diff --git a/u2f.c b/u2f.c new file mode 100644 index 0000000..af80b7e --- /dev/null +++ b/u2f.c @@ -0,0 +1,251 @@ +#include "u2f.h" +#include "ctap.h" +#include "crypto.h" +#if 0 + +// void u2f_response_writeback(uint8_t * buf, uint8_t len); +static int16_t u2f_register(struct u2f_register_request * req); +static int16_t u2f_version(); +static int16_t u2f_authenticate(struct u2f_authenticate_request * req, uint8_t control); + +void u2f_request(struct u2f_request_apdu * req) +{ + uint16_t * rcode = (uint16_t *)req; + uint32_t len = ((req->LC3) | ((uint32_t)req->LC2 << 8) | ((uint32_t)req->LC1 << 16)); + + u2f_response_start(); + + if (req->cla != 0) + { + u2f_hid_set_len(2); + *rcode = U2F_SW_CLASS_NOT_SUPPORTED; + goto end; + } + + switch(req->ins) + { + case U2F_REGISTER: + if (len != 64) + { + u2f_hid_set_len(2); + *rcode = U2F_SW_WRONG_LENGTH; + } + else + { + *rcode = u2f_register((struct u2f_register_request*)req->payload); + } + break; + case U2F_AUTHENTICATE: + *rcode = u2f_authenticate((struct u2f_authenticate_request*)req->payload, req->p1); + break; + case U2F_VERSION: + if (len) + { + u2f_hid_set_len(2); + *rcode = U2F_SW_WRONG_LENGTH; + } + else + { + *rcode = u2f_version(); + } + break; + case U2F_VENDOR_FIRST: + case U2F_VENDOR_LAST: + *rcode = U2F_SW_NO_ERROR; + break; + default: + u2f_hid_set_len(2); + *rcode = U2F_SW_INS_NOT_SUPPORTED; + break; + } + +end: + u2f_response_writeback((uint8_t*)rcode,2); + u2f_response_flush(); +} + +static uint8_t get_signature_length(uint8_t * sig) +{ + return 0x46 + ((sig[32] & 0x80) == 0x80) + ((sig[0] & 0x80) == 0x80); +} + +static void dump_signature_der(uint8_t * sig) +{ + uint8_t pad_s = (sig[32] & 0x80) == 0x80; + uint8_t pad_r = (sig[0] & 0x80) == 0x80; + uint8_t i[] = {0x30, 0x44}; + i[1] += (pad_s + pad_r); + + + // DER encoded signature + // write der sequence + // has to be minimum distance and padded with 0x00 if MSB is a 1. + u2f_response_writeback(i,2); + i[1] = 0; + + // length of R value plus 0x00 pad if necessary + u2f_response_writeback("\x02",1); + i[0] = 0x20 + pad_r; + u2f_response_writeback(i,1 + pad_r); + + // R value + u2f_response_writeback(sig, 32); + + // length of S value plus 0x00 pad if necessary + u2f_response_writeback("\x02",1); + i[0] = 0x20 + pad_s; + u2f_response_writeback(i,1 + pad_s); + + // S value + u2f_response_writeback(sig+32, 32); +} + +int8_t u2f_appid_eq(struct u2f_key_handle * kh, uint8_t * appid) +{ + + return 0; +} + +int8_t u2f_load_key(struct u2f_key_handle * kh, uint8_t * appid) +{ + crypto_ecc256_load_key(kh->key, U2F_KEY_HANDLE_KEY_SIZE, appid, U2F_APPLICATION_SIZE); + return 0; +} + +void u2f_make_auth_tag(struct u2f_key_handle * kh, uint8_t * appid, uint8_t * tag) +{ + uint8_t hashbuf[32]; + crypto_sha256_hmac_init(NULL, 0, hashbuf); + crypto_sha256_update(kh->key, U2F_KEY_HANDLE_KEY_SIZE); + crypto_sha256_update(appid, ); + crypto_sha256_hmac_final(hashbuf); + + memmove(tag, hashbuf, CREDENTIAL_TAG_SIZE); +} + + + +static