mirror of
https://github.com/polhenarejos/pico-fido.git
synced 2024-09-20 03:10:10 +00:00
Compare commits
7 Commits
d1c6838a65
...
27f1cb85f4
Author | SHA1 | Date | |
---|---|---|---|
|
27f1cb85f4 | ||
|
902a988350 | ||
|
6256a9547d | ||
|
69e250921f | ||
|
037dee3891 | ||
|
0701c0841e | ||
|
c6c4b24910 |
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
release
|
||||
build_release
|
3
.gitmodules
vendored
3
.gitmodules
vendored
@ -1,3 +1,6 @@
|
||||
[submodule "pico-keys-sdk"]
|
||||
path = pico-keys-sdk
|
||||
url = https://github.com/polhenarejos/pico-keys-sdk
|
||||
[submodule "pico-sdk"]
|
||||
path = pico-sdk
|
||||
url = https://github.com/raspberrypi/pico-sdk.git
|
||||
|
@ -157,6 +157,7 @@ if(ENABLE_EMULATION)
|
||||
-Wl,--gc-sections
|
||||
)
|
||||
endif (APPLE)
|
||||
target_link_libraries(pico_fido PRIVATE pthread m)
|
||||
else()
|
||||
pico_add_extra_outputs(pico_fido)
|
||||
target_link_libraries(pico_fido PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
|
||||
|
@ -50,7 +50,9 @@ for board in adafruit_feather_rp2040 \
|
||||
wiznet_w5100s_evb_pico
|
||||
do
|
||||
rm -rf *
|
||||
PICO_SDK_PATH=../../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
# PICO_SDK_PATH=../../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
PICO_SDK_PATH=../pico-sdk cmake .. -DPICO_BOARD=$board
|
||||
|
||||
make -kj20
|
||||
mv pico_fido.uf2 ../release/pico_fido_$board-$VERSION_MAJOR.$VERSION_MINOR.uf2
|
||||
|
||||
|
0
build_release/.gitkeep
Normal file
0
build_release/.gitkeep
Normal file
1
pico-sdk
Submodule
1
pico-sdk
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit 6a7db34ff63345a7badec79ebea3aaef1712f374
|
0
release/.gitkeep
Normal file
0
release/.gitkeep
Normal file
@ -205,6 +205,7 @@ int cbor_config(const uint8_t *data, size_t len) {
|
||||
}
|
||||
file_put_data(ef_minpin, dataf, (uint16_t)(2 + minPinLengthRPIDs_len * 32));
|
||||
low_flash_available();
|
||||
free(dataf);
|
||||
goto err; //No return
|
||||
}
|
||||
else if (subcommand == 0x01) {
|
||||
|
@ -435,6 +435,7 @@ err:
|
||||
CBOR_FREE_BYTE_STRING(user.displayName);
|
||||
CBOR_FREE_BYTE_STRING(user.parent.name);
|
||||
CBOR_FREE_BYTE_STRING(credentialId.type);
|
||||
CBOR_FREE_BYTE_STRING(credentialId.id);
|
||||
for (size_t n = 0; n < credentialId.transports_len; n++) {
|
||||
CBOR_FREE_BYTE_STRING(credentialId.transports[n]);
|
||||
}
|
||||
|
@ -397,16 +397,8 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
flags = flagsx;
|
||||
selcred = &credsx[credentialCounter];
|
||||
}
|
||||
mbedtls_ecdsa_context ekey;
|
||||
mbedtls_ecdsa_init(&ekey);
|
||||
int ret = fido_load_key((int)selcred->curve, selcred->id.data, &ekey);
|
||||
if (ret != 0) {
|
||||
if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
|
||||
mbedtls_ecdsa_free(&ekey);
|
||||
CBOR_ERROR(CTAP1_ERR_OTHER);
|
||||
}
|
||||
}
|
||||
|
||||
int ret = 0;
|
||||
uint8_t largeBlobKey[32];
|
||||
if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
|
||||
ret = credential_derive_large_blob_key(selcred->id.data, selcred->id.len, largeBlobKey);
|
||||
@ -529,6 +521,15 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
memcpy(pa, clientDataHash.data, clientDataHash.len);
|
||||
uint8_t hash[64], sig[MBEDTLS_ECDSA_MAX_LEN];
|
||||
const mbedtls_md_info_t *md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
|
||||
mbedtls_ecdsa_context ekey;
|
||||
