cvs.zerfleddert.de Git - proxmark3-svn/blob - client/emv/emv_roca.c

   1 /* roca.c - ROCA (CVE-2017-15361) fingerprint checker.
   2  * Written by Rob Stradling (based on https://github.com/crocs-muni/roca/blob/master/roca/detect.py)
   3  * Copyright (C) 2017-2018 Sectigo Limited
   4  * modified 2018 iceman  (dropped openssl bignum,  now use mbedtls lib)
   5  * modified 2018 merlok
   6  *
   7  * This program is free software: you can redistribute it and/or modify
   8  * it under the terms of the GNU General Public License as published by
   9  * the Free Software Foundation, either version 2 of the License, or
  10  * (at your option) any later version.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  * GNU General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU General Public License
  18  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19  */
  20 //-----------------------------------------------------------------------------
  21 // EMV roca commands
  22 //-----------------------------------------------------------------------------
  23
  24 #include "emv_roca.h"
  25
  26 #include <stddef.h>
  27 #include <stdint.h>
  28 #include <stdbool.h>
  29
  30 #include "ui.h"
  31 #include "util.h"
  32 #include "mbedtls/bignum.h"
  33
  34
  35 static uint8_t g_primes[ROCA_PRINTS_LENGTH] = {
  36         11, 13, 17, 19, 37, 53, 61, 71, 73, 79, 97, 103, 107, 109, 127, 151, 157
  37 };
  38
  39 mbedtls_mpi g_prints[ROCA_PRINTS_LENGTH];
  40
  41 void rocacheck_init(void) {
  42
  43         for (int i = 0; i < ROCA_PRINTS_LENGTH; i++)
  44                 mbedtls_mpi_init(&g_prints[i]);
  45
  46         mbedtls_mpi_read_string(&g_prints[0], 10, "1026");
  47         mbedtls_mpi_read_string(&g_prints[1], 10, "5658");
  48         mbedtls_mpi_read_string(&g_prints[2], 10, "107286");
  49         mbedtls_mpi_read_string(&g_prints[3], 10, "199410");
  50         mbedtls_mpi_read_string(&g_prints[4], 10, "67109890");
  51         mbedtls_mpi_read_string(&g_prints[5], 10, "5310023542746834");
  52         mbedtls_mpi_read_string(&g_prints[6], 10, "1455791217086302986");
  53         mbedtls_mpi_read_string(&g_prints[7], 10, "20052041432995567486");
  54         mbedtls_mpi_read_string(&g_prints[8], 10, "6041388139249378920330");
  55         mbedtls_mpi_read_string(&g_prints[9], 10, "207530445072488465666");
  56         mbedtls_mpi_read_string(&g_prints[10], 10, "79228162521181866724264247298");
  57         mbedtls_mpi_read_string(&g_prints[11], 10, "1760368345969468176824550810518");
  58         mbedtls_mpi_read_string(&g_prints[12], 10, "50079290986288516948354744811034");
  59         mbedtls_mpi_read_string(&g_prints[13], 10, "473022961816146413042658758988474");
  60         mbedtls_mpi_read_string(&g_prints[14], 10, "144390480366845522447407333004847678774");
  61         mbedtls_mpi_read_string(&g_prints[15], 10, "1800793591454480341970779146165214289059119882");
  62         mbedtls_mpi_read_string(&g_prints[16], 10, "126304807362733370595828809000324029340048915994");
  63 }
  64
  65 void rocacheck_cleanup(void) {
  66         for (int i = 0; i < ROCA_PRINTS_LENGTH; i++)
  67                 mbedtls_mpi_free(&g_prints[i]);
  68 }
  69
  70 int bitand_is_zero(     mbedtls_mpi* a, mbedtls_mpi* b ) {
  71
  72         for (int i = 0; i < mbedtls_mpi_bitlen(a); i++) {
  73
  74                 if (mbedtls_mpi_get_bit(a, i) && mbedtls_mpi_get_bit(b, i))
  75                         return 0;
  76         }
  77         return 1;
  78 }
  79
  80
  81 mbedtls_mpi_uint mpi_get_uint(const mbedtls_mpi *X) {
  82
  83         if (X->n == 1 && X->s > 0) {
  84                 return X->p[0];
  85         }
  86         printf("ZERRRRO!!!\n");
  87         return 0;
  88 }
  89
