From b9c925b04705168b48bc981e522b201b59e45f55 Mon Sep 17 00:00:00 2001 From: 1234yhj Date: Wed, 13 Sep 2023 11:05:41 +0800 Subject: [PATCH 1/7] Update card-epass2003.c --- src/libopensc/card-epass2003.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index d81e5bbbee..8483f27c57 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -90,7 +90,7 @@ static unsigned char PIN_ID[2] = { ENTERSAFE_USER_PIN_ID, ENTERSAFE_SO_PIN_ID }; /*0x00:plain; 0x01:scp01 sm*/ #define SM_PLAIN 0x00 #define SM_SCP01 0x01 - +//g_init_key_enc init key.. static unsigned char g_init_key_enc[16] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10 From 40ca329f9f969c6d1303c5cb031697f5fe76f4e1 Mon Sep 17 00:00:00 2001 From: haijie Date: Thu, 21 Mar 2024 11:01:11 +0800 Subject: [PATCH 2/7] Update card-epass2003.c update fips token support --- src/libopensc/card-epass2003.c | 80 +++++++++++++++------------------- 1 file changed, 34 insertions(+), 46 deletions(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index 7cf6741a43..b118516f6f 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -90,7 +90,7 @@ static unsigned char PIN_ID[2] = { ENTERSAFE_USER_PIN_ID, ENTERSAFE_SO_PIN_ID }; /*0x00:plain; 0x01:scp01 sm*/ #define SM_PLAIN 0x00 #define SM_SCP01 0x01 -//g_init_key_enc init key.. + static unsigned char g_init_key_enc[16] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10 @@ -360,7 +360,6 @@ aes128_encrypt_cmac_ft(struct sc_card *card, const unsigned char *key, int keysi EVP_CIPHER *alg = sc_evp_cipher(card->ctx, "AES-128-ECB"); r = openssl_enc(alg, key, iv0, data1, 16, out); if (r != SC_SUCCESS) { - sc_log_openssl(card->ctx); sc_evp_cipher_free(alg); return r; } @@ -397,16 +396,21 @@ aes128_encrypt_cmac_ft(struct sc_card *card, const unsigned char *key, int keysi if(length < 16){ memcpy(&data2[0],input,length); data2[length] = 0x80; + + //k2 xor padded data + for (int i=0;i<16;i++){ + data2[i]=data2[i]^k2Bin[offset + i]; + } + }else{ + memcpy(&data2[0],input,length); + //k1 xor padded data + for (int i=0;i<16;i++){ + data2[i]=data2[i]^k1Bin[offset + i]; + } } - - //k2 xor padded data - for (int i=0;i<16;i++){ - data2[i]=data2[i]^k2Bin[offset + i]; - } + alg = sc_evp_cipher(card->ctx, "AES-128-CBC"); r = openssl_enc(alg, key, iv, data2, 16, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -447,19 +451,15 @@ aes128_encrypt_cmac(struct sc_card *card, const unsigned char *key, int keysize, EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac); if(ctx == NULL){ EVP_MAC_CTX_free(ctx); - sc_log_openssl(card->ctx); return r; } if(!EVP_MAC_init(ctx, (const unsigned char *)key, keysize/8,params)){ - sc_log_openssl(card->ctx); goto err; } if(!EVP_MAC_update(ctx, input,length)){ - sc_log_openssl(card->ctx); goto err; } if(!EVP_MAC_final(ctx, output, &mactlen, 16)) { - sc_log_openssl(card->ctx); goto err; } r = SC_SUCCESS; @@ -479,8 +479,6 @@ aes128_encrypt_ecb(struct sc_card *card, const unsigned char *key, int keysize, int r; r = openssl_enc(alg, key, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -493,8 +491,6 @@ aes128_encrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, int r; r = openssl_enc(alg, key, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -507,8 +503,6 @@ aes128_decrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, int r; r = openssl_dec(alg, key, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -532,8 +526,6 @@ des3_encrypt_ecb(struct sc_card *card, const unsigned char *key, int keysize, r = openssl_enc(alg, bKey, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -556,8 +548,6 @@ des3_encrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, un r = openssl_enc(EVP_des_ede3_cbc(), bKey, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -580,8 +570,6 @@ des3_decrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, un r = openssl_dec(alg, bKey, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -595,8 +583,6 @@ des_encrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, uns r = openssl_enc(alg, key, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -610,8 +596,6 @@ des_decrypt_cbc(struct sc_card *card, const unsigned char *key, int keysize, uns r = openssl_dec(alg, key, iv, input, length, output); sc_evp_cipher_free(alg); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -658,8 +642,6 @@ sha1_digest(struct sc_card *card, const unsigned char *input, size_t length, uns r = openssl_dig(md, input, length, output); sc_evp_md_free(md); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -671,8 +653,6 @@ sha256_digest(struct sc_card *card, const unsigned char *input, size_t length, u r = openssl_dig(md, input, length, output); sc_evp_md_free(md); - if (r != SC_SUCCESS) - sc_log_openssl(card->ctx); return r; } @@ -3357,9 +3337,7 @@ external_key_auth(struct sc_card *card, unsigned char kid, r = hash_data(card, data, datalen, hash, SC_ALGORITHM_ECDSA_HASH_SHA1); LOG_TEST_RET(card->ctx, r, "hash data failed"); - r = des3_encrypt_cbc(card, hash, HASH_LEN, iv, random, 8, tmp_data); - LOG_TEST_RET(card->ctx, r, "encryption failed"); - + des3_encrypt_cbc(card, hash, HASH_LEN, iv, random, 8, tmp_data); sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x82, 0x01, 0x80 | kid); apdu.lc = apdu.datalen = 8; apdu.data = tmp_data; @@ -3438,7 +3416,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries data->pin1.max_tries = maxtries; } - LOG_TEST_RET(card->ctx, r, "verify pin failed"); + LOG_TEST_RET(card->ctx, r, "get pin retries failed"); } else if (data->cmd == SC_PIN_CMD_UNBLOCK) { /* verify */ r = external_key_auth(card, (kid + 1), (unsigned char *)data->pin1.data, @@ -3448,21 +3426,31 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries else if (data->cmd == SC_PIN_CMD_CHANGE || data->cmd == SC_PIN_CMD_UNBLOCK) { /* change */ r = external_key_auth(card, kid, (unsigned char *)data->pin1.data, data->pin1.len); - LOG_TEST_RET(card->ctx, r, "verify pin failed"); - - r = update_secret_key(card, 0x04, kid, data->pin2.data, + if(r == SC_SUCCESS) + { + r = update_secret_key(card, 0x04, kid, data->pin2.data, (unsigned long)data->pin2.len); - LOG_TEST_RET(card->ctx, r, "change pin failed"); + + LOG_TEST_RET(card->ctx, r, "change pin failed"); + }else{ + if (SC_SUCCESS == get_external_key_retries(card, 0x80 | kid, &retries)) { + data->pin1.tries_left = retries; + if (tries_left) + *tries_left = retries; + } + LOG_TEST_RET(card->ctx, r, "verify pin failed"); + } } else { r = external_key_auth(card, kid, (unsigned char *)data->pin1.data, data->pin1.len); - LOG_TEST_RET(card->ctx, r, "verify pin failed"); - - r = get_external_key_retries(card, 0x80 | kid, &retries); - if (retries < pin_low) - sc_log(card->ctx, "Verification failed (remaining tries: %d)", retries); + if (SC_SUCCESS == get_external_key_retries(card, 0x80 | kid, &retries)) + { + data->pin1.tries_left = retries; + if (tries_left) + *tries_left = retries; + } LOG_TEST_RET(card->ctx, r, "verify pin failed"); } From 7266daff1cf6ae4a032520d88fb1c39d8c28c875 Mon Sep 17 00:00:00 2001 From: haijie Date: Thu, 21 Mar 2024 11:21:00 +0800 Subject: [PATCH 3/7] Update card-epass2003.c comment dead code --- src/libopensc/card-epass2003.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index b118516f6f..1812b7b81d 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -3389,7 +3389,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries int r; u8 kid; u8 retries = 0; - u8 pin_low = 3; + //u8 pin_low = 3; unsigned char maxtries = 0; LOG_FUNC_CALLED(card->ctx); From fd7c1db515930adc46c6c820ec64e0444449bede Mon Sep 17 00:00:00 2001 From: haijie Date: Thu, 21 Mar 2024 16:18:22 +0800 Subject: [PATCH 4/7] Update src/libopensc/card-epass2003.c Co-authored-by: Frank Morgner --- src/libopensc/card-epass2003.