/* * Wrapper for crypto implementation on device * * */ #include #include #include #include "em_adc.h" #include "util.h" #include "crypto.h" #include "device.h" #include "sha256.h" #include "uECC.h" #include "aes.h" #include "ctap.h" #include "log.h" #include MBEDTLS_CONFIG_FILE #include "sha256_alt.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/ecdsa.h" const uint8_t attestation_cert_der[]; const uint16_t attestation_cert_der_size; const uint8_t attestation_key[]; const uint16_t attestation_key_size; static mbedtls_sha256_context embed_sha256_ctx; static mbedtls_ctr_drbg_context ctr_drbg; static const struct uECC_Curve_t * _es256_curve = NULL; static const uint8_t * _signing_key = NULL; static int _key_len = 0; // Secrets for testing only static uint8_t master_secret[32] = "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff" "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00"; static uint8_t transport_secret[32] = "\x10\x01\x22\x33\x44\x55\x66\x77\x87\x90\x0a\xbb\x3c\xd8\xee\xff" "\xff\xee\x8d\x1c\x3b\xfa\x99\x88\x77\x86\x55\x44\xd3\xff\x33\x00"; void crypto_sha256_init() { mbedtls_sha256_init( &embed_sha256_ctx ); mbedtls_sha256_starts(&embed_sha256_ctx,0); // sha256_init(&sha256_ctx); } void crypto_reset_master_secret() { ctap_generate_rng(master_secret, 32); } void crypto_sha256_update(uint8_t * data, size_t len) { mbedtls_sha256_update(&embed_sha256_ctx,data,len); // sha256_update(&sha256_ctx, data, len); } void crypto_sha256_update_secret() { mbedtls_sha256_update(&embed_sha256_ctx,master_secret,32); // sha256_update(&sha256_ctx, master_secret, 32); } void crypto_sha256_final(uint8_t * hash) { mbedtls_sha256_finish( &embed_sha256_ctx, hash ); // sha256_final(&sha256_ctx, hash); } void crypto_sha256_hmac_init(uint8_t * key, uint32_t klen, uint8_t * hmac) { uint8_t buf[64]; int i; memset(buf, 0, sizeof(buf)); if (key == CRYPTO_MASTER_KEY) { key = master_secret; klen = sizeof(master_secret); } if(klen > 64) { printf("Error, key size must be <= 64\n"); exit(1); } memmove(buf, key, klen); for (i = 0; i < sizeof(buf); i++) { buf[i] = buf[i] ^ 0x36; } crypto_sha256_init(); crypto_sha256_update(buf, 64); } void crypto_sha256_hmac_final(uint8_t * key, uint32_t klen, uint8_t * hmac) { uint8_t buf[64]; int i; crypto_sha256_final(hmac); memset(buf, 0, sizeof(buf)); if (key == CRYPTO_MASTER_KEY) { key = master_secret; klen = sizeof(master_secret); } if(klen > 64) { printf("Error, key size must be <= 64\n"); exit(1); } memmove(buf, key, klen); for (i = 0; i < sizeof(buf); i++) { buf[i] = buf[i] ^ 0x5c; } crypto_sha256_init(); crypto_sha256_update(buf, 64); crypto_sha256_update(hmac, 32); crypto_sha256_final(hmac); } uint8_t adc_rng(void) { int i; uint8_t random = 0; /* Random number generation */ for (i=0; i<3; i++) { ADC_Start(ADC0, adcStartSingle); while ((ADC0->IF & ADC_IF_SINGLE) == 0); random |= ((ADC_DataSingleGet(ADC0) & 0x07) << (i * 3)); } return random; } // Generate @num bytes of random numbers to @dest // return 1 if success, error otherwise int ctap_generate_rng(uint8_t * dst, size_t num) { return mbedtls_ctr_drbg_random(&ctr_drbg,dst,num) == 0; } int adc_entropy_func( void *data, unsigned char *output, size_t len ) { while(len--) *output++ = adc_rng(); return 0; } void crypto_ecc256_init() { uECC_set_rng((uECC_RNG_Function)ctap_generate_rng); _es256_curve = uECC_secp256r1(); mbedtls_ctr_drbg_init(&ctr_drbg); if ( mbedtls_ctr_drbg_seed(&ctr_drbg, adc_entropy_func, NULL, master_secret,32 ) != 0 ) { printf2(TAG_ERR, "mbedtls_ctr_drbg_seed failed\n"); exit(1); } } void crypto_load_external_key(uint8_t * key, int len) { _signing_key = key; _key_len = len; } void crypto_ecc256_load_attestation_key() { _signing_key = attestation_key; _key_len = 32; } /** * \brief Import a point from unsigned binary data * * \param grp Group to which the point should belong * \param P Point to import * \param buf Input buffer * \param ilen Actual length of input * * \return 0 if successful, * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid, * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed, * MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format * is not implemented. * * \note This function does NOT check that the point actually * belongs to the given group, see mbedtls_ecp_check_pubkey() for * that. */ //int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P, // const unsigned char *buf, size_t ilen ); /** * \brief Import X from unsigned binary data, big endian * * \param X Destination MPI * \param buf Input buffer * \param buflen Input buffer size * * \return 0 if successful, * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed */ //int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ); /* * Set context from an mbedtls_ecp_keypair */ //int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ); void crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig) { mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ mbedtls_mpi d; /*!< our secret value */ //#define CRYPTO_ENABLE CMU->HFBUSCLKEN0 |= CMU_HFBUSCLKEN0_CRYPTO; \ // CRYPTO->IFC = _CRYPTO_IFC_MASK; \ // CRYPTO->CMD = CRYPTO_CMD_SEQSTOP; \ // CRYPTO->CTRL = CRYPTO_CTRL_DMA0RSEL_DDATA0; \ // CRYPTO->SEQCTRL = 0; \ // CRYPTO->SEQCTRLB = 0 // //#define CRYPTO_DISABLE \ // CRYPTO->IEN = 0; \ // CMU->HFBUSCLKEN0 &= ~CMU_HFBUSCLKEN0_CRYPTO; // CRYPTO_DISABLE; // CRYPTO_ENABLE; // mbedtls_ecp_group_init( &grp ); // mbedtls_mpi_init( &d ); // mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256R1); // mbedtls_mpi_read_binary(&d, _signing_key, 32); // // mbedtls_mpi r,s; // mbedtls_mpi_init(&r); // mbedtls_mpi_init(&s); // // printf("signing..\n"); // dump_hex(data,len); // mbedtls_ecdsa_sign_det( &grp, &r, &s, &d, // data, 32, MBEDTLS_MD_SHA256 );// Issue: this will freeze on 13th iteration.. // printf("signed\n"); // // mbedtls_mpi_write_binary(&r,sig,32); // mbedtls_mpi_write_binary(&s,sig+32,32); if ( uECC_sign(_signing_key, data, len, sig, _es256_curve) == 0) { printf("error, uECC failed\n"); exit(1); } } #if 1 void crypto_ecdsa_sign(uint8_t * data, int len, uint8_t * sig, int MBEDTLS_ECP_ID) { const struct uECC_Curve_t * curve = NULL; switch(MBEDTLS_ECP_ID) { case MBEDTLS_ECP_DP_SECP192R1: curve = uECC_secp192r1(); if (_key_len != 24) goto fail; break; case MBEDTLS_ECP_DP_SECP224R1: curve = uECC_secp224r1(); if (_key_len != 28) goto fail; break; case MBEDTLS_ECP_DP_SECP256R1: curve = uECC_secp256r1(); if (_key_len != 32) goto fail; break; case MBEDTLS_ECP_DP_SECP256K1: curve = uECC_secp256k1(); if (_key_len != 32) goto fail; break; default: printf("error, invalid ECDSA alg specifier\n"); exit(1); } if ( uECC_sign(_signing_key, data, len, sig, curve) == 0) { printf2(TAG_ERR,"error, uECC failed\n"); exit(1); } return; fail: printf2(TAG_ERR,"error, invalid key length: %d\n", _key_len); exit(1); } #else void crypto_ecdsa_sign(uint8_t * data, int len, uint8_t * sig, int MBEDTLS_ECP_ID) { mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ mbedtls_mpi d; /*!