mirror of
https://github.com/polhenarejos/pico-fido.git
synced 2024-09-20 03:10:10 +00:00
Compare commits
9 Commits
27f1cb85f4
...
a60a7f10c5
Author | SHA1 | Date | |
---|---|---|---|
|
a60a7f10c5 | ||
|
02556fcde1 | ||
|
f234b0dc26 | ||
|
8ba9116454 | ||
|
5a31405244 | ||
|
69e250921f | ||
|
037dee3891 | ||
|
0701c0841e | ||
|
c6c4b24910 |
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
release
|
||||
build_release
|
3
.gitmodules
vendored
3
.gitmodules
vendored
@ -1,3 +1,6 @@
|
||||
[submodule "pico-keys-sdk"]
|
||||
path = pico-keys-sdk
|
||||
url = https://github.com/polhenarejos/pico-keys-sdk
|
||||
[submodule "pico-sdk"]
|
||||
path = pico-sdk
|
||||
url = https://github.com/raspberrypi/pico-sdk.git
|
||||
|
@ -50,7 +50,9 @@ for board in adafruit_feather_rp2040 \
|
||||
wiznet_w5100s_evb_pico
|
||||
do
|
||||
rm -rf *
|
||||
PICO_SDK_PATH=../../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
# PICO_SDK_PATH=../../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
PICO_SDK_PATH=../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
|
||||
make -kj20
|
||||
mv pico_fido.uf2 ../release/pico_fido_$board-$VERSION_MAJOR.$VERSION_MINOR.uf2
|
||||
|
||||
|
0
build_release/.gitkeep
Normal file
0
build_release/.gitkeep
Normal file
@ -1 +1 @@
|
||||
Subproject commit 7a88a2b8e74780e3d5f5a48fb5d5705fbff2d940
|
||||
Subproject commit 956f476872e25603ee063b776e3da280670cb15e
|
1
pico-sdk
Submodule
1
pico-sdk
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit 6a7db34ff63345a7badec79ebea3aaef1712f374
|
0
release/.gitkeep
Normal file
0
release/.gitkeep
Normal file
@ -203,7 +203,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
}
|
||||
|
||||
uint8_t flags = 0;
|
||||
uint8_t rp_id_hash[32];
|
||||
uint8_t rp_id_hash[32] = {0};
|
||||
mbedtls_sha256((uint8_t *) rpId.data, rpId.len, rp_id_hash, 0);
|
||||
|
||||
bool resident = false;
|
||||
@ -323,12 +323,22 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
credential_free(&creds[i]);
|
||||
}
|
||||
else {
|
||||
if (numberOfCredentials != i) {
|
||||
creds[numberOfCredentials++] = creds[i];
|
||||
}
|
||||
else {
|
||||
numberOfCredentials++;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (numberOfCredentials != i) {
|
||||
creds[numberOfCredentials++] = creds[i];
|
||||
}
|
||||
else {
|
||||
numberOfCredentials++;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (numberOfCredentials == 0) {
|
||||
@ -399,7 +409,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
}
|
||||
|
||||
int ret = 0;
|
||||
uint8_t largeBlobKey[32];
|
||||
uint8_t largeBlobKey[32] = {0};
|
||||
if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
|
||||
ret = credential_derive_large_blob_key(selcred->id.data, selcred->id.len, largeBlobKey);
|
||||
if (ret != 0) {
|
||||
@ -408,7 +418,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
}
|
||||
|
||||
size_t ext_len = 0;
|
||||
uint8_t ext[512];
|
||||
uint8_t ext[512] = {0};
|
||||
if (extensions.present == true) {
|
||||
cbor_encoder_init(&encoder, ext, sizeof(ext), 0);
|
||||
int l = 0;
|
||||
@ -439,7 +449,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
|
||||
CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "hmac-secret"));
|
||||
|
||||
uint8_t sharedSecret[64];
|
||||
uint8_t sharedSecret[64] = {0};
|
||||
mbedtls_ecp_point Qp;
|
||||
mbedtls_ecp_point_init(&Qp);
|
||||
mbedtls_mpi_lset(&Qp.Z, 1);
|
||||
