default up to enabled

Typo

.all-contributorsrc

@@ -178,6 +178,15 @@
         "business",
         "ideas"
       ]
+    },
+    {
+      "login": "oplik0",
+      "name": "Jakub",
+      "avatar_url": "https://avatars2.githubusercontent.com/u/25460763?v=4",
+      "profile": "https://github.com/oplik0",
+      "contributions": [
+        "bug"
+      ]
     }
   ],
   "contributorsPerLine": 7,

README.md

@@ -135,6 +135,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <td align="center"><a href="https://github.com/m3hm00d"><img src="https://avatars1.githubusercontent.com/u/42179593?v=4" width="100px;" alt="f.m3hm00d"/><br /><sub><b>f.m3hm00d</b></sub></a><br /><a href="https://github.com/solokeys/solo/commits?author=m3hm00d" title="Documentation">📖</a></td>
     <td align="center"><a href="http://blogs.gnome.org/hughsie/"><img src="https://avatars0.githubusercontent.com/u/151380?v=4" width="100px;" alt="Richard Hughes"/><br /><sub><b>Richard Hughes</b></sub></a><br /><a href="#ideas-hughsie" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/solokeys/solo/commits?author=hughsie" title="Code">💻</a> <a href="#infra-hughsie" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#tool-hughsie" title="Tools">🔧</a></td>
     <td align="center"><a href="http://www.schulz.dk"><img src="https://avatars1.githubusercontent.com/u/1150049?v=4" width="100px;" alt="Kim Schulz"/><br /><sub><b>Kim Schulz</b></sub></a><br /><a href="#business-kimusan" title="Business development">💼</a> <a href="#ideas-kimusan" title="Ideas, Planning, & Feedback">🤔</a></td>
+    <td align="center"><a href="https://github.com/oplik0"><img src="https://avatars2.githubusercontent.com/u/25460763?v=4" width="100px;" alt="Jakub"/><br /><sub><b>Jakub</b></sub></a><br /><a href="https://github.com/solokeys/solo/issues?q=author%3Aoplik0" title="Bug reports">🐛</a></td>
   </tr>
 </table>
 
@@ -168,7 +169,7 @@ You can buy Solo, Solo Tap, and Solo for Hackers at [solokeys.com](https://solok
 <br/>
 
 [![License](https://img.shields.io/github/license/solokeys/solo.svg)](https://github.com/solokeys/solo/blob/master/LICENSE)
-[![All Contributors](https://img.shields.io/badge/all_contributors-18-orange.svg?style=flat-square)](#contributors)
+[![All Contributors](https://img.shields.io/badge/all_contributors-19-orange.svg?style=flat-square)](#contributors)
 [![Build Status](https://travis-ci.com/solokeys/solo.svg?branch=master)](https://travis-ci.com/solokeys/solo)
 [![Discourse Users](https://img.shields.io/discourse/https/discourse.solokeys.com/users.svg)](https://discourse.solokeys.com)
 [![Keybase Chat](https://img.shields.io/badge/chat-on%20keybase-brightgreen.svg)](https://keybase.io/team/solokeys.public)

STABLE_VERSION

@@ -1 +1 @@
-2.4.3
+2.5.2

docs/solo/customization.md

@@ -115,7 +115,7 @@ If the checks succeed, you are ready to program the device attestation key and c
 ### Programming an attestation key and certificate
 
 Convert the DER format of the device attestation certificate to "C" bytes using our utility script.  You may first need to
-first install prerequisite python modules (pip install -r tools/requirements.txt).
+first install prerequisite python modules (`pip install -r tools/requirements.txt`).
 
 ```
 python tools/gencert/cbytes.py device_cert.der
@@ -123,7 +123,7 @@ python tools/gencert/cbytes.py device_cert.der
 
 Copy the byte string portion into the [`attestation.c` source file of Solo](https://github.com/solokeys/solo/blob/master/targets/stm32l432/src/attestation.c).  Overwrite the development or "default" certificate that is already there.
 
-Now [build the Solo firmware](/solo/building), either a secure or hacker build.  You will need to produce a bootloader.hex file and a solo.hex file.
+Now [build the Solo firmware](/solo/building), either a secure or hacker build.  You will need to produce a `bootloader.hex` file and a `solo.hex` file.
 
 Print your attestation key in a hex string format.
 
@@ -131,11 +131,11 @@ Print your attestation key in a hex string format.
 python tools/print_x_y.py device_key.pem
 ```
 
