/* Cesar project {{{
 *
 * Copyright (C) 2008 Spidcom
 *
 * <<<Licence>>>
 *
 * }}} */
/**
 * \file    cp/secu/src/secu.c
 * \brief   Security functions.
 * \ingroup cp_secu
 *
 */
#include "common/std.h"
#include "string.h"

#include "cp/defs.h"
#include "cp/secu/defs.h"
#include "cp/secu/secu.h"
#include "cp/secu/pbkdf1.h"
#include "cp/secu/sha256.h"

#include "cp/secu/inc/pbkdf1.h"

/**
 * Begin a fresh protocol run by clearing and seeding its state.
 * \param  prun  protocol run structure to (re)initialise, must not be NULL.
 * \param  pid  protocol identifier, asserted to be at most 4.
 * \param  prn_rand  random value stored as the protocol run number (PRN).
 * \param  rand  random value stored as the local nonce.
 *
 * The structure is zeroed first, so every field not assigned here starts at
 * zero.  The protocol message number (PMN) starts at 1.
 *
 * NOTE(review): prn_rand and rand are stored exactly as given; presumably
 * the caller draws them from a suitable random source -- confirm at the call
 * sites.  Both argument checks are dbg_assert only; whether they stay active
 * in release builds is not visible from this file.
 */
void
cp_secu_protocol_run_new (cp_secu_protocol_run_t *prun, u8 pid,
                          uint prn_rand, uint rand)
{
    dbg_assert (prun);
    dbg_assert (pid <= 4);

    /* Wipe the whole structure so no state from a previous run survives. */
    memset (prun, 0, sizeof (*prun));

    prun->my_nonce = rand;
    prun->prn = prn_rand;
    prun->pid = pid;
    /* First message of the run. */
    prun->pmn = 1;
}

/**
 * Classify a received protocol run relative to the current one.
 * \param  prun  current protocol run, or NULL when there is none.
 * \param  prun_recv  received protocol run, must not be NULL.
 * \return  NEW when the received run starts a new exchange, NEXT when it is
 * the expected follow-up of the current run, FAILURE otherwise.
 *
 * A pointer to a freshly initialised protocol run may be passed instead of
 * NULL if that is more convenient for the caller.
 *
 * A received PMN of 1 is reported as NEW without looking at PRN, PID or
 * nonce, and without looking at \a prun at all.
 *
 * NOTE(review): because NEW is returned on the PMN alone, the decision to
 * accept a new run (and to drop one in progress) rests with the caller --
 * confirm the callers apply their own policy before replacing state.
 */
enum cp_secu_protocol_run_check_result_t
cp_secu_protocol_check (const cp_secu_protocol_run_t *prun,
                        const cp_secu_protocol_run_t *prun_recv)
{
    dbg_assert (prun_recv);

    /* PMN 1 always announces a new run, whatever the current state is. */
    if (prun_recv->pmn == 1)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_NEW;

    /* Any other message needs a current run to be compared against. */
    if (!prun)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* A run that already reached its last message (0xff) cannot go on. */
    if (prun->pmn == 0xff)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* Run number, protocol identifier and nonce must all be unchanged. */
    if (prun->prn != prun_recv->prn
        || prun->pid != prun_recv->pid
        || prun->my_nonce != prun_recv->my_nonce)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    /* The PMN must be the direct successor or the last-message marker. */
    if (prun->pmn + 1 != prun_recv->pmn && prun_recv->pmn != 0xff)
        return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_FAILURE;

    return CP_SECU_PROTOCOL_RUN_CHECK_RESULT_NEXT;
}

/**
 * Advance a protocol run to the message that is about to be sent.
 * \param  prun  current protocol run, must not be NULL.
 * \param  last  true when the next message closes the run.
 *
 * The received protocol run is expected to have been copied into the current
 * one before this call.  For the last message the PMN is set to 0xff;
 * otherwise it is incremented, and the run is asserted not to be closed
 * already.
 *
 * NOTE(review): the "not already closed" check is a dbg_assert; if it is
 * compiled out, incrementing a PMN of 0xff would presumably wrap -- confirm
 * the width of the pmn field and the release-build behaviour of dbg_assert.
 */
void
cp_secu_protocol_next (cp_secu_protocol_run_t *prun, bool last)
{
    dbg_assert (prun);

    if (!last)
    {
        /* A closed run must never be advanced. */
        dbg_assert (prun->pmn != 0xff);
        prun->pmn++;
        return;
    }

    /* 0xff marks the final message of the run. */
    prun->pmn = 0xff;
}

/**
 * Generate the AES key.
 * \param  num  a random number, asserted to be non-zero; it is the only
 * varying input of the derivation.
 * \param  output  buffer receiving the generated key, must not be NULL.
 *
 * Four bytes of num (in host byte order) are copied to the start of output,
 * then cp_secu_pbkdf1 is called with output as both of its first two
 * arguments, together with CP_SECU_AES_SIZE and CP_SECU_SALT_SPIDCOM.
 *
 * NOTE(review): the key is a deterministic function of num and a constant
 * salt, so the number of possible keys is bounded by the number of distinct
 * num values (2^32 if uint is 32 bits -- confirm).  Callers that need a
 * stronger key should not rely on this routine alone.
 *
 * NOTE(review): only 4 bytes of output are written before the derivation
 * call.  If the third argument of cp_secu_pbkdf1 is an input length, the
 * bytes after the first 4 would be taken from whatever the caller's buffer
 * held -- confirm against the cp_secu_pbkdf1 prototype.  output presumably
 * has to hold at least CP_SECU_AES_SIZE bytes; that is not checked here.
 */
void
cp_secu_aes_generate_key (uint num, u8 *output)
{
    dbg_assert (num);
    dbg_assert (output);

