liz/flipperzero-firmware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[FL-1490] FuriHal: crypto api. Crypto cli tool. (#702)

Browse Source 
* FuriHal: crypto layer
* Furi: add crash routine.
* FuriHal: crypto api. Crypto: cli command to manipulate secure enclave and encrypt/decrypt plain text.
* DeviceInfo: secure enclave verification.
* Rename original to enclave_valid
* Update expected enclave signature to match production keys
* F7: remove unused files
This commit is contained in:
あく
2021-09-15 12:59:49 +03:00
committed by GitHub
parent 95d9140d24
commit 66f9d946ae
52 changed files with 1056 additions and 1609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
applications/applications.c
View File

@@ -39,6 +39,7 @@ extern int32_t music_player_app(void* p);
// On system start hooks declaration
extern void bt_cli_init();
extern void crypto_cli_init();
extern void ibutton_cli_init();
extern void irda_cli_init();
extern void lfrfid_cli_init();
@@ -171,6 +172,9 @@ const size_t FLIPPER_APPS_COUNT = sizeof(FLIPPER_APPS) / sizeof(FlipperApplicati
// On system start hooks
const FlipperOnStartHook FLIPPER_ON_SYSTEM_START[] = {
#ifdef SRV_CLI
crypto_cli_init,
#endif
irda_cli_init,
#ifdef APP_NFC
nfc_cli_init,

21
applications/cli/cli_commands.c
View File

@@ -7,6 +7,15 @@
#include <notification/notification-messages.h>
#include <shci.h>
#define ENCLAVE_SIGNATURE_KEY_SLOT 1
#define ENCLAVE_SIGNATURE_SIZE 16
static const uint8_t enclave_signature_iv[16] =
{0x32, 0xe6, 0xa7, 0x85, 0x20, 0xae, 0x0b, 0xf0, 0x00, 0xb6, 0x30, 0x9b, 0xd5, 0x42, 0x9e, 0xa6};
static const uint8_t enclave_signature_input[ENCLAVE_SIGNATURE_SIZE] =
{0xdc, 0x76, 0x15, 0x1e, 0x69, 0xe8, 0xdc, 0xd3, 0x4a, 0x71, 0x0b, 0x42, 0x71, 0xe0, 0xa9, 0x78};
static const uint8_t enclave_signature_expected[ENCLAVE_SIGNATURE_SIZE] =
{0x6b, 0x31, 0xc, 0xac, 0x3f, 0x68, 0x79, 0x76, 0x43, 0xc4, 0xfe, 0xe0, 0x25, 0x53, 0x64, 0xc7};
/*
* Device Info Command
* This command is intended to be used by humans and machines
@@ -85,6 +94,18 @@ void cli_command_device_info(Cli* cli, string_t args, void* context) {
printf("%02X", ble_mac[i]);
}
printf("\r\n");
// Signature verification
uint8_t buffer[ENCLAVE_SIGNATURE_SIZE];
bool enclave_valid = false;
if(furi_hal_crypto_store_load_key(ENCLAVE_SIGNATURE_KEY_SLOT, enclave_signature_iv)) {
if(furi_hal_crypto_encrypt(enclave_signature_input, buffer, ENCLAVE_SIGNATURE_SIZE)) {
enclave_valid =
memcmp(buffer, enclave_signature_expected, ENCLAVE_SIGNATURE_SIZE) == 0;
}
furi_hal_crypto_store_unload_key(ENCLAVE_SIGNATURE_KEY_SLOT);
}
printf("enclave_valid : %s\r\n", enclave_valid ? "true" : "false");
} else {
printf("radio_alive : false\r\n");
}

