diff --git a/fido2/ctap.c b/fido2/ctap.c index ea14e62..bc42b28 100644 --- a/fido2/ctap.c +++ b/fido2/ctap.c @@ -325,7 +325,7 @@ static int is_matching_rk(CTAP_residentKey * rk, CTAP_residentKey * rk2) } -static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * auth_data_buf, unsigned int len, CTAP_userEntity * user, uint8_t credtype, int32_t algtype, int32_t * sz, int store) +static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * auth_data_buf, uint32_t * len, CTAP_credInfo * credInfo) { CborEncoder cose_key; int auth_data_sz, ret; @@ -335,7 +335,7 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au uint8_t * cose_key_buf = auth_data_buf + sizeof(CTAP_authData); - if((sizeof(CTAP_authDataHeader)) > len) + if((sizeof(CTAP_authDataHeader)) > *len) { printf1(TAG_ERR,"assertion fail, auth_data_buf must be at least %d bytes\n", sizeof(CTAP_authData) - sizeof(CTAP_attestHeader)); exit(1); @@ -373,12 +373,12 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au - if (credtype != 0) + if (credInfo != NULL) { // add attestedCredentialData authData->head.flags |= (1 << 6);//include attestation data - cbor_encoder_init(&cose_key, cose_key_buf, len - sizeof(CTAP_authData), 0); + cbor_encoder_init(&cose_key, cose_key_buf, *len - sizeof(CTAP_authData), 0); memmove(authData->attest.aaguid, CTAP_AAGUID, 16); authData->attest.credLenL = sizeof(CredentialId) & 0x00FF; @@ -396,10 +396,10 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au make_auth_tag(authData->head.rpIdHash, authData->attest.id.nonce, count, authData->attest.id.tag); // resident key - if (store) + if (credInfo->rk) { memmove(&rk.id, &authData->attest.id, sizeof(CredentialId)); - memmove(&rk.user, user, sizeof(CTAP_userEntity)); + memmove(&rk.user, &credInfo->user, sizeof(CTAP_userEntity)); unsigned int index = STATE.rk_stored; unsigned int i; 
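Review bot: The new signature makes `len` an in/out parameter and `credInfo` an optional pointer, but neither contract is documented at the definition. I would add a header comment above `static int ctap_make_auth_data(...)` stating that on entry `*len` is the capacity of `auth_data_buf` and on success it is overwritten with the number of bytes written (a later hunk does `*len = auth_data_sz;`), and that `credInfo == NULL` means no attestedCredentialData is appended (the getAssertion path) while a non-NULL `credInfo` supplies the user entity, credential type, algorithm and the rk option. The old `sz` output was optional (`if (sz) *sz = ...`); `len` is now dereferenced unconditionally, so the comment should also say callers must never pass NULL. The function body continues past this hunk.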
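Review bot: The guard only ensures `*len >= sizeof(CTAP_authDataHeader)`, yet the attested-credential path in the next hunk computes `*len - sizeof(CTAP_authData)` in unsigned arithmetic and already places `cose_key_buf` at `auth_data_buf + sizeof(CTAP_authData)`; if `*len` falls between the two sizes the subtraction wraps and the CBOR encoder is handed an enormous capacity. The callers shown pass `sizeof(auth_data_buf)`, presumably large enough, but the function no longer defends itself; I would extend the check here, `if (*len < sizeof(CTAP_authData))`, or test `*len` against `sizeof(CTAP_authData)` inside the `credInfo != NULL` branch before the `cbor_encoder_init`. The message on the following line also passes a `size_t` to `%d`; cast it, `(unsigned)(sizeof(CTAP_authData) - sizeof(CTAP_attestHeader))` with `%u`. The function body continues outside the hunk.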
@@ -428,7 +428,7 @@ done_rk: //crypto_aes256_encrypt((uint8_t*)&authData->attest.credential.user, CREDENTIAL_ENC_SIZE); printf1(TAG_GREEN, "MADE credId: "); dump_hex1(TAG_GREEN, (uint8_t*) &authData->attest.id, sizeof(CredentialId)); - ctap_generate_cose_key(&cose_key, (uint8_t*)&authData->attest.id, sizeof(CredentialId), credtype, algtype); + ctap_generate_cose_key(&cose_key, (uint8_t*)&authData->attest.id, sizeof(CredentialId), credInfo->publicKeyCredentialType, credInfo->COSEAlgorithmIdentifier); auth_data_sz = sizeof(CTAP_authData) + cbor_encoder_get_buffer_size(&cose_key, cose_key_buf); @@ -445,7 +445,7 @@ done_rk: check_ret(ret); } - if (sz) *sz = auth_data_sz; + *len = auth_data_sz; return 0; } @@ -637,10 +637,10 @@ uint8_t ctap_make_credential(CborEncoder * encoder, uint8_t * request, int lengt CborEncoder map; ret = cbor_encoder_create_map(encoder, &map, 3); check_ret(ret); - int32_t auth_data_sz; + uint32_t auth_data_sz = sizeof(auth_data_buf); - ret = ctap_make_auth_data(&MC.rp, &map, auth_data_buf, sizeof(auth_data_buf), - &MC.user, MC.publicKeyCredentialType, MC.COSEAlgorithmIdentifier, &auth_data_sz, MC.rk); + ret = ctap_make_auth_data(&MC.rp, &map, auth_data_buf, &auth_data_sz, + &MC.credInfo); check_retr(ret); 
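Review bot: `ctap_generate_cose_key` is now reached whenever `credInfo != NULL`, so the old `credtype != 0` gate that kept an unset credential type away from this call is gone; `ctap_make_credential` always passes `&MC.credInfo`, so if pubKeyCredParams was absent or unsupported and `publicKeyCredentialType` is still 0 the key is generated anyway, unless the caller rejects that through `paramsParsed` before this point, which is not visible in the diff. Either restore the gate at the top of the branch, `if (credInfo != NULL && credInfo->publicKeyCredentialType != 0)`, or add a comment there stating that the caller guarantees a validated credInfo. The commented-out `crypto_aes256_encrypt` line above this call is dead code and could be removed. The enclosing branch starts before this hunk.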
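Review bot: `*len = auth_data_sz;` overwrites the caller's capacity with an `int` derived from `cbor_encoder_get_buffer_size` without confirming that it fits, and nothing visible in this diff checks the encode results inside `ctap_generate_cose_key`; if the encoder ran short, the size written back could be wrong and the caller would then treat garbage as the authData length. Since `*len` still holds the capacity at this point, compare before the write-back, `if (auth_data_sz < 0 || (uint32_t)auth_data_sz > *len)` and return an error instead of 0. A short comment on the assignment, `// hand the actual authData length back through the capacity parameter`, would also make the in/out use obvious. The function body begins before this hunk.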
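Review bot: `uint32_t auth_data_sz = sizeof(auth_data_buf);` is read as a capacity by the callee and then overwritten with the encoded size, which is not obvious from the name; a comment on the declaration, `// in: capacity of auth_data_buf, out: bytes of authData written`, would help the next reader. The variable also changed from `int32_t` to `uint32_t`, so any later signed comparison or `%d` format on it in this function (outside the hunk) should be re-checked. The function continues on both sides of the hunk.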
@@ -1043,27 +1043,22 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length) else #endif { - ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, sizeof(auth_data_buf), NULL, 0,0,NULL, 0); + uint32_t len = sizeof(auth_data_buf); + ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &len, NULL); check_retr(ret); } - /*for (int j = 0; j < GA.credLen; j++)*/ - /*{*/ - /*printf1(TAG_GA,"CRED ID (# %d): ", GA.creds[j].credential.enc.count);*/ - /*dump_hex1(TAG_GA, (uint8_t*)&GA.creds[j].credential, sizeof(struct Credential));*/ - /*if (ctap_authenticate_credential(&GA.rp, &GA.creds[j])) // warning encryption will break this*/ - /*{*/ - /*printf1(TAG_GA," Authenticated.\n");*/ - /*}*/ - /*else*/ - /*{*/ - /*printf1(TAG_GA," NOT authentic.\n");*/ - /*}*/ - /*}*/ + if (GA.extensions.hmac_secret_present == EXT_HMAC_SECRET_PARSED) + { + printf1(TAG_GA, "hmac-secret is present\r\n"); + // map_size += 1; + // + // ret = cbor_encode_int(&map, RESP_numberOfCredentials); + // check_ret(ret); + // ret = cbor_encode_int(&map, validCredCount); + // check_ret(ret); + } - // Decrypt here - - // if (validCredCount > 0) { save_credential_list((CTAP_authDataHeader*)auth_data_buf, GA.clientDataHash, GA.creds, validCredCount-1); // skip last one diff --git a/fido2/ctap.h b/fido2/ctap.h index 06dd0fd..d781ce6 100644 --- a/fido2/ctap.h +++ b/fido2/ctap.h @@ -213,20 +213,25 @@ typedef struct CTAP_hmac_secret hmac_secret; } CTAP_extensions; +typedef struct +{ + CTAP_userEntity user; + uint8_t publicKeyCredentialType; + int32_t COSEAlgorithmIdentifier; + uint8_t rk; +} CTAP_credInfo; + typedef struct { uint32_t paramsParsed; uint8_t clientDataHash[CLIENT_DATA_HASH_SIZE]; struct rpId rp; - CTAP_userEntity user; - uint8_t publicKeyCredentialType; - int32_t COSEAlgorithmIdentifier; + CTAP_credInfo credInfo; CborValue excludeList; size_t excludeListSize; - uint8_t rk; uint8_t uv; uint8_t up; 
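Review bot: The new `hmac_secret_present == EXT_HMAC_SECRET_PARSED` block only prints a message and carries commented-out code about RESP_numberOfCredentials, so a client that requested hmac-secret gets an assertion with no extension output while the device logs that it saw the request. If the extension is not implemented yet, replace the commented-out lines with `// TODO: hmac-secret output is not produced yet; authData carries no extensions` or drop the block until it does something. `len` now receives the authData size but is not used afterwards in this hunk; a comment noting that `save_credential_list` only needs the header, or `(void)len;`, keeps that from reading as an oversight. The function continues outside the hunk.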
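Review bot: `CTAP_credInfo` is a new header-level struct with no field documentation, and because it is copied whole into resident-key storage (`memmove(&rk.user, &credInfo->user, sizeof(CTAP_userEntity))` in ctap.c) its contents deserve a few words. I would add above the typedef `// Credential parameters gathered from makeCredential: user entity, the selected credential type and COSE algorithm from pubKeyCredParams, and the 'rk' option`, and annotate the flag, `uint8_t rk; // nonzero when the client asked for a resident key`. Whether the struct is zeroed before parsing, so that unset fields do not carry stale bytes into storage, is not visible here and is worth confirming. The enclosing `CTAP_makeCredential` struct continues past this hunk.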
diff --git a/fido2/ctap_parse.c b/fido2/ctap_parse.c index 0d4ece8..d0963ea 100644 --- a/fido2/ctap_parse.c +++ b/fido2/ctap_parse.c @@ -128,14 +128,14 @@ uint8_t parse_user(CTAP_makeCredential * MC, CborValue * val) } sz = USER_ID_MAX_SIZE; - ret = cbor_value_copy_byte_string(&map, MC->user.id, &sz, NULL); + ret = cbor_value_copy_byte_string(&map, MC->credInfo.user.id, &sz, NULL); if (ret == CborErrorOutOfMemory) { printf2(TAG_ERR,"Error, USER_ID is too large\n"); return CTAP2_ERR_LIMIT_EXCEEDED; } - MC->user.id_size = sz; - printf1(TAG_GREEN,"parsed id_size: %d\r\n", MC->user.id_size); + MC->credInfo.user.id_size = sz; + printf1(TAG_GREEN,"parsed id_size: %d\r\n", MC->credInfo.user.id_size); check_ret(ret); } else if (strcmp((const char *)key, "name") == 0) @@ -146,12 +146,12 @@ uint8_t parse_user(CTAP_makeCredential * MC, CborValue * val) return CTAP2_ERR_INVALID_CBOR_TYPE; } sz = USER_NAME_LIMIT; - ret = cbor_value_copy_text_string(&map, (char *)MC->user.name, &sz, NULL); + ret = cbor_value_copy_text_string(&map, (char *)MC->credInfo.user.name, &sz, NULL); if (ret != CborErrorOutOfMemory) { // Just truncate the name it's okay check_ret(ret); } - MC->user.name[USER_NAME_LIMIT - 1] = 0; + MC->credInfo.user.name[USER_NAME_LIMIT - 1] = 0; } else if (strcmp((const char *)key, "displayName") == 0) { @@ -161,12 +161,12 @@ uint8_t parse_user(CTAP_makeCredential * MC, CborValue * val) return CTAP2_ERR_INVALID_CBOR_TYPE; } sz = DISPLAY_NAME_LIMIT; - ret = cbor_value_copy_text_string(&map, (char *)MC->user.displayName, &sz, NULL); + ret = cbor_value_copy_text_string(&map, (char *)MC->credInfo.user.displayName, &sz, NULL); if (ret != CborErrorOutOfMemory) { // Just truncate the name it's okay check_ret(ret); } - MC->user.displayName[DISPLAY_NAME_LIMIT - 1] = 0; + MC->credInfo.user.displayName[DISPLAY_NAME_LIMIT - 1] = 0; } else if (strcmp((const char *)key, "icon") == 0) { 
@@ -176,12 +176,12 @@ uint8_t parse_user(CTAP_makeCredential * MC, CborValue * val) return CTAP2_ERR_INVALID_CBOR_TYPE; } sz = ICON_LIMIT; - ret = cbor_value_copy_text_string(&map, (char *)MC->user.icon, &sz, NULL); + ret = cbor_value_copy_text_string(&map, (char *)MC->credInfo.user.icon, &sz, NULL); if (ret != CborErrorOutOfMemory) { // Just truncate the name it's okay check_ret(ret); } - MC->user.icon[ICON_LIMIT - 1] = 0; + MC->credInfo.user.icon[ICON_LIMIT - 1] = 0; } else @@ -305,8 +305,8 @@ uint8_t parse_pub_key_cred_params(CTAP_makeCredential * MC, CborValue * val) { if (pub_key_cred_param_supported(cred_type, alg_type) == CREDENTIAL_IS_SUPPORTED) { - MC->publicKeyCredentialType = cred_type; - MC->COSEAlgorithmIdentifier = alg_type; + MC->credInfo.publicKeyCredentialType = cred_type; + MC->credInfo.COSEAlgorithmIdentifier = alg_type; MC->paramsParsed |= PARAM_pubKeyCredParams; return 0; } @@ -779,8 +779,8 @@ uint8_t ctap_parse_make_credential(CTAP_makeCredential * MC, CborEncoder * encod ret = parse_user(MC, &map); - printf1(TAG_MC," ID: "); dump_hex1(TAG_MC, MC->user.id, MC->user.id_size); - printf1(TAG_MC," name: %s\n", MC->user.name); + printf1(TAG_MC," ID: "); dump_hex1(TAG_MC, MC->credInfo.user.id, MC->credInfo.user.id_size); + printf1(TAG_MC," name: %s\n", MC->credInfo.user.name); break; case MC_pubKeyCredParams: @@ -788,8 +788,8 @@ uint8_t ctap_parse_make_credential(CTAP_makeCredential * MC, CborEncoder * encod ret = parse_pub_key_cred_params(MC, &map); - printf1(TAG_MC," cred_type: 0x%02x\n", MC->publicKeyCredentialType); - printf1(TAG_MC," alg_type: %d\n", MC->COSEAlgorithmIdentifier); + printf1(TAG_MC," cred_type: 0x%02x\n", MC->credInfo.publicKeyCredentialType); + printf1(TAG_MC," alg_type: %d\n", MC->credInfo.COSEAlgorithmIdentifier); break; case MC_excludeList: 
@@ -819,7 +819,7 @@ uint8_t ctap_parse_make_credential(CTAP_makeCredential * MC, CborEncoder * encod case MC_options: printf1(TAG_MC,"CTAP_options\n"); - ret = parse_options(&map, &MC->rk, &MC->uv, &MC->up); + ret = parse_options(&map, &MC->credInfo.rk, &MC->uv, &MC->up); check_retr(ret); break; case MC_pinAuth: