port to device, working

2018-07-13 20:29:14 -04:00
parent 2a8cda65bd
commit 6e7be67491
11 changed files with 203 additions and 68 deletions
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -1404,7 +1404,6 @@ static uint16_t key_addr_offset(int index)
 uint16_t ctap_key_len(uint8_t index)
 {
    int i = ctap_keys_stored();
-    uint16_t offset;
    if (i >= MAX_KEYS || index >= MAX_KEYS)
    {
        return 0;
--- a/fido2/main.c
+++ b/fido2/main.c
@@ -27,7 +27,7 @@ int main(int argc, char * argv[])
 //            TAG_GEN|
            /*TAG_MC |*/
            /*TAG_GA |*/
-            TAG_WALLET |
+            /*TAG_WALLET |*/
            TAG_STOR |
            /*TAG_CP |*/
 //            TAG_CTAP|
@@ -35,7 +35,7 @@ int main(int argc, char * argv[])
            /*TAG_U2F|*/
            /*TAG_PARSE |*/
 //            TAG_TIME|
-//            TAG_DUMP|
+            /*TAG_DUMP|*/
            /*TAG_GREEN|*/
            /*TAG_RED|*/
            TAG_ERR
--- a/fido2/u2f.c
+++ b/fido2/u2f.c
@@ -37,7 +37,9 @@ void u2f_request(struct u2f_request_apdu* req, CTAP_RESPONSE * resp)
    {
        if (req->p1 == U2F_AUTHENTICATE_CHECK)
        {
-            if (memcmp(auth->chal, CHALLENGE_PIN, 32) == 0)     // Pin requests
+
+
+            if (is_wallet_device((uint8_t *) &auth->kh, auth->khl))     // Pin requests
            {
                rcode =  U2F_SW_CONDITIONS_NOT_SATISFIED;
            }
@@ -45,13 +47,15 @@ void u2f_request(struct u2f_request_apdu* req, CTAP_RESPONSE * resp)
            {
                rcode =  U2F_SW_WRONG_DATA;
            }
+            printf1(TAG_WALLET,"Ignoring U2F request\n");
            goto end;
        }
        else
        {
-            if (memcmp(auth->chal, CHALLENGE_PIN, 32) != 0)     // Pin requests
+            if ( ! is_wallet_device((uint8_t *) &auth->kh, auth->khl))     // Pin requests
            {
                rcode = U2F_SW_WRONG_PAYLOAD;
+                printf1(TAG_WALLET,"Ignoring U2F request\n");
                goto end;
            }
            rcode = bridge_u2f_to_wallet(auth->chal, auth->app, auth->khl, (uint8_t*)&auth->kh);
--- a/fido2/wallet.c
+++ b/fido2/wallet.c
@@ -32,8 +32,11 @@ typedef enum
    MBEDTLS_ECP_DP_SECP224K1,      /*!< 224-bits "Koblitz" curve */
    MBEDTLS_ECP_DP_SECP256K1,      /*!< 256-bits "Koblitz" curve */
 } mbedtls_ecp_group_id;
+#else
+#include "ecp.h"
 #endif

+
 typedef enum
 {
    WalletSign = 0x10,
@@ -44,14 +47,23 @@ typedef enum
    WalletRng = 0x15,
 } WalletOperation;

+int is_wallet_device(uint8_t * kh, int len)
+{
+    wallet_request * req = (wallet_request *) kh;
+
+    if (len < WALLET_MIN_LENGTH)
+        return 0;
+
+    return memcmp(req->tag, WALLET_TAG, sizeof(WALLET_TAG)-1) == 0;
+}

 // return 1 if hash is valid, 0 otherwise
 int check_pinhash(uint8_t * pinAuth, uint8_t * msg, uint8_t len)
 {
    uint8_t hmac[32];
    crypto_sha256_hmac_init(PIN_TOKEN, PIN_TOKEN_SIZE, hmac);
-    crypto_sha256_update(msg, 4);
-    crypto_sha256_update(msg+ 4 + 16, len - 4 - 16);
+    crypto_sha256_update(msg, 8);
+    crypto_sha256_update(msg+ 8 + 16, len - 8 - 16);
    crypto_sha256_hmac_final(PIN_TOKEN, PIN_TOKEN_SIZE, hmac);

    return (memcmp(pinAuth, hmac, 16) == 0);
@@ -404,7 +416,7 @@ int16_t bridge_u2f_to_wallet(uint8_t * _chal, uint8_t * _appid, uint8_t klen, ui

            break;
        case WalletVersion:
-            u2f_response_writeback(WALLET_VERSION, sizeof(WALLET_VERSION)-1);
+            u2f_response_writeback((uint8_t*)WALLET_VERSION, sizeof(WALLET_VERSION)-1);
            break;
        case WalletRng:
            printf1(TAG_WALLET,"WalletRng\n");
--- a/fido2/wallet.h
+++ b/fido2/wallet.h
@@ -54,14 +54,16 @@
 // Returns public key OR pinAuth

 // Only response to this challenge to prevent interference
-#define CHALLENGE_PIN  "\xf6\xa2\x3c\xa4\x0a\xf9\xda\xd4\x5f\xdc\xba\x7d\xc9\xde\xcb\xed\xb5\x84\x64\x3a\x4c\x9f\x44\xc2\x04\xb0\x17\xd7\xf4\x3e\xe0\x3f"
+#define WALLET_TAG  "\x8C\x27\x90\xf6"
+
+#define WALLET_MIN_LENGTH   (4 + 4 + 16)

 #define WALLET_VERSION  "WALLET_V1.0"

-#define MAX_CHALLENGE_SIZE          233
-#define MAX_KEYID_SIZE              232
+#define MAX_CHALLENGE_SIZE          229
+#define MAX_KEYID_SIZE              228

-#define MAX_PAYLOAD_SIZE            (255 - 16 - 4)
+#define MAX_PAYLOAD_SIZE            (255 - 16 - 4 - 4)

 typedef struct
 {
@@ -69,14 +71,17 @@ typedef struct
    uint8_t p1;
    uint8_t p2;
    uint8_t numArgs;
+    uint8_t tag[4];
    uint8_t pinAuth[16];
    uint8_t payload[MAX_PAYLOAD_SIZE];
 }__attribute__((packed)) wallet_request;


-
 int16_t bridge_u2f_to_wallet(uint8_t * chal, uint8_t * appid, uint8_t klen, uint8_t * keyh);

+// return 1 if request is a wallet request
+int is_wallet_device(uint8_t * req, int len);
+
 void wallet_init();

 #endif /* WALLET_H_ */