284
applications/crypto/crypto_cli.c Normal file
View File

@@ -0,0 +1,284 @@
#include <furi-hal.h>
#include <furi.h>
#include <lib/toolbox/args.h>
#include <cli/cli.h>
void crypto_cli_print_usage() {
printf("Usage:\r\n");
printf("crypto <cmd> <args>\r\n");
printf("Cmd list:\r\n");
printf(
"\tencrypt <key_slot:int> <iv:hex>\t - Using key from secure enclave and IV encrypt plain text with AES256CBC and encode to hex\r\n");
printf(
"\tdecrypt <key_slot:int> <iv:hex>\t - Using key from secure enclave and IV decrypt hex encoded encrypted with AES256CBC data to plain text\r\n");
printf("\thas_key <key_slot:int>\t - Check if secure enclave has key in slot\r\n");
printf(
"\tstore_key <key_type:str> <key_size:int> <key_data:hex>\t - Store key in secure enclave, returns allocated slot number !!! NON-REVERSABLE OPERATION - READ MANUAL FIRST !!!\r\n");
};
void crypto_cli_encrypt(Cli* cli, string_t args) {
int key_slot = 0;
bool key_loaded = false;
uint8_t iv[16];
do {
if(!args_read_int_and_trim(args, &key_slot) || !(key_slot > 0 && key_slot <= 100)) {
printf("Incorrect or missing slot, expected int 1-100");
break;
}
if(!args_read_hex_bytes(args, iv, 16)) {
printf("Incorrect or missing IV, expected 16 bytes in hex");
break;
}
if(!furi_hal_crypto_store_load_key(key_slot, iv)) {
printf("Unable to load key from slot %d", key_slot);
break;
}
key_loaded = true;
printf("Enter plain text and press Ctrl+C to complete encryption:\r\n");
string_t input;
string_init(input);
char c;
while(cli_read(cli, (uint8_t*)&c, 1) == 1) {
if(c == CliSymbolAsciiETX) {
printf("\r\n");
break;
} else if(c >= 0x20 && c < 0x7F) {
putc(c, stdout);
fflush(stdout);
string_push_back(input, c);
} else if(c == CliSymbolAsciiCR) {
printf("\r\n");
string_push_back(input, '\n');
}
}
size_t size = string_size(input);
if(size > 0) {
// C-string null termination and block alignments
size++;
size_t remain = size % 16;
if(remain) {
size = size - remain + 16;
}
string_reserve(input, size);
uint8_t* output = furi_alloc(size);
if(!furi_hal_crypto_encrypt((const uint8_t*)string_get_cstr(input), output, size)) {
printf("Failed to encrypt input");
} else {
printf("Hex-encoded encrypted data:\r\n");
for(size_t i = 0; i < size; i++) {
printf("%02x", output[i]);
}
printf("\r\n");
}
free(output);
} else {
printf("No input");
}
string_clear(input);
} while(0);
if(key_loaded) {
furi_hal_crypto_store_unload_key(key_slot);
}
}
void crypto_cli_decrypt(Cli* cli, string_t args) {
int key_slot = 0;
bool key_loaded = false;
uint8_t iv[16];
do {
if(!args_read_int_and_trim(args, &key_slot) || !(key_slot > 0 && key_slot <= 100)) {
printf("Incorrect or missing slot, expected int 1-100");
break;
}
if(!args_read_hex_bytes(args, iv, 16)) {
printf("Incorrect or missing IV, expected 16 bytes in hex");
break;
}
if(!furi_hal_crypto_store_load_key(key_slot, iv)) {
printf("Unable to load key from slot %d", key_slot);
break;
}
key_loaded = true;
printf("Enter Hex-encoded data and press Ctrl+C to complete decryption:\r\n");
string_t hex_input;
string_init(hex_input);
char c;
while(cli_read(cli, (uint8_t*)&c, 1) == 1) {
if(c == CliSymbolAsciiETX) {
printf("\r\n");
break;
} else if(c >= 0x20 && c < 0x7F) {
putc(c, stdout);
fflush(stdout);
string_push_back(hex_input, c);
} else if(c == CliSymbolAsciiCR) {
printf("\r\n");
string_push_back(hex_input, '\n');
}
}
string_strim(hex_input);
size_t hex_size = string_size(hex_input);
if(hex_size > 0 && hex_size % 2 == 0) {
size_t size = hex_size / 2;
uint8_t* input = furi_alloc(size);
uint8_t* output = furi_alloc(size);
if(args_read_hex_bytes(hex_input, input, size) &&
furi_hal_crypto_decrypt(input, output, size)) {
printf("Decrypted data:\r\n");
printf("%s\r\n", output);
} else {
printf("Failed to decrypt input");
}
free(input);
free(output);
} else {
printf("Invalid or empty input");
}
string_clear(hex_input);
} while(0);
if(key_loaded) {
furi_hal_crypto_store_unload_key(key_slot);
}
}
void crypto_cli_has_key(Cli* cli, string_t args) {
int key_slot = 0;
uint8_t iv[16];
do {
if(!args_read_int_and_trim(args, &key_slot) || !(key_slot > 0 && key_slot <= 100)) {
printf("Incorrect or missing slot, expected int 1-100");
break;
}
if(!furi_hal_crypto_store_load_key(key_slot, iv)) {
printf("Unable to load key from slot %d", key_slot);
break;
}
printf("Successfully loaded key from slot %d", key_slot);
furi_hal_crypto_store_unload_key(key_slot);
} while(0);
}
void crypto_cli_store_key(Cli* cli, string_t args) {
int key_size = 0;
string_t key_type;
string_init(key_type);
uint8_t data[32 + 12] = {};
FuriHalCryptoKey key;
key.data = data;
size_t data_size = 0;
do {
if(!args_read_string_and_trim(args, key_type)) {
printf("Incorrect or missing key type, expected master, simple or encrypted");
break;
}
if(string_cmp_str(key_type, "master") == 0) {
key.type = FuriHalCryptoKeyTypeMaster;
} else if(string_cmp_str(key_type, "simple") == 0) {
key.type = FuriHalCryptoKeyTypeSimple;
} else if(string_cmp_str(key_type, "encrypted") == 0) {
key.type = FuriHalCryptoKeyTypeEncrypted;
data_size += 12;
} else {
printf("Incorrect or missing key type, expected master, simple or encrypted");
break;
}
if(!args_read_int_and_trim(args, &key_size)) {
printf("Incorrect or missing key size, expected 128 or 256");
break;
}
if(key_size == 128) {
key.size = FuriHalCryptoKeySize128;
data_size += 16;
} else if(key_size == 256) {
key.size = FuriHalCryptoKeySize256;
data_size += 32;
} else {
printf("Incorrect or missing key size, expected 128 or 256");
}
if(!args_read_hex_bytes(args, data, data_size)) {
printf("Incorrect or missing key data, expected hex encoded key with or without IV.");
break;
}
uint8_t slot;
if(furi_hal_crypto_store_add_key(&key, &slot)) {
printf("Success. Stored to slot: %d", slot);
} else {
printf("Failure");
}
} while(0);
string_clear(key_type);
}
void crypto_cli(Cli* cli, string_t args, void* context) {
string_t cmd;
string_init(cmd);
do {
if(!args_read_string_and_trim(args, cmd)) {
crypto_cli_print_usage();
break;
}
if(string_cmp_str(cmd, "encrypt") == 0) {
crypto_cli_encrypt(cli, args);
break;
}
if(string_cmp_str(cmd, "decrypt") == 0) {
crypto_cli_decrypt(cli, args);
break;
}
if(string_cmp_str(cmd, "has_key") == 0) {
crypto_cli_has_key(cli, args);
break;
}
if(string_cmp_str(cmd, "store_key") == 0) {
crypto_cli_store_key(cli, args);
break;
}
crypto_cli_print_usage();
} while(false);
string_clear(cmd);
}
void crypto_cli_init() {
Cli* cli = furi_record_open("cli");
cli_add_command(cli, "crypto", CliCommandFlagDefault, crypto_cli, NULL);
furi_record_close("cli");
}

