From 322bdf049d5e53cdb97be4a606ab00f393b5313d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=82=E3=81=8F?= Date: Fri, 17 Sep 2021 12:21:08 +0300 Subject: [PATCH] [FL-1826] Crypto: correct key provisioning procedure. (#709) * Crypto: correct key provisioning procedure. * Format Sources * Cli: target for bootloder in device_info --- applications/cli/cli_commands.c | 3 +- applications/crypto/crypto_cli.c | 53 +++++++++++++++---- .../targets/f6/furi-hal/furi-hal-crypto.c | 6 +++ .../targets/f7/furi-hal/furi-hal-crypto.c | 6 +++ lib/toolbox/args.c | 4 +- lib/toolbox/args.h | 2 +- 6 files changed, 61 insertions(+), 13 deletions(-) diff --git a/applications/cli/cli_commands.c b/applications/cli/cli_commands.c index eb459457..f03c12e7 100644 --- a/applications/cli/cli_commands.c +++ b/applications/cli/cli_commands.c @@ -14,7 +14,7 @@ static const uint8_t enclave_signature_iv[16] = static const uint8_t enclave_signature_input[ENCLAVE_SIGNATURE_SIZE] = {0xdc, 0x76, 0x15, 0x1e, 0x69, 0xe8, 0xdc, 0xd3, 0x4a, 0x71, 0x0b, 0x42, 0x71, 0xe0, 0xa9, 0x78}; static const uint8_t enclave_signature_expected[ENCLAVE_SIGNATURE_SIZE] = - {0x6b, 0x31, 0xc, 0xac, 0x3f, 0x68, 0x79, 0x76, 0x43, 0xc4, 0xfe, 0xe0, 0x25, 0x53, 0x64, 0xc7}; + {0x1b, 0xb3, 0xcf, 0x16, 0xc, 0x27, 0xf7, 0xf2, 0xf0, 0x7e, 0x5f, 0xbe, 0xfe, 0x89, 0x52, 0xe1}; /* * Device Info Command @@ -52,6 +52,7 @@ void cli_command_device_info(Cli* cli, string_t args, void* context) { const Version* boot_version = furi_hal_version_get_boot_version(); if(boot_version) { printf("boot_version : %s\r\n", version_get_version(boot_version)); + printf("boot_target : %s\r\n", version_get_target(boot_version)); printf("boot_commit : %s\r\n", version_get_githash(boot_version)); printf("boot_branch : %s\r\n", version_get_gitbranch(boot_version)); printf("boot_build_date : %s\r\n", version_get_builddate(boot_version)); diff --git a/applications/crypto/crypto_cli.c b/applications/crypto/crypto_cli.c index f687673a..cafd4aaa 100644 --- a/applications/crypto/crypto_cli.c +++ b/applications/crypto/crypto_cli.c @@ -14,7 +14,7 @@ void crypto_cli_print_usage() { "\tdecrypt \t - Using key from secure enclave and IV decrypt hex encoded encrypted with AES256CBC data to plain text\r\n"); printf("\thas_key \t - Check if secure enclave has key in slot\r\n"); printf( - "\tstore_key \t - Store key in secure enclave, returns allocated slot number !!! NON-REVERSABLE OPERATION - READ MANUAL FIRST !!!\r\n"); + "\tstore_key \t - Store key in secure enclave. !!! NON-REVERSABLE OPERATION - READ MANUAL FIRST !!!\r\n"); }; void crypto_cli_encrypt(Cli* cli, string_t args) { @@ -54,7 +54,7 @@ void crypto_cli_encrypt(Cli* cli, string_t args) { string_push_back(input, c); } else if(c == CliSymbolAsciiCR) { printf("\r\n"); - string_push_back(input, '\n'); + string_cat_str(input, "\r\n"); } } @@ -73,6 +73,7 @@ void crypto_cli_encrypt(Cli* cli, string_t args) { } else { printf("Hex-encoded encrypted data:\r\n"); for(size_t i = 0; i < size; i++) { + if(i % 80 == 