-Merge the bootloader.hex, solo.hex, and attestion key into one firmware file.
+Merge the `bootloader.hex`, `solo.hex`, and attestion key into one firmware file.
 
 ```
 solo mergehex --attestation-key <attestation-key-hex-string> bootloader.hex solo.hex all.hex
 ```
 
-Now you have a newly create `all.hex` file with a custom attestation key.  You can [program this all.hex file
-with Solo in DFU mode](/solo/programming#procedure).
+Now you have a newly create `all.hex` file with a custom attestation key.  You can [program this `all.hex` file
+with Solo in DFU mode](/solo/programming#procedure).

docs/solo/nucleo32-board.md

@@ -85,14 +85,13 @@ brew install arm-none-eabi-gcc
 ### Install flashing software
 
 ST provides a CLI flashing tool - `STM32_Programmer_CLI`. It can be downloaded directly from the vendor's site:
-1\. Go to [download site URL](https://www.st.com/content/st_com/en/products/development-tools/software-development-tools/stm32-software-development-tools/stm32-programmers/stm32cubeprog.html),
-go to bottom page and from STM32CubeProg row select Download button.
-2\. Unzip contents of the archive.
-3\. Run \*Linux setup
-4\. In installation directory go to ./bin - there the ./STM32_Programmer_CLI is located
-5\. Add symlink to the STM32 CLI binary to .local/bin. Make sure the latter it is in $PATH.
+1. Go to [download site URL](https://www.st.com/content/st_com/en/products/development-tools/software-development-tools/stm32-software-development-tools/stm32-programmers/stm32cubeprog.html), go to bottom page and from STM32CubeProg row select Download button.
+2. Unzip contents of the archive.
+3. Run \*Linux setup
+4. In installation directory go to `./bin` - there the `./STM32_Programmer_CLI` is located
+5. Add symlink to the STM32 CLI binary to `.local/bin`. Make sure the latter it is in `$PATH`.
 
-If you're on OsX and installed the STM32CubeProg, you need to add the following to your path:
+If you're on MacOS X and installed the STM32CubeProg, you need to add the following to your path:
 
 ```bash
 # ~/.bash_profile

docs/solo/solo-extras.md

@@ -3,16 +3,16 @@
 ## Random number generation
 
 Solo contains a True Random Number Generator (TRNG).  A TRNG is a hardware based mechanism
-that leverages natural phenomenon to generate random numbers, which is can be better than a traditional
+that leverages natural phenomenon to generate random numbers, which can be better than a traditional
 RNG that has state and updates deterministically using cryptographic methods.
 
-You can easily access the TRNG stream on Solo using our python tool [solo-python](https://github.com/solokeys/solo-python).
+You can easily access the TRNG stream on Solo using our python tool [`solo-python`](https://github.com/solokeys/solo-python).
 
 ```
 solo key rng raw > random.bin
 ```
 
-Or you can seed the state of the RNG on your kernel (/dev/random).
+Or you can seed the state of the RNG on your kernel (`/dev/random`).
 
 ```
 solo key rng feedkernel

fido2/apdu.c

@@ -9,7 +9,7 @@
 
 #include "apdu.h"
 
-int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu) 
+uint16_t apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu) 
 {
     EXT_APDU_HEADER *hapdu = (EXT_APDU_HEADER *)data;
     
@@ -62,6 +62,11 @@ int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu)
     if (len >= 7 && b0 == 0)
     {
         uint16_t extlen = (hapdu->lc[1] << 8) + hapdu->lc[2];
+
+        if (len - 7 < extlen)
+        {
+            return SW_WRONG_LENGTH;
+        }
         
          // case 2E (Le) - extended
         if (len == 7)
@@ -103,9 +108,18 @@ int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu)
             apdu->le = 0x10000;
         }
     }
+    else
+    {
+        if ((len > 5) && (len - 5 < hapdu->lc[0]))
+        {
+            return SW_WRONG_LENGTH;
+        }
+    }
     
     if (!apdu->case_type)
-        return 1;
+    {
+        return SW_COND_USE_NOT_SATISFIED;
+    }
     
     if (apdu->lc)
     {

fido2/apdu.h

@@ -36,7 +36,7 @@ typedef struct
     uint8_t case_type;
 } __attribute__((packed)) APDU_STRUCT;
 
-extern int apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu);
+extern uint16_t apdu_decode(uint8_t *data, size_t len, APDU_STRUCT *apdu);
 