@ -461,13 +471,13 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
|
||||
CBOR_ERROR(CTAP2_ERR_EXTENSION_FIRST);
|
||||
}
|
||||
uint8_t salt_dec[64], poff = ((uint8_t)hmacSecretPinUvAuthProtocol - 1) * IV_SIZE;
|
||||
uint8_t salt_dec[64] = {0}, poff = ((uint8_t)hmacSecretPinUvAuthProtocol - 1) * IV_SIZE;
|
||||
ret = decrypt((uint8_t)hmacSecretPinUvAuthProtocol, sharedSecret, salt_enc.data, (uint16_t)salt_enc.len, salt_dec);
|
||||
if (ret != 0) {
|
||||
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
|
||||
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
|
||||
}
|
||||
uint8_t cred_random[64], *crd = NULL;
|
||||
uint8_t cred_random[64] = {0}, *crd = NULL;
|
||||
ret = credential_derive_hmac_key(selcred->id.data, selcred->id.len, cred_random);
|
||||
if (ret != 0) {
|
||||
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
|
||||
@ -479,7 +489,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
else {
|
||||
crd = cred_random;
|
||||
}
|
||||
uint8_t out1[64], hmac_res[80];
|
||||
uint8_t out1[64] = {0}, hmac_res[80] = {0};
|
||||
mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), crd, 32, salt_dec, 32, out1);
|
||||
if ((uint8_t)salt_enc.len == 64 + poff) {
|
||||
mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), crd, 32, salt_dec + 32, 32, out1 + 32);
|
||||
@ -519,7 +529,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
}
|
||||
|
||||
memcpy(pa, clientDataHash.data, clientDataHash.len);
|
||||
uint8_t hash[64], sig[MBEDTLS_ECDSA_MAX_LEN];
|
||||
uint8_t hash[64] = {0}, sig[MBEDTLS_ECDSA_MAX_LEN] = {0};
|
||||
const mbedtls_md_info_t *md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
|
||||
mbedtls_ecdsa_context ekey;
|
||||
mbedtls_ecdsa_init(&ekey);
|
||||
|
@ -162,7 +162,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
CBOR_PARSE_MAP_END(map, 1);
|
||||
|
||||
uint8_t flags = FIDO2_AUT_FLAG_AT;
|
||||
uint8_t rp_id_hash[32];
|
||||
uint8_t rp_id_hash[32] = {0};
|
||||
mbedtls_sha256((uint8_t *) rp.id.data, rp.id.len, rp_id_hash, 0);
|
||||
|
||||
if (pinUvAuthParam.present == true) {
|
||||
@ -320,7 +320,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
|
||||
const known_app_t *ka = find_app_by_rp_id_hash(rp_id_hash);
|
||||
|
||||
uint8_t cred_id[MAX_CRED_ID_LENGTH];
|
||||
uint8_t cred_id[MAX_CRED_ID_LENGTH] = {0};
|
||||
size_t cred_id_len = 0;
|
||||
|
||||
CBOR_CHECK(credential_create(&rp.id, &user.id, &user.parent.name, &user.displayName, &options,
|
||||
@ -331,7 +331,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
flags |= FIDO2_AUT_FLAG_UV;
|
||||
}
|
||||
size_t ext_len = 0;
|
||||
uint8_t ext[512];
|
||||
uint8_t ext[512] = {0};
|
||||
CborEncoder encoder, mapEncoder, mapEncoder2;
|
||||
if (extensions.present == true) {
|
||||
cbor_encoder_init(&encoder, ext, sizeof(ext), 0);
|
||||
@ -400,7 +400,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
}
|
||||
size_t olen = 0;
|
||||
uint32_t ctr = get_sign_counter();
|
||||
uint8_t cbor_buf[1024];
|
||||
uint8_t cbor_buf[1024] = {0};
|
||||
cbor_encoder_init(&encoder, cbor_buf, sizeof(cbor_buf), 0);
|
||||
CBOR_CHECK(COSE_key(&ekey, &encoder, &mapEncoder));
|
||||
size_t rs = cbor_encoder_get_buffer_size(&encoder, cbor_buf);
|
||||
@ -426,7 +426,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
}
|
||||
|
||||
memcpy(pa, clientDataHash.data, clientDataHash.len);
|
||||
uint8_t hash[64], sig[MBEDTLS_ECDSA_MAX_LEN];
|
||||