6
applications/gui/canvas.c
View File

@@ -116,7 +116,7 @@ void canvas_set_font(Canvas* canvas, Font font) {
} else if(font == FontKeyboard) {
u8g2_SetFont(&canvas->fb, u8g2_font_profont11_mf);
} else {
furi_check(0);
furi_crash(NULL);
}
}
@@ -150,7 +150,7 @@ void canvas_draw_str_aligned(
x -= (u8g2_GetStrWidth(&canvas->fb, str) / 2);
break;
default:
furi_check(0);
furi_crash(NULL);
break;
}
@@ -164,7 +164,7 @@ void canvas_draw_str_aligned(
y += (u8g2_GetAscent(&canvas->fb) / 2);
break;
default:
furi_check(0);
furi_crash(NULL);
break;
}

2
applications/menu/menu.c
View File

@@ -35,7 +35,7 @@ ValueMutex* menu_init() {
ValueMutex* menu_mutex = furi_alloc(sizeof(ValueMutex));
if(menu_mutex == NULL || !init_mutex(menu_mutex, menu, sizeof(Menu))) {
printf("[menu_task] cannot create menu mutex\r\n");
furi_check(0);
furi_crash(NULL);
}
// OpenGui record

2
applications/subghz/scenes/subghz_scene_receiver.c
View File

@@ -20,7 +20,7 @@ static void subghz_scene_receiver_update_statusbar(void* context) {
} else if(subghz->txrx->preset == FuriHalSubGhzPreset2FSKAsync) {
snprintf(preset_str, sizeof(preset_str), "FM");
} else {
furi_check(0);
furi_crash(NULL);
}
subghz_receiver_add_data_statusbar(
subghz->subghz_receiver, frequency_str, preset_str, string_get_cstr(history_stat_str));

2
applications/subghz/scenes/subghz_scene_receiver_info.c
View File

@@ -44,7 +44,7 @@ const void subghz_scene_receiver_info_on_enter(void* context) {
} else if(subghz->txrx->preset == FuriHalSubGhzPreset2FSKAsync) {
snprintf(buffer_str, sizeof(buffer_str), "FM");
} else {
furi_check(0);
furi_crash(NULL);
}
widget_add_string_element(
subghz->widget, 113, 0, AlignLeft, AlignTop, FontSecondary, buffer_str);

2
applications/subghz/scenes/subghz_scene_transmitter.c
View File

@@ -39,7 +39,7 @@ static void subghz_scene_transmitter_update_data_show(void* context) {
} else if(subghz->txrx->preset == FuriHalSubGhzPreset2FSKAsync) {
snprintf(preset_str, sizeof(preset_str), "FM");
} else {
furi_check(0);
furi_crash(NULL);
}
subghz_transmitter_add_data_to_show(

4
applications/subghz/subghz_i.c
View File

@@ -20,7 +20,7 @@ void subghz_begin(FuriHalSubGhzPreset preset) {
uint32_t subghz_rx(void* context, uint32_t frequency) {
furi_assert(context);
if(!furi_hal_subghz_is_frequency_valid(frequency)) {
furi_check(0);
furi_crash(NULL);
}
SubGhzWorker* worker = context;
@@ -37,7 +37,7 @@ uint32_t subghz_rx(void* context, uint32_t frequency) {
uint32_t subghz_tx(uint32_t frequency) {
if(!furi_hal_subghz_is_frequency_valid(frequency)) {
furi_check(0);
furi_crash(NULL);
}
furi_hal_subghz_idle();
uint32_t value = furi_hal_subghz_set_frequency_and_path(frequency);