shimun/solo
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

merge u2f endian fix

Browse Source
This commit is contained in:
Conor Patrick 2019-02-02 00:32:36 -05:00
commit 1b5e230d45
30 changed files with 264 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.clabot Normal file
View File

@ -0,0 +1,4 @@
{
"contributors": "https://raw.githubusercontent.com/solokeys/contributors/master/contributors.json",
"message": "We require contributors to sign our Copyright License Agreement, and we don't have {{usersWithoutCLA}} on file. In order for us to review and merge your code, please visit https://solokeys.com/legal/contributors, or contact @nickray, @conorpp or @0x0ece for further information or help."
}

4
.gitmodules vendored
View File

@ -3,7 +3,7 @@
url = https://github.com/intel/tinycbor
[submodule "python-fido2"]
path = python-fido2
url = https://github.com/SoloKeysSec/python-fido2
url = https://github.com/solokeys/python-fido2
[submodule "crypto/micro-ecc"]
path = crypto/micro-ecc
url = https://github.com/kmackay/micro-ecc.git
@ -12,4 +12,4 @@
url = https://github.com/kokke/tiny-AES-c
[submodule "targets/stm32l442/dfuse-tool"]
path = targets/stm32l442/dfuse-tool
url = https://github.com/SoloKeysSec/dfuse-tool
url = https://github.com/solokeys/dfuse-tool

3
.travis.yml
View File

@ -1,4 +1,4 @@
dist: trusty
dist: xenial
language: c
compiler: gcc
addons:
@ -7,6 +7,7 @@ addons:
- ubuntu-toolchain-r-test
packages:
- gcc-7
- cppcheck
script:
- export CC=gcc-7
- make test

11
99-solo.rules
View File

@ -1,6 +1,17 @@
# Notify ModemManager this device should be ignored
ACTION!="add|change|move", GOTO="mm_usb_device_blacklist_end"
SUBSYSTEM!="usb", GOTO="mm_usb_device_blacklist_end"
ENV{DEVTYPE}!="usb_device", GOTO="mm_usb_device_blacklist_end"
ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", ENV{ID_MM_DEVICE_IGNORE}="1"
LABEL="mm_usb_device_blacklist_end"
# Solo
ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", ATTRS{product}=="Solo", TAG+="uaccess", GROUP="plugdev", SYMLINK+="solokey"
ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", ATTRS{product}=="Solo HACKER (Unlocked)", TAG+="uaccess", GROUP="plugdev", SYMLINK+="solohacker"
SUBSYSTEM=="tty", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", TAG+="uaccess", GROUP="plugdev", SYMLINK+="solokey-serial"
# U2F Zero
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess", GROUP="plugdev", SYMLINK+="u2fzero"

13
Makefile
View File

@ -45,9 +45,6 @@ cbor: $(LIBCBOR)
$(LIBCBOR): tinycbor/Makefile
cd tinycbor/ && $(MAKE) clean && $(MAKE) -j8
test:
$(MAKE) -C . main
.PHONY: efm8prog
efm8prog:
cd './targets/efm8\Keil 8051 v9.53 - Debug' && $(MAKE) all
@ -92,6 +89,16 @@ wink3: env3
fido2-test: env3
env3/bin/python tools/ctap_test.py
CPPCHECK_FLAGS=--quiet --error-exitcode=2
cppcheck:
cppcheck $(CPPCHECK_FLAGS) crypto/aes-gcm
cppcheck $(CPPCHECK_FLAGS) crypto/sha256
cppcheck $(CPPCHECK_FLAGS) fido2
cppcheck $(CPPCHECK_FLAGS) pc
test: main cppcheck
clean:
rm -f *.o main.exe main $(obj)
rm -rf env2 env3

