webadmin/pico-keys-sdk
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-keys-sdk synced 2026-05-27 00:25:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add macros for PIN KDF.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2026-04-01 16:20:22 +02:00
parent 189567eebe
commit f76bc631d2
2 changed files with 25 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/crypto_utils.c
View File

@@ -92,7 +92,7 @@ void pin_derive_kenc2(const uint8_t pin_token[32], uint8_t kenc[32]) {
// Encrypt 32-byte device key using AES-256-GCM
// Output: [nonce|ciphertext|tag] = 12 + in_len + 16 = 60 bytes
// ------------------------------------------------------------------
int encrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len, uint8_t version, uint8_t *out_buf) {
int encrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len, const pin_kdf_version_t version, uint8_t *out_buf) {
uint8_t *nonce = out_buf;
uint8_t *ct = out_buf + 12;
uint8_t *tag = out_buf + 12 + in_len;
@@ -102,11 +102,15 @@ int encrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len
mbedtls_gcm_context gcm;
mbedtls_gcm_init(&gcm);
uint8_t kenc[32];
if (version == 2) {
if (version == PIN_KDF_V2) {
pin_derive_kenc2(key, kenc);
} else {
}
else if (version == PIN_KDF_V1) {
pin_derive_kenc(key, kenc);
}
else {
return PICOKEY_WRONG_DATA;
}
int rc = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, kenc, 256);
mbedtls_platform_zeroize(kenc, sizeof(kenc));
if (rc != 0) {
@@ -123,7 +127,7 @@ int encrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len
// Input: [nonce|ciphertext|tag] = in_len bytes
// Output: decrypted = in_len - 12 - 16 bytes
// ------------------------------------------------------------------
int decrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len, uint8_t version, uint8_t *out_buf) {
int decrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len, const pin_kdf_version_t version, uint8_t *out_buf) {
const uint8_t *nonce = in_buf;
const uint8_t *ct = in_buf + 12;
const uint8_t *tag = in_buf + in_len - 16;
@@ -131,11 +135,14 @@ int decrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len
mbedtls_gcm_context gcm;
mbedtls_gcm_init(&gcm);
uint8_t kenc[32];
if (version == 2) {
if (version == PIN_KDF_V2) {
pin_derive_kenc2(key, kenc);
} else {
} else if (version == PIN_KDF_V1) {
pin_derive_kenc(key, kenc);
}
else {
return PICOKEY_WRONG_DATA;
}
int rc = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, kenc, 256);
mbedtls_platform_zeroize(kenc, sizeof(kenc));
if (rc != 0) {
@@ -157,7 +164,6 @@ void double_hash_pin(const uint8_t *pin, uint16_t len, uint8_t output[32]) {
hash_multi(o1, sizeof(o1), output);
}
void hash_multi(const uint8_t *input, uint16_t len, uint8_t output[32]) {
mbedtls_sha256_context ctx;
mbedtls_sha256_init(&ctx);