add checking some rare case in iso14443-4 chaining. add NAK checking and aborting the data sending.

.all-contributorsrc

@@ -178,6 +178,15 @@
         "business",
         "ideas"
       ]
+    },
+    {
+      "login": "oplik0",
+      "name": "Jakub",
+      "avatar_url": "https://avatars2.githubusercontent.com/u/25460763?v=4",
+      "profile": "https://github.com/oplik0",
+      "contributions": [
+        "bug"
+      ]
     }
   ],
   "contributorsPerLine": 7,

README.md

@@ -135,6 +135,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <td align="center"><a href="https://github.com/m3hm00d"><img src="https://avatars1.githubusercontent.com/u/42179593?v=4" width="100px;" alt="f.m3hm00d"/><br /><sub><b>f.m3hm00d</b></sub></a><br /><a href="https://github.com/solokeys/solo/commits?author=m3hm00d" title="Documentation">📖</a></td>
     <td align="center"><a href="http://blogs.gnome.org/hughsie/"><img src="https://avatars0.githubusercontent.com/u/151380?v=4" width="100px;" alt="Richard Hughes"/><br /><sub><b>Richard Hughes</b></sub></a><br /><a href="#ideas-hughsie" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/solokeys/solo/commits?author=hughsie" title="Code">💻</a> <a href="#infra-hughsie" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#tool-hughsie" title="Tools">🔧</a></td>
     <td align="center"><a href="http://www.schulz.dk"><img src="https://avatars1.githubusercontent.com/u/1150049?v=4" width="100px;" alt="Kim Schulz"/><br /><sub><b>Kim Schulz</b></sub></a><br /><a href="#business-kimusan" title="Business development">💼</a> <a href="#ideas-kimusan" title="Ideas, Planning, & Feedback">🤔</a></td>
+    <td align="center"><a href="https://github.com/oplik0"><img src="https://avatars2.githubusercontent.com/u/25460763?v=4" width="100px;" alt="Jakub"/><br /><sub><b>Jakub</b></sub></a><br /><a href="https://github.com/solokeys/solo/issues?q=author%3Aoplik0" title="Bug reports">🐛</a></td>
   </tr>
 </table>
 
@@ -168,7 +169,7 @@ You can buy Solo, Solo Tap, and Solo for Hackers at [solokeys.com](https://solok
 <br/>
 
 [![License](https://img.shields.io/github/license/solokeys/solo.svg)](https://github.com/solokeys/solo/blob/master/LICENSE)
-[![All Contributors](https://img.shields.io/badge/all_contributors-18-orange.svg?style=flat-square)](#contributors)
+[![All Contributors](https://img.shields.io/badge/all_contributors-19-orange.svg?style=flat-square)](#contributors)
 [![Build Status](https://travis-ci.com/solokeys/solo.svg?branch=master)](https://travis-ci.com/solokeys/solo)
 [![Discourse Users](https://img.shields.io/discourse/https/discourse.solokeys.com/users.svg)](https://discourse.solokeys.com)
 [![Keybase Chat](https://img.shields.io/badge/chat-on%20keybase-brightgreen.svg)](https://keybase.io/team/solokeys.public)

STABLE_VERSION

@@ -1 +1 @@
-2.4.3
+2.5.1

fido2/apdu.c

@@ -9,7 +9,7 @@
 
 #include "apdu.h"
 
-int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu) 
+uint16_t apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu) 
 {
     EXT_APDU_HEADER *hapdu = (EXT_APDU_HEADER *)data;
     
@@ -62,6 +62,11 @@ int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu)
     if (len >= 7 && b0 == 0)
     {
         uint16_t extlen = (hapdu->lc[1] << 8) + hapdu->lc[2];
+
+        if (len - 7 < extlen)
+        {
+            return SW_WRONG_LENGTH;
+        }
         
          // case 2E (Le) - extended
         if (len == 7)
@@ -103,9 +108,18 @@ int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu)
             apdu->le = 0x10000;
         }
     }
+    else
+    {
+        if ((len > 5) && (len - 5 < hapdu->lc[0]))
+        {
+            return SW_WRONG_LENGTH;
+        }
+    }
     
     if (!apdu->case_type)
-        return 1;
+    {
+        return SW_COND_USE_NOT_SATISFIED;
+    }
     
     if (apdu->lc)
     {

fido2/apdu.h

@@ -36,7 +36,7 @@ typedef struct
     uint8_t case_type;
 } __attribute__((packed)) APDU_STRUCT;
 
-extern int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu);
+extern uint16_t apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu);
 
 #define APDU_FIDO_U2F_REGISTER        0x01
 #define APDU_FIDO_U2F_AUTHENTICATE    0x02

fido2/ctap.c

@@ -486,7 +486,7 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au
     
     device_set_status(CTAPHID_STATUS_PROCESSING);
 
-    authData->head.flags = (but << 0);
+    authData->head.flags = (1 << 0);        // User presence
     authData->head.flags |= (ctap_is_pin_set() << 2);
 