30
README.md
View File

@ -1,8 +1,8 @@
![GitHub](https://img.shields.io/github/license/mashape/apistatus.svg)
[![Kickstarter](https://img.shields.io/badge/kickstarter-back%20us-red.svg)](https://solokeys.com/kickstarter)
[![Build Status](https://travis-ci.com/SoloKeysSec/solo.svg?branch=master)](https://travis-ci.com/SoloKeysSec/solo)
[![Discourse Status](https://img.shields.io/discourse/https/meta.discourse.org/status.svg)](https://discourse.solokeys.com)
[![License](https://img.shields.io/github/license/solokeys/solo.svg)](https://github.com/solokeys/solo/blob/master/LICENSE)
[![Build Status](https://travis-ci.com/solokeys/solo.svg?branch=master)](https://travis-ci.com/solokeys/solo)
[![Discourse Users](https://img.shields.io/discourse/https/discourse.solokeys.com/users.svg)](https://discourse.solokeys.com)
[![Keybase Chat](https://img.shields.io/badge/chat-on%20keybase-brightgreen.svg)](https://keybase.io/team/solokeys.public)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fsolokeys%2Fsolo.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fsolokeys%2Fsolo?ref=badge_shield)
# Solo
@ -35,20 +35,25 @@ Solo for Hacker is a special version of Solo that let you customize its firmware
You can only buy Solo for Hacker at [solokeys.com](https://solokeys.com), as we don't sell it on Amazon and other places to avoid confusing customers. If you buy a Hacker, you can permanently lock it into a regular Solo, but viceversa you can NOT take a regular Solo and turn it a Hacker.
If you have a Solo for Hacker, here's how you can load your own code on it. You can find more details, including how to permanently lock it, in our [documentation](https://solo.solokeys.io/building/).
If you have a Solo for Hacker, here's how you can load your own code on it. You can find more details, including how to permanently lock it, in our [documentation](https://docs.solokeys.io/solo/building/).
```bash
git clone --recurse-submodules https://github.com/SoloKeysSec/solo
git clone --recurse-submodules https://github.com/solokeys/solo
cd solo
cd targets/stm32l432
make cbor
make all-hacker
python ../../tools/solotool.py program solo.hex
cd ../..
make env3
source env3/bin/activate
python tools/solotool.py program targets/stm32l432/solo.hex
```
If you forgot the `--recurse-submodules` when cloning, simply `git submodule update --init --recursive`.
For example, if you want to turn off any blue light emission, you can edit [`led_rgb()`](https://github.com/SoloKeysSec/solo/blob/master/targets/stm32l432/src/led.c#L15) and force:
For example, if you want to turn off any blue light emission, you can edit [`led_rgb()`](https://github.com/solokeys/solo/blob/master/targets/stm32l432/src/led.c#L15) and force:
```
uint32_t b = 0;
```
@ -65,7 +70,7 @@ A frequently asked question is whether Solo for Hacker is less secure than regul
Clone Solo and build it
```bash
git clone --recurse-submodules https://github.com/SoloKeysSec/solo
git clone --recurse-submodules https://github.com/solokeys/solo
cd solo
make all
```
@ -93,12 +98,12 @@ Or any client example such as:
python python-fido2/examples/credential.py
```
You can find more details in our [documentation](https://solo.solokeys.io), including how to build on the the NUCLEO-L432KC development board.
You can find more details in our [documentation](https://docs.solokeys.io/solo/), including how to build on the the NUCLEO-L432KC development board.
# Documentation
Check out our [official documentation](https://solo.solokeys.io).
Check out our [official documentation](https://docs.solokeys.io/solo/).
# Contributors
@ -117,6 +122,9 @@ All software is licensed under GPLv3, and hardware under CC BY-SA 4.0.
Software and hardware are available under licenses for commercial use. Please contact SoloKeys for more information.
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fsolokeys%2Fsolo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fsolokeys%2Fsolo?ref=badge_large)
# Where To Buy Solo
You can buy Solo, Solo Tap, and Solo for Hackers at [solokeys.com](https://solokeys.com).

4
docs/index.md
View File

@ -1,4 +0,0 @@
Welcome to the technical documentation for [solokeyssec/solo](https://github.com/solokeyssec/solo).
For now, you can read the repository `README.md`, more documentation to come!

1
docs/repo-readme.md
View File

@ -1 +0,0 @@
../README.md

4
docs/building.md → docs/solo/building.md
View File

@ -68,6 +68,10 @@ reconnect each time you program Solo.
python tools/solotool.py monitor <serial-port>
```
#### Linux Users:
[See issue 62](https://github.com/solokeys/solo/issues/62).
### Building a Solo release
If you want to build a release of Solo, we recommend trying a Hacker build first