 #define APDU_FIDO_U2F_REGISTER        0x01
 #define APDU_FIDO_U2F_AUTHENTICATE    0x02

fido2/ctap.c

@@ -25,11 +25,11 @@
 #include "extensions.h"
 
 #include "device.h"
+#include "data_migration.h"
 
 uint8_t PIN_TOKEN[PIN_TOKEN_SIZE];
 uint8_t KEY_AGREEMENT_PUB[64];
 static uint8_t KEY_AGREEMENT_PRIV[32];
-static uint8_t PIN_CODE_HASH[32];
 static int8_t PIN_BOOT_ATTEMPTS_LEFT = PIN_BOOT_ATTEMPTS;
 
 AuthenticatorState STATE;
@@ -438,7 +438,11 @@ static int ctap2_user_presence_test()
 {
     device_set_status(CTAPHID_STATUS_UPNEEDED);
     int ret = ctap_user_presence_test(CTAP2_UP_DELAY_MS);
-    if ( ret > 0 )
+    if ( ret > 1 )
+    {
+        return CTAP2_ERR_PROCESSING;
+    }
+    else if ( ret > 0 )
     {
         return CTAP1_ERR_SUCCESS;
     }
@@ -482,11 +486,19 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au
     int but;
 
     but = ctap2_user_presence_test(CTAP2_UP_DELAY_MS);
-    check_retr(but);
+    if (CTAP2_ERR_PROCESSING == but)
+    {
+        authData->head.flags = (0 << 0);        // User presence disabled
+    }
+    else
+    {
+        check_retr(but);
+        authData->head.flags = (1 << 0);        // User presence
+    }
+    
     
     device_set_status(CTAPHID_STATUS_PROCESSING);
 
-    authData->head.flags = (1 << 0);        // User presence
     authData->head.flags |= (ctap_is_pin_set() << 2);
 
 
@@ -670,7 +682,16 @@ int ctap_authenticate_credential(struct rpId * rp, CTAP_credentialDescriptor * d
     switch(desc->type)
     {
         case PUB_KEY_CRED_PUB_KEY:
-            make_auth_tag(desc->credential.id.rpIdHash, desc->credential.id.nonce, desc->credential.id.count, tag);
+            crypto_sha256_init();
+            crypto_sha256_update(rp->id, rp->size);
+            crypto_sha256_final(rpIdHash);
+
+            printf1(TAG_RED,"rpId: %s\r\n", rp->id); dump_hex1(TAG_RED,rp->id, rp->size);
+            if (memcmp(desc->credential.id.rpIdHash, rpIdHash, 32) != 0)
+            {
+                return 0;
+            }
+            make_auth_tag(rpIdHash, desc->credential.id.nonce, desc->credential.id.count, tag);
             return (memcmp(desc->credential.id.tag, tag, CREDENTIAL_TAG_SIZE) == 0);
         break;
         case PUB_KEY_CRED_CTAP1:
@@ -734,7 +755,7 @@ uint8_t ctap_make_credential(CborEncoder * encoder, uint8_t * request, int lengt
         }
     }
 
-    if (MC.up)
+    if (MC.up == 1 || MC.up == 0)
     {
         return CTAP2_ERR_INVALID_OPTION;
     }
@@ -1227,8 +1248,9 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
     else
 #endif
     {
-
+        device_disable_up(GA.up == 0);
         ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &auth_data_buf_sz, NULL);
+        device_disable_up(false);
         check_retr(ret);
 
         ((CTAP_authDataHeader *)auth_data_buf)->flags &= ~(1 << 2);
@@ -1286,11 +1308,13 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
     uint8_t hmac[32];
     int ret;
 
+//    Validate incoming data packet len
     if (len < 64)
     {
         return CTAP1_ERR_OTHER;
     }
 
+//    Validate device's state
     if (ctap_is_pin_set())  // Check first, prevent SCA
     {
         if (ctap_device_locked())
@@ -1303,6 +1327,7 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
         }
     }
 
+//    calculate shared_secret
     crypto_ecc256_shared_secret(platform_pubkey, KEY_AGREEMENT_PRIV, shared_secret);
 
     crypto_sha256_init();
@@ -1325,6 +1350,7 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
         return CTAP2_ERR_PIN_AUTH_INVALID;
     }
 
+//     decrypt new PIN with shared secret
     crypto_aes256_init(shared_secret, NULL);
 
     while((len & 0xf) != 0) // round up to nearest  AES block size multiple
@@ -1334,7 +1360,7 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
 
     crypto_aes256_decrypt(pinEnc, len);
 
