From 1fab0b8f1f7aaad62d11a73c114537ce0588db89 Mon Sep 17 00:00:00 2001 From: Conor Patrick Date: Tue, 23 Apr 2019 21:57:50 -0400 Subject: [PATCH] add wallet api in as compile option --- fido2/device.h | 2 +- fido2/extensions/extensions.c | 25 ++++++++++++++++-- fido2/extensions/extensions.h | 9 +++++++ fido2/extensions/solo.c | 11 ++++++++ fido2/extensions/wallet.c | 48 +++++------------------------------ fido2/extensions/wallet.h | 5 +--- targets/stm32l432/src/app.h | 1 + 7 files changed, 53 insertions(+), 48 deletions(-) diff --git a/fido2/device.h b/fido2/device.h index 109d25a..e13ea51 100644 --- a/fido2/device.h +++ b/fido2/device.h @@ -9,7 +9,7 @@ #include "storage.h" -void device_init(); +void device_init(int argc, char *argv[]); uint32_t millis(); diff --git a/fido2/extensions/extensions.c b/fido2/extensions/extensions.c index ae669ea..ceaed72 100644 --- a/fido2/extensions/extensions.c +++ b/fido2/extensions/extensions.c @@ -35,6 +35,28 @@ int extension_needs_atomic_count(uint8_t klen, uint8_t * keyh) || ((wallet_request *) keyh)->operation == WalletSign; } +static uint8_t * output_buffer_ptr; +uint8_t output_buffer_offset; +uint8_t output_buffer_size; + +void extension_writeback_init(uint8_t * buffer, uint8_t size) +{ + output_buffer_ptr = buffer; + output_buffer_offset = 0; + output_buffer_size = size; +} + +void extension_writeback(uint8_t * buf, uint8_t size) +{ + if ((output_buffer_offset + size) > output_buffer_size) + { + return; + } + memmove(output_buffer_ptr + output_buffer_offset, buf, size); + output_buffer_offset += size; +} + + int16_t bridge_u2f_to_extensions(uint8_t * _chal, uint8_t * _appid, uint8_t klen, uint8_t * keyh) { int8_t ret = 0; @@ -55,8 +77,6 @@ int16_t bridge_u2f_to_extensions(uint8_t * _chal, uint8_t * _appid, uint8_t klen u2f_response_writeback((uint8_t *)&ret,1); #ifdef IS_BOOTLOADER ret = bootloader_bridge(klen, keyh); -#elif defined(WALLET_EXTENSION) - ret = bridge_u2f_to_wallet(_chal, _appid, klen, keyh); #else ret = bridge_u2f_to_solo(sig, keyh, klen); u2f_response_writeback(sig,72); @@ -82,6 +102,7 @@ int16_t extend_fido2(CredentialId * credid, uint8_t * output) { if (is_extension_request((uint8_t*)credid, sizeof(CredentialId))) { + printf1(TAG_EXT,"IS EXT REQ\r\n"); output[0] = bridge_u2f_to_solo(output+1, (uint8_t*)credid, sizeof(CredentialId)); return 1; } diff --git a/fido2/extensions/extensions.h b/fido2/extensions/extensions.h index 2d602c1..9bdb203 100644 --- a/fido2/extensions/extensions.h +++ b/fido2/extensions/extensions.h @@ -9,6 +9,11 @@ #include "u2f.h" #include "apdu.h" +int16_t bridge_u2f_to_extensions(uint8_t * chal, uint8_t * appid, uint8_t klen, uint8_t * keyh); + +// return 1 if request is a wallet request +int is_extension_request(uint8_t * req, int len); + int16_t extend_u2f(APDU_HEADER * req, uint8_t * payload, uint32_t len); int16_t extend_fido2(CredentialId * credid, uint8_t * output); @@ -17,4 +22,8 @@ int bootloader_bridge(int klen, uint8_t * keyh); int is_extension_request(uint8_t * kh, int len); + +void extension_writeback_init(uint8_t * buffer, uint8_t size); +void extension_writeback(uint8_t * buf, uint8_t size); + #endif /* EXTENSIONS_H_ */ diff --git a/fido2/extensions/solo.c b/fido2/extensions/solo.c index 8951506..37dd6f5 100644 --- a/fido2/extensions/solo.c +++ b/fido2/extensions/solo.c @@ -31,12 +31,15 @@ #include "log.h" #include APP_CONFIG + + // output must be at least 71 bytes int16_t bridge_u2f_to_solo(uint8_t * output, uint8_t * keyh, int keylen) { int8_t ret = 0; wallet_request * req = (wallet_request *) keyh; + extension_writeback_init(output, 71); printf1(TAG_WALLET, "u2f-solo [%d]: ", keylen); dump_hex1(TAG_WALLET, keyh, keylen); @@ -61,6 +64,14 @@ int16_t bridge_u2f_to_solo(uint8_t * output, uint8_t * keyh, int keylen) break; +#ifdef ENABLE_WALLET + case WalletSign: + case WalletRegister: + case WalletPin: + case WalletReset: + return bridge_to_wallet(keyh, keylen); +#endif + default: printf2(TAG_ERR,"Invalid wallet command: %x\n",req->operation); ret = CTAP1_ERR_INVALID_COMMAND; diff --git a/fido2/extensions/wallet.c b/fido2/extensions/wallet.c index 551e23b..a03d74e 100644 --- a/fido2/extensions/wallet.c +++ b/fido2/extensions/wallet.c @@ -14,8 +14,8 @@ #include "util.h" #include "storage.h" #include "device.h" +#include "extensions.h" -#if defined(USING_PC) || defined(IS_BOOTLOADER) typedef enum { MBEDTLS_ECP_DP_NONE = 0, @@ -32,9 +32,7 @@ typedef enum MBEDTLS_ECP_DP_SECP224K1, /*!