |
532 | } | |
533 | if(fails) | |
534 | { | |
3ad48540 | 535 | prnlog("[+] parity fails: %d", fails); |
a66fca86 AD |
536 | }else |
537 | { | |
3ad48540 | 538 | prnlog("[+] Key syntax is with parity bits inside each byte"); |
a66fca86 AD |
539 | } |
540 | } | |
541 | ||
3ad48540 MHS |
542 | Testcase testcases[] ={ |
543 | ||
544 | {{0x8B,0xAC,0x60,0x1F,0x53,0xB8,0xED,0x11},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
545 | {{0xAE,0x51,0xE5,0x62,0xE7,0x9A,0x99,0x39},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},{0x04,0x02,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
546 | {{0x9B,0x21,0xE4,0x31,0x6A,0x00,0x29,0x62},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02},{0x06,0x04,0x02,0x08,0x01,0x03,0x05,0x07}}, | |
547 | {{0x65,0x24,0x0C,0x41,0x4F,0xC2,0x21,0x93},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04},{0x0A,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
548 | {{0x7F,0xEB,0xAE,0x93,0xE5,0x30,0x08,0xBD},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08},{0x12,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
549 | {{0x49,0x7B,0x70,0x74,0x9B,0x35,0x1B,0x83},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10},{0x22,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
550 | {{0x02,0x3C,0x15,0x6B,0xED,0xA5,0x64,0x6C},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20},{0x42,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
551 | {{0xE8,0x37,0xE0,0xE2,0xC6,0x45,0x24,0xF3},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40},{0x02,0x06,0x04,0x08,0x01,0x03,0x05,0x07}}, | |
552 | {{0xAB,0xBD,0x30,0x05,0x29,0xC8,0xF7,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},{0x02,0x08,0x06,0x04,0x01,0x03,0x05,0x07}}, | |
553 | {{0x17,0xE8,0x97,0xF0,0x99,0xB6,0x79,0x31},{0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00},{0x02,0x0C,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
554 | {{0x49,0xA4,0xF0,0x8F,0x5F,0x96,0x83,0x16},{0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00},{0x02,0x14,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
555 | {{0x60,0xF5,0x7E,0x54,0xAA,0x41,0x83,0xD4},{0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00},{0x02,0x24,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
556 | {{0x1D,0xF6,0x3B,0x6B,0x85,0x55,0xF0,0x4B},{0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00},{0x02,0x44,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
557 | {{0x1F,0xDC,0x95,0x1A,0xEA,0x6B,0x4B,0xB4},{0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00},{0x02,0x04,0x08,0x06,0x01,0x03,0x05,0x07}}, | |
558 | {{0xEC,0x93,0x72,0xF0,0x3B,0xA9,0xF5,0x0B},{0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00},{0x02,0x04,0x0A,0x08,0x01,0x03,0x05,0x07}}, | |
559 | {{0xDE,0x57,0x5C,0xBE,0x2D,0x55,0x03,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00},{0x02,0x04,0x0E,0x08,0x01,0x03,0x05,0x07}}, | |
560 | {{0x1E,0xD2,0xB5,0xCE,0x90,0xC9,0xC1,0xCC},{0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00},{0x02,0x04,0x16,0x08,0x01,0x03,0x05,0x07}}, | |
561 | {{0xD8,0x65,0x96,0x4E,0xE7,0x74,0x99,0xB8},{0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00},{0x02,0x04,0x26,0x08,0x01,0x03,0x05,0x07}}, | |
562 | {{0xE3,0x7A,0x29,0x83,0x31,0xD5,0x3A,0x54},{0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00},{0x02,0x04,0x46,0x08,0x01,0x03,0x05,0x07}}, | |
563 | {{0x3A,0xB5,0x1A,0x34,0x34,0x25,0x12,0xF0},{0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00},{0x02,0x04,0x06,0x0A,0x01,0x03,0x05,0x07}}, | |
564 | {{0xF2,0x88,0xEE,0x6F,0x70,0x6F,0xC2,0x52},{0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00},{0x02,0x04,0x06,0x0C,0x01,0x03,0x05,0x07}}, | |