uint8_t hash[64] = {0}, sig[MBEDTLS_ECDSA_MAX_LEN] = {0};
|
||||
const mbedtls_md_info_t *md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
|
||||
if (ekey.grp.id == MBEDTLS_ECP_DP_SECP384R1) {
|
||||
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
|
||||
@ -447,7 +447,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
ret = mbedtls_ecdsa_write_signature(&ekey, mbedtls_md_get_type(md), hash, mbedtls_md_get_size(md), sig, sizeof(sig), &olen, random_gen, NULL);
|
||||
mbedtls_ecdsa_free(&ekey);
|
||||
|
||||
uint8_t largeBlobKey[32];
|
||||
uint8_t largeBlobKey[32] = {0};
|
||||
if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {
|
||||
ret = credential_derive_large_blob_key(cred_id, cred_id_len, largeBlobKey);
|
||||
if (ret != 0) {
|
||||
|
@ -159,7 +159,7 @@ typedef struct CborCharString {
|
||||
|
||||
#define CBOR_FIELD_GET_KEY_TEXT(_n) \
|
||||
CBOR_ASSERT(cbor_value_is_text_string(&(_f##_n)) == true); \
|
||||
char _fd##_n[64]; \
|
||||
char _fd##_n[64] = {0}; \
|
||||
size_t _fdl##_n = sizeof(_fd##_n); \
|
||||
CBOR_CHECK(cbor_value_copy_text_string(&(_f##_n), _fd##_n, &_fdl##_n, &(_f##_n)))
|
||||
|
||||
|
@ -20,6 +20,8 @@
|
||||
|
||||
from fido2.client import CtapError
|
||||
from fido2.cose import ES256, ES384, ES512
|
||||
import fido2.features
|
||||
fido2.features.webauthn_json_mapping.enabled = False
|
||||
from utils import ES256K
|
||||
import pytest
|
||||
|
||||
|
@ -69,12 +69,12 @@ def test_hmac_secret_entropy(device, MCHmacSecret, hmac, salts
|
||||
|
||||
#print(shannon_entropy(auth.authenticator_data.extensions['hmac-secret']))
|
||||
if len(salts) == 1:
|
||||
assert shannon_entropy(auth.authenticator_data.extensions['hmac-secret']) > 4.6
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output1']) > 4.6
|
||||
assert shannon_entropy(auth.authenticator_data.extensions['hmac-secret']) > 4.5
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output1']) > 4.5
|
||||
if len(salts) == 2:
|
||||
assert shannon_entropy(auth.authenticator_data.extensions['hmac-secret']) > 5.4
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output1']) > 4.6
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output2']) > 4.6
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output1']) > 4.5
|
||||
assert shannon_entropy(ext["hmacGetSecret"]['output2']) > 4.5
|
||||
|
||||
def get_output(device, MCHmacSecret, hmac, salts):
|
||||
hout = {'salt1':salts[0]}
|
||||
|
@ -196,16 +196,13 @@ class TestHID(object):
|
||||
|
||||
device.set_cid(cid2) # send ping on 2nd channel
|
||||
device.send_raw("\x81\x00\x39")
|
||||
time.sleep(0.1)
|
||||
device.send_raw("\x00")
|
||||
|
||||
cmd, r = device.recv_raw() # busy response
|
||||
time.sleep(0.1)
|
||||
|
||||
|
||||
device.set_cid(cid1) # finish 1st channel ping
|
||||
device.send_raw("\x00")
|
||||
|
||||
device.set_cid(cid2)
|
||||
|
||||
assert cmd == 0xBF
|
||||
assert r[0] == CtapError.ERR.CHANNEL_BUSY
|
||||
|
||||
@ -213,9 +210,11 @@ class TestHID(object):
|
||||
cmd, r = device.recv_raw() # ping response
|
||||
assert cmd == 0x81
|
||||
assert len(r) == 0x39
|
||||
cmd, r = device.recv_raw() # ping response
|
||||
|
||||
def test_cid_0(self, device):
|
||||
device.reset()
|
||||
time.sleep(0.1)
|
||||
device.set_cid(b"\x00\x00\x00\x00")
|
||||
device.send_raw(
|
||||
"\x86\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88", cid="\x00\x00\x00\x00"
|
||||
|
Loading…
Reference in New Issue
Block a user