mbedtls_ecdsa_init(&ekey);
|
||||
ret = fido_load_key((int)selcred->curve, selcred->id.data, &ekey);
|
||||
if (ret != 0) {
|
||||
if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
|
||||
mbedtls_ecdsa_free(&ekey);
|
||||
CBOR_ERROR(CTAP1_ERR_OTHER);
|
||||
}
|
||||
}
|
||||
if (ekey.grp.id == MBEDTLS_ECP_DP_SECP384R1) {
|
||||
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
|
||||
}
|
||||
@ -611,16 +612,20 @@ err:
|
||||
CBOR_FREE_BYTE_STRING(clientDataHash);
|
||||
CBOR_FREE_BYTE_STRING(pinUvAuthParam);
|
||||
CBOR_FREE_BYTE_STRING(rpId);
|
||||
CBOR_FREE_BYTE_STRING(kax);
|
||||
CBOR_FREE_BYTE_STRING(kay);
|
||||
CBOR_FREE_BYTE_STRING(salt_enc);
|
||||
CBOR_FREE_BYTE_STRING(salt_auth);
|
||||
if (asserted == false) {
|
||||
for (int i = 0; i < MAX_CREDENTIAL_COUNT_IN_LIST; i++) {
|
||||
credential_free(&creds[i]);
|
||||
}
|
||||
}
|
||||
|
||||
for (size_t m = 0; m < allowList_len; m++) {
|
||||
for (size_t m = 0; m < MAX_CREDENTIAL_COUNT_IN_LIST; m++) {
|
||||
CBOR_FREE_BYTE_STRING(allowList[m].type);
|
||||
CBOR_FREE_BYTE_STRING(allowList[m].id);
|
||||
for (size_t n = 0; n < allowList[m].transports_len; n++) {
|
||||
for (size_t n = 0; n < 8; n++) {
|
||||
CBOR_FREE_BYTE_STRING(allowList[m].transports[n]);
|
||||
}
|
||||
}
|
||||
|
@ -291,8 +291,10 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
||||
&ecred) == 0 &&
|
||||
(ecred.extensions.credProtect != CRED_PROT_UV_REQUIRED ||
|
||||
(flags & FIDO2_AUT_FLAG_UV))) {
|
||||
credential_free(&ecred);
|
||||
CBOR_ERROR(CTAP2_ERR_CREDENTIAL_EXCLUDED);
|
||||
}
|
||||
credential_free(&ecred);
|
||||
}
|
||||
|
||||
if (extensions.largeBlobKey == pfalse ||
|
||||
@ -510,11 +512,14 @@ err:
|
||||
CBOR_FREE_BYTE_STRING(user.id);
|
||||
CBOR_FREE_BYTE_STRING(user.displayName);
|
||||
CBOR_FREE_BYTE_STRING(user.parent.name);
|
||||
for (size_t n = 0; n < pubKeyCredParams_len; n++) {
|
||||
if (extensions.present == true) {
|
||||
CBOR_FREE_BYTE_STRING(extensions.credBlob);
|
||||
}
|
||||
for (size_t n = 0; n < MAX_CREDENTIAL_COUNT_IN_LIST; n++) {
|
||||
CBOR_FREE_BYTE_STRING(pubKeyCredParams[n].type);
|
||||
}
|
||||
|
||||
for (size_t m = 0; m < excludeList_len; m++) {
|
||||
for (size_t m = 0; m < MAX_CREDENTIAL_COUNT_IN_LIST; m++) {
|
||||
CBOR_FREE_BYTE_STRING(excludeList[m].type);
|
||||
CBOR_FREE_BYTE_STRING(excludeList[m].id);
|
||||
for (size_t n = 0; n < excludeList[m].transports_len; n++) {
|
||||
|
@ -50,6 +50,7 @@ int cmd_authenticate() {
|
||||
ret = derive_key(req->appId, false, req->keyHandle, MBEDTLS_ECP_DP_SECP256R1, &key);
|
||||
if (verify_key(req->appId, req->keyHandle, &key) != 0) {
|
||||
mbedtls_ecdsa_free(&key);
|
||||
free(tmp_kh);
|
||||
return SW_INCORRECT_PARAMS();
|
||||
}
|
||||
}
|
||||
|
@ -41,14 +41,7 @@ int credential_verify(uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id
|
||||
mbedtls_chachapoly_context chatx;
|
||||
mbedtls_chachapoly_init(&chatx);
|
||||
mbedtls_chachapoly_setkey(&chatx, key);
|
||||
int ret = mbedtls_chachapoly_auth_decrypt(&chatx,
|
||||
cred_id_len - (4 + 12 + 16),
|
||||
iv,
|
||||
rp_id_hash,
|
||||
32,
|
||||
tag,
|
||||
cipher,
|
||||
cipher);
|
||||
int ret = mbedtls_chachapoly_auth_decrypt(&chatx, cred_id_len - (4 + 12 + 16), iv, rp_id_hash, 32, tag, cipher, cipher);
|
||||
mbedtls_chachapoly_free(&chatx);
|
||||
return ret;
|
||||
}
|
||||