565 | {{0x76,0xEF,0xEB,0x80,0x52,0x43,0x83,0x57},{0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00},{0x02,0x04,0x06,0x10,0x01,0x03,0x05,0x07}}, | |
566 | {{0x1C,0x09,0x8E,0x3B,0x23,0x23,0x52,0xB5},{0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00},{0x02,0x04,0x06,0x18,0x01,0x03,0x05,0x07}}, | |
567 | {{0xA9,0x13,0xA2,0xBE,0xCF,0x1A,0xC4,0x9A},{0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00},{0x02,0x04,0x06,0x28,0x01,0x03,0x05,0x07}}, | |
568 | {{0x25,0x56,0x4B,0xB0,0xC8,0x2A,0xD4,0x27},{0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00},{0x02,0x04,0x06,0x48,0x01,0x03,0x05,0x07}}, | |
569 | {{0xB1,0x04,0x57,0x3F,0xA7,0x16,0x62,0xD4},{0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x03,0x01,0x05,0x07}}, | |
570 | {{0x45,0x46,0xED,0xCC,0xE7,0xD3,0x8E,0xA3},{0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x05,0x03,0x01,0x07}}, | |
571 | {{0x22,0x6D,0xB5,0x35,0xE0,0x5A,0xE0,0x90},{0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x09,0x03,0x05,0x07}}, | |
572 | {{0xB8,0xF5,0xE5,0x44,0xC5,0x98,0x4A,0xBD},{0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x11,0x03,0x05,0x07}}, | |
573 | {{0xAC,0x78,0x0A,0x23,0x9E,0xF6,0xBC,0xA0},{0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x21,0x03,0x05,0x07}}, | |
574 | {{0x46,0x6B,0x2D,0x70,0x41,0x17,0xBF,0x3D},{0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x41,0x03,0x05,0x07}}, | |
575 | {{0x64,0x44,0x24,0x71,0xA2,0x56,0xDF,0xB5},{0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x05,0x03,0x07}}, | |
576 | {{0xC4,0x00,0x52,0x24,0xA2,0xD6,0x16,0x7A},{0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x07,0x05,0x03}}, | |
577 | {{0xD8,0x4A,0x80,0x1E,0x95,0x5B,0x70,0xC4},{0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x0B,0x05,0x07}}, | |
578 | {{0x08,0x56,0x6E,0xB5,0x64,0xD6,0x47,0x4E},{0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x13,0x05,0x07}}, | |
579 | {{0x41,0x6F,0xBA,0xA4,0xEB,0xAE,0xA0,0x55},{0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x23,0x05,0x07}}, | |
580 | {{0x62,0x9D,0xDE,0x72,0x84,0x4A,0x53,0xD5},{0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x43,0x05,0x07}}, | |
581 | {{0x39,0xD3,0x2B,0x66,0xB8,0x08,0x40,0x2E},{0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x07,0x05}}, | |
582 | {{0xAF,0x67,0xA9,0x18,0x57,0x21,0xAF,0x8D},{0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x09,0x07}}, | |
583 | {{0x34,0xBC,0x9D,0xBC,0xC4,0xC2,0x3B,0xC8},{0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x0D,0x07}}, | |
584 | {{0xB6,0x50,0xF9,0x81,0xF6,0xBF,0x90,0x3C},{0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x15,0x07}}, | |
585 | {{0x71,0x41,0x93,0xA1,0x59,0x81,0xA5,0x52},{0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x25,0x07}}, | |
586 | {{0x6B,0x00,0xBD,0x74,0x1C,0x3C,0xE0,0x1A},{0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x45,0x07}}, | |
587 | {{0x76,0xFD,0x0B,0xD0,0x41,0xD2,0x82,0x5D},{0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x09}}, | |
588 | {{0xC6,0x3A,0x1C,0x25,0x63,0x5A,0x2F,0x0E},{0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0B}}, | |
589 | {{0xD9,0x0E,0xD7,0x30,0xE2,0xAD,0xA9,0x87},{0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0F}}, | |
590 | {{0x6B,0x81,0xC6,0xD1,0x05,0x09,0x87,0x1E},{0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x17}}, | |
591 | {{0xB4,0xA7,0x1E,0x02,0x54,0x37,0x43,0x35},{0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x27}}, | |
592 | {{0x45,0x14,0x7C,0x7F,0xE0,0xDE,0x09,0x65},{0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x47}}, | |
