| 1 | /*- |
| 2 | * Copyright (C) 2010, Romain Tartiere. |
| 3 | * |
| 4 | * This program is free software: you can redistribute it and/or modify it |
| 5 | * under the terms of the GNU Lesser General Public License as published by the |
| 6 | * Free Software Foundation, either version 3 of the License, or (at your |
| 7 | * option) any later version. |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, but WITHOUT |
| 10 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 11 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for |
| 12 | * more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Lesser General Public License |
| 15 | * along with this program. If not, see <http://www.gnu.org/licenses/> |
| 16 | * |
| 17 | * $Id$ |
| 18 | */ |
| 19 | |
| 20 | /* |
| 21 | * This implementation was written based on information provided by the |
| 22 | * following documents: |
| 23 | * |
| 24 | * NIST Special Publication 800-38B |
| 25 | * Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication |
| 26 | * May 2005 |
| 27 | */ |
| 28 | #include "desfire_crypto.h" |
| 29 | |
| 30 | static void xor (const uint8_t *ivect, uint8_t *data, const size_t len); |
| 31 | static size_t key_macing_length (desfirekey_t key); |
| 32 | |
| 33 | static void xor (const uint8_t *ivect, uint8_t *data, const size_t len) { |
| 34 | for (size_t i = 0; i < len; i++) { |
| 35 | data[i] ^= ivect[i]; |
| 36 | } |
| 37 | } |
| 38 | |
| 39 | void cmac_generate_subkeys ( desfirekey_t key) { |
| 40 | int kbs = key_block_size (key); |
| 41 | const uint8_t R = (kbs == 8) ? 0x1B : 0x87; |
| 42 | |
| 43 | uint8_t l[kbs]; |
| 44 | memset (l, 0, kbs); |
| 45 | |
| 46 | uint8_t ivect[kbs]; |
| 47 | memset (ivect, 0, kbs); |
| 48 | |
| 49 | mifare_cypher_blocks_chained (NULL, key, ivect, l, kbs, MCD_RECEIVE, MCO_ENCYPHER); |
| 50 | |
| 51 | bool xor = false; |
| 52 | |
| 53 | // Used to compute CMAC on complete blocks |
| 54 | memcpy (key->cmac_sk1, l, kbs); |
| 55 | xor = l[0] & 0x80; |
| 56 | lsl (key->cmac_sk1, kbs); |
| 57 | if (xor) |
| 58 | key->cmac_sk1[kbs-1] ^= R; |
| 59 | |
| 60 | // Used to compute CMAC on the last block if non-complete |
| 61 | memcpy (key->cmac_sk2, key->cmac_sk1, kbs); |
| 62 | xor = key->cmac_sk1[0] & 0x80; |
| 63 | lsl (key->cmac_sk2, kbs); |
| 64 | if (xor) |
| 65 | key->cmac_sk2[kbs-1] ^= R; |
| 66 | } |
| 67 | |
| 68 | void cmac (const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac) { |
| 69 | int kbs = key_block_size (key); |
| 70 | uint8_t *buffer = malloc (padded_data_length (len, kbs)); |
| 71 | |
| 72 | memcpy (buffer, data, len); |
| 73 | |
| 74 | if ((!len) || (len % kbs)) { |
| 75 | buffer[len++] = 0x80; |
| 76 | while (len % kbs) { |
| 77 | buffer[len++] = 0x00; |
| 78 | } |
| 79 | xor (key->cmac_sk2, buffer + len - kbs, kbs); |
| 80 | } else { |
| 81 | xor (key->cmac_sk1, buffer + len - kbs, kbs); |
| 82 | } |
| 83 | |
| 84 | mifare_cypher_blocks_chained (NULL, key, ivect, buffer, len, MCD_SEND, MCO_ENCYPHER); |
| 85 | |
| 86 | memcpy (cmac, ivect, kbs); |
| 87 | free(buffer); |
| 88 | } |
| 89 | |
| 90 | size_t key_block_size (const desfirekey_t key) { |