@ -83,8 +76,7 @@ int credential_create(CborCharString *rpId,
|
||||
if (extensions->credBlob.present == true &&
|
||||
extensions->credBlob.len < MAX_CREDBLOB_LENGTH) {
|
||||
CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "credBlob"));
|
||||
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, extensions->credBlob.data,
|
||||
extensions->credBlob.len));
|
||||
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, extensions->credBlob.data, extensions->credBlob.len));
|
||||
}
|
||||
if (extensions->credProtect != 0) {
|
||||
CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "credProtect"));
|
||||
@ -130,11 +122,7 @@ int credential_create(CborCharString *rpId,
|
||||
mbedtls_chachapoly_context chatx;
|
||||
mbedtls_chachapoly_init(&chatx);
|
||||
mbedtls_chachapoly_setkey(&chatx, key);
|
||||
int ret = mbedtls_chachapoly_encrypt_and_tag(&chatx,
|
||||
rs,
|
||||
iv,
|
||||
rp_id_hash,
|
||||
32,
|
||||
int ret = mbedtls_chachapoly_encrypt_and_tag(&chatx, rs, iv, rp_id_hash, 32,
|
||||
cred_id + 4 + 12,
|
||||
cred_id + 4 + 12,
|
||||
cred_id + 4 + 12 + rs);
|
||||
@ -155,10 +143,7 @@ err:
|
||||
return 0;
|
||||
}
|
||||
|
||||
int credential_load(const uint8_t *cred_id,
|
||||
size_t cred_id_len,
|
||||
const uint8_t *rp_id_hash,
|
||||
Credential *cred) {
|
||||
int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash, Credential *cred) {
|
||||
int ret = 0;
|
||||
CborError error = CborNoError;
|
||||
uint8_t *copy_cred_id = (uint8_t *) calloc(1, cred_id_len);
|
||||
@ -205,9 +190,7 @@ int credential_load(const uint8_t *cred_id,
|
||||
CBOR_FIELD_KEY_TEXT_VAL_UINT(2, "credProtect", cred->extensions.credProtect);
|
||||
CBOR_FIELD_KEY_TEXT_VAL_BYTES(2, "credBlob", cred->extensions.credBlob);
|
||||
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "largeBlobKey", cred->extensions.largeBlobKey);
|
||||
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2,
|
||||
"thirdPartyPayment",
|
||||
cred->extensions.thirdPartyPayment);
|
||||
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "thirdPartyPayment", cred->extensions.thirdPartyPayment);
|
||||
CBOR_ADVANCE(2);
|
||||
}
|
||||
CBOR_PARSE_MAP_END(_f1, 2);
|
||||
@ -258,6 +241,9 @@ void credential_free(Credential *cred) {
|
||||
CBOR_FREE_BYTE_STRING(cred->userName);
|
||||
CBOR_FREE_BYTE_STRING(cred->userDisplayName);
|
||||
CBOR_FREE_BYTE_STRING(cred->id);
|
||||
if (cred->extensions.present) {
|
||||
CBOR_FREE_BYTE_STRING(cred->extensions.credBlob);
|
||||
}
|
||||
cred->present = false;
|
||||
cred->extensions.present = false;
|
||||
cred->opts.present = false;
|
||||
|
@ -168,6 +168,7 @@ int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffe
|
||||
MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
|
||||
MBEDTLS_X509_KU_KEY_CERT_SIGN);
|
||||
int ret = mbedtls_x509write_crt_der(&ctx, buffer, buffer_size, random_gen, NULL);
|
||||
mbedtls_x509write_crt_free(&ctx);
|
||||
/* pk cannot be freed, as it is freed later */
|
||||
//mbedtls_pk_free(&key);
|
||||
return ret;
|
||||
@ -206,7 +207,7 @@ int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecdsa_con
|
||||
uint8_t hmac[32], d[32];
|
||||
size_t olen = 0;
|
||||
int ret = mbedtls_ecp_write_key_ext(key, &olen, d, sizeof(d));
|
||||
if (key == NULL) {
|
||||
if (key == &ctx) {
|
||||
mbedtls_ecdsa_free(&ctx);
|
||||
}
|
||||
if (ret != 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user