593 | {{0x78,0xB0,0xF5,0x20,0x8B,0x7D,0xF3,0xDD},{0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00},{0xFE,0x04,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
594 | {{0x88,0xB3,0x3C,0xE1,0xF7,0x87,0x42,0xA1},{0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0xFC,0x06,0x08,0x01,0x03,0x05,0x07}}, | |
595 | {{0x11,0x2F,0xB2,0xF7,0xE2,0xB2,0x4F,0x6E},{0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0xFA,0x08,0x01,0x03,0x05,0x07}}, | |
596 | {{0x25,0x56,0x4E,0xC6,0xEB,0x2D,0x74,0x5B},{0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0xF8,0x01,0x03,0x05,0x07}}, | |
597 | {{0x7E,0x98,0x37,0xF9,0x80,0x8F,0x09,0x82},{0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0xFF,0x03,0x05,0x07}}, | |
598 | {{0xF9,0xB5,0x62,0x3B,0xD8,0x7B,0x3C,0x3F},{0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0xFD,0x05,0x07}}, | |
599 | {{0x29,0xC5,0x2B,0xFA,0xD1,0xFC,0x5C,0xC7},{0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0xFB,0x07}}, | |
600 | {{0xC1,0xA3,0x09,0x71,0xBD,0x8E,0xAF,0x2F},{0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0xF9}}, | |
601 | {{0xB6,0xDD,0xD1,0xAD,0xAA,0x15,0x6F,0x29},{0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x03,0x05,0x02,0x07,0x04,0x06,0x08}}, | |
602 | {{0x65,0x34,0x03,0x19,0x17,0xB3,0xA3,0x96},{0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x08,0x03,0x05,0x07}}, | |
603 | {{0xF9,0x38,0x43,0x56,0x52,0xE5,0xB1,0xA9},{0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x08,0x03,0x05,0x07}}, | |
604 | ||
605 | {{0xA4,0xA0,0xAF,0xDA,0x48,0xB0,0xA1,0x10},{0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x03,0x08,0x05,0x07}}, | |
606 | {{0x55,0x15,0x8A,0x0D,0x48,0x29,0x01,0xD8},{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x03,0x05,0x08,0x07}}, | |
607 | {{0xC4,0x81,0x96,0x7D,0xA3,0xB7,0x73,0x50},{0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x05,0x04,0x06,0x08,0x07}}, | |
608 | {{0x36,0x73,0xDF,0xC1,0x1B,0x98,0xA8,0x1D},{0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x05,0x06,0x08,0x07}}, | |
609 | {{0xCE,0xE0,0xB3,0x1B,0x41,0xEB,0x15,0x12},{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x06,0x05,0x08,0x07}}, | |
610 | {{0},{0},{0}} | |
611 | }; | |
612 | ||
613 | ||
614 | int testKeyDiversificationWithMasterkeyTestcases() | |
a66fca86 | 615 | { |
3ad48540 MHS |
616 | |
617 | int error = 0; | |
618 | int i; | |
619 | ||
620 | uint8_t empty[8]={0}; | |
621 | prnlog("[+} Testing encryption/decryption"); | |
622 | ||
623 | for (i = 0; memcmp(testcases+i,empty,8) ; i++) { | |
624 | error += testDES(testcases[i],ctx_enc, ctx_dec); | |
625 | } | |
626 | if(error) | |
a66fca86 | 627 | { |
3ad48540 MHS |
628 | prnlog("[+] %d errors occurred (%d testcases)", error, i); |
629 | }else | |
630 | { | |
631 | prnlog("[+] Hashing seems to work (%d testcases)", i); | |
a66fca86 | 632 | } |
3ad48540 MHS |
633 | return error; |
634 | } | |
635 | ||
636 | ||
637 | void print64bits(char*name, uint64_t val) | |
638 | { | |
639 | printf("%s%08x%08x\n",name,(uint32_t) (val >> 32) ,(uint32_t) (val & 0xFFFFFFFF)); | |
640 | } | |
641 | ||
642 | uint64_t testCryptedCSN(uint64_t crypted_csn, uint64_t expected) | |
643 | { | |
644 | int retval = 0; | |
645 | uint8_t result[8] = {0}; | |
646 | if(debug_print) prnlog("debug_print %d", debug_print); | |
647 | if(debug_print) print64bits(" {csn} ", crypted_csn ); | |
648 | ||
649 | uint64_t crypted_csn_swapped = swapZvalues(crypted_csn); | |
650 | ||
651 | if(debug_print) print64bits(" {csn-revz} ", crypted_csn_swapped); | |
652 | ||
653 | hash0(crypted_csn, result); | |
654 | uint64_t resultbyte = x_bytes_to_num(result,8 ); | |