| 91 | size_t block_size = 8; |
| 92 | switch (key->type) { |
| 93 | case T_DES: |
| 94 | case T_3DES: |
| 95 | case T_3K3DES: |
| 96 | block_size = 8; |
| 97 | break; |
| 98 | case T_AES: |
| 99 | block_size = 16; |
| 100 | break; |
| 101 | } |
| 102 | return block_size; |
| 103 | } |
| 104 | |
| 105 | /* |
| 106 | * Size of MACing produced with the key. |
| 107 | */ |
| 108 | static size_t key_macing_length (const desfirekey_t key) { |
| 109 | size_t mac_length = MAC_LENGTH; |
| 110 | switch (key->type) { |
| 111 | case T_DES: |
| 112 | case T_3DES: |
| 113 | mac_length = MAC_LENGTH; |
| 114 | break; |
| 115 | case T_3K3DES: |
| 116 | case T_AES: |
| 117 | mac_length = CMAC_LENGTH; |
| 118 | break; |
| 119 | } |
| 120 | return mac_length; |
| 121 | } |
| 122 | |
| 123 | /* |
| 124 | * Size required to store nbytes of data in a buffer of size n*block_size. |
| 125 | */ |
| 126 | size_t padded_data_length (const size_t nbytes, const size_t block_size) { |
| 127 | if ((!nbytes) || (nbytes % block_size)) |
| 128 | return ((nbytes / block_size) + 1) * block_size; |
| 129 | else |
| 130 | return nbytes; |
| 131 | } |
| 132 | |
| 133 | /* |
| 134 | * Buffer size required to MAC nbytes of data |
| 135 | */ |
| 136 | size_t maced_data_length (const desfirekey_t key, const size_t nbytes) { |
| 137 | return nbytes + key_macing_length (key); |
| 138 | } |
| 139 | /* |
| 140 | * Buffer size required to encipher nbytes of data and a two bytes CRC. |
| 141 | */ |
| 142 | size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings) { |
| 143 | size_t crc_length = 0; |
| 144 | if (!(communication_settings & NO_CRC)) { |
| 145 | switch (DESFIRE(tag)->authentication_scheme) { |
| 146 | case AS_LEGACY: |
| 147 | crc_length = 2; |
| 148 | break; |
| 149 | case AS_NEW: |
| 150 | crc_length = 4; |
| 151 | break; |
| 152 | } |
| 153 | } |
| 154 | |
| 155 | size_t block_size = DESFIRE(tag)->session_key ? key_block_size (DESFIRE(tag)->session_key) : 1; |
| 156 | |
| 157 | return padded_data_length (nbytes + crc_length, block_size); |
| 158 | } |
| 159 | |
| 160 | void* mifare_cryto_preprocess_data (desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings) { |
| 161 | uint8_t *res = data; |
| 162 | uint8_t mac[4]; |
| 163 | size_t edl; |
| 164 | bool append_mac = true; |
| 165 | desfirekey_t key = DESFIRE(tag)->session_key; |
| 166 | |
| 167 | if (!key) |
| 168 | return data; |
| 169 | |
| 170 | switch (communication_settings & MDCM_MASK) { |
| 171 | case MDCM_PLAIN: |
| 172 | if (AS_LEGACY == DESFIRE(tag)->authentication_scheme) |
| 173 | break; |
| 174 | |
| 175 | /* |
| 176 | * When using new authentication methods, PLAIN data transmission from |
| 177 | * the PICC to the PCD are CMACed, so we have to maintain the |
| 178 | * cryptographic initialisation vector up-to-date to check data |
| 179 | * integrity later. |
| 180 | * |
| 181 | * The only difference with CMACed data transmission is that the CMAC |
| 182 | * is not apended to the data send by the PCD to the PICC. |
| 183 | */ |
| 184 | |
| 185 | append_mac = false; |
| 186 | |