-
+//      validate new PIN (length)
 
     ret = trailing_zeros(pinEnc, NEW_PIN_ENC_MIN_SIZE - 1);
     ret = NEW_PIN_ENC_MIN_SIZE  - ret;
@@ -1350,6 +1376,8 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
         dump_hex1(TAG_CP, pinEnc, ret);
     }
 
+//    validate device's state, decrypt and compare pinHashEnc (user provided current PIN hash) with stored PIN_CODE_HASH
+
     if (ctap_is_pin_set())
     {
         if (ctap_device_locked())
@@ -1362,7 +1390,14 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
         }
         crypto_aes256_reset_iv(NULL);
         crypto_aes256_decrypt(pinHashEnc, 16);
-        if (memcmp(pinHashEnc, PIN_CODE_HASH, 16) != 0)
+
+        uint8_t pinHashEncSalted[32];
+        crypto_sha256_init();
+        crypto_sha256_update(pinHashEnc, 16);
+        crypto_sha256_update(STATE.PIN_SALT, sizeof(STATE.PIN_SALT));
+        crypto_sha256_final(pinHashEncSalted);
+
+        if (memcmp(pinHashEncSalted, STATE.PIN_CODE_HASH, 16) != 0)
         {
             ctap_reset_key_agreement();
             ctap_decrement_pin_attempts();
@@ -1378,6 +1413,7 @@ uint8_t ctap_update_pin_if_verified(uint8_t * pinEnc, int len, uint8_t * platfor
         }
     }
 
+//      set new PIN (update and store PIN_CODE_HASH)
     ctap_update_pin(pinEnc, ret);
 
     return 0;
@@ -1397,12 +1433,16 @@ uint8_t ctap_add_pin_if_verified(uint8_t * pinTokenEnc, uint8_t * platform_pubke
 
     crypto_aes256_decrypt(pinHashEnc, 16);
 
-
-    if (memcmp(pinHashEnc, PIN_CODE_HASH, 16) != 0)
+    uint8_t pinHashEncSalted[32];
+    crypto_sha256_init();
+    crypto_sha256_update(pinHashEnc, 16);
+    crypto_sha256_update(STATE.PIN_SALT, sizeof(STATE.PIN_SALT));
+    crypto_sha256_final(pinHashEncSalted);
+    if (memcmp(pinHashEncSalted, STATE.PIN_CODE_HASH, 16) != 0)
     {
         printf2(TAG_ERR,"Pin does not match!\n");
         printf2(TAG_ERR,"platform-pin-hash: "); dump_hex1(TAG_ERR, pinHashEnc, 16);
-        printf2(TAG_ERR,"authentic-pin-hash: "); dump_hex1(TAG_ERR, PIN_CODE_HASH, 16);
+        printf2(TAG_ERR,"authentic-pin-hash: "); dump_hex1(TAG_ERR, STATE.PIN_CODE_HASH, 16);
         printf2(TAG_ERR,"shared-secret: "); dump_hex1(TAG_ERR, shared_secret, 32);
         printf2(TAG_ERR,"platform-pubkey: "); dump_hex1(TAG_ERR, platform_pubkey, 64);
         printf2(TAG_ERR,"device-pubkey: "); dump_hex1(TAG_ERR, KEY_AGREEMENT_PUB, 64);
@@ -1710,8 +1750,18 @@ static void ctap_state_init()
     STATE.remaining_tries = PIN_LOCKOUT_ATTEMPTS;
     STATE.is_pin_set = 0;
     STATE.rk_stored = 0;
+    STATE.data_version = STATE_VERSION;
 
     ctap_reset_rk();
+
+    if (ctap_generate_rng(STATE.PIN_SALT, sizeof(STATE.PIN_SALT)) != 1) {
+        printf2(TAG_ERR, "Error, rng failed\n");
+        exit(1);
+    }
+
+    printf1(TAG_STOR, "Generated PIN SALT: ");
+    dump_hex1(TAG_STOR, STATE.PIN_SALT, sizeof STATE.PIN_SALT);
+
 }
 
 void ctap_init()
@@ -1744,14 +1794,12 @@ void ctap_init()
         }
     }
 
+    do_migration_if_required(&STATE);
+
     crypto_load_master_secret(STATE.key_space);
 
     if (ctap_is_pin_set())
     {
-        printf1(TAG_STOR,"pin code: \"%s\"\n", STATE.pin_code);
-        crypto_sha256_init();
-        crypto_sha256_update(STATE.pin_code, STATE.pin_code_length);
-        crypto_sha256_final(PIN_CODE_HASH);
         printf1(TAG_STOR, "attempts_left: %d\n", STATE.remaining_tries);
     }
     else
@@ -1783,34 +1831,38 @@ uint8_t ctap_is_pin_set()
     return STATE.is_pin_set == 1;
 }
 
