shimun/solo
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

bugfix/skip-auth for fido2 extension

Browse Source
This commit is contained in:
Conor Patrick 2019-02-14 15:53:02 -05:00
parent 0651316da5
commit 6745c9a0cb
4 changed files with 54 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
fido2/ctap.c
View File

@ -777,7 +777,18 @@ int ctap_filter_invalid_credentials(CTAP_getAssertion * GA)
if (! ctap_authenticate_credential(&GA->rp, &GA->creds[i])) if (! ctap_authenticate_credential(&GA->rp, &GA->creds[i]))
{ {
printf1(TAG_GA, "CRED #%d is invalid\n", GA->creds[i].credential.id.count); printf1(TAG_GA, "CRED #%d is invalid\n", GA->creds[i].credential.id.count);
GA->creds[i].credential.id.count = 0; // invalidate #ifdef ENABLE_U2F_EXTENSIONS
if (is_extension_request((uint8_t*)&GA->creds[i].credential.id, sizeof(CredentialId)))
{
printf1(TAG_EXT, "CRED #%d is extension\n", GA->creds[i].credential.id.count);
count++;
}
else
#endif
{
GA->creds[i].credential.id.count = 0; // invalidate
}
} }
else else
{ {
@ -999,8 +1010,20 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
ret = cbor_encoder_create_map(encoder, &map, map_size); ret = cbor_encoder_create_map(encoder, &map, map_size);
check_ret(ret); check_ret(ret);
ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, sizeof(auth_data_buf), NULL, 0,0,NULL, 0); #ifdef ENABLE_U2F_EXTENSIONS
check_retr(ret); if ( is_extension_request((uint8_t*)&GA.creds[validCredCount - 1].credential.id, sizeof(CredentialId)) )
{
ret = cbor_encode_int(&map,RESP_authData);
check_ret(ret);
ret = cbor_encode_byte_string(&map, auth_data_buf, sizeof(CTAP_authDataHeader));
check_ret(ret);
}
else
#endif
{
ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, sizeof(auth_data_buf), NULL, 0,0,NULL, 0);
check_retr(ret);
}
/*for (int j = 0; j < GA.credLen; j++)*/ /*for (int j = 0; j < GA.credLen; j++)*/
/*{*/ /*{*/

2
fido2/extensions/extensions.c
View File

@ -82,7 +82,7 @@ int16_t extend_fido2(CredentialId * credid, uint8_t * output)
{ {
if (is_extension_request((uint8_t*)credid, sizeof(CredentialId))) if (is_extension_request((uint8_t*)credid, sizeof(CredentialId)))
{ {
bridge_u2f_to_solo(output, (uint8_t*)credid, sizeof(CredentialId)); output[0] = bridge_u2f_to_solo(output+1, (uint8_t*)credid, sizeof(CredentialId));
return 1; return 1;
} }
else else

2
fido2/extensions/solo.c
View File

@ -31,7 +31,7 @@
#include "log.h" #include "log.h"
#include APP_CONFIG #include APP_CONFIG
// output must be at least 72 bytes // output must be at least 71 bytes
int16_t bridge_u2f_to_solo(uint8_t * output, uint8_t * keyh, int keylen) int16_t bridge_u2f_to_solo(uint8_t * output, uint8_t * keyh, int keylen)
{ {
int8_t ret = 0; int8_t ret = 0;

27
tools/solotool.py
View File

@ -201,6 +201,24 @@ class SoloClient:
return res.signature[1:] return res.signature[1:]
def exchange_fido2(self, cmd, addr=0, data=b"A" * 16):
chal = "B" * 32
req = SoloClient.format_request(cmd, addr, data)
assertions, client_data = self.client.get_assertion(
self.host, chal, [{"id": req, "type": "public-key"}]
)
if len(assertions) < 1:
raise RuntimeError("Device didn't respond to FIDO2 extended assertion")
res = assertions[0]
ret = res.signature[0]
if ret != CtapError.ERR.SUCCESS:
raise RuntimeError("Device returned non-success code %02x" % (ret,))
return res.signature[1:]
def bootloader_version(self,): def bootloader_version(self,):
data = self.exchange(SoloBootloader.version) data = self.exchange(SoloBootloader.version)
if len(data) > 2: if len(data) > 2:
@ -208,7 +226,7 @@ class SoloClient:
return data[0] return data[0]
def solo_version(self,): def solo_version(self,):
data = self.exchange_u2f(SoloExtension.version) data = self.exchange_fido2(SoloExtension.version)
return (data[0], data[1], data[2]) return (data[0], data[1], data[2])
def write_flash(self, addr, data): def write_flash(self, addr, data):
@ -585,6 +603,7 @@ def solo_main():
action="store_true", action="store_true",
help="Continuously dump random numbers generated from Solo.", help="Continuously dump random numbers generated from Solo.",
) )
parser.add_argument("--wink", action="store_true", help="HID Wink command.") parser.add_argument("--wink", action="store_true", help="HID Wink command.")
parser.add_argument( parser.add_argument(
"--reset", "--reset",
@ -596,6 +615,9 @@ def solo_main():
action="store_true", action="store_true",
help="Verify that the Solo firmware is from SoloKeys. Check firmware version.", help="Verify that the Solo firmware is from SoloKeys. Check firmware version.",
) )
parser.add_argument(
"--version", action="store_true", help="Check firmware version on Solo."
)
args = parser.parse_args() args = parser.parse_args()
p = SoloClient() p = SoloClient()
@ -627,6 +649,9 @@ def solo_main():
else: else:
print("Unknown fingerprint! ", cert.fingerprint(hashes.SHA256())) print("Unknown fingerprint! ", cert.fingerprint(hashes.SHA256()))
args.version = True
if args.version:
try: try:
v = p.solo_version() v = p.solo_version()
print("Version: ", v) print("Version: ", v)