| 187 | /* pass through */ |
| 188 | case MDCM_MACED: |
| 189 | switch (DESFIRE(tag)->authentication_scheme) { |
| 190 | case AS_LEGACY: |
| 191 | if (!(communication_settings & MAC_COMMAND)) |
| 192 | break; |
| 193 | |
| 194 | /* pass through */ |
| 195 | edl = padded_data_length (*nbytes - offset, key_block_size (DESFIRE(tag)->session_key)) + offset; |
| 196 | |
| 197 | // Fill in the crypto buffer with data ... |
| 198 | memcpy (res, data, *nbytes); |
| 199 | // ... and 0 padding |
| 200 | memset (res + *nbytes, 0, edl - *nbytes); |
| 201 | |
| 202 | mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, edl - offset, MCD_SEND, MCO_ENCYPHER); |
| 203 | |
| 204 | memcpy (mac, res + edl - 8, 4); |
| 205 | |
| 206 | // Copy again provided data (was overwritten by mifare_cypher_blocks_chained) |
| 207 | memcpy (res, data, *nbytes); |
| 208 | |
| 209 | if (!(communication_settings & MAC_COMMAND)) |
| 210 | break; |
| 211 | // Append MAC |
| 212 | size_t bla = maced_data_length (DESFIRE(tag)->session_key, *nbytes - offset) + offset; |
| 213 | bla++; |
| 214 | |
| 215 | memcpy (res + *nbytes, mac, 4); |
| 216 | |
| 217 | *nbytes += 4; |
| 218 | break; |
| 219 | case AS_NEW: |
| 220 | if (!(communication_settings & CMAC_COMMAND)) |
| 221 | break; |
| 222 | cmac (key, DESFIRE (tag)->ivect, res, *nbytes, DESFIRE (tag)->cmac); |
| 223 | |
| 224 | if (append_mac) { |
| 225 | size_t len = maced_data_length (key, *nbytes); |
| 226 | ++len; |
| 227 | memcpy (res, data, *nbytes); |
| 228 | memcpy (res + *nbytes, DESFIRE (tag)->cmac, CMAC_LENGTH); |
| 229 | *nbytes += CMAC_LENGTH; |
| 230 | } |
| 231 | break; |
| 232 | } |
| 233 | |
| 234 | break; |
| 235 | case MDCM_ENCIPHERED: |
| 236 | /* |<-------------- data -------------->| |
| 237 | * |<--- offset -->| | |
| 238 | * +---------------+--------------------+-----+---------+ |
| 239 | * | CMD + HEADERS | DATA TO BE SECURED | CRC | PADDING | |
| 240 | * +---------------+--------------------+-----+---------+ ---------------- |
| 241 | * | |<~~~~v~~~~~~~~~~~~~>| ^ | | (DES / 3DES) |
| 242 | * | | `---- crc16() ----' | | |
| 243 | * | | | ^ | | ----- *or* ----- |
| 244 | * |<~~~~~~~~~~~~~~~~~~~~v~~~~~~~~~~~~~>| ^ | | (3K3DES / AES) |
| 245 | * | `---- crc32() ----' | | |
| 246 | * | | ---- *then* ---- |
| 247 | * |<---------------------------------->| |
| 248 | * encypher()/decypher() |
| 249 | */ |
| 250 | |
| 251 | if (!(communication_settings & ENC_COMMAND)) |
| 252 | break; |
| 253 | edl = enciphered_data_length (tag, *nbytes - offset, communication_settings) + offset; |
| 254 | |
| 255 | // Fill in the crypto buffer with data ... |
| 256 | memcpy (res, data, *nbytes); |
| 257 | if (!(communication_settings & NO_CRC)) { |
| 258 | // ... CRC ... |
| 259 | switch (DESFIRE (tag)->authentication_scheme) { |
| 260 | case AS_LEGACY: |
| 261 | AppendCrc14443a(res + offset, *nbytes - offset); |
| 262 | *nbytes += 2; |
| 263 | break; |
| 264 | case AS_NEW: |
| 265 | crc32_append (res, *nbytes); |
| 266 | *nbytes += 4; |
| 267 | break; |
| 268 | } |
| 269 | } |
| 270 | // ... and padding |
| 271 | memset (res + *nbytes, 0, edl - *nbytes); |
