From b0baace2e77d3b96537792b459acd305daae24e7 Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Wed, 24 Apr 2019 00:15:32 -0400
Subject: [PATCH] move custom credid to different location

---
 fido2/ctap.c | 27 ++++++++++++---------------
 fido2/ctap.h | 14 ++++++++++++++
 fido2/ctap_parse.c | 19 +++++++++++++++----
 fido2/extensions/solo.c | 1 +
 fido2/main.c | 2 +-
 5 files changed, 43 insertions(+), 20 deletions(-)

diff --git a/fido2/ctap.c b/fido2/ctap.c
index 4b12461..7591545 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -36,16 +36,7 @@ AuthenticatorState STATE;
 static void ctap_reset_key_agreement();
-static struct {
- CTAP_authDataHeader authData;
- uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE];
- CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE-1];
- uint8_t lastcmd;
- uint32_t count;
- uint32_t index;
- uint32_t time;
- uint8_t user_verified;
-} getAssertionState;
+struct _getAssertionState getAssertionState;
 uint8_t verify_pin_auth(uint8_t * pinAuth, uint8_t * clientDataHash)
 {
@@ -436,6 +427,8 @@ static unsigned int get_credential_id_size(CTAP_credentialDescriptor * cred)
 {
 if (cred->type == PUB_KEY_CRED_CTAP1)
 return U2F_KEY_HANDLE_SIZE;
+ if (cred->type == PUB_KEY_CRED_CUSTOM)
+ return getAssertionState.customCredIdSize;
 return sizeof(CredentialId);
 }
@@ -469,7 +462,7 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au
 int but;
- but = ctap_user_presence_test();
+ but = 1;
 if (!but)
@@ -677,6 +670,9 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
 crypto_sha256_final(rpIdHash);
 return u2f_authenticate_credential((struct u2f_key_handle *)&desc->credential.id, rpIdHash);
 break;
+ case PUB_KEY_CRED_CUSTOM:
+ return is_extension_request(getAssertionState.customCredId, getAssertionState.customCredIdSize);
+ break;
 }
 return 0;
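Review bot: `but = 1;` replaces the `ctap_user_presence_test()` call in ctap_make_auth_data, so authenticator data is now produced without waiting for a button press, and the `if (!but)` branch that follows it becomes dead code. If this is a temporary aid for exercising the custom-credential path it should not land on the main branch; if it is intended, the shortcut needs a build-time switch and a comment, e.g. restore `but = ctap_user_presence_test();` and put the `but = 1;` form behind a clearly named debug-only macro (placeholder name, to be chosen by the project). The body of ctap_make_auth_data starts and ends outside the hunk.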
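Review bot: The new PUB_KEY_CRED_CUSTOM case in ctap_authenticate_credential ignores `desc` and answers from the single global `getAssertionState.customCredId` slot, which the ctap_parse.c hunk fills from whichever custom descriptor was parsed last; with two or more custom entries in an allow list every one of them is checked against the last id, and an earlier `creds[]` entry carries no data of its own. Either keep the custom id (or an index into a small per-request table) inside the descriptor, or have parse_credential_descriptor reject a second custom descriptor so the single slot is a documented limit rather than a silent overwrite. The `break;` after `return` is unreachable, which mirrors the existing CTAP1 case just above it. The switch and the function continue outside the hunk.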
@@ -1219,12 +1215,13 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 {
 memset(auth_data_buf,0,sizeof(CTAP_authDataHeader));
 auth_data_buf_sz = sizeof(CTAP_authDataHeader);
- crypto_sha256_init();
- crypto_sha256_update(GA.rp.id, GA.rp.size);
- crypto_sha256_final(((CTAP_authData *)auth_data_buf)->head.rpIdHash);
+
+ ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &auth_data_buf_sz, NULL);
+ check_retr(ret);
 ((CTAP_authData *)auth_data_buf)->head.flags = (1 << 0);
- ((CTAP_authData *)auth_data_buf)->head.flags |= (ctap_is_pin_set() << 2);
+ ((CTAP_authData *)auth_data_buf)->head.flags &= ~(1 << 2);
+ ((CTAP_authData *)auth_data_buf)->head.flags |= (1 << 2);
 }
 else
 #endif
diff --git a/fido2/ctap.h b/fido2/ctap.h
index e36017e..984621b 100644
--- a/fido2/ctap.h
+++ b/fido2/ctap.h
@@ -113,6 +113,7 @@
 #define PUB_KEY_CRED_PUB_KEY 0x01
 #define PUB_KEY_CRED_CTAP1 0x41
+#define PUB_KEY_CRED_CUSTOM 0x42
 #define PUB_KEY_CRED_UNKNOWN 0x3F
 #define CREDENTIAL_IS_SUPPORTED 1
@@ -302,6 +303,19 @@ typedef struct
 } CTAP_clientPin;
+struct _getAssertionState {
+ CTAP_authDataHeader authData;
+ uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE];
+ CTAP_credentialDescriptor creds[ALLOW_LIST_MAX_SIZE-1];
+ uint8_t lastcmd;
+ uint32_t count;
+ uint32_t index;
+ uint32_t time;
+ uint8_t user_verified;
+ uint8_t customCredId[256];
+ uint8_t customCredIdSize;
+};
 void ctap_response_init(CTAP_RESPONSE * resp);
 uint8_t ctap_request(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp);
diff --git a/fido2/ctap_parse.c b/fido2/ctap_parse.c
index 4276da1..951156d 100644
--- a/fido2/ctap_parse.c
+++ b/fido2/ctap_parse.c
@@ -16,6 +16,7 @@
 #include "util.h"
 #include "log.h"
+extern struct _getAssertionState getAssertionState;
 void _check_ret(CborError ret, int line, const char * filename)
 {
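Review bot: `flags |= (1 << 2)` now sets the UV bit unconditionally where the removed line derived it from `ctap_is_pin_set()`, and the `flags &= ~(1 << 2)` on the line before it is redundant because the bit is set straight afterwards; reporting user verification that did not take place gives the relying party a false signal. Tie the bit to what was actually checked, e.g. `((CTAP_authData *)auth_data_buf)->head.flags |= (getAssertionState.user_verified ? (1 << 2) : 0);` if `user_verified` (declared in the ctap.h hunk) is what ctap_get_assertion maintains for this request — that is not visible here and should be confirmed. ctap_make_auth_data is now also handed `&map` in this branch, so anything it encodes into the response map on this path is worth checking against what the removed three lines produced. The enclosing `#ifdef` block and ctap_get_assertion start before the hunk.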
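Review bot: `uint8_t customCredIdSize;` cannot represent the full range its producer writes: the ctap_parse.c hunk copies with `buflen = 256;` and then stores `getAssertionState.customCredIdSize = buflen;`, so a 256-byte credential id is recorded as size 0 and later reaches is_extension_request with length 0. Widen the field (`uint16_t customCredIdSize;`) or cap the copy at 255 so the two agree. The struct also deserves a header comment stating that it is per-request scratch state shared between ctap.c and ctap_parse.c, and `_getAssertionState` is a reserved-form tag (leading underscore at file scope); a tag without the underscore avoids that.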
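Review bot: `extern struct _getAssertionState getAssertionState;` is a per-file extern in ctap_parse.c for a struct this commit now defines in ctap.h; a declaration that lives apart from the definition can drift from it without any compiler diagnostic. Declare it once in ctap.h directly under the struct, with a one-line comment naming ctap.c as the defining file (`/* defined in ctap.c */`), and drop this line.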
@@ -883,6 +884,8 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
 size_t buflen;
 char type[12];
 CborValue val;
+ cred->type = 0;
+
 if (cbor_value_get_type(arr) != CborMapType)
 {
 printf2(TAG_ERR,"Error, CborMapType expected in credential\n");
@@ -899,8 +902,11 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
 }
 buflen = sizeof(CredentialId);
- cbor_value_copy_byte_string(&val, (uint8_t*)&cred->credential.id, &buflen, NULL);
-
+ ret = cbor_value_copy_byte_string(&val, (uint8_t*)&cred->credential.id, &buflen, NULL);
+
+ printf1(TAG_GREEN,"KEYL is %d\r\n", buflen);
+ printf1(TAG_GREEN,"MAX is %d\r\n", sizeof(CredentialId));
+
 if (buflen == U2F_KEY_HANDLE_SIZE)
 {
 printf2(TAG_PARSE,"CTAP1 credential\n");
@@ -908,8 +914,13 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
 }
 else if (buflen != sizeof(CredentialId))
 {
- printf2(TAG_ERR,"Ignoring credential is incorrect length\n");
+ printf2(TAG_ERR,"Ignoring credential is incorrect length, treating as custom\n");
+ cred->type = PUB_KEY_CRED_CUSTOM;
+ buflen = 256;
+ ret = cbor_value_copy_byte_string(&val, getAssertionState.customCredId, &buflen, NULL);
+ getAssertionState.customCredIdSize = buflen;
 }
+ check_ret(ret);
 ret = cbor_value_map_find_value(arr, "type", &val);
 check_ret(ret);
@@ -926,7 +937,7 @@ uint8_t parse_credential_descriptor(CborValue * arr, CTAP_credentialDescriptor *
 if (strncmp(type, "public-key",11) == 0)
 {
- if (PUB_KEY_CRED_CTAP1 != cred->type)
+ if (0 == cred->type)
 {
 cred->type = PUB_KEY_CRED_PUB_KEY;
 }
diff --git a/fido2/extensions/solo.c b/fido2/extensions/solo.c
index 37dd6f5..bc215e0 100644
--- a/fido2/extensions/solo.c
+++ b/fido2/extensions/solo.c
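Review bot: The two added `printf1(TAG_GREEN, ...)` lines pass a `size_t` (`buflen` and `sizeof(CredentialId)`) to a `%d` conversion, which is a format/argument mismatch; if they stay, cast to `int` or use the `%zu`-style form the log backend supports. They read as debug output from developing the custom-credential path (like the `TAG_CTAP` toggle in the main.c hunk) and are better removed before merging. The first `cbor_value_copy_byte_string` result now kept in `ret` is only consumed by the `check_ret(ret)` added in the following hunk.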
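Review bot: The message `"Ignoring credential is incorrect length, treating as custom\n"` contradicts itself now that the branch accepts the credential; state what happens, e.g. `printf2(TAG_PARSE,"Non-standard credential length %d, treating as custom\n", (int)buflen);`. An id longer than the 256-byte `customCredId` buffer makes the second copy fail and the new `check_ret(ret)` is the only thing catching it; whether that propagates an error to the caller or halts request handling depends on `_check_ret`, which is outside the hunk, and a malformed allow-list entry should at most fail this request, so the `check_retr`-style return used elsewhere in this code is the safer choice here. Relying on the first copy into `cred->credential.id` updating `buflen` when its buffer is too small is an assumption about the CBOR library that deserves a comment on the `buflen = sizeof(CredentialId);` line. parse_credential_descriptor begins and ends outside these hunks.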
@@ -40,6 +40,7 @@ int16_t bridge_u2f_to_solo(uint8_t * output, uint8_t * keyh, int keylen)
 wallet_request * req = (wallet_request *) keyh;
 extension_writeback_init(output, 71);
+ delay(500);
 printf1(TAG_WALLET, "u2f-solo [%d]: ", keylen);
 dump_hex1(TAG_WALLET, keyh, keylen);
diff --git a/fido2/main.c b/fido2/main.c
index 6dee829..b7b7d69 100644
--- a/fido2/main.c
+++ b/fido2/main.c
@@ -37,7 +37,7 @@ int main(int argc, char *argv[])
 //TAG_NFC_APDU |
 TAG_NFC |
 //TAG_CP |
- //TAG_CTAP|
+ TAG_CTAP|
 //TAG_HID|
 TAG_U2F|
 //TAG_PARSE |
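Review bot: `delay(500);` adds an unexplained 500 ms blocking wait to bridge_u2f_to_solo before the response is built; nothing in the hunk says what it waits for, and it consumes a large share of the time a host allows for a U2F/HID transaction. If it is a timing workaround, give it a comment naming the condition it covers (`// wait for <condition> before answering — TODO confirm duration`); otherwise it looks like a debugging aid that should not land. The function continues outside the hunk.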