From 7d4f9e4f1fbb3233acee7b097550f8487bde8a06 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 19 Apr 2022 19:09:38 +0200 Subject: [PATCH] Adding EAC and some crypto functions. Adding MBEDTLS submodule to core. --- .gitmodules | 3 + CMakeLists.txt | 4 + mbedtls | 1 + src/ccid/ccid2040.c | 53 +++++++- src/ccid/ccid2040.h | 3 + src/ccid/crypto_utils.c | 146 +++++++++++++++++++++ src/ccid/crypto_utils.h | 48 +++++++ src/ccid/eac.c | 270 ++++++++++++++++++++++++++++++++++++++ src/ccid/eac.h | 46 +++++++ src/usb/usb_descriptors.c | 2 +- 10 files changed, 572 insertions(+), 4 deletions(-) create mode 100644 .gitmodules create mode 160000 mbedtls create mode 100644 src/ccid/crypto_utils.c create mode 100644 src/ccid/crypto_utils.h create mode 100644 src/ccid/eac.c create mode 100644 src/ccid/eac.h diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..342fd0e --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "mbedtls"] + path = mbedtls + url = https://github.com/ARMmbed/mbedtls diff --git a/CMakeLists.txt b/CMakeLists.txt index 0c0d678..5485fdc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -50,6 +50,8 @@ target_sources(pico_ccid PUBLIC ${CMAKE_CURRENT_LIST_DIR}/src/fs/low_flash.c ${CMAKE_CURRENT_LIST_DIR}/src/rng/random.c ${CMAKE_CURRENT_LIST_DIR}/src/rng/neug.c + ${CMAKE_CURRENT_LIST_DIR}/src/ccid/eac.c + ${CMAKE_CURRENT_LIST_DIR}/src/ccid/crypto_utils.c ) target_include_directories(pico_ccid PUBLIC @@ -57,6 +59,8 @@ target_include_directories(pico_ccid PUBLIC ${CMAKE_CURRENT_LIST_DIR}/src/ccid ${CMAKE_CURRENT_LIST_DIR}/src/rng ${CMAKE_CURRENT_LIST_DIR}/src/usb + ${CMAKE_CURRENT_LIST_DIR}/mbedtls/include + ${CMAKE_CURRENT_LIST_DIR}/mbedtls/library ) pico_add_extra_outputs(pico_ccid) diff --git a/mbedtls b/mbedtls new file mode 160000 index 0000000..d65aeb3 --- /dev/null +++ b/mbedtls @@ -0,0 +1 @@ +Subproject commit d65aeb37349ad1a50e0f6c9b694d4b5290d60e49 diff --git a/src/ccid/ccid2040.c b/src/ccid/ccid2040.c index 876960f..f9fc775 100644 --- a/src/ccid/ccid2040.c +++ b/src/ccid/ccid2040.c @@ -1266,11 +1266,11 @@ void prepare_ccid() { struct ccid *c = &ccid; struct apdu *a = &apdu; - epi_init (epi, 1, c); - epo_init (epo, 2, c); + epi_init(epi, 1, c); + epo_init(epo, 2, c); apdu_init(a); - ccid_init (c, epi, epo, a); + ccid_init(c, epi, epo, a); } int process_apdu() { @@ -1480,6 +1480,53 @@ void led_off_all() { #endif } +int format_tlv_len(size_t len, uint8_t *out) { + if (len < 128) { + *out = len; + return 1; + } + else if (len < 256) { + *out++ = 0x81; + *out++ = len; + return 2; + } + else { + *out++ = 0x82; + *out++ = (len >> 8) & 0xff; + *out++ = len & 0xff; + return 3; + } + return 0; +} + +int walk_tlv(const uint8_t *cdata, size_t cdata_len, uint8_t **p, uint8_t *tag, size_t *tag_len, uint8_t **data) { + if (!p) + return 0; + if (!*p) + *p = (uint8_t *)cdata; + if (*p-cdata >= cdata_len) + return 0; + uint8_t tg = 0x0; + size_t tgl = 0; + tg = *(*p)++; + tgl = *(*p)++; + if (tgl == 0x82) { + tgl = *(*p)++ << 8; + tgl |= *(*p)++; + } + else if (tgl == 0x81) { + tgl = *(*p)++; + } + if (tag) + *tag = tg; + if (tag_len) + *tag_len = tgl; + if (data) + *data = *p; + *p = *p+tgl; + return 1; +} + void init_rtc() { rtc_init(); diff --git a/src/ccid/ccid2040.h b/src/ccid/ccid2040.h index 4df3696..64d491d 100644 --- a/src/ccid/ccid2040.h +++ b/src/ccid/ccid2040.h @@ -249,4 +249,7 @@ extern void led_set_blink(uint32_t mode); #define CCID_WRONG_PADDING -1011 #define CCID_VERIFICATION_FAILED -1012 +extern int walk_tlv(const uint8_t *cdata, size_t cdata_len, uint8_t **p, uint8_t *tag, size_t *tag_len, uint8_t **data); +extern int format_tlv_len(size_t len, uint8_t *out); + #endif \ No newline at end of file diff --git a/src/ccid/crypto_utils.c b/src/ccid/crypto_utils.c new file mode 100644 index 0000000..48cea9e --- /dev/null +++ b/src/ccid/crypto_utils.c @@ -0,0 +1,146 @@ +/* + * This file is part of the Pico CCID distribution (https://github.com/polhenarejos/pico-ccid). + * Copyright (c) 2022 Pol Henarejos. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 3. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include +#include "mbedtls/md.h" +#include "mbedtls/sha256.h" +#include "mbedtls/aes.h" +#include "crypto_utils.h" +#include "ccid2040.h" + +void double_hash_pin(const uint8_t *pin, size_t len, uint8_t output[32]) { + uint8_t o1[32]; + hash_multi(pin, len, o1); + for (int i = 0; i < sizeof(o1); i++) + o1[i] ^= pin[i%len]; + hash_multi(o1, sizeof(o1), output); +} + +void hash_multi(const uint8_t *input, size_t len, uint8_t output[32]) { + mbedtls_sha256_context ctx; + mbedtls_sha256_init(&ctx); + int iters = 256; + pico_unique_board_id_t unique_id; + + pico_get_unique_board_id(&unique_id); + + mbedtls_sha256_starts (&ctx, 0); + mbedtls_sha256_update (&ctx, unique_id.id, sizeof(unique_id.id)); + + while (iters > len) + { + mbedtls_sha256_update (&ctx, input, len); + iters -= len; + } + if (iters > 0) // remaining iterations + mbedtls_sha256_update (&ctx, input, iters); + mbedtls_sha256_finish (&ctx, output); + mbedtls_sha256_free (&ctx); +} + +void hash256(const uint8_t *input, size_t len, uint8_t output[32]) { + mbedtls_sha256_context ctx; + mbedtls_sha256_init(&ctx); + + mbedtls_sha256_starts (&ctx, 0); + mbedtls_sha256_update (&ctx, input, len); + + mbedtls_sha256_finish (&ctx, output); + mbedtls_sha256_free (&ctx); +} + +void generic_hash(mbedtls_md_type_t md, const uint8_t *input, size_t len, uint8_t *output) { + mbedtls_md_context_t ctx; + mbedtls_md_init(&ctx); + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md); + mbedtls_md_setup(&ctx, md_info, 0); + mbedtls_md_starts(&ctx); + mbedtls_md_update(&ctx, input, len); + mbedtls_md_finish(&ctx, output); + mbedtls_md_free(&ctx); +} + +int aes_encrypt(const uint8_t *key, const uint8_t *iv, int key_size, int mode, uint8_t *data, int len) { + mbedtls_aes_context aes; + mbedtls_aes_init(&aes); + uint8_t tmp_iv[IV_SIZE]; + size_t iv_offset = 0; + memset(tmp_iv, 0, IV_SIZE); + if (iv) + memcpy(tmp_iv, iv, IV_SIZE); + int r = mbedtls_aes_setkey_enc(&aes, key, key_size); + if (r != 0) + return CCID_EXEC_ERROR; + if (mode == HSM_AES_MODE_CBC) + return mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, len, tmp_iv, data, data); + return mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_ENCRYPT, len, &iv_offset, tmp_iv, data, data); +} + +int aes_decrypt(const uint8_t *key, const uint8_t *iv, int key_size, int mode, uint8_t *data, int len) { + mbedtls_aes_context aes; + mbedtls_aes_init(&aes); + uint8_t tmp_iv[IV_SIZE]; + size_t iv_offset = 0; + memset(tmp_iv, 0, IV_SIZE); + if (iv) + memcpy(tmp_iv, iv, IV_SIZE); + int r = mbedtls_aes_setkey_dec(&aes, key, key_size); + if (r != 0) + return CCID_EXEC_ERROR; + if (mode == HSM_AES_MODE_CBC) + return mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, len, tmp_iv, data, data); + r = mbedtls_aes_setkey_enc(&aes, key, key_size); //CFB requires set_enc instead set_dec + return mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_DECRYPT, len, &iv_offset, tmp_iv, data, data); +} + +int aes_encrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len) { + return aes_encrypt(key, iv, 256, HSM_AES_MODE_CFB, data, len); +} +int aes_decrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len) { + return aes_decrypt(key, iv, 256, HSM_AES_MODE_CFB, data, len); +} + +struct lv_data { + unsigned char *value; + uint8_t len; +}; + +struct ec_curve_mbed_id { + struct lv_data curve; + mbedtls_ecp_group_id id; +}; +struct ec_curve_mbed_id ec_curves_mbed[] = { + { { (unsigned char *) "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 24}, MBEDTLS_ECP_DP_SECP192R1 }, + { { (unsigned char *) "\xFF\xFF\xFF\xFF\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 32}, MBEDTLS_ECP_DP_SECP256R1 }, + { { (unsigned char *) "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF", 48}, MBEDTLS_ECP_DP_SECP384R1 }, + { { (unsigned char *) "\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 66}, MBEDTLS_ECP_DP_SECP521R1 }, + { { (unsigned char *) "\xA9\xFB\x57\xDB\xA1\xEE\xA9\xBC\x3E\x66\x0A\x90\x9D\x83\x8D\x72\x6E\x3B\xF6\x23\xD5\x26\x20\x28\x20\x13\x48\x1D\x1F\x6E\x53\x77", 32}, MBEDTLS_ECP_DP_BP256R1 }, + { { (unsigned char *) "\x8C\xB9\x1E\x82\xA3\x38\x6D\x28\x0F\x5D\x6F\x7E\x50\xE6\x41\xDF\x15\x2F\x71\x09\xED\x54\x56\xB4\x12\xB1\xDA\x19\x7F\xB7\x11\x23\xAC\xD3\xA7\x29\x90\x1D\x1A\x71\x87\x47\x00\x13\x31\x07\xEC\x53", 48}, MBEDTLS_ECP_DP_BP384R1 }, + { { (unsigned char *) "\xAA\xDD\x9D\xB8\xDB\xE9\xC4\x8B\x3F\xD4\xE6\xAE\x33\xC9\xFC\x07\xCB\x30\x8D\xB3\xB3\xC9\xD2\x0E\xD6\x63\x9C\xCA\x70\x33\x08\x71\x7D\x4D\x9B\x00\x9B\xC6\x68\x42\xAE\xCD\xA1\x2A\xE6\xA3\x80\xE6\x28\x81\xFF\x2F\x2D\x82\xC6\x85\x28\xAA\x60\x56\x58\x3A\x48\xF3", 64}, MBEDTLS_ECP_DP_BP512R1 }, + { { (unsigned char *) "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE\xFF\xFF\xEE\x37", 24}, MBEDTLS_ECP_DP_SECP192K1 }, + { { (unsigned char *) "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE\xFF\xFF\xFC\x2F", 32}, MBEDTLS_ECP_DP_SECP256K1 }, + { { NULL, 0 }, MBEDTLS_ECP_DP_NONE } +}; + +mbedtls_ecp_group_id ec_get_curve_from_prime(const uint8_t *prime, size_t prime_len) { + for (struct ec_curve_mbed_id *ec = ec_curves_mbed; ec->id != MBEDTLS_ECP_DP_NONE; ec++) { + if (prime_len == ec->curve.len && memcmp(prime, ec->curve.value, prime_len) == 0) { + return ec->id; + } + } + return MBEDTLS_ECP_DP_NONE; +} \ No newline at end of file diff --git a/src/ccid/crypto_utils.h b/src/ccid/crypto_utils.h new file mode 100644 index 0000000..8bccf11 --- /dev/null +++ b/src/ccid/crypto_utils.h @@ -0,0 +1,48 @@ +/* + * This file is part of the Pico CCID distribution (https://github.com/polhenarejos/pico-ccid). + * Copyright (c) 2022 Pol Henarejos. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 3. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef _CRYPTO_UTILS_H_ +#define _CRYPTO_UTILS_H_ + +#include "stdlib.h" +#include "pico/stdlib.h" +#include "mbedtls/ecp.h" +#include "mbedtls/md.h" + +#define HSM_KEY_RSA 0x1 +#define HSM_KEY_EC 0x10 +#define HSM_KEY_AES 0x100 +#define HSM_KEY_AES_128 0x300 +#define HSM_KEY_AES_192 0x500 +#define HSM_KEY_AES_256 0x900 + +#define HSM_AES_MODE_CBC 1 +#define HSM_AES_MODE_CFB 2 + +#define IV_SIZE 16 + +extern void double_hash_pin(const uint8_t *pin, size_t len, uint8_t output[32]); +extern void hash_multi(const uint8_t *input, size_t len, uint8_t output[32]); +extern void hash256(const uint8_t *input, size_t len, uint8_t output[32]); +extern void generic_hash(mbedtls_md_type_t md, const uint8_t *input, size_t len, uint8_t *output); +extern int aes_encrypt(const uint8_t *key, const uint8_t *iv, int key_size, int mode, uint8_t *data, int len); +extern int aes_decrypt(const uint8_t *key, const uint8_t *iv, int key_size, int mode, uint8_t *data, int len); +extern int aes_encrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len); +extern int aes_decrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len); +extern mbedtls_ecp_group_id ec_get_curve_from_prime(const uint8_t *prime, size_t prime_len); + +#endif diff --git a/src/ccid/eac.c b/src/ccid/eac.c new file mode 100644 index 0000000..561d11b --- /dev/null +++ b/src/ccid/eac.c @@ -0,0 +1,270 @@ +/* + * This file is part of the Pico CCID distribution (https://github.com/polhenarejos/pico-ccid). + * Copyright (c) 2022 Pol Henarejos. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 3. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "eac.h" +#include "crypto_utils.h" +#include "random.h" +#include "mbedtls/cmac.h" + +static uint8_t nonce[8]; +static uint8_t auth_token[8]; +static uint8_t sm_kmac[16]; +static uint8_t sm_kenc[16]; +static MSE_protocol sm_protocol = MSE_NONE; +static mbedtls_mpi sm_mSSC; +static uint8_t sm_blocksize = 0; +static uint8_t sm_iv[16]; +size_t sm_session_pin_len = 0; +uint8_t sm_session_pin[16]; + +bool is_secured_apdu() { + return (CLA(apdu) & 0xC); +} + +void sm_derive_key(const uint8_t *input, size_t input_len, uint8_t counter, const uint8_t *nonce, size_t nonce_len, uint8_t *out) { + uint8_t *b = (uint8_t *)calloc(1, input_len+nonce_len+4); + if (input) + memcpy(b, input, input_len); + if (nonce) + memcpy(b+input_len, nonce, nonce_len); + b[input_len+nonce_len+3] = counter; + uint8_t digest[20]; + generic_hash(MBEDTLS_MD_SHA1, b, input_len+nonce_len+4, digest); + memcpy(out, digest, 16); + free(b); +} + +void sm_derive_all_keys(const uint8_t *derived, size_t derived_len) { + memcpy(nonce, random_bytes_get(8), 8); + sm_derive_key(derived, derived_len, 1, nonce, sizeof(nonce), sm_kenc); + sm_derive_key(derived, derived_len, 2, nonce, sizeof(nonce), sm_kmac); + mbedtls_mpi_init(&sm_mSSC); + mbedtls_mpi_grow(&sm_mSSC, sm_blocksize); + mbedtls_mpi_lset(&sm_mSSC, 0); + memset(sm_iv, 0, sizeof(sm_iv)); + sm_session_pin_len = 0; +} + +void sm_set_protocol(MSE_protocol proto) { + sm_protocol = proto; + if (proto == MSE_AES) + sm_blocksize = 16; + else if (proto == MSE_3DES) + sm_blocksize = 8; +} + +MSE_protocol sm_get_protocol() { + return sm_protocol; +} + +uint8_t *sm_get_nonce() { + return nonce; +} + +int sm_sign(uint8_t *in, size_t in_len, uint8_t *out) { + return mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB), sm_kmac, 128, in, in_len, out); +} + +int sm_unwrap() { + uint8_t sm_indicator = (CLA(apdu) >> 2) & 0x3; + if (sm_indicator == 0) + return CCID_OK; + int r = sm_verify(); + if (r != CCID_OK) + return r; + int le = sm_get_le(); + if (le >= 0) + apdu.expected_res_size = le; + uint8_t *body = NULL; + size_t body_size = 0; + bool is87 = false; + uint8_t tag = 0x0, *tag_data = NULL, *p = NULL; + size_t tag_len = 0; + while (walk_tlv(apdu.cmd_apdu_data, apdu.cmd_apdu_data_len, &p, &tag, &tag_len, &tag_data)) { + if (tag == 0x87 || tag == 0x85) { + body = tag_data; + body_size = tag_len; + if (tag == 0x87) { + is87 = true; + body_size--; + } + } + } + if (!body) + return CCID_WRONG_DATA; + if (is87 && *body++ != 0x1) { + return CCID_WRONG_PADDING; + } + sm_update_iv(); + aes_decrypt(sm_kenc, sm_iv, 128, HSM_AES_MODE_CBC, body, body_size); + memmove(apdu.cmd_apdu_data, body, body_size); + apdu.cmd_apdu_data_len = sm_remove_padding(apdu.cmd_apdu_data, body_size); + DEBUG_PAYLOAD(apdu.cmd_apdu_data, apdu.cmd_apdu_data_len); + return CCID_OK; +} + +int sm_wrap() { + uint8_t sm_indicator = (CLA(apdu) >> 2) & 0x3; + if (sm_indicator == 0) + return CCID_OK; + uint8_t input[1024]; + size_t input_len = 0; + memset(input, 0, sizeof(input)); + mbedtls_mpi ssc; + mbedtls_mpi_init(&ssc); + mbedtls_mpi_add_int(&ssc, &sm_mSSC, 