-uint8_t ctap_pin_matches(uint8_t * pin, int len)
-{
-    return memcmp(pin, STATE.pin_code, len) == 0;
-}
-
-
+/**
+ * Set new PIN, by updating PIN hash. Save state.
+ * Globals: STATE
+ * @param pin new PIN (raw)
+ * @param len pin array length
+ */
 void ctap_update_pin(uint8_t * pin, int len)
 {
-    if (len > NEW_PIN_ENC_MIN_SIZE || len < 4)
+    if (len >= NEW_PIN_ENC_MIN_SIZE || len < 4)
     {
         printf2(TAG_ERR, "Update pin fail length\n");
         exit(1);
     }
-    memset(STATE.pin_code, 0, NEW_PIN_ENC_MIN_SIZE);
-    memmove(STATE.pin_code, pin, len);
-    STATE.pin_code_length = len;
-    STATE.pin_code[NEW_PIN_ENC_MIN_SIZE - 1] = 0;
 
     crypto_sha256_init();
-    crypto_sha256_update(STATE.pin_code, len);
-    crypto_sha256_final(PIN_CODE_HASH);
+    crypto_sha256_update(pin, len);
+    uint8_t intermediateHash[32];
+    crypto_sha256_final(intermediateHash);
+
+    crypto_sha256_init();
+    crypto_sha256_update(intermediateHash, 16);
+    memset(intermediateHash, 0, sizeof(intermediateHash));
+    crypto_sha256_update(STATE.PIN_SALT, sizeof(STATE.PIN_SALT));
+    crypto_sha256_final(STATE.PIN_CODE_HASH);
 
     STATE.is_pin_set = 1;
 
     authenticator_write_state(&STATE, 1);
     authenticator_write_state(&STATE, 0);
 
-    printf1(TAG_CTAP, "New pin set: %s\n", STATE.pin_code);
+    printf1(TAG_CTAP, "New pin set: %s [%d]\n", pin, len);
+    dump_hex1(TAG_ERR, STATE.PIN_CODE_HASH, sizeof(STATE.PIN_CODE_HASH));
 }
 
 uint8_t ctap_decrement_pin_attempts()
@@ -1827,9 +1879,7 @@ uint8_t ctap_decrement_pin_attempts()
 
         if (ctap_device_locked())
         {
-            memset(PIN_TOKEN,0,sizeof(PIN_TOKEN));
-            memset(PIN_CODE_HASH,0,sizeof(PIN_CODE_HASH));
-            printf1(TAG_CP, "Device locked!\n");
+            lock_device_permanently();
         }
     }
     else
@@ -1985,8 +2035,17 @@ void ctap_reset()
     }
 
     ctap_reset_state();
-    memset(PIN_CODE_HASH,0,sizeof(PIN_CODE_HASH));
     ctap_reset_key_agreement();
 
     crypto_load_master_secret(STATE.key_space);
 }
+
+void lock_device_permanently() {
+    memset(PIN_TOKEN, 0, sizeof(PIN_TOKEN));
+    memset(STATE.PIN_CODE_HASH, 0, sizeof(STATE.PIN_CODE_HASH));
+
+    printf1(TAG_CP, "Device locked!\n");
+
+    authenticator_write_state(&STATE, 0);
+    authenticator_write_state(&STATE, 1);
+}

fido2/ctap.h

@@ -359,5 +359,6 @@ uint16_t ctap_key_len(uint8_t index);
 extern uint8_t PIN_TOKEN[PIN_TOKEN_SIZE];
 extern uint8_t KEY_AGREEMENT_PUB[64];
 
+void lock_device_permanently();
 
 #endif

fido2/ctap_parse.c

@@ -715,6 +715,7 @@ uint8_t ctap_parse_make_credential(CTAP_makeCredential * MC, CborEncoder * encod
     CborValue it,map;
 
     memset(MC, 0, sizeof(CTAP_makeCredential));
+    MC->up = 0xff;
     ret = cbor_parser_init(request, length, CborValidateCanonicalFormat, &parser, &it);
     check_retr(ret);
 