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index 1812b7b81d..6b841d8fbc 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -3438,7 +3438,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries if (tries_left) *tries_left = retries; } - LOG_TEST_RET(card->ctx, r, "verify pin failed"); + LOG_TEST_RET(card->ctx, r, "change pin failed"); } } else { From c5ec42e0a6549e639648585939793952b3ef3df0 Mon Sep 17 00:00:00 2001 From: haijie Date: Thu, 21 Mar 2024 16:18:33 +0800 Subject: [PATCH 5/7] Update src/libopensc/card-epass2003.c Co-authored-by: Frank Morgner --- src/libopensc/card-epass2003.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index 6b841d8fbc..f37ad10727 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -3389,7 +3389,6 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries int r; u8 kid; u8 retries = 0; - //u8 pin_low = 3; unsigned char maxtries = 0; LOG_FUNC_CALLED(card->ctx); From 901f270abbd399743e1cb6a2fa2d6b6b1b89253e Mon Sep 17 00:00:00 2001 From: haijie Date: Thu, 21 Mar 2024 18:03:17 +0800 Subject: [PATCH 6/7] Update card-epass2003.c modified logical judgement --- src/libopensc/card-epass2003.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index f37ad10727..37872d50dc 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -360,6 +360,7 @@ aes128_encrypt_cmac_ft(struct sc_card *card, const unsigned char *key, int keysi EVP_CIPHER *alg = sc_evp_cipher(card->ctx, "AES-128-ECB"); r = openssl_enc(alg, key, iv0, data1, 16, out); if (r != SC_SUCCESS) { + sc_log_openssl(card->ctx); sc_evp_cipher_free(alg); return r; } @@ -401,15 +402,23 @@ aes128_encrypt_cmac_ft(struct sc_card *card, const unsigned char *key, int keysi for (int i=0;i<16;i++){ data2[i]=data2[i]^k2Bin[offset + i]; } - }else{ + }else if(length ==16){ memcpy(&data2[0],input,length); //k1 xor padded data for (int i=0;i<16;i++){ data2[i]=data2[i]^k1Bin[offset + i]; } + }else{ + memcpy(&data2[0],input,16); + //k1 xor padded data + for (int i=0;i<16;i++){ + data2[i]=data2[i]^k1Bin[offset + i]; } alg = sc_evp_cipher(card->ctx, "AES-128-CBC"); r = openssl_enc(alg, key, iv, data2, 16, output); + if( r!=SC_SUCCESS){ + sc_log_openssl(card->ctx); + } sc_evp_cipher_free(alg); return r; } @@ -3425,8 +3434,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries else if (data->cmd == SC_PIN_CMD_CHANGE || data->cmd == SC_PIN_CMD_UNBLOCK) { /* change */ r = external_key_auth(card, kid, (unsigned char *)data->pin1.data, data->pin1.len); - if(r == SC_SUCCESS) - { + if(r == SC_SUCCESS){ r = update_secret_key(card, 0x04, kid, data->pin2.data, (unsigned long)data->pin2.len); @@ -3444,8 +3452,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries r = external_key_auth(card, kid, (unsigned char *)data->pin1.data, data->pin1.len); - if (SC_SUCCESS == get_external_key_retries(card, 0x80 | kid, &retries)) - { + if (SC_SUCCESS == get_external_key_retries(card, 0x80 | kid, &retries)){ data->pin1.tries_left = retries; if (tries_left) *tries_left = retries; @@ -3453,8 +3460,7 @@ epass2003_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries LOG_TEST_RET(card->ctx, r, "verify pin failed"); } - if (r == SC_SUCCESS) - { + if (r == SC_SUCCESS){ data->pin1.logged_in = SC_PIN_STATE_LOGGED_IN; } return r; From 52e312aa47c91536884226bd4f904d7f70452692 Mon Sep 17 00:00:00 2001 From: haijie Date: Mon, 25 Mar 2024 17:57:03 +0800 Subject: [PATCH 7/7] Update card-epass2003.c Fix syntax errors --- src/libopensc/card-epass2003.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c index e062b51457..fc145373f2 100644 --- a/src/libopensc/card-epass2003.c +++ b/src/libopensc/card-epass2003.c @@ -415,6 +415,7 @@ aes128_encrypt_cmac_ft(struct sc_card *card, const unsigned char *key, int keysi //k1 xor padded data for (int i=0;i<16;i++){ data2[i]=data2[i]^k1Bin[offset + i]; + } } alg = sc_evp_cipher(card->ctx, "AES-128-CBC"); r = openssl_enc(alg, key, iv, data2, 16, output);