0) printf("\r\n"); printf("%02x", output[i]); } printf("\r\n"); @@ -127,7 +128,6 @@ void crypto_cli_decrypt(Cli* cli, string_t args) { string_push_back(hex_input, c); } else if(c == CliSymbolAsciiCR) { printf("\r\n"); - string_push_back(hex_input, '\n'); } } @@ -138,13 +138,15 @@ void crypto_cli_decrypt(Cli* cli, string_t args) { uint8_t* input = furi_alloc(size); uint8_t* output = furi_alloc(size); - if(args_read_hex_bytes(hex_input, input, size) && - furi_hal_crypto_decrypt(input, output, size)) { - printf("Decrypted data:\r\n"); - printf("%s\r\n", output); - + if(args_read_hex_bytes(hex_input, input, size)) { + if(furi_hal_crypto_decrypt(input, output, size)) { + printf("Decrypted data:\r\n"); + printf("%s\r\n", output); + } else { + printf("Failed to decrypt\r\n"); + } } else { - printf("Failed to decrypt input"); + printf("Failed to parse input"); } free(input); @@ -183,6 +185,7 @@ void crypto_cli_has_key(Cli* cli, string_t args) { } void crypto_cli_store_key(Cli* cli, string_t args) { + int key_slot = 0; int key_size = 0; string_t key_type; string_init(key_type); @@ -193,14 +196,26 @@ void crypto_cli_store_key(Cli* cli, string_t args) { size_t data_size = 0; do { + if(!args_read_int_and_trim(args, &key_slot)) { + printf("Incorrect or missing key type, expected master, simple or encrypted"); + break; + } if(!args_read_string_and_trim(args, key_type)) { printf("Incorrect or missing key type, expected master, simple or encrypted"); break; } if(string_cmp_str(key_type, "master") == 0) { + if(key_slot != 0) { + printf("Master keyslot must be is 0"); + break; + } key.type = FuriHalCryptoKeyTypeMaster; } else if(string_cmp_str(key_type, "simple") == 0) { + if(key_slot < 1 || key_slot > 99) { + printf("Simple keyslot must be in range"); + break; + } key.type = FuriHalCryptoKeyTypeSimple; } else if(string_cmp_str(key_type, "encrypted") == 0) { key.type = FuriHalCryptoKeyTypeEncrypted; @@ -230,6 +245,26 @@ void crypto_cli_store_key(Cli* cli, string_t args) { break; } + if(key_slot > 0) { + uint8_t iv[16]; + if(key_slot > 1) { + if(!furi_hal_crypto_store_load_key(key_slot - 1, iv)) { + printf( + "Slot %d before %d is empty, which is not allowed", + key_slot - 1, + key_slot); + break; + } + furi_hal_crypto_store_unload_key(key_slot - 1); + } + + if(furi_hal_crypto_store_load_key(key_slot, iv)) { + furi_hal_crypto_store_unload_key(key_slot); + printf("Key slot %d is already used", key_slot); + break; + } + } + uint8_t slot; if(furi_hal_crypto_store_add_key(&key, &slot)) { printf("Success. Stored to slot: %d", slot); diff --git a/firmware/targets/f6/furi-hal/furi-hal-crypto.c b/firmware/targets/f6/furi-hal/furi-hal-crypto.c index 51e4fe29..3e4ec98f 100644 --- a/firmware/targets/f6/furi-hal/furi-hal-crypto.c +++ b/firmware/targets/f6/furi-hal/furi-hal-crypto.c @@ -13,6 +13,7 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) { furi_assert(slot); SHCI_C2_FUS_StoreUsrKey_Cmd_Param_t pParam; + size_t key_data_size = 0; if (key->type == FuriHalCryptoKeyTypeMaster) { pParam.KeyType = KEYTYPE_MASTER; @@ -20,18 +21,23 