int16_t u2f_authenticate(struct u2f_authenticate_request * req, uint8_t control) +{ + + uint8_t up = 1; + uint32_t count; + + if (control == U2F_AUTHENTICATE_CHECK) + { + u2f_hid_set_len(2); + if (u2f_appid_eq(&req->kh, req->app) == 0) + { + return U2F_SW_CONDITIONS_NOT_SATISFIED; + } + else + { + return U2F_SW_WRONG_DATA; + } + } + if ( + control != U2F_AUTHENTICATE_SIGN || + req->khl != U2F_KEY_HANDLE_SIZE || + u2f_appid_eq(&req->kh, req->app) != 0 || // Order of checks is important + u2f_load_key(&req->kh, req->app) != 0 + + ) + { + u2f_hid_set_len(2); + return U2F_SW_WRONG_PAYLOAD; + } + + + + if (u2f_get_user_feedback()) + { + u2f_hid_set_len(2); + return U2F_SW_CONDITIONS_NOT_SATISFIED; + } + + count = u2f_count(); + + u2f_sha256_start(); + u2f_sha256_update(req->app,32); + u2f_sha256_update(&up,1); + u2f_sha256_update((uint8_t *)&count,4); + u2f_sha256_update(req->chal,32); + + u2f_sha256_finish(); + + if (u2f_ecdsa_sign((uint8_t*)req, req->kh, req->app) == -1) + { + return U2F_SW_WRONG_DATA+0x20; + } + + u2f_hid_set_len(7 + get_signature_length((uint8_t*)req)); + + u2f_response_writeback(&up,1); + u2f_response_writeback((uint8_t *)&count,4); + dump_signature_der((uint8_t*)req); + + return U2F_SW_NO_ERROR; +} + +static int16_t u2f_register(struct u2f_register_request * req) +{ + uint8_t i[] = {0x0,U2F_EC_FMT_UNCOMPRESSED}; + + uint8_t key_handle[U2F_KEY_HANDLE_SIZE]; + uint8_t pubkey[64]; + + + const uint16_t attest_size = u2f_attestation_cert_size(); + + if (u2f_get_user_feedback()) + { + u2f_hid_set_len(2); + return U2F_SW_CONDITIONS_NOT_SATISFIED; + } + + if ( u2f_new_keypair(key_handle, req->app, pubkey) == -1) + { + u2f_hid_set_len(2); + return U2F_SW_INSUFFICIENT_MEMORY; + } + + u2f_sha256_start(); + u2f_sha256_update(i,1); + u2f_sha256_update(req->app,32); + + u2f_sha256_update(req->chal,32); + + u2f_sha256_update(key_handle,U2F_KEY_HANDLE_SIZE); + u2f_sha256_update(i+1,1); + u2f_sha256_update(pubkey,64); + u2f_sha256_finish(); + + if (u2f_ecdsa_sign((uint8_t*)req, U2F_ATTESTATION_HANDLE, req->app) == -1) + { + return U2F_SW_WRONG_DATA; + } + + u2f_hid_set_len(69 + get_signature_length((uint8_t*)req) + U2F_KEY_HANDLE_SIZE + u2f_attestation_cert_size()); + i[0] = 0x5; + u2f_response_writeback(i,2); + u2f_response_writeback(pubkey,64); + i[0] = U2F_KEY_HANDLE_SIZE; + u2f_response_writeback(i,1); + u2f_response_writeback(key_handle,U2F_KEY_HANDLE_SIZE); + + u2f_response_writeback(u2f_get_attestation_cert(),u2f_attestation_cert_size()); + + dump_signature_der((uint8_t*)req); + + + return U2F_SW_NO_ERROR; +} + +static int16_t u2f_version() +{ + code const char version[] = "U2F_V2"; + u2f_hid_set_len(2 + sizeof(version)-1); + u2f_response_writeback(version, sizeof(version)-1); + return U2F_SW_NO_ERROR; +} +#endif diff --git a/u2f.h b/u2f.h new file mode 100644 index 0000000..ab36576 --- /dev/null +++ b/u2f.h @@ -0,0 +1,112 @@ +#ifndef _U2F_H_ +#define _U2F_H_ + +#include + +#define U2F_EC_FMT_UNCOMPRESSED 0x04 + +#define U2F_EC_POINT_SIZE 32 +#define U2F_EC_PUBKEY_SIZE 65 +#define U2F_APDU_SIZE 7 +#define U2F_CHALLENGE_SIZE 32 +#define U2F_APPLICATION_SIZE 32 +#define U2F_KEY_HANDLE_TAG_SIZE 16 +#define U2F_KEY_HANDLE_KEY_SIZE 36 +#define U2F_KEY_HANDLE_SIZE (U2F_KEY_HANDLE_KEY_SIZE+U2F_KEY_HANDLE_TAG_SIZE) +#define U2F_REGISTER_REQUEST_SIZE (U2F_CHALLENGE_SIZE+U2F_APPLICATION_SIZE) +#define U2F_MAX_REQUEST_PAYLOAD (1 + U2F_CHALLENGE_SIZE+U2F_APPLICATION_SIZE + 1 + U2F_KEY_HANDLE_SIZE) + + +// U2F native commands +#define U2F_REGISTER 0x01 +#define U2F_AUTHENTICATE 0x02 +#define U2F_VERSION 0x03 +#define U2F_VENDOR_FIRST 0xc0 +#define U2F_VENDOR_LAST 0xff + +// U2F_CMD_REGISTER command defines +#define U2F_REGISTER_ID 0x05 +#define U2F_REGISTER_HASH_ID 0x00 + +// U2F Authenticate +#define U2F_AUTHENTICATE_CHECK 0x7 +#define U2F_AUTHENTICATE_SIGN 0x3 + + +// Command status responses +#define U2F_SW_NO_ERROR 0x9000 +#define U2F_SW_WRONG_DATA 0x6984 +#define U2F_SW_CONDITIONS_NOT_SATISFIED 0x6985 +#define U2F_SW_INS_NOT_SUPPORTED 0x6d00 +#define U2F_SW_WRONG_LENGTH 0x6700 +#define U2F_SW_CLASS_NOT_SUPPORTED 0x6E00 +#define U2F_SW_WRONG_PAYLOAD 0x6a80 +#define U2F_SW_INSUFFICIENT_MEMORY 0x9210 + +// Delay in milliseconds to wait for user input +#define U2F_MS_USER_INPUT_WAIT 3000 + +struct u2f_request_apdu +{ + uint8_t cla; + uint8_t ins; + uint8_t p1; + uint8_t p2; + uint8_t LC1; + uint8_t LC2; + uint8_t LC3; + uint8_t payload[U2F_MAX_REQUEST_PAYLOAD]; +}; + +struct u2f_ec_point +{ + uint8_t fmt; + uint8_t x[U2F_EC_POINT_SIZE]; + uint8_t y[U2F_EC_POINT_SIZE]; +}; + +struct u2f_register_request +{ + uint8_t chal[U2F_CHALLENGE_SIZE]; + uint8_t app[U2F_APPLICATION_SIZE]; +}; + + +struct u2f_key_handle +{ + uint8_t tag[U2F_KEY_HANDLE_TAG_SIZE]; + uint8_t key[U2F_KEY_HANDLE_KEY_SIZE]; +}; + + +struct u2f_authenticate_request +{ + uint8_t chal[U2F_CHALLENGE_SIZE]; + uint8_t app[U2F_APPLICATION_SIZE]; + uint8_t khl; + struct u2f_key_handle kh; +}; + +// u2f_request send a U2F message to U2F protocol +// @req U2F message +void u2f_request(struct u2f_request_apdu* req); + + +////////////////////////////////////////////////////////////////// +/* Platform specific functions that must be implemented by user */ +////////////////////////////////////////////////////////////////// + +// u2f_response_writeback callback for u2f to send back response data +// @buf data to write back +// @len length of buf in bytes +extern void u2f_response_writeback(uint8_t * buf, uint16_t len); + +// u2f_response_flush callback when u2f finishes and will +// indicate when all buffer data, if any, should be written +extern void u2f_response_flush(); + +// set_response_length method to set the total length of the response for use by underlying layer +// @len the length of U2F response in bytes +extern void set_response_length(uint16_t len); + +#endif /* U2F_H_ */