 

targets/stm32l432/src/device.c

@@ -55,7 +55,16 @@ static int is_physical_button_pressed()
 
 static int is_touch_button_pressed()
 {
-    return tsc_read_button(0) || tsc_read_button(1);
+    int is_pressed = (tsc_read_button(0) || tsc_read_button(1));
+#ifndef IS_BOOTLOADER
+    if (is_pressed)
+    {
+        // delay for debounce, and longer than polling timer period.
+        delay(95);
+        return (tsc_read_button(0) || tsc_read_button(1));
+    }
+#endif
+    return is_pressed;
 }
 
 int (*IS_BUTTON_PRESSED)() = is_physical_button_pressed;
@@ -66,7 +75,7 @@ static void edge_detect_touch_button()
     uint8_t current_touch = 0;
     if (is_touch_button_pressed == IS_BUTTON_PRESSED)
     {
-        current_touch = IS_BUTTON_PRESSED();
+        current_touch = (tsc_read_button(0) || tsc_read_button(1));
 
         // 1 sample per 25 ms
         if ((millis() - __last_button_bounce_time) > 25)
@@ -153,7 +162,6 @@ void device_set_status(uint32_t status)
 
 int device_is_button_pressed()
 {
-
     return IS_BUTTON_PRESSED();
 }
 

targets/stm32l432/src/nfc.c

@@ -228,6 +228,8 @@ void nfc_write_response_chaining_plain(uint8_t req0, uint8_t * data, int len)
 	{
 		uint8_t res[32] = {0};
         res[0] = iBlock;
+        res[1] = 0;
+        res[2] = 0;
 		if (len && data)
 			memcpy(&res[block_offset], data, len);
 		nfc_write_frame(res, len + block_offset);
@@ -268,6 +270,19 @@ void nfc_write_response_chaining_plain(uint8_t req0, uint8_t * data, int len)
 					printf1(TAG_NFC, "R block RX timeout %d/%d.\r\n",sendlen,len);
 					break;
 				}
+                
+                if (!IS_RBLOCK(recbuf[0]))
+                {
+					printf1(TAG_NFC, "R block RX error. Not a R block(0x%02x) %d/%d.\r\n", recbuf[0], sendlen, len);
+					break;
+				}
+                
+                // NAK check
+                if (recbuf[0] & NFC_CMD_RBLOCK_ACK)
+                {
+					printf1(TAG_NFC, "R block RX error. NAK received. %d/%d.\r\n", recbuf[0], sendlen, len);
+					break;
+                }
 
                 uint8_t rblock_offset = p14443_block_offset(recbuf[0]);
 				if (reclen != rblock_offset)
@@ -466,7 +481,8 @@ void rblock_acknowledge(uint8_t req0, bool ack)
     NFC_STATE.block_num = !NFC_STATE.block_num;
 
     buf[0] = NFC_CMD_RBLOCK | (req0 & 0x0f);
-    if (ack)
+    // iso14443-4:2001 page 16. ACK, if bit is set to 0, NAK, if bit is set to 1
+    if (!ack)
         buf[0] |= NFC_CMD_RBLOCK_ACK;
 
     nfc_write_frame(buf, block_offset);
@@ -784,9 +800,10 @@ void nfc_process_iblock(uint8_t * buf, int len)
     }
     
     APDU_STRUCT apdu;
-    if (apdu_decode(buf + block_offset, len - block_offset, &apdu)) {
+    uint16_t ret = apdu_decode(buf + block_offset, len - block_offset, &apdu);
+    if (ret != 0) {
         printf1(TAG_NFC,"apdu decode error\r\n");
-        nfc_write_response(buf[0], SW_COND_USE_NOT_SATISFIED);
+        nfc_write_response(buf[0], ret);
         return;
     }
     printf1(TAG_NFC,"apdu ok. %scase=%02x cla=%02x ins=%02x p1=%02x p2=%02x lc=%d le=%d\r\n", 
@@ -802,7 +819,6 @@ void nfc_process_iblock(uint8_t * buf, int len)
         
         memmove(&chain_buffer[chain_buffer_len], apdu.data, apdu.lc);
         chain_buffer_len += apdu.lc;
-        delay(1);
         nfc_write_response(buf[0], SW_SUCCESS);
         printf1(TAG_NFC, "APDU chaining ok. %d/%d\r\n", apdu.lc, chain_buffer_len);
         return;
@@ -810,7 +826,6 @@ void nfc_process_iblock(uint8_t * buf, int len)
     
     // if we have ISO 7816 APDU chain - move there all the data
     if (!chain_buffer_tx && chain_buffer_len > 0) {
-        delay(1);
         memmove(&apdu.data[chain_buffer_len], apdu.data, apdu.lc);
         memmove(apdu.data, chain_buffer, chain_buffer_len);
         apdu.lc += chain_buffer_len; // here apdu struct does not match with memory!

targets/stm32l432/src/nfc.h

@@ -34,9 +34,9 @@ typedef struct
 #define IS_PPSS_CMD(x)                (((x) & 0xf0) == NFC_CMD_PPSS)
 #define NFC_CMD_IBLOCK                0x00
 #define IS_IBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_IBLOCK) && (((x) & 0x02) == 0x02) )
-#define NFC_CMD_RBLOCK                0x80
+#define NFC_CMD_RBLOCK                0xa0
-#define NFC_CMD_RBLOCK_ACK            0x20
+#define NFC_CMD_RBLOCK_ACK            0x10
-#define IS_RBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_RBLOCK) && (((x) & 0x02) == 0x02) )
+#define IS_RBLOCK(x)                  ( (((x) & 0xe0) == NFC_CMD_RBLOCK) && (((x) & 0x02) == 0x02) )
 #define NFC_CMD_SBLOCK                0xc0
 #define IS_SBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_SBLOCK) && (((x) & 0x02) == 0x02) )