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) { pParam.KeyType = KEYTYPE_SIMPLE; } else if (key->type == FuriHalCryptoKeyTypeEncrypted) { pParam.KeyType = KEYTYPE_ENCRYPTED; + key_data_size += 12; } else { furi_crash("Incorrect key type"); } if (key->size == FuriHalCryptoKeySize128) { pParam.KeySize = KEYSIZE_16; + key_data_size += 16; } else if (key->size == FuriHalCryptoKeySize256) { pParam.KeySize = KEYSIZE_32; + key_data_size += 32; } else { furi_crash("Incorrect key size"); } + memcpy(pParam.KeyData, key->data, key_data_size); + return SHCI_C2_FUS_StoreUsrKey(&pParam, slot) == SHCI_Success; } diff --git a/firmware/targets/f7/furi-hal/furi-hal-crypto.c b/firmware/targets/f7/furi-hal/furi-hal-crypto.c index 51e4fe29..3e4ec98f 100644 --- a/firmware/targets/f7/furi-hal/furi-hal-crypto.c +++ b/firmware/targets/f7/furi-hal/furi-hal-crypto.c @@ -13,6 +13,7 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) { furi_assert(slot); SHCI_C2_FUS_StoreUsrKey_Cmd_Param_t pParam; + size_t key_data_size = 0; if (key->type == FuriHalCryptoKeyTypeMaster) { pParam.KeyType = KEYTYPE_MASTER; @@ -20,18 +21,23 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) { pParam.KeyType = KEYTYPE_SIMPLE; } else if (key->type == FuriHalCryptoKeyTypeEncrypted) { pParam.KeyType = KEYTYPE_ENCRYPTED; + key_data_size += 12; } else { furi_crash("Incorrect key type"); } if (key->size == FuriHalCryptoKeySize128) { pParam.KeySize = KEYSIZE_16; + key_data_size += 16; } else if (key->size == FuriHalCryptoKeySize256) { pParam.KeySize = KEYSIZE_32; + key_data_size += 32; } else { furi_crash("Incorrect key size"); } + memcpy(pParam.KeyData, key->data, key_data_size); + return SHCI_C2_FUS_StoreUsrKey(&pParam, slot) == SHCI_Success; } diff --git a/lib/toolbox/args.c b/lib/toolbox/args.c index 76e59d69..b347b42e 100644 --- a/lib/toolbox/args.c +++ b/lib/toolbox/args.c @@ -76,12 +76,12 @@ bool args_char_to_hex(char hi_nibble, char low_nibble, uint8_t* byte) { return result; } -bool args_read_hex_bytes(string_t args, uint8_t* bytes, uint8_t bytes_count) { +bool args_read_hex_bytes(string_t args, uint8_t* bytes, size_t bytes_count) { bool result = true; const char* str_pointer = string_get_cstr(args); if(args_get_first_word_length(args) == (bytes_count * 2)) { - for(uint8_t i = 0; i < bytes_count; i++) { + for(size_t i = 0; i < bytes_count; i++) { if(!args_char_to_hex(str_pointer[i * 2], str_pointer[i * 2 + 1], &(bytes[i]))) { result = false; break; diff --git a/lib/toolbox/args.h b/lib/toolbox/args.h index 17e54c77..4ae1e1db 100644 --- a/lib/toolbox/args.h +++ b/lib/toolbox/args.h @@ -46,7 +46,7 @@ bool args_read_probably_quoted_string_and_trim(string_t args, string_t word); * @return true - success * @return false - arguments string does not contain enough values, or contain non-hex ASCII values */ -bool args_read_hex_bytes(string_t args, uint8_t* bytes, uint8_t bytes_count); +bool args_read_hex_bytes(string_t args, uint8_t* bytes, size_t bytes_count); /************************************ HELPERS ***************************************/