shimun/solo
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

reuse memory for allow_list of creds

Browse Source
This commit is contained in:
Conor Patrick 2019-04-24 11:45:30 -04:00
parent 41ae0e4a2c
commit 813eb97d2f
4 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -32,7 +32,7 @@ VERSION_PAT:=$(shell python -c 'print("$(VERSION)".split(".")[2])')
VERSION_FLAGS= -DSOLO_VERSION_MAJ=$(VERSION_MAJ) -DSOLO_VERSION_MIN=$(VERSION_MIN) \ VERSION_FLAGS= -DSOLO_VERSION_MAJ=$(VERSION_MAJ) -DSOLO_VERSION_MIN=$(VERSION_MIN) \
-DSOLO_VERSION_PATCH=$(VERSION_PAT) -DSOLO_VERSION=\"$(VERSION_FULL)\" -DSOLO_VERSION_PATCH=$(VERSION_PAT) -DSOLO_VERSION=\"$(VERSION_FULL)\"
CFLAGS = -O2 -fdata-sections -ffunction-sections $(VERSION_FLAGS) CFLAGS = -O2 -fdata-sections -ffunction-sections $(VERSION_FLAGS) -g
INCLUDES = -I./tinycbor/src -I./crypto/sha256 -I./crypto/micro-ecc/ -Icrypto/tiny-AES-c/ -I./fido2/ -I./pc -I./fido2/extensions INCLUDES = -I./tinycbor/src -I./crypto/sha256 -I./crypto/micro-ecc/ -Icrypto/tiny-AES-c/ -I./fido2/ -I./pc -I./fido2/extensions
INCLUDES += -I./crypto/cifra/src INCLUDES += -I./crypto/cifra/src

20
fido2/ctap.c
View File

@ -664,7 +664,6 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0); return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0);
break; break;
case PUB_KEY_CRED_CTAP1: case PUB_KEY_CRED_CTAP1:
printf1(TAG_CTAP,"PUB_KEY_CRED_CTAP1\r\n");
crypto_sha256_init(); crypto_sha256_init();
crypto_sha256_update(rp->id, rp->size); crypto_sha256_update(rp->id, rp->size);
crypto_sha256_final(rpIdHash); crypto_sha256_final(rpIdHash);
@ -673,6 +672,9 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
case PUB_KEY_CRED_CUSTOM: case PUB_KEY_CRED_CUSTOM:
return is_extension_request(getAssertionState.customCredId, getAssertionState.customCredIdSize); return is_extension_request(getAssertionState.customCredId, getAssertionState.customCredIdSize);
break; break;
default:
printf1(TAG_ERR, "PUB_KEY_CRED_UNKNOWN %x\r\n",desc->type);
break;
} }
return 0; return 0;
@ -1127,6 +1129,7 @@ uint8_t ctap_get_next_assertion(CborEncoder * encoder)
uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length) uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
{ {
CTAP_getAssertion GA; CTAP_getAssertion GA;
uint8_t auth_data_buf[sizeof(CTAP_authDataHeader) + 80]; uint8_t auth_data_buf[sizeof(CTAP_authDataHeader) + 80];
int ret = ctap_parse_get_assertion(&GA,request,length); int ret = ctap_parse_get_assertion(&GA,request,length);
@ -1166,16 +1169,21 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
printf1(TAG_GA, "ALLOW_LIST has %d creds\n", GA.credLen); printf1(TAG_GA, "ALLOW_LIST has %d creds\n", GA.credLen);
int validCredCount = ctap_filter_invalid_credentials(&GA); int validCredCount = ctap_filter_invalid_credentials(&GA);
if (validCredCount > 1) if (validCredCount == 0)
{
printf2(TAG_ERR,"Error, no authentic credential\n");
return CTAP2_ERR_NO_CREDENTIALS;
}
else if (validCredCount > 1)
{ {
map_size += 1; map_size += 1;
} }
if (GA.creds[validCredCount - 1].credential.user.id_size) if (GA.creds[validCredCount - 1].credential.user.id_size)
{ {
map_size += 1; map_size += 1;
} }
if (GA.extensions.hmac_secret_present == EXT_HMAC_SECRET_PARSED) if (GA.extensions.hmac_secret_present == EXT_HMAC_SECRET_PARSED)
{ {
printf1(TAG_GA, "hmac-secret is present\r\n"); printf1(TAG_GA, "hmac-secret is present\r\n");
@ -1184,12 +1192,6 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
ret = cbor_encoder_create_map(encoder, &map, map_size); ret = cbor_encoder_create_map(encoder, &map, map_size);
check_ret(ret); check_ret(ret);
if (validCredCount == 0)
{
printf2(TAG_ERR,"Error, no authentic credential\n");
return CTAP2_ERR_NO_CREDENTIALS;
}
// if only one account for this RP, null out the user details // if only one account for this RP, null out the user details
if (validCredCount < 2 || !getAssertionState.user_verified) if (validCredCount < 2 || !getAssertionState.user_verified)
{ {

4
fido2/ctap.h
View File

@ -279,7 +279,7 @@ typedef struct
uint8_t pinAuthEmpty; uint8_t pinAuthEmpty;
int pinProtocol; int pinProtocol;
CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE]; CTAP_credentialDescriptor * creds;
uint8_t allowListPresent; uint8_t allowListPresent;
CTAP_extensions extensions; CTAP_extensions extensions;
@ -306,7 +306,7 @@ typedef struct
struct _getAssertionState { struct _getAssertionState {
CTAP_authDataHeader authData; CTAP_authDataHeader authData;
uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE]; uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE];
CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE-1]; CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE];
uint8_t lastcmd; uint8_t lastcmd;
uint32_t count; uint32_t count;
uint32_t index; uint32_t index;

2
fido2/ctap_parse.c
View File

@ -1005,6 +1005,8 @@ uint8_t ctap_parse_get_assertion(CTAP_getAssertion * GA, uint8_t * request, int
CborValue it,map; CborValue it,map;
memset(GA, 0, sizeof(CTAP_getAssertion)); memset(GA, 0, sizeof(CTAP_getAssertion));
GA->creds = getAssertionState.creds; // Save stack memory
ret = cbor_parser_init(request, length, CborValidateCanonicalFormat, &parser, &it); ret = cbor_parser_init(request, length, CborValidateCanonicalFormat, &parser, &it);
check_ret(ret); check_ret(ret);