655 | if(debug_print) print64bits(" hash0 " , resultbyte ); | |
656 | ||
657 | if(resultbyte != expected ) | |
658 | { | |
659 | ||
660 | if(debug_print) { | |
661 | prnlog("\n[+] FAIL!"); | |
662 | print64bits(" expected " , expected ); | |
663 | } | |
664 | retval = 1; | |
665 | ||
666 | }else | |
667 | { | |
668 | if(debug_print) prnlog(" [OK]"); | |
669 | } | |
670 | return retval; | |
671 | } | |
672 | ||
673 | int testDES2(uint64_t csn, uint64_t expected) | |
674 | { | |
675 | uint8_t result[8] = {0}; | |
676 | uint8_t input[8] = {0}; | |
677 | ||
678 | print64bits(" csn ", csn); | |
679 | x_num_to_bytes(csn, 8,input); | |
680 | ||
e0991f6a | 681 | mbedtls_des_crypt_ecb(&ctx_enc,input, result); |
3ad48540 MHS |
682 | |
683 | uint64_t crypt_csn = x_bytes_to_num(result, 8); | |
684 | print64bits(" {csn} ", crypt_csn ); | |
685 | print64bits(" expected ", expected ); | |
686 | ||
687 | if( expected == crypt_csn ) | |
688 | { | |
689 | prnlog("[+] OK"); | |
690 | return 0; | |
691 | }else | |
692 | { | |
693 | return 1; | |
694 | } | |
695 | } | |
696 | ||
697 | /** | |
698 | * These testcases come from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977 | |
699 | * @brief doTestsWithKnownInputs | |
700 | * @return | |
701 | */ | |
702 | int doTestsWithKnownInputs() | |
703 | { | |
704 | ||
705 | // KSel from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977 | |
706 | int errors = 0; | |
707 | prnlog("[+] Testing DES encryption"); | |
708 | // uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf}; | |
709 | prnlog("[+] Testing foo"); | |
710 | uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf}; | |
711 | ||
e0991f6a | 712 | mbedtls_des_setkey_enc( &ctx_enc, key); |
3ad48540 MHS |
713 | testDES2(0xbbbbaaaabbbbeeee,0xd6ad3ca619659e6b); |
714 | ||
715 | prnlog("[+] Testing hashing algorithm"); | |
716 | ||
717 | errors += testCryptedCSN(0x0102030405060708,0x0bdd6512073c460a); | |
718 | errors += testCryptedCSN(0x1020304050607080,0x0208211405f3381f); | |
719 | errors += testCryptedCSN(0x1122334455667788,0x2bee256d40ac1f3a); | |
720 | errors += testCryptedCSN(0xabcdabcdabcdabcd,0xa91c9ec66f7da592); | |
721 | errors += testCryptedCSN(0xbcdabcdabcdabcda,0x79ca5796a474e19b); | |
722 | errors += testCryptedCSN(0xcdabcdabcdabcdab,0xa8901b9f7ec76da4); | |
723 | errors += testCryptedCSN(0xdabcdabcdabcdabc,0x357aa8e0979a5b8d); | |
724 | errors += testCryptedCSN(0x21ba6565071f9299,0x34e80f88d5cf39ea); | |
725 | errors += testCryptedCSN(0x14e2adfc5bb7e134,0x6ac90c6508bd9ea3); | |
726 | ||
727 | if(errors) | |
728 | { | |
729 | prnlog("[+] %d errors occurred (9 testcases)", errors); | |
730 | }else | |
731 | { | |
732 | prnlog("[+] Hashing seems to work (9 testcases)" ); | |
733 | } | |
734 | return errors; | |
735 | } | |
736 | ||
737 | int readKeyFile(uint8_t key[8]) | |
738 | { | |
3ad48540 | 739 | FILE *f; |
97d582a6 | 740 | int retval = 1; |
3ad48540 | 741 | f = fopen("iclass_key.bin", "rb"); |
1c313691 I |
742 | if (!f) |
743 | return retval; | |
744 | ||
745 | if (fread(key, sizeof(uint8_t), 8, f) == 8) { | |
746 | retval = 0; | |
3ad48540 | 747 | } |
1c313691 | 748 | fclose(f); |
97d582a6 | 749 | return retval; |
3ad48540 MHS |
750 | } |
751 | ||
3ad48540 MHS |
752 | int doKeyTests(uint8_t debuglevel) |
753 | { | |
754 | debug_print = debuglevel; | |
755 | ||
756 | prnlog("[+] Checking if the master key is present (iclass_key.bin)..."); | |
757 | uint8_t key[8] = {0}; | |
758 | if(readKeyFile(key)) | |
759 | { | |
760 | prnlog("[+] Master key not present, will not be able to do all testcases"); | |
761 | }else | |
762 | { | |
763 | ||
764 | //Test if it's the right key... | |