0
docs/code-overview.md → docs/solo/code-overview.md
View File

8
docs/contributing.md → docs/solo/contributing.md
View File

@ -1,15 +1,15 @@
We are very open to contributions!
[Currently](https://github.com/solokeyssec/solo/issues), most work will go towards
[Currently](https://github.com/solokeys/solo/issues), most work will go towards
* implementing STM32L432
* ~~implementing STM32L432~~
* implementing NFC
* adding documentation and improving accessability of the code
In the future, we would love to see creative plugins/extensions, putting the TRNG and other features of the STM32L432 to good use!
Feel free to send a [pull request](https://github.com/SoloKeysSec/solo/pulls) at any time, we don't currently have a formal contribution process.
Feel free to send a [pull request](https://github.com/solokeys/solo/pulls) at any time, please note that we do require a lightweight copyright license agreement in order to accept contributions. Reason and procedure: <https://solokeys.com/legal/contributors/>.
If you want to discuss your plans in quasi-realtime beforehand, you can also join our [solokeys.public](https://keybase.io/team/solokeys.public) Keybase team.
But first: [join our mailing list!](https://solokeys.us19.list-manage.com/subscribe/post?u=cc0c298fb99cd136bdec8294b&id=b9cb3de62d)
But first: [join our mailing list!](https://solokeys.us19.list-manage.com/subscribe/post?u=cc0c298fb99cd136bdec8294b&id=6550fc947a)

0
docs/documenting.md → docs/solo/documenting.md
View File

4
docs/fido2-impl.md → docs/solo/fido2-impl.md
View File

@ -15,6 +15,8 @@ A master secret, `M`, is generated at initialization. This is only used for
all key generation and derivation in FIDO2. Solo uses a key wrapping method
for FIDO2 operation.
** NOTE: The masked implementation of AES is planned, but not yet implemented. Currently it is normal AES. **
## Key wrapping
When you register a service with a FIDO2 or U2F authenticator, the
@ -55,6 +57,8 @@ keys which are then used for FIDO2/U2F. -->
## Key derivation
** Planned, but not yet implemented. **
Master secret `M` consists of 64 bytes, split into equal parts `M1` and `M2`.
In theory, we should only need 32 bytes to achieve 256 security, but we also
plan to have side channel security hence the added bytes.

BIN
docs/solo/images/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

0
docs/images/logo.svg → docs/solo/images/logo.svg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.9 KiB

After

Width:  |  Height:  |  Size: 3.9 KiB

4
docs/solo/index.md Normal file
View File

@ -0,0 +1,4 @@
Welcome to the technical documentation for [solokeys/solo](https://github.com/solokeys/solo).
For now, you can read the repository `README.md`, more documentation to come!

12
docs/solo/metadata-statements.md Normal file
View File

@ -0,0 +1,12 @@
For information on what this is, see the [spec](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-statement-v2.0-rd-20180702.html#fido2-example).
## CTAP2
```
{!metadata/solo-FIDO2-CTAP2-Authenticator.json!}
```
## U2F
```
{!metadata/solo-FIDO2-U2F-Authenticator.json!}
```

1
docs/solo/repo-readme.md Symbolic link
View File

@ -0,0 +1 @@
../../README.md

4
docs/signed-updates.md → docs/solo/signed-updates.md
View File

@ -22,5 +22,5 @@ In order to boot the application, a valid signature must be provided to the boot
signature using a public key stored in the bootloader section, and the data in the application section. If the signature
is valid, the boot flag in the data section will be changed to allow boot.
Signature checks and checks to the data section boot flag are made redundantly to make glitching attacks more difficult. Random delays
between redundant checks are also made.
We are working to make the signature checking process redundantly to make glitching attacks more difficult. Also random delays
between redundant checks.