1); + mbedtls_mpi_copy(&sm_mSSC, &ssc); + int r = mbedtls_mpi_write_binary(&ssc, input, sm_blocksize); + input_len += sm_blocksize; + mbedtls_mpi_free(&ssc); + if (res_APDU_size > 0) { + res_APDU[res_APDU_size++] = 0x80; + memset(res_APDU+res_APDU_size, 0, (sm_blocksize - (res_APDU_size%sm_blocksize))); + res_APDU_size += (sm_blocksize - (res_APDU_size%sm_blocksize)); + DEBUG_PAYLOAD(res_APDU, res_APDU_size); + sm_update_iv(); + aes_encrypt(sm_kenc, sm_iv, 128, HSM_AES_MODE_CBC, res_APDU, res_APDU_size); + memmove(res_APDU+1, res_APDU, res_APDU_size); + res_APDU[0] = 0x1; + res_APDU_size++; + if (res_APDU_size < 128) { + memmove(res_APDU+2, res_APDU, res_APDU_size); + res_APDU[1] = res_APDU_size; + res_APDU_size += 2; + } + else if (res_APDU_size < 256) { + memmove(res_APDU+3, res_APDU, res_APDU_size); + res_APDU[1] = 0x81; + res_APDU[2] = res_APDU_size; + res_APDU_size += 3; + } + else { + memmove(res_APDU+4, res_APDU, res_APDU_size); + res_APDU[1] = 0x82; + res_APDU[2] = res_APDU_size >> 8; + res_APDU[3] = res_APDU_size & 0xff; + res_APDU_size += 4; + } + res_APDU[0] = 0x87; + } + res_APDU[res_APDU_size++] = 0x99; + res_APDU[res_APDU_size++] = 2; + res_APDU[res_APDU_size++] = apdu.sw >> 8; + res_APDU[res_APDU_size++] = apdu.sw & 0xff; + memcpy(input+input_len, res_APDU, res_APDU_size); + input_len += res_APDU_size; + input[input_len++] = 0x80; + input_len += (sm_blocksize - (input_len%sm_blocksize)); + r = sm_sign(input, input_len, res_APDU+res_APDU_size+2); + res_APDU[res_APDU_size++] = 0x8E; + res_APDU[res_APDU_size++] = 8; + res_APDU_size += 8; + if (apdu.expected_res_size > 0) + apdu.expected_res_size = res_APDU_size; + return CCID_OK; +} + +int sm_get_le() { + uint8_t tag = 0x0, *tag_data = NULL, *p = NULL; + size_t tag_len = 0; + while (walk_tlv(apdu.cmd_apdu_data, apdu.cmd_apdu_data_len, &p, &tag, &tag_len, &tag_data)) { + if (tag == 0x97) { + uint32_t le = 0; + for (int t = 1; t <= tag_len; t++) + le |= (*tag_data++) << (tag_len-t); + return le; + } + } + return -1; +} + +void sm_update_iv() { + uint8_t tmp_iv[16], sc_counter[16]; + memset(tmp_iv, 0, sizeof(tmp_iv)); //IV is always 0 for encryption of IV based on counter + mbedtls_mpi_write_binary(&sm_mSSC, sc_counter, sizeof(sc_counter)); + aes_encrypt(sm_kenc, tmp_iv, 128, HSM_AES_MODE_CBC, sc_counter, sizeof(sc_counter)); + memcpy(sm_iv, sc_counter, sizeof(sc_counter)); +} + +int sm_verify() { + uint8_t input[1024]; + memset(input, 0, sizeof(input)); + int input_len = 0, r = 0; + bool add_header = (CLA(apdu) & 0xC) == 0xC; + int data_len = (int)(apdu.cmd_apdu_data_len/sm_blocksize)*sm_blocksize; + if (data_len % sm_blocksize) + data_len += sm_blocksize; + if (data_len+(add_header ? sm_blocksize : 0) > 1024) + return CCID_WRONG_LENGTH; + mbedtls_mpi ssc; + mbedtls_mpi_init(&ssc); + mbedtls_mpi_add_int(&ssc, &sm_mSSC, 1); + mbedtls_mpi_copy(&sm_mSSC, &ssc); + r = mbedtls_mpi_write_binary(&ssc, input, sm_blocksize); + input_len += sm_blocksize; + mbedtls_mpi_free(&ssc); + if (r != 0) + return CCID_EXEC_ERROR; + if (add_header) { + input[input_len++] = CLA(apdu); + input[input_len++] = INS(apdu); + input[input_len++] = P1(apdu); + input[input_len++] = P2(apdu); + input[input_len++] = 0x80; + input_len += sm_blocksize-5; + } + bool some_added = false; + const uint8_t *mac = NULL; + size_t mac_len = 0; + uint8_t tag = 0x0, *tag_data = NULL, *p = NULL; + size_t tag_len = 0; + while (walk_tlv(apdu.cmd_apdu_data, apdu.cmd_apdu_data_len, &p, &tag, &tag_len, &tag_data)) { + if (tag & 0x1) { + input[input_len++] = tag; + int tlen = format_tlv_len(tag_len, input+input_len); + input_len += tlen; + memcpy(input+input_len, tag_data, tag_len); + input_len += tag_len; + some_added = true; + } + if (tag == 0x8E) { + mac = tag_data; + mac_len = tag_len; + } + } + if (!mac) + return CCID_WRONG_DATA; + if (some_added) { + input[input_len++] = 0x80; + input_len += (sm_blocksize - (input_len%sm_blocksize)); + } + uint8_t signature[16]; + r = sm_sign(input, input_len, signature); + if (r != 0) + return CCID_EXEC_ERROR; + if (memcmp(signature, mac, mac_len) == 0) + return CCID_OK; + return CCID_VERIFICATION_FAILED; +} + +int sm_remove_padding(const uint8_t *data, size_t data_len) { + int i = data_len-1; + for (; i >= 0 && data[i] == 0; i--); + if (i < 0 || data[i] != 0x80) + return -1; + return i; +} \ No newline at end of file diff --git a/src/ccid/eac.h b/src/ccid/eac.h new file mode 100644 index 0000000..e7d4f94 --- /dev/null +++ b/src/ccid/eac.h @@ -0,0 +1,46 @@ +/* + * This file is part of the Pico CCID distribution (https://github.com/polhenarejos/pico-ccid). + * Copyright (c) 2022 Pol Henarejos. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 3. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef _EAC_H_ +#define _EAC_H_ + +#include +#include "pico/stdlib.h" +#include "ccid2040.h" + +typedef enum MSE_protocol { + MSE_AES = 0, + MSE_3DES, + MSE_NONE +}MSE_protocol; + +extern void sm_derive_all_keys(const uint8_t *input, size_t input_len); +extern void sm_set_protocol(MSE_protocol proto); +extern MSE_protocol sm_get_protocol(); +extern uint8_t *sm_get_nonce(); +extern int sm_sign(uint8_t *in, size_t in_len, uint8_t *out); +int sm_verify(); +void sm_update_iv(); +int sm_get_le(); +extern int sm_unwrap(); +int sm_remove_padding(const uint8_t *data, size_t data_len); +extern int sm_wrap(); +extern bool is_secured_apdu(); +extern uint8_t sm_session_pin[16]; +extern size_t sm_session_pin_len; + +#endif diff --git a/src/usb/usb_descriptors.c b/src/usb/usb_descriptors.c index 7a8b376..093296a 100644 --- a/src/usb/usb_descriptors.c +++ b/src/usb/usb_descriptors.c @@ -52,7 +52,7 @@ tusb_desc_device_t const desc_device = .idVendor = (USB_VID), .idProduct = (USB_PID), - .bcdDevice = HSM_VERSION, + .bcdDevice = CCID_VERSION, .iManufacturer = 1, .iProduct = 2,