765 | uint8_t i; | |
766 | uint8_t j = 0; | |
767 | for(i =0 ; i < sizeof(key) ; i++) | |
768 | j += key[i]; | |
769 | ||
770 | if(j != 185) | |
771 | { | |
772 | prnlog("[+] A key was loaded, but it does not seem to be the correct one. Aborting these tests"); | |
773 | }else | |
774 | { | |
775 | prnlog("[+] Key present"); | |
776 | ||
777 | prnlog("[+] Checking key parity..."); | |
778 | des_checkParity(key); | |
e0991f6a OM |
779 | mbedtls_des_setkey_enc( &ctx_enc, key); |
780 | mbedtls_des_setkey_dec( &ctx_dec, key); | |
3ad48540 MHS |
781 | // Test hashing functions |
782 | prnlog("[+] The following tests require the correct 8-byte master key"); | |
783 | testKeyDiversificationWithMasterkeyTestcases(); | |
784 | } | |
785 | } | |
786 | prnlog("[+] Testing key diversification with non-sensitive keys..."); | |
787 | doTestsWithKnownInputs(); | |
788 | return 0; | |
a66fca86 | 789 | } |
3ad48540 MHS |
790 | |
791 | /** | |
792 | ||
793 | void checkParity2(uint8_t* key) | |
794 | { | |
795 | ||
796 | uint8_t stored_parity = key[7]; | |
797 | printf("Parity byte: 0x%02x\n", stored_parity); | |
798 | int i; | |
799 | int byte; | |
800 | int fails =0; | |
801 | BitstreamIn bits = {key, 56, 0}; | |
802 | ||
803 | bool parity = 0; | |
804 | ||
805 | for(i =0 ; i < 56; i++) | |
806 | { | |
807 | ||
808 | if ( i > 0 && i % 7 == 0) | |
809 | { | |
810 | parity = !parity; | |
811 | bool pbit = stored_parity & (0x80 >> (byte)); | |
812 | if(parity != pbit) | |
813 | { | |
814 | printf("parity2 fail byte %d, should be %d, was %d\n", (i / 7), parity, pbit); | |
815 | fails++; | |
816 | } | |
817 | parity =0 ; | |
818 | byte = i / 7; | |
819 | } | |
820 | parity = parity ^ headBit(&bits); | |
821 | } | |
822 | if(fails) | |
823 | { | |
824 | printf("parity2 fails: %d\n", fails); | |
825 | }else | |
826 | { | |
827 | printf("Key syntax is with parity bits grouped in the last byte!\n"); | |
828 | } | |
829 | } | |
830 | void modifyKey_put_parity_last(uint8_t * key, uint8_t* output) | |
831 | { | |
832 | uint8_t paritybits = 0; | |
833 | bool parity =0; | |
834 | BitstreamOut out = { output, 0,0}; | |
835 | unsigned int bbyte, bbit; | |
836 | for(bbyte=0; bbyte <8 ; bbyte++ ) | |
837 | { | |
838 | for(bbit =0 ; bbit< 7 ; bbit++) | |
839 | { | |
840 | bool bit = *(key+bbyte) & (1 << (7-bbit)); | |
841 | pushBit(&out,bit); | |
842 | parity ^= bit; | |
843 | } | |
844 | bool paritybit = *(key+bbyte) & 1; | |
845 | paritybits |= paritybit << (7-bbyte); | |
846 | parity = 0; | |
847 | ||
848 | } | |
849 | output[7] = paritybits; | |
850 | printf("Parity byte: %02x\n", paritybits); | |
851 | } | |
852 | ||
853 | * @brief Modifies a key with parity bits last, so that it is formed with parity | |
854 | * bits inside each byte | |
855 | * @param key | |
856 | * @param output | |
857 | ||
858 | void modifyKey_put_parity_allover(uint8_t * key, uint8_t* output) | |
859 | { | |
860 | bool parity =0; | |
861 | BitstreamOut out = { output, 0,0}; | |
862 | BitstreamIn in = {key, 0,0}; | |
863 | unsigned int bbyte, bbit; | |
864 | for(bbit =0 ; bbit < 56 ; bbit++) | |
865 | { | |
866 | ||
867 | if( bbit > 0 && bbit % 7 == 0) | |
868 | { | |
869 | pushBit(&out,!parity); | |
870 | parity = 0; | |
871 | } | |
872 | bool bit = headBit(&in); | |
873 | pushBit(&out,bit ); | |
874 | parity ^= bit; | |
875 | ||
876 | } | |
877 | pushBit(&out, !parity); | |
878 | ||
879 | ||
880 | if( des_key_check_key_parity(output)) | |
881 | { | |
882 | printf("modifyKey_put_parity_allover fail, DES key invalid parity!"); | |
883 | } | |
884 | ||
885 | } | |
886 | ||
887 | */ | |
888 | ||
889 |