/* Cesar project {{{
 *
 * Copyright (C) 2008 Spidcom
 *
 * <<<Licence>>>
 *
 * }}} */
/**
 * \file    cp/secu/src/secu.c
 * \brief   Security functions.
 * \ingroup cp_secu
 *
 */
#include "common/std.h"
#include "string.h"

#include "cp/defs.h"
#include "cp/secu/defs.h"
#include "cp/secu/secu.h"
#include "cp/secu/pbkdf1.h"
#include "cp/secu/sha256.h"

#include "cp/secu/inc/pbkdf1.h"

/**
 * Start a new protocol run and initialise the protocol run structure.
 * \param  prun  protocol run to initialise.
 * \param  pid  protocol identifier, asserted to be at most 4.
 * \param  prn_rand  the random number stored as the protocol run number.
 * \param  rand  a random number, stored as the local nonce.
 *
 * The structure is cleared first, so every field not set here starts at
 * zero, and the protocol message number starts at 1.  Both random values are
 * stored exactly as supplied: this function draws no randomness of its own,
 * so their unpredictability depends entirely on the caller.
 */
void
cp_secu_protocol_run_new (cp_secu_protocol_run_t *prun, u8 pid,
                          uint prn_rand, uint rand)
{
    dbg_assert (prun);
    dbg_assert (pid <= 4);

    /* Clear the whole structure before filling in the known fields. */
    memset (prun, 0, sizeof (*prun));
    prun->pid = pid;
    prun->pmn = 1;
    prun->my_nonce = rand;
    prun->prn = prn_rand;
}

/**
 * Check a received protocol run against the current one.
 * \param  prun  current protocol run, may be NULL
 * \param  prun_recv  received protocol run
 * \return  whether this is a new or old protocol run, or garbage
 *
 * The current protocol run can be NULL if there is no current protocol run.
 * You can also use a pointer to an initialised protocol run if it is more
 * convenient.
 *
 * A received message number of 1 is reported as a new run without looking at
 * the current run at all; deciding whether an unfinished run may be replaced
 * is left to the caller.  Any other message is accepted as the next one only
 * when the current run is not already finished (message number 0xff), the
 * run number, protocol identifier and nonce all match, and the received
 * message number is either the current one plus one or the final marker
 * 0xff.
 */
enum cp_secu_protocol_run_check_result_t
cp_secu_protocol_check (const cp_secu_protocol_run_t *prun,
                        const cp_secu_protocol_run_t *prun_recv)
{
    dbg_assert (prun_recv);

    /* First message of a run: nothing to compare against. */
    if (prun_recv->pmn == 1)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_NEW;

    /* A continuation needs a current run to continue. */
    if (!prun)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* A run that already saw its last message accepts nothing more. */
    if (prun->pmn == 0xff)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* The message must belong to the very same run. */
    if (prun->prn != prun_recv->prn
        || prun->pid != prun_recv->pid
        || prun->my_nonce != prun_recv->my_nonce)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* Only the immediate successor or the final marker is in sequence. */
    if (prun_recv->pmn != 0xff && prun->pmn + 1 != prun_recv->pmn)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_NEXT;
}

/**
 * Update a protocol run for the next message.
 * \param  prun  current protocol run
 * \param  last  whether this is the last message
 *
 * Received protocol run should have been copied to the current one before
 * this call.
 *
 * The last message is marked with message number 0xff; any other message
 * increments the message number by one.
 *
 * NOTE(review): the only guard against advancing a finished run is a
 * dbg_assert.  If dbg_assert is compiled out in release builds (to be
 * confirmed), the increment is applied to 0xff as well.
 */
void
cp_secu_protocol_next (cp_secu_protocol_run_t *prun, bool last)
{
    dbg_assert (prun);

    if (!last)
    {
        /* A run already marked as finished must not be advanced. */
        dbg_assert (prun->pmn != 0xff);
        prun->pmn++;
        return;
    }

    prun->pmn = 0xff;
}

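/**
 * Generate an AES key from a number.
 * \param  num  number the key is derived from.
 * \param  output  receives the generated key.
 *
 * The number is passed through cp_secu_pbkdf1 with the CP_SECU_SALT_SPIDCOM
 * salt and the first 16 bytes of the result are stored in \a output.
 *
 * NOTE(review): \a num is the only variable input and the salt is a fixed
 * constant, so the key can take no more distinct values than \a num can,
 * whatever the key length.  Do not use this where a full-strength key is
 * expected unless the caller's requirements say so.
 */
void
cp_secu_aes_generate_key (const uint num, cp_key_t *output)
{
    u8 input[4];
    u8 buffer[sizeof(cp_key_t)];

    dbg_assert (output);

#if DEFS_BIG_ENDIAN
    /* input is a single 32-bit word, so only offset 0 is converted.
     * Converting offsets 4, 8 and 12 as well would write past the end of
     * input and read past the end of num. */
    GET_UINT32(*(u32*) input, (u8*) &num, 0);
#else
    memcpy (input, &num, sizeof (uint));
#endif

    /* Call the real function to generate an AES key. */
    cp_secu_pbkdf1 (input, sizeof (input),
                    buffer , sizeof(buffer),
                    CP_SECU_SALT_SPIDCOM);

#if DEFS_BIG_ENDIAN
    GET_UINT32 (output->key[0], buffer, 0);
    GET_UINT32 (output->key[1], buffer, 4);
    GET_UINT32 (output->key[2], buffer, 8);
    GET_UINT32 (output->key[3], buffer, 12);
#else
    memcpy (output->key, buffer, 16);
#endif

    /* NOTE(review): input and buffer still hold the derivation input and the
     * key when this function returns.  Wipe them with a primitive the
     * compiler cannot elide if the platform provides one. */
}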

/**
 * Generate the NID from the NMK and the security level.
 * \param  nmk  the NMK.
 * \param  security_level  the security level, asserted to be at most 2.
 * \return  the NID computed.
 *
 * The NMK is run through cp_secu_pbkdf1 with the CP_SECU_SALT_KEY_NID salt
 * to produce CP_NID_SIZE bytes, the last of which is shifted right by four
 * bits.  The security level is then placed from bit 52 upwards.
 *
 * NOTE(review): the range of \a security_level is enforced by dbg_assert
 * only; nothing else masks it before the shift.
 */
cp_nid_t
cp_secu_nmk2nid(const cp_key_t nmk, const u8 security_level)
{
    u8 nmk_bytes [sizeof(cp_key_t)]__attribute__((aligned(sizeof (cp_key_t))));
    u8 digest[CP_NID_SIZE]__attribute__((aligned(sizeof (cp_nid_t))));
    cp_nid_t nid = 0;

    dbg_assert (security_level <= 2);

    /* Lay the NMK out as bytes for the derivation function. */
#if DEFS_BIG_ENDIAN
    GET_UINT32(*(u32*) nmk_bytes, (u8*) &nmk.key, 0);
    GET_UINT32(*(u32*) (nmk_bytes + 4) , (u8*) &nmk.key, 4);
    GET_UINT32(*(u32*) (nmk_bytes + 8) , (u8*) &nmk.key, 8);
    GET_UINT32(*(u32*) (nmk_bytes + 12), (u8*) &nmk.key, 12);
#else
    memcpy (nmk_bytes, &nmk.key, sizeof (cp_key_t));
#endif

    cp_secu_pbkdf1 (nmk_bytes, sizeof (nmk_bytes), digest, CP_NID_SIZE,
                    CP_SECU_SALT_KEY_NID);

    /* Drop the low four bits of the last byte. */
    digest[CP_NID_SIZE-1] >>= 4;

#if DEFS_BIG_ENDIAN
    /* NOTE(review): the second conversion presumably reads digest[4..7];
     * if CP_NID_SIZE is smaller than 8 the last byte read lies outside
     * digest, even though the mask discards it -- confirm. */
    uint w1, w2;
    GET_UINT32 (w1, digest, 0);
    GET_UINT32 (w2, digest, 4);
    nid = ((u64) (w2 & 0xFFFFFF) << 32) | w1;
#else
    memcpy (&nid, digest, CP_NID_SIZE);
    /* Keep the low 52 bits only. */
    nid &= 0xFFFFFFFFFFFFFull;
#endif

    /* NOTE(review): nmk (passed by value) and nmk_bytes are copies of the
     * NMK left on the stack when this function returns. */
    nid |= ((u64) security_level << 52);
    return nid;
}

/**
 * Generate a key from two hash key halves.
 * \param  left  words copied to the second half of the hashed buffer.
 * \param  right  words copied to the first half of the hashed buffer.
 * \param  output  receives the first 16 bytes of the SHA-256 digest.
 *
 * CP_SECU_HASH_KEY_FOR_TEK_SIZE bytes are taken from each of \a right and
 * \a left, in that order, and the concatenation is hashed once.
 */
void
cp_secu_tek_gen (const u32 left[], const u32 right[], cp_key_t *output)
{
    u8 sha_buff[CP_SECU_HASH_KEY_FOR_TEK_SIZE * 2];
    u8 output_buffer [CP_SECU_SHA256_SIZE];
    dbg_assert (left);
    dbg_assert (right);
    dbg_assert (output);

    /* Build right || left: right fills the first half of sha_buff, left the
     * second half. */
#if DEFS_BIG_ENDIAN
    uint src, dst;
    for (src = 0; src < CP_SECU_HASH_KEY_FOR_TEK_SIZE; src += 4)
        PUT_UINT32 (right[src/4], sha_buff, src);

    for (src = 0, dst = CP_SECU_HASH_KEY_FOR_TEK_SIZE;
         src < CP_SECU_HASH_KEY_FOR_TEK_SIZE;
         src += 4, dst += 4)
        PUT_UINT32 (left[src/4], sha_buff, dst);
#else
    memcpy (sha_buff, right, CP_SECU_HASH_KEY_FOR_TEK_SIZE);
    memcpy (sha_buff + CP_SECU_HASH_KEY_FOR_TEK_SIZE, left,
            CP_SECU_HASH_KEY_FOR_TEK_SIZE);
#endif

    /* One plain SHA-256 over the buffer: no salt and no iteration count are
     * passed.  See HPAV section 7.10.7.2, paragraph 4. */
    cp_secu_sha256 (sha_buff, CP_SECU_HASH_KEY_FOR_TEK_SIZE * 2,
                    output_buffer);

    /* Copy the leftmost 16 bytes. */
#if DEFS_BIG_ENDIAN
    GET_UINT32 (output->key[0], output_buffer, 0);
    GET_UINT32 (output->key[1], output_buffer, 4);
    GET_UINT32 (output->key[2], output_buffer, 8);
    GET_UINT32 (output->key[3], output_buffer, 12);
#else
    memcpy (output->key, output_buffer, 16);
#endif

    /* NOTE(review): sha_buff and output_buffer still hold the hash input and
     * the full digest when this function returns. */
}

/**
 * Fill a buffer with bytes derived from a seed.
 * \param  seed  seed the bytes are derived from.
 * \param  hash  buffer to fill.
 * \param  hash_length  number of bytes to write to \a hash.
 *
 * The buffer is filled in chunks of CP_SECU_OUTPUT_KEY_SIZE bytes, plus one
 * shorter chunk when \a hash_length is not a multiple of that size.  Each
 * chunk comes from a separate cp_secu_pbkdf1 call on the seed with the
 * CP_SECU_SALT_SPIDCOM salt.
 *
 * NOTE(review): every call is given the same seed and the same salt, with
 * no chunk counter.  Unless cp_secu_pbkdf1 keeps state between calls (to be
 * confirmed), all full chunks receive the same bytes, and the output as a
 * whole depends on nothing but the 32-bit seed.  Treat it as a
 * deterministic expansion, not as \a hash_length bytes of key material.
 */
void
cp_secu_generate_hash (const u32 seed, u8 *hash, const uint hash_length)
{
    uint done = 0;

    while (done < hash_length)
    {
        /* Full-size chunk, or whatever is left for the final one. */
        uint left = hash_length - done;
        uint chunk = CP_SECU_OUTPUT_KEY_SIZE;
        if (left < CP_SECU_OUTPUT_KEY_SIZE)
            chunk = left;

        cp_secu_pbkdf1 ((u8 *) &seed, sizeof (seed),
                        &hash[done],
                        chunk,
                        CP_SECU_SALT_SPIDCOM);
        done += chunk;
    }
}

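/**
 * Encrypt data with AES in CBC mode, working on 32-bit words.
 * \param  ctx  AES context.
 * \param  iv  initialisation vector, updated in place with each ciphertext
 *             block.
 * \param  input  data to encrypt.
 * \param  output  receives the encrypted data.
 * \param  length  data length in bytes.
 *
 * Data is processed 16 bytes at a time.  CBC is only defined on whole
 * blocks: when \a length is not a multiple of 16 the final block is
 * completed with zero words before encryption and only the leading part of
 * its ciphertext is written, which cannot be decrypted back.  Callers should
 * pad to a multiple of 16 bytes.
 */
void
cp_secu_aes_cbc_encrypt (cp_secu_aes_t *ctx, u32 iv[4],
                         const u32 *input, u32 *output, int length)
{
    /* Based on the Real AES CBC function, this one only work with word
     * instead of bytes. */
    int i;
    int len;
    u32 wb[4];

    dbg_assert (ctx);
    dbg_assert (iv);
    dbg_assert (input);
    dbg_assert (output);

    while (length > 0)
    {
        /* Start from a zeroed work block so that a short final block never
         * feeds uninitialised stack words to the cipher. */
        memset (wb, 0, sizeof (wb));

        /* Number of bits in this block, at most 128. */
        len = (length > 16) ? 128 : length * 8;
        /* len goes negative when it is not a multiple of 32, so stop on
         * len <= 0: stopping on len == 0 only would let i run past wb[3]
         * and iv[3]. */
        for (i = 0; len > 0; i++)
        {
            wb[i] = bitstream_direct_read (input, i*32, len > 32 ? 32 : len) ^
                iv[i];
            len -= 32;
        }

        cp_secu_aes_encrypt (ctx, wb, wb);

        len = (length > 16) ? 128 : length * 8;
        for (i = 0; len > 0; i++)
        {
            bitstream_direct_write (output, i*32, wb[i], len > 32 ? 32 : len);
            /* The ciphertext block is the IV of the next block. */
            iv[i] = wb[i];
            len -= 32;
        }

        input += 4;
        output += 4;
        length -= 16;
    }
}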

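/**
 * Decrypt data with AES in CBC mode, working on 32-bit words.
 * \param  ctx  AES context.
 * \param  iv  initialisation vector, updated in place with each ciphertext
 *             block read.
 * \param  input  data to decrypt.
 * \param  output  receives the decrypted data.
 * \param  length  data length in bytes.
 *
 * Data is processed 16 bytes at a time.  CBC is only defined on whole
 * blocks: when \a length is not a multiple of 16 the final block is
 * completed with zero words before decryption, so its output is not
 * meaningful plaintext.  Callers should pass a multiple of 16 bytes.
 */
void
cp_secu_aes_cbc_decrypt (cp_secu_aes_t *ctx, u32 iv[4],
                         const u32 *input, u32 *output, int length)
{
    int i;
    u32 temp[4];
    u32 wb[4];
    int len;

    dbg_assert (ctx);
    dbg_assert (iv);
    dbg_assert (input);
    dbg_assert (output);

    while (length > 0)
    {
        /* Start from zeroed blocks so that a short final block never feeds
         * uninitialised stack words to the cipher or to the IV. */
        memset (temp, 0, sizeof (temp));
        memset (wb, 0, sizeof (wb));

        /* Number of bits in this block, at most 128. */
        len = (length > 16) ? 128 : length * 8;
        /* len goes negative when it is not a multiple of 32, so stop on
         * len <= 0: stopping on len == 0 only would let i run past temp[3]
         * and wb[3]. */
        for (i = 0; len > 0; i++)
        {
            /* Keep the ciphertext: it becomes the IV of the next block. */
            temp[i] = bitstream_direct_read (input, i*32, len > 32 ? 32 :
                                             len);
            wb[i] = temp[i];
            len -= 32;
        }

        cp_secu_aes_decrypt (ctx, wb, wb);

        for (i = 0; i < 4; i++)
            wb[i] ^= iv[i];

        len = (length > 16) ? 128 : length * 8;
        for (i = 0; len > 0; i++)
        {
            bitstream_direct_write (output, i*32, wb[i], len > 32 ? 32 : len);
            len -= 32;
        }

        for (i = 0; i < 4; i++)
            iv[i] = temp[i];

        input += 4;
        output += 4;
        length -= 16;
    }
}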