10
docs/udev.md → docs/solo/udev.md
View File

@ -1,6 +1,6 @@
# tl;dr
Create [`/etc/udev/99-solo.rules`](https://github.com/SoloKeysSec/solo/blob/master/99-solo.rules) and add the following (which assumes your user is in group `plugdev`):
Create [`/etc/udev/rules.d/99-solo.rules`](https://github.com/solokeys/solo/blob/master/99-solo.rules) and add the following (which assumes your user is in group `plugdev`):
```
# Solo
@ -13,7 +13,7 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct
Then run
```
udevadm trigger
sudo udevadm control --reload-rules && sudo udevadm trigger
```
# How do udev rules work and why are they needed
@ -65,8 +65,8 @@ udevadm trigger
## What about vendor and product ID for Solo?
| Key | Vendor ID | Product ID |
| --- | --- | --- |
| Solo | 10c4 | 8acf |
| U2F Zero | 0483 | a2ca |
| Solo | 0483 | a2ca |
| U2F Zero | 10c4 | 8acf |
## You got this all wrong, I can't believe it!
Are you suffering from [us being wrong](https://xkcd.com/386/)? Please, send us a [pull request](https://github.com/SoloKeysSec/solo/pulls) and prove us wrong :D
Are you suffering from [us being wrong](https://xkcd.com/386/)? Please, send us a [pull request](https://github.com/solokeys/solo/pulls) and prove us wrong :D

39
metadata/solo-FIDO2-CTAP2-Authenticator.json Normal file
View File

File diff suppressed because one or more lines are too long

37
metadata/solo-FIDO2-U2F-Authenticator.json Normal file
View File

File diff suppressed because one or more lines are too long

34
mkdocs.yml
View File

@ -1,21 +1,27 @@
site_name: Solo
site_name: Solo Technical Documentation
site_author: SoloKeys
site_description: 'Documentation for the SoloKeys solo software'
repo_url: 'https://github.com/solokeyssec/solo'
repo_name: 'solokeyssec/solo'
copyright: 'Copyright &copy; 2018 SoloKeys'
site_url: 'https://docs.solokeys.io/solo/'
repo_url: 'https://github.com/solokeys/solo'
repo_name: 'solokeys/solo'
copyright: 'Copyright &copy; 2018 - 2019 SoloKeys'
nav:
- Home: index.md
- README.md: repo-readme.md
- FIDO2 Implementation: fido2-impl.md
- Signed update process: signed-updates.md
- Building: building.md
- Code documentation: code-overview.md
- Contributing Code: contributing.md
- Contributing Docs: documenting.md
- What the udev?!: udev.md
- Home: solo/index.md
- FIDO2 Implementation: solo/fido2-impl.md
- Metadata Statements: solo/metadata-statements.md
- Build instructions: solo/building.md
- Signed update process: solo/signed-updates.md
- Code documentation: solo/code-overview.md
- Contributing Code: solo/contributing.md
- Contributing Docs: solo/documenting.md
- udev Rules: solo/udev.md
- About: solo/repo-readme.md
theme:
name: material
logo: 'images/logo.svg'
logo: 'solo/images/logo.svg'
favicon: 'solo/images/favicon.ico'
markdown_extensions:
- markdown_include.include

6
pc/device.c
View File

@ -54,7 +54,11 @@ void device_set_status(int status)
int udp_server()
{
int fd;
static bool run_already = false;
static int fd = -1;
if (run_already && fd >= 0) return fd;
run_already = true;
if ( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ) {
perror( "socket failed" );
return 1;

4
targets/stm32l432/README.md
View File

@ -1,4 +1,4 @@
# STM32L4xx Solo
# STM32L432 Solo
Check out our [official documentation](https://solo.solokeys.io/building/)
Check out our [official documentation](https://docs.solokeys.io/solo/building/)
for instructions on building and programming!

6
targets/stm32l432/lib/usbd/usbd_desc.c
View File

@ -56,12 +56,14 @@
#ifndef SOLO_HACKER
#define USBD_MANUFACTURER_STRING "Solo Keys"
#define USBD_PRODUCT_FS_STRING "Solo"
#define USBD_SERIAL_NUM "solocafebabe"
#ifndef USBD_SERIAL_NUM
#define USBD_SERIAL_NUM "0123456789ABCDEF"
#endif
#else
#define USBD_MANUFACTURER_STRING "Solo Keys"
#define USBD_PRODUCT_FS_STRING "Solo HACKER (Unlocked)"
#ifndef USBD_SERIAL_NUM
#define USBD_SERIAL_NUM "Solo-Keys-Solo"
#define USBD_SERIAL_NUM "0123456789ABCDEF"
#endif
#endif

13
targets/stm32l432/lib/usbd/usbd_hid.c
View File

