dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

Moving all SM stuff to EAC.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2022-04-10 19:00:52 +02:00
parent c098d80524
commit 57d593561a
5 changed files with 168 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CMakeLists.txt
View File

@@ -53,6 +53,7 @@ target_sources(pico_hsm PUBLIC
${CMAKE_CURRENT_LIST_DIR}/src/rng/neug.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/crypto_utils.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/eac.c
${CMAKE_CURRENT_LIST_DIR}/mbedtls/library/sha256.c
${CMAKE_CURRENT_LIST_DIR}/mbedtls/library/aes.c

67
src/hsm/eac.c Normal file
View File

@@ -0,0 +1,67 @@
/*
* This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
* Copyright (c) 2022 Pol Henarejos.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "eac.h"
#include "crypto_utils.h"
#include "random.h"
#include "mbedtls/cmac.h"
static uint8_t nonce[8];
static uint8_t auth_token[8];
static uint8_t sm_kmac[16];
static uint8_t sm_kenc[16];
static MSE_protocol sm_protocol;
bool is_secured_apdu() {
return (CLA(apdu) & 0xC);
}
void sm_derive_key(const uint8_t *input, size_t input_len, uint8_t counter, const uint8_t *nonce, size_t nonce_len, uint8_t *out) {
uint8_t *b = (uint8_t *)calloc(1, input_len+nonce_len+4);
if (input)
memcpy(b, input, input_len);
if (nonce)
memcpy(b+input_len, nonce, nonce_len);
b[input_len+nonce_len+3] = counter;
uint8_t digest[20];
generic_hash(MBEDTLS_MD_SHA1, b, input_len+nonce_len+4, digest);
memcpy(out, digest, 16);
free(b);
}
void sm_derive_all_keys(const uint8_t *derived, size_t derived_len) {
memcpy(nonce, random_bytes_get(8), 8);
sm_derive_key(derived, derived_len, 1, nonce, sizeof(nonce), sm_kenc);
sm_derive_key(derived, derived_len, 2, nonce, sizeof(nonce), sm_kmac);
}
void sm_set_protocol(MSE_protocol proto) {
sm_protocol = proto;
}
MSE_protocol sm_get_protocol() {
return sm_protocol;
}
uint8_t *sm_get_nonce() {
return nonce;
}
int sm_sign(uint8_t *in, size_t in_len, uint8_t *out) {
return mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB), sm_kmac, 128, in, in_len, out);
}

37
src/hsm/eac.h Normal file
View File

@@ -0,0 +1,37 @@
/*
* This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
* Copyright (c) 2022 Pol Henarejos.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _EAC_H_
#define _EAC_H_
#include <stdlib.h>
#include "pico/stdlib.h"
#include "hsm2040.h"
typedef enum MSE_protocol {
MSE_AES = 0,
MSE_3DES,
MSE_NONE
}MSE_protocol;
extern void sm_derive_all_keys(const uint8_t *input, size_t input_len);
extern void sm_set_protocol(MSE_protocol proto);
extern MSE_protocol sm_get_protocol();
extern uint8_t *sm_get_nonce();
extern int sm_sign(uint8_t *in, size_t in_len, uint8_t *out);
#endif

2
src/hsm/hsm2040.h
View File

@@ -106,7 +106,7 @@ enum ccid_state {
CCID_STATE_EXEC_REQUESTED, /* Exec requested */
};
#define CLS(a) a.cmd_apdu_head[0]
#define CLA(a) a.cmd_apdu_head[0]
#define INS(a) a.cmd_apdu_head[1]
#define P1(a) a.cmd_apdu_head[2]
#define P2(a) a.cmd_apdu_head[3]

