From 8e4690c426dbe48c9ecfa8b100c39e009ead2a55 Mon Sep 17 00:00:00 2001
From: Victor Costan <victor@pwnage.(none)>
Date: Tue, 17 Nov 2009 14:36:25 -0500
Subject: [PATCH] Instruction for computing the size of some data after
 encryption.

---
 .jcop                                  |  2 +-
 src/edu/mit/csail/tc/TEMApplet.java    |  2 +-
 src/edu/mit/csail/tc/TEMExecution.java | 19 +++++++++++++------
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.jcop b/.jcop
index ee4d2bd..e62eb60 100644
--- a/.jcop
+++ b/.jcop
@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?><jcop.project debug_comp="1" version="2"><package debug_comp="0" exportmap="false" jcop.id=""><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit.csail"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit.csail.tc"><aid jcop.id="package">1983122910face</aid><cunit jcop.id="TEMStore.java"/><cunit jcop.id="TEMApplet.java"><applet jcop.id="TEMApplet"><aid jcop.id="applet">1983122910BABE</aid></applet></cunit><cunit jcop.id="TEMTag.java"/><cunit jcop.id="TEMBuffers.java"/><cunit jcop.id="TEMCrypto.java"/><cunit jcop.id="TEMExecution.java"/><version jcop.id="package">1.14</version></package></jcop.project>
\ No newline at end of file
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><jcop.project debug_comp="1" version="2"><package debug_comp="0" exportmap="false" jcop.id=""><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit.csail"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit"><aid jcop.id="package"/><version jcop.id="package">1.0</version></package><package debug_comp="0" exportmap="false" jcop.id="edu.mit.csail.tc"><aid jcop.id="package">1983122910face</aid><cunit jcop.id="TEMStore.java"/><cunit jcop.id="TEMApplet.java"><applet jcop.id="TEMApplet"><aid jcop.id="applet">1983122910BABE</aid></applet></cunit><cunit jcop.id="TEMTag.java"/><cunit jcop.id="TEMBuffers.java"/><cunit jcop.id="TEMCrypto.java"/><cunit jcop.id="TEMExecution.java"/><version jcop.id="package">1.15</version></package></jcop.project>
\ No newline at end of file
diff --git a/src/edu/mit/csail/tc/TEMApplet.java b/src/edu/mit/csail/tc/TEMApplet.java
index 1b6ca34..95f79e6 100644
--- a/src/edu/mit/csail/tc/TEMApplet.java
+++ b/src/edu/mit/csail/tc/TEMApplet.java
@@ -24,7 +24,7 @@
  */
 public class TEMApplet extends Applet {
   /** The firmware version. */
-  public static final short FIRMWARE_VER = 0x010E;
+  public static final short FIRMWARE_VER = 0x010F;
   
 	public static void install(byte[] bArray, short bOffset, byte bLength) {
 		// GP-compliant JavaCard applet registration
diff --git a/src/edu/mit/csail/tc/TEMExecution.java b/src/edu/mit/csail/tc/TEMExecution.java
index 3f8c243..d262aa8 100644
--- a/src/edu/mit/csail/tc/TEMExecution.java
+++ b/src/edu/mit/csail/tc/TEMExecution.java
@@ -456,7 +456,7 @@ else if ((opcode & 2) != 0) {
 							                               operand3, ((opcode & 2) == 0));
 					}
 					Util.setShort(pBuffer, sp, result); sp += 2;
-					break;
+					break;				  
 				case 0x5A: // rdk  (read key) 
 					sp -= 2; operand1 = Util.getShort(pBuffer, sp);
 					result = TEMCrypto.loadKey(pBuffer, operand1);
@@ -464,17 +464,24 @@ else if ((opcode & 2) != 0) {
 						authorizedKeys[result] = true;
 					Util.setShort(pBuffer, sp, result); sp += 2;
 					break;
+        case 0x58: // ldkel (load key encryption length)
 				case 0x5B: // stk (store key)
 					sp -= 2; operand2 = Util.getShort(pBuffer, sp);
 					sp -= 2; operand1 = Util.getShort(pBuffer, sp);
 					if(authorizedKeys[operand1] == false)
 						ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
-					if(operand2 == (short)-1) {
-						result = TEMCrypto.saveKey((byte)operand1, outBuffer, outOffset);
-						outOffset += result;						
+
+					if (opcode == 0x58) {  // ldkel
+					  result = TEMCrypto.getEncryptedDataSize((byte)operand1, operand2);
+					}
+					else {
+  					if(operand2 == (short)-1) {  // stk
+  						result = TEMCrypto.saveKey((byte)operand1, outBuffer, outOffset);
+  						outOffset += result;						
+  					}
+  					else
+  						result = TEMCrypto.saveKey((byte)operand1, pBuffer, operand2);
 					}
-					else
-						result = TEMCrypto.saveKey((byte)operand1, pBuffer, operand2);
 					Util.setShort(pBuffer, sp, result); sp += 2;
 					break;
 				case 0x5C: // relk (release key)