diff --git a/Makefile b/Makefile
index 8c4ad24..259e3a9 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ VERSION_PAT:=$(shell python -c 'print("$(VERSION)".split(".")[2])')
 VERSION_FLAGS= -DSOLO_VERSION_MAJ=$(VERSION_MAJ) -DSOLO_VERSION_MIN=$(VERSION_MIN) \
 -DSOLO_VERSION_PATCH=$(VERSION_PAT) -DSOLO_VERSION=\"$(VERSION_FULL)\"
-CFLAGS = -O2 -fdata-sections -ffunction-sections $(VERSION_FLAGS)
+CFLAGS = -O2 -fdata-sections -ffunction-sections $(VERSION_FLAGS) -g
 INCLUDES = -I./tinycbor/src -I./crypto/sha256 -I./crypto/micro-ecc/ -Icrypto/tiny-AES-c/ -I./fido2/ -I./pc -I./fido2/extensions
 INCLUDES += -I./crypto/cifra/src
diff --git a/fido2/ctap.c b/fido2/ctap.c
index 7591545..a354b58 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -664,7 +664,6 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
 return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0);
 break;
 case PUB_KEY_CRED_CTAP1:
- printf1(TAG_CTAP,"PUB_KEY_CRED_CTAP1\r\n");
 crypto_sha256_init();
 crypto_sha256_update(rp->id, rp->size);
 crypto_sha256_final(rpIdHash);
@@ -673,6 +672,9 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
 case PUB_KEY_CRED_CUSTOM:
 return is_extension_request(getAssertionState.customCredId, getAssertionState.customCredIdSize);
 break;
+ default:
+ printf1(TAG_ERR, "PUB_KEY_CRED_UNKNOWN %x\r\n",desc->type);
+ break;
 }
 return 0;
@@ -1127,6 +1129,7 @@ uint8_t ctap_get_next_assertion(CborEncoder * encoder)
 uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 {
 CTAP_getAssertion GA;
+ uint8_t auth_data_buf[sizeof(CTAP_authDataHeader) + 80];
 int ret = ctap_parse_get_assertion(&GA,request,length);
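Review bot: The new `default:` branch in ctap_authenticate_credential logs an unrecognised descriptor type with printf1, while the other error path this commit adds, the no-credentials return in ctap_get_assertion, uses `printf2(TAG_ERR, ...)`; if the two levels differ in verbosity, rejecting an unknown type should probably be logged at the same level as that error. The fall-through to `return 0` is the right outcome, since an unknown type is never treated as a match, but it is only implicit; a comment such as `/* unknown descriptor type: not a match, fall through to return 0 */` before the `break;` would make the intent explicit. The `%x` conversion also assumes `desc->type` promotes to an unsigned int, which is worth confirming against the field's declared type in ctap.h, not shown in this hunk. The enclosing switch starts outside the hunk.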
@@ -1166,16 +1169,21 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 printf1(TAG_GA, "ALLOW_LIST has %d creds\n", GA.credLen);
 int validCredCount = ctap_filter_invalid_credentials(&GA);
- if (validCredCount > 1)
+ if (validCredCount == 0)
+ {
+ printf2(TAG_ERR,"Error, no authentic credential\n");
+ return CTAP2_ERR_NO_CREDENTIALS;
+ }
+ else if (validCredCount > 1)
 {
 map_size += 1;
 }
+
 if (GA.creds[validCredCount - 1].credential.user.id_size)
 {
 map_size += 1;
 }
-
 if (GA.extensions.hmac_secret_present == EXT_HMAC_SECRET_PARSED)
 {
 printf1(TAG_GA, "hmac-secret is present\r\n");
@@ -1184,12 +1192,6 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 ret = cbor_encoder_create_map(encoder, &map, map_size);
 check_ret(ret);
- if (validCredCount == 0)
- {
- printf2(TAG_ERR,"Error, no authentic credential\n");
- return CTAP2_ERR_NO_CREDENTIALS;
- }
-
 // if only one account for this RP, null out the user details
 if (validCredCount < 2 || !getAssertionState.user_verified)
 {
diff --git a/fido2/ctap.h b/fido2/ctap.h
index 984621b..9677d87 100644
--- a/fido2/ctap.h
+++ b/fido2/ctap.h
@@ -279,7 +279,7 @@ typedef struct
 uint8_t pinAuthEmpty;
 int pinProtocol;
- CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE];
+ CTAP_credentialDescriptor * creds;
 uint8_t allowListPresent;
 CTAP_extensions extensions;
@@ -306,7 +306,7 @@ typedef struct
 struct _getAssertionState {
 CTAP_authDataHeader authData;
 uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE];
- CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE-1];
+ CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE];
 uint8_t lastcmd;
 uint32_t count;
 uint32_t index;
diff --git a/fido2/ctap_parse.c b/fido2/ctap_parse.c
index 951156d..75dcb7f 100644
--- a/fido2/ctap_parse.c
+++ b/fido2/ctap_parse.c
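Review bot: The guard moved ahead of the `GA.creds[validCredCount - 1]` index only covers `== 0`; `validCredCount` is declared `int` from `ctap_filter_invalid_credentials(&GA)`, whose body is not in this diff, so if that helper can ever report failure as a negative value the index would still run before the start of the array. Since zero and negative both mean "nothing usable", `if (validCredCount <= 0)` costs nothing and closes that case. Returning before `cbor_encoder_create_map` is an improvement over the removed block in the following hunk, which bailed out after the map had already been opened. ctap_get_assertion continues outside the hunk.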
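Review bot: `CTAP_credentialDescriptor * creds;` replaces an inline array with a bare pointer, but nothing in the struct says who owns the storage or when it is valid; from the ctap_parse.c hunk on this page it is set by ctap_parse_get_assertion to point at `getAssertionState.creds`, and the `memset(GA, 0, sizeof(CTAP_getAssertion))` there now zeroes only the pointer slot, not the descriptors. A comment on the member, e.g. `// not owned: set by ctap_parse_get_assertion to getAssertionState.creds; sizeof/memset of this struct no longer covers the descriptors`, would keep the next maintainer from copying or clearing the struct and expecting the credentials to come along. The second ctap.h hunk grows `getAssertionState.creds` from `ALLOW_LIST_MAX_SIZE-1` to `ALLOW_LIST_MAX_SIZE`, which is what makes the aliasing fit, so that dependency belongs in the same comment. Both typedefs start outside their hunks.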
@@ -1005,6 +1005,8 @@ uint8_t ctap_parse_get_assertion(CTAP_getAssertion * GA, uint8_t * request, int
 CborValue it,map;
 memset(GA, 0, sizeof(CTAP_getAssertion));
+ GA->creds = getAssertionState.creds; // Save stack memory
+
 ret = cbor_parser_init(request, length, CborValidateCanonicalFormat, &parser, &it);
 check_ret(ret);
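Review bot: With `GA->creds = getAssertionState.creds;` the `memset(GA, 0, sizeof(CTAP_getAssertion))` just above no longer clears the credential descriptors, so whatever the previous getAssertion request left in `getAssertionState.creds` survives into this one until the parser overwrites it; unless every slot up to the parsed count is written in full (the parsing loop is outside the hunk), add `memset(getAssertionState.creds, 0, sizeof(getAssertionState.creds));` right after the assignment so stale allow-list entries cannot be mistaken for freshly parsed ones. The same storage is presumably what later "next assertion" calls read, so parsing a new request now mutates that state in place instead of at the point where the old code copied GA.creds into it — worth confirming that the copy was removed rather than left as a self-overlapping memcpy. The comment says why but not what it implies; `// Save stack memory: GA->creds aliases getAssertionState.creds, which persists across requests` would cover both.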