    /* Seed the output buffer with the raw bytes of num; the literal 4
     * assumes uint is at least 4 bytes wide. */
    memcpy (output, &num, 4);
    /* In-place derivation: the same buffer is passed as first and second
     * argument. */
    cp_secu_pbkdf1 (output, output, CP_SECU_AES_SIZE, CP_SECU_SALT_SPIDCOM);
}

/**
 * Derive the NID from the NMK and the security level.
 * \param  nmk  the NMK, passed by value.
 * \param  security_level  the security level, asserted to be at most 2.
 * \return  the NID computed.
 *
 * The first four elements of nmk.key are serialised, 4 bytes each, into a
 * local buffer which is then run through secu_pbkdf1 in place, with no salt
 * and CP_SECU_PBKDF1_ITERATION_NID iterations.  In the last NID octet the
 * upper nibble of the derived value is moved to the lower nibble and the
 * security level is placed in the upper nibble.  The first CP_NID_SIZE bytes
 * of the buffer are returned as the NID.
 *
 * NOTE(review): the loop writes 16 bytes, so CP_NMK_SIZE is assumed to be at
 * least 16, and secu_pbkdf1 receives the same CP_NMK_SIZE-byte buffer as
 * input and output -- confirm it never writes more than CP_NMK_SIZE bytes.
 *
 * NOTE(review): nmk is received by value and neither that copy nor the
 * local buffer is cleared before returning; confirm whether key material
 * left on the stack matters for this target.
 */
cp_nid_t
cp_secu_nmk2nid(cp_key_t nmk, u8 security_level)
{
    cp_nid_t nid = 0;
    u8 buffer[CP_NMK_SIZE];
    u8 *last_octet = &buffer[CP_NID_SIZE - 1];
    uint word;

    dbg_assert (security_level <= 2);

    /* Lay the key words out back to back, 4 bytes per word. */
    for (word = 0; word < 4; word++)
        memcpy (&buffer[word * 4], &nmk.key[word], 4);

    /* No salt (NULL, length 0); the result overwrites the serialised key. */
    secu_pbkdf1 (buffer, CP_NMK_SIZE, NULL, 0, CP_SECU_PBKDF1_ITERATION_NID,
                 buffer);

    /* Rightmost NID octet: its low nibble takes the upper nibble of the
     * derived octet (the rightmost nibble of the 52 bit hashed NID offset),
     * its high nibble takes the security level. */
    *last_octet = (u8) (((*last_octet >> 4) & 0x0F)
                        | ((security_level << 4) & 0xF0));

    memcpy (&nid, buffer, CP_NID_SIZE);
    return nid;
}

/**
 * Generate the TEK from two inputs by hashing their concatenation.
 * \param  left  first input, must not be NULL.
 * \param  left_len  number of bytes taken from left.
 * \param  right  second input, must not be NULL.
 * \param  right_len  number of bytes taken from right.
 * \param  output  key structure receiving the 16 byte result.
 *
 * The bytes of right are placed at the start of a temporary buffer and the
 * bytes of left directly after them; the buffer is handed to
 * cp_secu_sha256 and the first 16 bytes of the digest become the key.
 *
 * NOTE(review): both lengths are used as byte counts by memcpy although the
 * inputs are declared as u32 arrays -- confirm callers pass sizes in bytes.
 *
 * NOTE(review): the temporary buffer is a variable length array sized by
 * left_len + right_len with no upper bound or wrap check visible here, so
 * callers have to keep the sum small and non-zero.  The temporary buffer and
 * the digest are not cleared before returning; confirm whether that matters
 * for this target.
 */
void
cp_secu_tek_gen (const u32 left[], const uint left_len,
                 const u32 right[], const uint right_len,
                 cp_key_t *output)
{
    const uint total_len = left_len + right_len;
    u8 sha_buff[total_len];
    u8 digest[CP_SECU_SHA256_SIZE];
    dbg_assert (left);
    dbg_assert (right);
    dbg_assert (output);

    /* Layout of sha_buff: right at offset 0, left right behind it.
     * NOTE(review): confirm this byte order against the HPAV
     * specification. */
    memcpy (sha_buff, right, right_len);
    memcpy (sha_buff + right_len, left, left_len);

    /* No salt and no iteration count are passed for the TEK: the buffer
     * goes through a single cp_secu_sha256 call.
     * See HPAV section 7.10.7.2, paragraph 4. */
    cp_secu_sha256 (sha_buff, total_len, digest);

    /* Keep only the leftmost 16 bytes of the digest. */
    memcpy (output->key, digest, 16);
}