| 272 | |
| 273 | *nbytes = edl; |
| 274 | |
| 275 | mifare_cypher_blocks_chained (tag, NULL, NULL, res + offset, *nbytes - offset, MCD_SEND, (AS_NEW == DESFIRE(tag)->authentication_scheme) ? MCO_ENCYPHER : MCO_DECYPHER); |
| 276 | break; |
| 277 | default: |
| 278 | |
| 279 | *nbytes = -1; |
| 280 | res = NULL; |
| 281 | break; |
| 282 | } |
| 283 | |
| 284 | return res; |
| 285 | |
| 286 | } |
| 287 | |
| 288 | void* mifare_cryto_postprocess_data (desfiretag_t tag, void *data, size_t *nbytes, int communication_settings) |
| 289 | { |
| 290 | void *res = data; |
| 291 | size_t edl; |
| 292 | void *edata = NULL; |
| 293 | uint8_t first_cmac_byte = 0x00; |
| 294 | |
| 295 | desfirekey_t key = DESFIRE(tag)->session_key; |
| 296 | |
| 297 | if (!key) |
| 298 | return data; |
| 299 | |
| 300 | // Return directly if we just have a status code. |
| 301 | if (1 == *nbytes) |
| 302 | return res; |
| 303 | |
| 304 | switch (communication_settings & MDCM_MASK) { |
| 305 | case MDCM_PLAIN: |
| 306 | |
| 307 | if (AS_LEGACY == DESFIRE(tag)->authentication_scheme) |
| 308 | break; |
| 309 | |
| 310 | /* pass through */ |
| 311 | case MDCM_MACED: |
| 312 | switch (DESFIRE (tag)->authentication_scheme) { |
| 313 | case AS_LEGACY: |
| 314 | if (communication_settings & MAC_VERIFY) { |
| 315 | *nbytes -= key_macing_length (key); |
| 316 | if (*nbytes <= 0) { |
| 317 | *nbytes = -1; |
| 318 | res = NULL; |
| 319 | #ifdef WITH_DEBUG |
| 320 | Dbprintf ("No room for MAC!"); |
| 321 | #endif |
| 322 | break; |
| 323 | } |
| 324 | |
| 325 | edl = enciphered_data_length (tag, *nbytes - 1, communication_settings); |
| 326 | edata = malloc (edl); |
| 327 | |
| 328 | memcpy (edata, data, *nbytes - 1); |
| 329 | memset ((uint8_t *)edata + *nbytes - 1, 0, edl - *nbytes + 1); |
| 330 | |
| 331 | mifare_cypher_blocks_chained (tag, NULL, NULL, edata, edl, MCD_SEND, MCO_ENCYPHER); |
| 332 | |
| 333 | if (0 != memcmp ((uint8_t *)data + *nbytes - 1, (uint8_t *)edata + edl - 8, 4)) { |
| 334 | #ifdef WITH_DEBUG |
| 335 | Dbprintf ("MACing not verified"); |
| 336 | hexdump ((uint8_t *)data + *nbytes - 1, key_macing_length (key), "Expect ", 0); |
| 337 | hexdump ((uint8_t *)edata + edl - 8, key_macing_length (key), "Actual ", 0); |
| 338 | #endif |
| 339 | DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR; |
| 340 | *nbytes = -1; |
| 341 | res = NULL; |
| 342 | } |
| 343 | } |
| 344 | break; |
| 345 | case AS_NEW: |
| 346 | if (!(communication_settings & CMAC_COMMAND)) |
| 347 | break; |
| 348 | if (communication_settings & CMAC_VERIFY) { |
| 349 | if (*nbytes < 9) { |
| 350 | *nbytes = -1; |
| 351 | res = NULL; |
| 352 | break; |
| 353 | } |
| 354 | first_cmac_byte = ((uint8_t *)data)[*nbytes - 9]; |
| 355 | ((uint8_t *)data)[*nbytes - 9] = ((uint8_t *)data)[*nbytes-1]; |
| 356 | } |
| 357 | |
| 358 | int n = (communication_settings & CMAC_VERIFY) ? 8 : 0; |
| 359 | cmac (key, DESFIRE (tag)->ivect, ((uint8_t *)data), *nbytes - n, DESFIRE (tag)->cmac); |
| 360 | |
| 361 | if (communication_settings & CMAC_VERIFY) { |
| 362 | ((uint8_t *)data)[*nbytes - 9] = first_cmac_byte; |