83
src/hsm/sc_hsm.c
View File

@@ -33,6 +33,7 @@
#include "crypto_utils.h"
#include "dkek.h"
#include "hardware/rtc.h"
#include "eac.h"
const uint8_t sc_hsm_aid[] = {
11,
@@ -1801,14 +1802,6 @@ static int cmd_extras() {
return SW_OK();
}
enum MSE_protocol {
MSE_AES = 0,
MSE_3DES,
MSE_NONE
} mse_protocol;
uint8_t nonce[8];
uint8_t auth_token[8];
static int cmd_mse() {
int p1 = P1(apdu);
int p2 = P2(apdu);
@@ -1820,12 +1813,13 @@ static int cmd_mse() {
uint8_t tag_len = *p++;
if (tag == 0x80) {
if (tag_len == 10 && memcmp(p, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", tag_len) == 0)
mse_protocol = MSE_AES;
sm_set_protocol(MSE_AES);
else if (tag_len == 10 && memcmp(p, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", tag_len) == 0)
mse_protocol = MSE_3DES;
sm_set_protocol(MSE_3DES);
else
return SW_REFERENCE_NOT_FOUND();
}
p += tag_len;
}
}
else
@@ -1841,23 +1835,70 @@ int cmd_general_authenticate() {
if (apdu.cmd_apdu_data[0] == 0x7C) {
const uint8_t *p = &apdu.cmd_apdu_data[2];
int r = 0;
mbedtls_ecp_point P;
mbedtls_ecp_point_init(&P);
mbedtls_ecp_group grp;
mbedtls_ecp_group_init(&grp);
r = mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1);
if (r != 0)
return SW_EXEC_ERROR();
size_t pubkey_len = 0;
const uint8_t *pubkey = NULL;
while (p-apdu.cmd_apdu_data < apdu.cmd_apdu_data[1]) {
uint8_t tag = *p++;
uint8_t tag_len = *p++;
if (tag == 0x80) {
int r = mbedtls_ecp_point_read_binary(&grp, &P, p, tag_len);
if (r != 0)
return SW_WRONG_DATA();
pubkey = p-1; //mbedtls ecdh starts reading one pos before
pubkey_len = tag_len+1;
}
p += tag_len;
}
memcpy(nonce, random_bytes_get(8), 8);
mbedtls_ecdh_context ctx;
int key_size = file_read_uint16(termca_pk);
mbedtls_ecdh_init(&ctx);
mbedtls_ecp_group_id gid = MBEDTLS_ECP_DP_SECP192R1;
r = mbedtls_ecdh_setup(&ctx, gid);
if (r != 0) {
mbedtls_ecdh_free(&ctx);
return SW_DATA_INVALID();
}
r = mbedtls_mpi_read_binary(&ctx.ctx.mbed_ecdh.d, termca_pk+2, key_size);
if (r != 0) {
mbedtls_ecdh_free(&ctx);
return SW_DATA_INVALID();
}
r = mbedtls_ecdh_read_public(&ctx, pubkey, pubkey_len);
if (r != 0) {
mbedtls_ecdh_free(&ctx);
return SW_DATA_INVALID();
}
size_t olen = 0;
uint8_t derived[MBEDTLS_ECP_MAX_BYTES];
r = mbedtls_ecdh_calc_secret(&ctx, &olen, derived, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
mbedtls_ecdh_free(&ctx);
if (r != 0) {
return SW_EXEC_ERROR();
}
sm_derive_all_keys(derived, olen);
uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
if (sm_get_protocol() == MSE_AES)
memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", 10);
else if (sm_get_protocol() == MSE_3DES)
memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", 10);
t[15] = 0x86;
memcpy(t+16, pubkey, pubkey_len);
res_APDU[res_APDU_size++] = 0x7C;
res_APDU[res_APDU_size++] = 20;
res_APDU[res_APDU_size++] = 0x81;
res_APDU[res_APDU_size++] = 8;
memcpy(res_APDU+res_APDU_size, sm_get_nonce(), 8);
res_APDU_size += 8;
res_APDU[res_APDU_size++] = 0x82;
res_APDU[res_APDU_size++] = 8;
r = sm_sign(t, pubkey_len+16, res_APDU+res_APDU_size);
free(t);
if (r != HSM_OK)
return SW_EXEC_ERROR();
res_APDU_size += 8;
}
}
return SW_OK();