  90 void print_mpi(const char *msg, int radix, const mbedtls_mpi *X) {
  91
  92         char Xchar[400] = {0};
  93         size_t len = 0;
  94
  95         mbedtls_mpi_write_string(X, radix, Xchar, sizeof(Xchar), &len);
  96         printf("%s[%zd] %s\n", msg, len, Xchar);
  97 }
  98
  99 bool emv_rocacheck(const unsigned char *buf, size_t buflen, bool verbose) {
 100
 101         mbedtls_mpi t_modulus;
 102         mbedtls_mpi_init(&t_modulus);
 103
 104         bool ret = false;
 105
 106         rocacheck_init();
 107
 108         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary(&t_modulus, buf, buflen) );
 109
 110         for (int i = 0; i < ROCA_PRINTS_LENGTH; i++) {
 111
 112                 mbedtls_mpi t_temp;
 113                 mbedtls_mpi t_prime;
 114                 mbedtls_mpi g_one;
 115
 116                 mbedtls_mpi_init(&t_temp);
 117                 mbedtls_mpi_init(&t_prime);
 118                 mbedtls_mpi_init(&g_one);
 119
 120                 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string(&g_one, 10, "1") );
 121
 122                 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(&t_prime, &t_prime, g_primes[i]) );
 123
 124                 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi(&t_temp, &t_modulus, &t_prime) );
 125
 126                 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l(&g_one, mpi_get_uint(&t_temp)) );
 127
 128                 if (bitand_is_zero(&g_one, &g_prints[i])) {
 129                         if (verbose)
 130                                 PrintAndLogEx(FAILED, "No fingerprint found.\n");
 131                         goto cleanup;
 132                 }
 133
 134                 mbedtls_mpi_free(&g_one);
 135                 mbedtls_mpi_free(&t_temp);
 136                 mbedtls_mpi_free(&t_prime);
 137         }
 138
 139         ret = true;
 140         if (verbose)
 141                 PrintAndLogEx(SUCCESS, "Fingerprint found!\n");
 142
 143 cleanup:
 144         mbedtls_mpi_free(&t_modulus);
 145
 146         rocacheck_cleanup();
 147         return ret;
 148 }
 149
 150 int roca_self_test( void ) {
 151         int ret = 0;
 152
 153         PrintAndLogEx(INFO, "ROCA check vulnerability tests" );
 154
 155         // positive
 156         uint8_t keyp[] = "\x94\x4e\x13\x20\x8a\x28\x0c\x37\xef\xc3\x1c\x31\x14\x48\x5e\x59"\
 157                         "\x01\x92\xad\xbb\x8e\x11\xc8\x7c\xad\x60\xcd\xef\x00\x37\xce\x99"\
 158                                         "\x27\x83\x30\xd3\xf4\x71\xa2\x53\x8f\xa6\x67\x80\x2e\xd2\xa3\xc4"\
 159                                         "\x4a\x8b\x7d\xea\x82\x6e\x88\x8d\x0a\xa3\x41\xfd\x66\x4f\x7f\xa7";
 160
 161
 162         if (emv_rocacheck(keyp, 64, false)) {
 163                 PrintAndLogEx(SUCCESS, "Weak modulus [ %s]", _GREEN_(PASS) );
 164         }
 165         else {
 166                 ret++;
 167                 PrintAndLogEx(FAILED, "Weak modulus [ %s]", _RED_(FAIL) );
 168         }
 169
 170         // negative
 171         uint8_t keyn[] = "\x84\x4e\x13\x20\x8a\x28\x0c\x37\xef\xc3\x1c\x31\x14\x48\x5e\x59"\
 172                         "\x01\x92\xad\xbb\x8e\x11\xc8\x7c\xad\x60\xcd\xef\x00\x37\xce\x99"\
 173                                         "\x27\x83\x30\xd3\xf4\x71\xa2\x53\x8f\xa6\x67\x80\x2e\xd2\xa3\xc4"\
 174                                         "\x4a\x8b\x7d\xea\x82\x6e\x88\x8d\x0a\xa3\x41\xfd\x66\x4f\x7f\xa7";
 175
 176         if (emv_rocacheck(keyn, 64, false)) {
 177                 ret++;
 178                 PrintAndLogEx(FAILED, "Strong modulus [ %s]", _RED_(FAIL) );
 179         } else {
 180                 PrintAndLogEx(SUCCESS, "Strong modulus [ %s]", _GREEN_(PASS) );
 181         }
 182
 183         return ret;
 184 }