| 363 | if (0 != memcmp (DESFIRE (tag)->cmac, (uint8_t *)data + *nbytes - 9, 8)) { |
| 364 | #ifdef WITH_DEBUG |
| 365 | Dbprintf ("CMAC NOT verified :-("); |
| 366 | hexdump ((uint8_t *)data + *nbytes - 9, 8, "Expect ", 0); |
| 367 | hexdump (DESFIRE (tag)->cmac, 8, "Actual ", 0); |
| 368 | #endif |
| 369 | DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR; |
| 370 | *nbytes = -1; |
| 371 | res = NULL; |
| 372 | } else { |
| 373 | *nbytes -= 8; |
| 374 | } |
| 375 | } |
| 376 | break; |
| 377 | } |
| 378 | |
| 379 | free (edata); |
| 380 | |
| 381 | break; |
| 382 | case MDCM_ENCIPHERED: |
| 383 | (*nbytes)--; |
| 384 | bool verified = false; |
| 385 | int crc_pos = 0x00; |
| 386 | int end_crc_pos = 0x00; |
| 387 | uint8_t x; |
| 388 | |
| 389 | /* |
| 390 | * AS_LEGACY: |
| 391 | * ,-----------------+-------------------------------+--------+ |
| 392 | * \ BLOCK n-1 | BLOCK n | STATUS | |
| 393 | * / PAYLOAD | CRC0 | CRC1 | 0x80? | 0x000000000000 | 0x9100 | |
| 394 | * `-----------------+-------------------------------+--------+ |
| 395 | * |
| 396 | * <------------ DATA ------------> |
| 397 | * FRAME = PAYLOAD + CRC(PAYLOAD) + PADDING |
| 398 | * |
| 399 | * AS_NEW: |
| 400 | * ,-------------------------------+-----------------------------------------------+--------+ |
| 401 | * \ BLOCK n-1 | BLOCK n | STATUS | |
| 402 | * / PAYLOAD | CRC0 | CRC1 | CRC2 | CRC3 | 0x80? | 0x0000000000000000000000000000 | 0x9100 | |
| 403 | * `-------------------------------+-----------------------------------------------+--------+ |
| 404 | * <----------------------------------- DATA ------------------------------------->| |
| 405 | * |
| 406 | * <----------------- DATA ----------------> |
| 407 | * FRAME = PAYLOAD + CRC(PAYLOAD + STATUS) + PADDING + STATUS |
| 408 | * `------------------' |
| 409 | */ |
| 410 | |
| 411 | mifare_cypher_blocks_chained (tag, NULL, NULL, res, *nbytes, MCD_RECEIVE, MCO_DECYPHER); |
| 412 | |
| 413 | /* |
| 414 | * Look for the CRC and ensure it is followed by NULL padding. We |
| 415 | * can't start by the end because the CRC is supposed to be 0 when |
| 416 | * verified, and accumulating 0's in it should not change it. |
| 417 | */ |
| 418 | switch (DESFIRE (tag)->authentication_scheme) { |
| 419 | case AS_LEGACY: |
| 420 | crc_pos = *nbytes - 8 - 1; // The CRC can be over two blocks |
| 421 | if (crc_pos < 0) { |
| 422 | /* Single block */ |
| 423 | crc_pos = 0; |
| 424 | } |
| 425 | break; |
| 426 | case AS_NEW: |
| 427 | /* Move status between payload and CRC */ |
| 428 | res = DESFIRE (tag)->crypto_buffer; |
| 429 | memcpy (res, data, *nbytes); |
| 430 | |
| 431 | crc_pos = (*nbytes) - 16 - 3; |
| 432 | if (crc_pos < 0) { |
| 433 | /* Single block */ |
| 434 | crc_pos = 0; |
| 435 | } |
| 436 | memcpy ((uint8_t *)res + crc_pos + 1, (uint8_t *)res + crc_pos, *nbytes - crc_pos); |
| 437 | ((uint8_t *)res)[crc_pos] = 0x00; |
| 438 | crc_pos++; |
| 439 | *nbytes += 1; |
| 440 | break; |
| 441 | } |
| 442 | |
| 443 | do { |
| 444 | uint16_t crc16 =0x00; |
| 445 | uint32_t crc; |
| 446 | switch (DESFIRE (tag)->authentication_scheme) { |