< our secret value */ mbedtls_ecp_group_init( &grp ); mbedtls_mpi_init( &d ); mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_ID); mbedtls_mpi_read_binary(&d, _signing_key, 32); mbedtls_mpi r,s; mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); printf("signing..\n"); dump_hex(data,len); mbedtls_ecdsa_sign_det( &grp, &r, &s, &d, data, 32, MBEDTLS_MD_SHA256 );// Issue: this will freeze on 13th iteration.. printf("signed\n"); mbedtls_mpi_write_binary(&r,sig,32); mbedtls_mpi_write_binary(&s,sig+32,32); } #endif /* * Generate a keypair with configurable base point */ // mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) // mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) /* * Curve types: internal for now, might be exposed later */ typedef enum { ECP_TYPE_NONE = 0, ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */ ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */ } ecp_curve_type; /* * Get the type of a curve */ static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp ) { if( grp->G.X.p == NULL ) return( ECP_TYPE_NONE ); if( grp->G.Y.p == NULL ) return( ECP_TYPE_MONTGOMERY ); else return( ECP_TYPE_SHORT_WEIERSTRASS ); } static int mbedtls_ecp_gen_privkey( mbedtls_ecp_group *grp, const mbedtls_ecp_point *G, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret; size_t n_size = ( grp->nbits + 7 ) / 8; #if defined(ECP_MONTGOMERY) if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY ) { /* [M225] page 5 */ size_t b; MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) ); /* Make sure the most significant bit is nbits */ b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */ if( b > grp->nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) ); else MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) ); /* Make sure the last three bits are unset */ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) ); } else #endif /* ECP_MONTGOMERY */ #if defined(ECP_SHORTWEIERSTRASS) if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS ) { /* SEC1 3.2.1: Generate d such that 1 <= n < N */ int count = 0; unsigned char rnd[MBEDTLS_ECP_MAX_BYTES]; /* * Match the procedure given in RFC 6979 (deterministic ECDSA): * - use the same byte ordering; * - keep the leftmost nbits bits of the generated octet string; * - try until result is in the desired range. * This also avoids any biais, which is especially important for ECDSA. */ do { MBEDTLS_MPI_CHK( f_rng( p_rng, rnd, n_size ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( d, rnd, n_size ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) ); /* * Each try has at worst a probability 1/2 of failing (the msb has * a probability 1/2 of being 0, and then the result will be < N), * so after 30 tries failure probability is a most 2**(-30). * * For most curves, 1 try is enough with overwhelming probability, * since N starts with a lot of 1s in binary, but some curves * such as secp224k1 are actually very close to the worst case. */ if( ++count > 30 ) return( MBEDTLS_ERR_ECP_RANDOM_FAILED ); } while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 ); } else #endif /* ECP_SHORTWEIERSTRASS */ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); cleanup: if( ret != 0 ) return( ret ); return 0; } static int mbedtls_ecp_derive_pubkey( mbedtls_ecp_group *grp, const mbedtls_ecp_point *G, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { return( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) ); } static int hmac_vector_func(uint8_t * hmac, uint8_t * dst, int len) { static int hmac_ptr = 0; if (hmac==NULL) { hmac_ptr = 0; return 0; } int i; while(len--) { *dst++ = hmac[hmac_ptr++ % 32]; } return 0; } void generate_private_key(uint8_t * data, int len, uint8_t * data2, int len2, uint8_t * privkey) { crypto_sha256_hmac_init(CRYPTO_MASTER_KEY, 0, privkey); crypto_sha256_update(data, len); crypto_sha256_update(data2, len2); crypto_sha256_update(master_secret, 32); crypto_sha256_hmac_final(CRYPTO_MASTER_KEY, 0, privkey); // mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ // mbedtls_mpi d; /*!< our secret value */ // mbedtls_ecp_point Q; // // mbedtls_ecp_group_init( &grp ); // mbedtls_mpi_init( &d ); // mbedtls_ecp_point_init(&Q); // // mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256R1); // //// mbedtls_mpi_read_binary(&d, _signing_key, 32); // hmac_vector_func(NULL, NULL, 0); // mbedtls_ecp_gen_privkey(&grp, &grp.G, &d, &Q, hmac_vector_func, privkey); // mbedtls_mpi_write_binary(&d,privkey,32); } /*int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key, uECC_Curve curve);*/ void crypto_ecc256_derive_public_key(uint8_t * data, int len, uint8_t * x, uint8_t * y) { int ret; uint8_t privkey[32]; uint8_t pubkey[64]; // generate_private_key(data,len,NULL,0,privkey); crypto_sha256_hmac_init(CRYPTO_MASTER_KEY, 0, privkey); crypto_sha256_update(data, len); crypto_sha256_update(NULL, 0); crypto_sha256_update(master_secret, 32); crypto_sha256_hmac_final(CRYPTO_MASTER_KEY, 0, privkey); // mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ // mbedtls_mpi d; /*!< our secret value */ // mbedtls_ecp_point Q; // // mbedtls_ecp_group_init( &grp ); // mbedtls_mpi_init( &d ); // mbedtls_ecp_point_init(&Q); // // mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256R1); // //// mbedtls_mpi_read_binary(&d, _signing_key, 32); // hmac_vector_func(NULL, NULL, 0); // ret= mbedtls_ecp_gen_privkey(&grp, &grp.G, &d, &Q, hmac_vector_func, privkey); // if (ret != 0) // { // printf("error with priv key -0x04%x\n", -ret); // } //// mbedtls_mpi_write_binary(&d,privkey,32); // // memset(pubkey,0,sizeof(pubkey)); // // ret = mbedtls_ecp_derive_pubkey( &grp, &grp.G, // &d, &Q, hmac_vector_func, privkey); // // if (ret != 0) // { // printf("error with public key\n"); // } // // mbedtls_mpi_write_binary(&Q.X,x,32); // mbedtls_mpi_write_binary(&Q.Y,y,32); uECC_compute_public_key(privkey, pubkey, _es256_curve); memmove(x,pubkey,32); memmove(y,pubkey+32,32); } void crypto_ecc256_load_key(uint8_t * data, int len, uint8_t * data2, int len2) { static uint8_t privkey[32]; generate_private_key(data,len,data2,len2,privkey); _signing_key = privkey; _key_len = 32; } void crypto_ecc256_make_key_pair(uint8_t * pubkey, uint8_t * privkey) { if (uECC_make_key(pubkey, privkey, _es256_curve) != 1) { printf("Error, uECC_make_key failed\n"); exit(1); } } void crypto_ecc256_shared_secret(const uint8_t * pubkey, const uint8_t * privkey, uint8_t * shared_secret) { if (uECC_shared_secret(pubkey, privkey, shared_secret, _es256_curve) != 1) { printf("Error, uECC_shared_secret failed\n"); exit(1); } } struct AES_ctx aes_ctx; void crypto_aes256_init(uint8_t * key, uint8_t * nonce) { if (key == CRYPTO_TRANSPORT_KEY) { AES_init_ctx(&aes_ctx, transport_secret); } else { AES_init_ctx(&aes_ctx, key); } if (nonce == NULL) { memset(aes_ctx.Iv, 0, 16); } else { memmove(aes_ctx.Iv, nonce, 16); } } // prevent round key recomputation void crypto_aes256_reset_iv(uint8_t * nonce) { if (nonce == NULL) { memset(aes_ctx.Iv, 0, 16); } else { memmove(aes_ctx.Iv, nonce, 16); } } void crypto_aes256_decrypt(uint8_t * buf, int length) { AES_CBC_decrypt_buffer(&aes_ctx, buf, length); } void crypto_aes256_encrypt(uint8_t * buf, int length) { AES_CBC_encrypt_buffer(&aes_ctx, buf, length); } const uint8_t attestation_cert_der[] = "\x30\x82\x01\xfb\x30\x82\x01\xa1\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0a\x06\x08" "\x2a\x86\x48\xce\x3d\x04\x03\x02\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13" "\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e" "\x06\x03\x55\x04\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x30\x20\x17\x0d\x31\x38" "\x30\x35\x31\x30\x30\x33\x30\x36\x32\x30\x5a\x18\x0f\x32\x30\x36\x38\x30\x34\x32" "\x37\x30\x33\x30\x36\x32\x30\x5a\x30\x7c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13" "\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x0f\x30\x0d" "\x06\x03\x55\x04\x07\x0c\x06\x4c\x61\x75\x72\x65\x6c\x31\x15\x30\x13\x06\x03\x55" "\x04\x0a\x0c\x0c\x54\x45\x53\x54\x20\x43\x4f\x4d\x50\x41\x4e\x59\x31\x22\x30\x20" "\x06\x03\x55\x04\x0b\x0c\x19\x41\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x6f\x72" "\x20\x41\x74\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x31\x14\x30\x12\x06\x03\x55\x04" "\x03\x0c\x0b\x63\x6f\x6e\x6f\x72\x70\x70\x2e\x63\x6f\x6d\x30\x59\x30\x13\x06\x07" "\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00" "\x04\x45\xa9\x02\xc1\x2e\x9c\x0a\x33\xfa\x3e\x84\x50\x4a\xb8\x02\xdc\x4d\xb9\xaf" "\x15\xb1\xb6\x3a\xea\x8d\x3f\x03\x03\x55\x65\x7d\x70\x3f\xb4\x02\xa4\x97\xf4\x83" "\xb8\xa6\xf9\x3c\xd0\x18\xad\x92\x0c\xb7\x8a\x5a\x3e\x14\x48\x92\xef\x08\xf8\xca" "\xea\xfb\x32\xab\x20\xa3\x62\x30\x60\x30\x46\x06\x03\x55\x1d\x23\x04\x3f\x30\x3d" "\xa1\x30\xa4\x2e\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31" "\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e\x06\x03\x55\x04" "\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x82\x09\x00\xf7\xc9\xec\x89\xf2\x63\x94" "\xd9\x30\x09\x06\x03\x55\x1d\x13\x04\x02\x30\x00\x30\x0b\x06\x03\x55\x1d\x0f\x04" "\x04\x03\x02\x04\xf0\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02\x03\x48\x00" "\x30\x45\x02\x20\x18\x38\xb0\x45\x03\x69\xaa\xa7\xb7\x38\x62\x01\xaf\x24\x97\x5e" "\x7e\x74\x64\x1b\xa3\x7b\xf7\xe6\xd3\xaf\x79\x28\xdb\xdc\xa5\x88\x02\x21\x00\xcd" "\x06\xf1\xe3\xab\x16\x21\x8e\xd8\xc0\x14\xaf\x09\x4f\x5b\x73\xef\x5e\x9e\x4b\xe7" "\x35\xeb\xdd\x9b\x6d\x8f\x7d\xf3\xc4\x3a\xd7"; const uint16_t attestation_cert_der_size = sizeof(attestation_cert_der)-1; const uint8_t attestation_key[] = "\xcd\x67\xaa\x31\x0d\x09\x1e\xd1\x6e\x7e\x98\x92\xaa\x07\x0e\x19\x94\xfc\xd7\x14\xae\x7c\x40\x8f\xb9\x46\xb7\x2e\x5f\xe7\x5d\x30"; const uint16_t attestation_key_size = sizeof(attestation_key)-1;