< 224-bits "Koblitz" curve */ MBEDTLS_ECP_DP_SECP256K1, /*!< 256-bits "Koblitz" curve */ } mbedtls_ecp_group_id; -#else -#include "ecp.h" -#endif + // return 1 if hash is valid, 0 otherwise @@ -70,14 +68,14 @@ int8_t wallet_pin(uint8_t subcmd, uint8_t * pinAuth, uint8_t * arg1, uint8_t * a return CTAP2_ERR_NOT_ALLOWED; } - u2f_response_writeback(KEY_AGREEMENT_PUB,sizeof(KEY_AGREEMENT_PUB)); + extension_writeback(KEY_AGREEMENT_PUB,sizeof(KEY_AGREEMENT_PUB)); printf1(TAG_WALLET,"pubkey: "); dump_hex1(TAG_WALLET,KEY_AGREEMENT_PUB,64); break; case CP_cmdGetRetries: printf1(TAG_WALLET,"cmdGetRetries\n"); pinTokenEnc[0] = ctap_leftover_pin_attempts(); - u2f_response_writeback(pinTokenEnc,1); + extension_writeback(pinTokenEnc,1); break; case CP_cmdSetPin: @@ -145,7 +143,7 @@ int8_t wallet_pin(uint8_t subcmd, uint8_t * pinAuth, uint8_t * arg1, uint8_t * a return ret; printf1(TAG_WALLET,"pinToken: "); dump_hex1(TAG_WALLET, PIN_TOKEN, 16); - u2f_response_writeback(pinTokenEnc, PIN_TOKEN_SIZE); + extension_writeback(pinTokenEnc, PIN_TOKEN_SIZE); break; @@ -159,7 +157,7 @@ int8_t wallet_pin(uint8_t subcmd, uint8_t * pinAuth, uint8_t * arg1, uint8_t * a return 0; } -int16_t bridge_u2f_to_wallet(uint8_t * _chal, uint8_t * _appid, uint8_t klen, uint8_t * keyh) +int16_t bridge_to_wallet(uint8_t * keyh, uint8_t klen) { static uint8_t msg_buf[WALLET_MAX_BUFFER]; int reqlen = klen; @@ -259,7 +257,7 @@ int16_t bridge_u2f_to_wallet(uint8_t * _chal, uint8_t * _appid, uint8_t klen, ui crypto_load_external_key(key, keysize); crypto_ecdsa_sign(args[0], lens[0], sig, MBEDTLS_ECP_DP_SECP256K1); - u2f_response_writeback(sig,64); + extension_writeback(sig,64); break; case WalletRegister: @@ -374,39 +372,7 @@ int16_t bridge_u2f_to_wallet(uint8_t * _chal, uint8_t * _appid, uint8_t klen, ui break; - case WalletVersion: - u2f_response_writeback((uint8_t*)WALLET_VERSION, sizeof(WALLET_VERSION)-1); - break; - case WalletRng: - printf1(TAG_WALLET,"WalletRng\n"); - if ( ctap_device_locked() ) - { - printf1(TAG_ERR,"device locked\n"); - ret = CTAP2_ERR_NOT_ALLOWED; - goto cleanup; - } - if ( ctap_is_pin_set() ) - { - if ( ! check_pinhash(req->pinAuth, msg_buf, reqlen)) - { - printf2(TAG_ERR,"pinAuth is NOT valid\n"); - dump_hex1(TAG_ERR,msg_buf,reqlen); - ret = CTAP2_ERR_PIN_AUTH_INVALID; - goto cleanup; - } - } - ret = ctap_generate_rng(sig, 72); - if (ret != 1) - { - printf1(TAG_WALLET,"Rng failed\n"); - ret = CTAP2_ERR_PROCESSING; - goto cleanup; - } - ret = 0; - - u2f_response_writeback((uint8_t *)sig,72); - break; default: printf2(TAG_ERR,"Invalid wallet command: %x\n",req->operation); diff --git a/fido2/extensions/wallet.h b/fido2/extensions/wallet.h index b4f0dd3..629a53f 100644 --- a/fido2/extensions/wallet.h +++ b/fido2/extensions/wallet.h @@ -87,10 +87,7 @@ typedef enum } WalletOperation; -int16_t bridge_u2f_to_extensions(uint8_t * chal, uint8_t * appid, uint8_t klen, uint8_t * keyh); - -// return 1 if request is a wallet request -int is_extension_request(uint8_t * req, int len); +int16_t bridge_to_wallet(uint8_t * keyh, uint8_t klen); void wallet_init(); diff --git a/targets/stm32l432/src/app.h b/targets/stm32l432/src/app.h index 8570d24..ec2bd68 100644 --- a/targets/stm32l432/src/app.h +++ b/targets/stm32l432/src/app.h @@ -23,6 +23,7 @@ //#define USING_DEV_BOARD #define ENABLE_U2F_EXTENSIONS + #define ENABLE_WALLET #define ENABLE_U2F