| 447 | case AS_LEGACY: |
| 448 | end_crc_pos = crc_pos + 2; |
| 449 | AppendCrc14443a (res, end_crc_pos); |
| 450 | |
| 451 | // |
| 452 | |
| 453 | |
| 454 | crc = crc16; |
| 455 | break; |
| 456 | case AS_NEW: |
| 457 | end_crc_pos = crc_pos + 4; |
| 458 | crc32_ex (res, end_crc_pos, (uint8_t *)&crc); |
| 459 | break; |
| 460 | } |
| 461 | if (!crc) { |
| 462 | verified = true; |
| 463 | for (int n = end_crc_pos; n < *nbytes - 1; n++) { |
| 464 | uint8_t byte = ((uint8_t *)res)[n]; |
| 465 | if (!( (0x00 == byte) || ((0x80 == byte) && (n == end_crc_pos)) )) |
| 466 | verified = false; |
| 467 | } |
| 468 | } |
| 469 | if (verified) { |
| 470 | *nbytes = crc_pos; |
| 471 | switch (DESFIRE (tag)->authentication_scheme) { |
| 472 | case AS_LEGACY: |
| 473 | ((uint8_t *)data)[(*nbytes)++] = 0x00; |
| 474 | break; |
| 475 | case AS_NEW: |
| 476 | /* The status byte was already before the CRC */ |
| 477 | break; |
| 478 | } |
| 479 | } else { |
| 480 | switch (DESFIRE (tag)->authentication_scheme) { |
| 481 | case AS_LEGACY: |
| 482 | break; |
| 483 | case AS_NEW: |
| 484 | x = ((uint8_t *)res)[crc_pos - 1]; |
| 485 | ((uint8_t *)res)[crc_pos - 1] = ((uint8_t *)res)[crc_pos]; |
| 486 | ((uint8_t *)res)[crc_pos] = x; |
| 487 | break; |
| 488 | } |
| 489 | crc_pos++; |
| 490 | } |
| 491 | } while (!verified && (end_crc_pos < *nbytes)); |
| 492 | |
| 493 | if (!verified) { |
| 494 | #ifdef WITH_DEBUG |
| 495 | /* FIXME In some configurations, the file is transmitted PLAIN */ |
| 496 | Dbprintf("CRC not verified in decyphered stream"); |
| 497 | #endif |
| 498 | DESFIRE (tag)->last_pcd_error = CRYPTO_ERROR; |
| 499 | *nbytes = -1; |
| 500 | res = NULL; |
| 501 | } |
| 502 | |
| 503 | break; |
| 504 | default: |
| 505 | Dbprintf("Unknown communication settings"); |
| 506 | *nbytes = -1; |
| 507 | res = NULL; |
| 508 | break; |
| 509 | |
| 510 | } |
| 511 | return res; |
| 512 | } |
| 513 | |
| 514 | |
| 515 | void mifare_cypher_single_block (desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size) |
| 516 | { |
| 517 | uint8_t ovect[MAX_CRYPTO_BLOCK_SIZE]; |
| 518 | |
| 519 | if (direction == MCD_SEND) { |
| 520 | xor (ivect, data, block_size); |
| 521 | } else { |
| 522 | memcpy (ovect, data, block_size); |
| 523 | } |
| 524 | |
| 525 | uint8_t edata[MAX_CRYPTO_BLOCK_SIZE]; |
| 526 | |
| 527 | switch (key->type) { |
| 528 | case T_DES: |
| 529 | switch (operation) { |
| 530 | case MCO_ENCYPHER: |
| 531 | //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); |
| 532 | des_enc(edata, data, key->data); |
| 533 | break; |
| 534 | case MCO_DECYPHER: |
| 535 | //DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); |
| 536 | des_dec(edata, data, key->data); |
| 537 | break; |
| 538 | } |
| 539 | break; |
| 540 | case T_3DES: |
| 541 | switch (operation) { |
| 542 | case MCO_ENCYPHER: |
| 543 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); |
| 544 | // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT); |
| 545 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); |
| 546 | tdes_enc(edata,data, key->data); |
| 547 | break; |
| 548 | case MCO_DECYPHER: |