@ -114,15 +114,10 @@ USBD_ClassTypeDef USBD_HID =
NULL,
NULL,
NULL,
NULL,
NULL,
// USBD_HID_GetFSCfgDesc,
// USBD_HID_GetFSCfgDesc,
// USBD_HID_GetFSCfgDesc,
// USBD_HID_GetDeviceQualifierDesc,
USBD_HID_GetFSCfgDesc,
USBD_HID_GetFSCfgDesc,
USBD_HID_GetFSCfgDesc,
USBD_HID_GetDeviceQualifierDesc,
};
#define USBD_HID_CfgHSDesc USBD_HID_OtherSpeedCfgDesc

6
targets/stm32l432/src/init.c
View File

@ -276,7 +276,7 @@ void init_usb()
// Enable USB Clock
SET_BIT(RCC->APB1ENR1, RCC_APB1ENR1_USBFSEN);
#if DEBUG_LEVEL > 0
USBD_Composite_Set_Classes(&USBD_HID, &USBD_CDC);
in_endpoint_to_class[HID_EPIN_ADDR & 0x7F] = 0;
out_endpoint_to_class[HID_EPOUT_ADDR & 0x7F] = 0;
@ -290,6 +290,10 @@ void init_usb()
//
// USBD_RegisterClass(&Solo_USBD_Device, &USBD_CDC);
USBD_CDC_RegisterInterface(&Solo_USBD_Device, &USBD_Interface_fops_FS);
#else
USBD_Init(&Solo_USBD_Device, &Solo_Desc, 0);
USBD_RegisterClass(&Solo_USBD_Device, &USBD_HID);
#endif
USBD_Start(&Solo_USBD_Device);
}

53
tools/solotool.py
View File

@ -31,11 +31,17 @@ import tempfile
from binascii import hexlify, unhexlify
from hashlib import sha256
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from fido2.hid import CtapHidDevice, CTAPHID
from fido2.client import Fido2Client, ClientError
from fido2.ctap import CtapError
from fido2.ctap1 import CTAP1, ApduError
from fido2.ctap2 import CTAP2
from fido2.utils import Timeout
from fido2.attestation import Attestation
import usb.core
import usb.util
@ -119,6 +125,7 @@ class SoloBootloader:
class SoloClient:
def __init__(self,):
self.origin = 'https://example.org'
self.host = 'example.org'
self.exchange = self.exchange_hid
self.do_reboot = True
@ -145,6 +152,8 @@ class SoloClient:
raise RuntimeError('No FIDO device found')
self.dev = dev
self.ctap1 = CTAP1(dev)
self.ctap2 = CTAP2(dev)
self.client = Fido2Client(dev, self.origin)
if self.exchange == self.exchange_hid:
self.send_data_hid(CTAPHID.INIT, '\x11\x11\x11\x11\x11\x11\x11\x11')
@ -222,6 +231,32 @@ class SoloClient:
def wink(self,):
self.send_data_hid(CTAPHID.WINK, b'')
def reset(self,):
self.ctap2.reset()
def make_credential(self,):
rp = {'id': self.host, 'name': 'example site'}
user = {'id': b'abcdef', 'name': 'example user'}
challenge = 'Y2hhbGxlbmdl'
attest, data = self.client.make_credential(
rp, user, challenge, exclude_list=[]
)
try:
attest.verify(data.hash)
except AttributeError:
verifier = Attestation.for_type(attest.fmt)
verifier().verify(
attest.att_statement,
attest.auth_data,
data.hash
)
print('Register valid')
x5c = attest.att_statement['x5c'][0]
cert = x509.load_der_x509_certificate(x5c, default_backend())
return cert
def enter_solo_bootloader(self,):
"""
If solo is configured as solo hacker or something similar,
@ -560,11 +595,16 @@ def solo_main():
help='Continuously dump random numbers generated from Solo.',
)
parser.add_argument("--wink", action="store_true", help='HID Wink command.')
parser.add_argument("--reset", action="store_true", help='Issue a FIDO2 reset command. Warning: your credentials will be lost.')
parser.add_argument("--verify-solo", action="store_true", help='Verify that the Solo firmware is from SoloKeys.')
args = parser.parse_args()
p = SoloClient()
p.find_device()
if args.reset:
p.reset()
if args.rng:
while True:
r = p.get_rng(255)
@ -575,6 +615,15 @@ def solo_main():
p.wink()
sys.exit(0)
if args.verify_solo:
cert = p.make_credential()
solo_fingerprint = b'r\xd5\x831&\xac\xfc\xe9\xa8\xe8&`\x18\xe6AI4\xc8\xbeJ\xb8h_\x91\xb0\x99!\x13\xbb\xd42\x95'
if (cert.fingerprint(hashes.SHA256()) == solo_fingerprint):
print('Valid firmware from SoloKeys')
else:
print('This is either a Solo Hacker or a invalid Solo.')
def asked_for_help():
for i, v in enumerate(sys.argv):
@ -954,6 +1003,10 @@ def main_mergehex():
if __name__ == '__main__':
if sys.version_info[0] < 3:
print('Sorry, python3 is required.')
sys.exit(1)
if len(sys.argv) < 2 or (len(sys.argv) == 2 and asked_for_help()):
print('Diverse command line tool for working with Solo')
print('usage: %s <command> [options] [-h]' % sys.argv[0])