| 549 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); |
| 550 | // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT); |
| 551 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); |
| 552 | tdes_dec(data, edata, key->data); |
| 553 | break; |
| 554 | } |
| 555 | break; |
| 556 | case T_3K3DES: |
| 557 | switch (operation) { |
| 558 | case MCO_ENCYPHER: |
| 559 | tdes_enc(edata,data, key->data); |
| 560 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_ENCRYPT); |
| 561 | // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_DECRYPT); |
| 562 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_ENCRYPT); |
| 563 | break; |
| 564 | case MCO_DECYPHER: |
| 565 | tdes_dec(data, edata, key->data); |
| 566 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks3), DES_DECRYPT); |
| 567 | // DES_ecb_encrypt ((DES_cblock *) edata, (DES_cblock *) data, &(key->ks2), DES_ENCRYPT); |
| 568 | // DES_ecb_encrypt ((DES_cblock *) data, (DES_cblock *) edata, &(key->ks1), DES_DECRYPT); |
| 569 | break; |
| 570 | } |
| 571 | break; |
| 572 | case T_AES: |
| 573 | switch (operation) |
| 574 | { |
| 575 | case MCO_ENCYPHER: |
| 576 | { |
| 577 | AesCtx ctx; |
| 578 | AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); |
| 579 | AesEncrypt(&ctx, data, edata, sizeof(edata) ); |
| 580 | break; |
| 581 | } |
| 582 | case MCO_DECYPHER: |
| 583 | { |
| 584 | AesCtx ctx; |
| 585 | AesCtxIni(&ctx, ivect, key->data, KEY128,CBC); |
| 586 | AesDecrypt(&ctx, edata, data, sizeof(edata)); |
| 587 | break; |
| 588 | } |
| 589 | } |
| 590 | break; |
| 591 | } |
| 592 | |
| 593 | memcpy (data, edata, block_size); |
| 594 | |
| 595 | if (direction == MCD_SEND) { |
| 596 | memcpy (ivect, data, block_size); |
| 597 | } else { |
| 598 | xor (ivect, data, block_size); |
| 599 | memcpy (ivect, ovect, block_size); |
| 600 | } |
| 601 | } |
| 602 | |
| 603 | /* |
| 604 | * This function performs all CBC cyphering / deciphering. |
| 605 | * |
| 606 | * The tag argument may be NULL, in which case both key and ivect shall be set. |
| 607 | * When using the tag session_key and ivect for processing data, these |
| 608 | * arguments should be set to NULL. |
| 609 | * |
| 610 | * Because the tag may contain additional data, one may need to call this |
| 611 | * function with tag, key and ivect defined. |
| 612 | */ |
| 613 | void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation) { |
| 614 | size_t block_size; |
| 615 | |
| 616 | if (tag) { |
| 617 | if (!key) |
| 618 | key = DESFIRE (tag)->session_key; |
| 619 | if (!ivect) |
| 620 | ivect = DESFIRE (tag)->ivect; |
| 621 | |
| 622 | switch (DESFIRE (tag)->authentication_scheme) { |
| 623 | case AS_LEGACY: |
| 624 | memset (ivect, 0, MAX_CRYPTO_BLOCK_SIZE); |
| 625 | break; |
| 626 | case AS_NEW: |
| 627 | break; |
| 628 | } |
| 629 | } |
| 630 | |
| 631 | block_size = key_block_size (key); |
| 632 | |
| 633 | size_t offset = 0; |
| 634 | while (offset < data_size) { |
| 635 | mifare_cypher_single_block (key, data + offset, ivect, direction, operation, block_size); |
| 636 | offset += block_size; |
| 637 | } |
| 638 | } |