@@ -1010,6 +1011,7 @@ uint8_t ctap_parse_get_assertion(CTAP_getAssertion * GA, uint8_t * request, int
 
     memset(GA, 0, sizeof(CTAP_getAssertion));
     GA->creds = getAssertionState.creds;     // Save stack memory
+    GA->up = 0xff;
 
     ret = cbor_parser_init(request, length, CborValidateCanonicalFormat, &parser, &it);
     check_ret(ret);

fido2/ctaphid.c

@@ -16,6 +16,7 @@
 #include "util.h"
 #include "log.h"
 #include "extensions.h"
+#include "version.h"
 
 // move custom SHA512 command out,
 // and the following headers too
@@ -729,155 +730,22 @@ uint8_t ctaphid_handle_packet(uint8_t * pkt_raw)
             is_busy = 0;
         break;
 #endif
-#if defined(SOLO_HACKER) && (DEBUG_LEVEL > 0) && (!IS_BOOTLOADER == 1)
-        case CTAPHID_PROBE:
 
-            /*
-             * Expects CBOR-serialized data of the form
-             * {"subcommand": "hash_type", "data": b"the_data"}
-             * with hash_type in SHA256, SHA512
-             */
-
-            // some random logging
-            printf1(TAG_HID,"CTAPHID_PROBE\n");
-            // initialise CTAP response object
+        case CTAPHID_GETVERSION:
+            printf1(TAG_HID,"CTAPHID_GETVERSION\n");
             ctap_response_init(&ctap_resp);
-            // initialise write buffer
             ctaphid_write_buffer_init(&wb);
             wb.cid = cid;
-            wb.cmd = CTAPHID_PROBE;
-
-            // prepare parsing (or halt)
-            int ret;
-            CborParser parser;
-            CborValue it, map;
-            ret = cbor_parser_init(
-                ctap_buffer, (size_t) buffer_len(),
-                // strictly speaking, CTAP is not RFC canonical...
-                CborValidateCanonicalFormat,
-                &parser, &it);
-            check_hardcore(ret);
-
-            CborType type = cbor_value_get_type(&it);
-            if (type != CborMapType) exit(1);
-
-            ret = cbor_value_enter_container(&it,&map);
-            check_hardcore(ret);
-
-            size_t map_length = 0;
-            ret = cbor_value_get_map_length(&it, &map_length);
-            if (map_length != 2) exit(1);
-
-            // parse subcommand (or halt)
-            CborValue val;
-            ret = cbor_value_map_find_value(&it, "subcommand", &val);
-            check_hardcore(ret);
-            if (!cbor_value_is_text_string(&val))
-                exit(1);
-
-            int sha_version = 0;
-            bool found = false;
-            if (!found) {
-                ret = cbor_value_text_string_equals(
-                        &val, "SHA256", &found);
-                check_hardcore(ret);
-                if (found)
-                    sha_version = 256;
-            }
-            if (!found) {
-                ret = cbor_value_text_string_equals(
-                        &val, "SHA512", &found);
-                check_hardcore(ret);
-                if (found)
-                    sha_version = 512;
-            }
-            if (sha_version == 0)
-                exit(1);
-
-            // parse data (or halt)
-            ret = cbor_value_map_find_value(&it, "data", &val);
-            check_hardcore(ret);
-            if (!cbor_value_is_byte_string(&val))
-                exit(1);
-
-            size_t data_length = 0;
-            ret = cbor_value_calculate_string_length(&val, &data_length);
-            check_hardcore(ret);
-            if (data_length > 6*1024)
-                exit(1);
-
-            unsigned char data[6*1024];
-            ret = cbor_value_copy_byte_string (
-                    &val, &data[0], &data_length, &val);
-            check_hardcore(ret);
-
-            // execute subcommand
-            if (sha_version == 256) {
-                // calculate hash
-                crypto_sha256_init();
-                crypto_sha256_update(data, data_length);
-                crypto_sha256_final(ctap_buffer);
-                // write output
-                wb.bcnt = CF_SHA256_HASHSZ;  // 32 bytes
-                ctaphid_write(&wb, &ctap_buffer, CF_SHA256_HASHSZ);
-            }
-
-            if (sha_version == 512) {
-                // calculate hash
-                crypto_sha512_init();
-                crypto_sha512_update(data, data_length);
-                crypto_sha512_final(ctap_buffer);
-                // write output
-                wb.bcnt = CF_SHA512_HASHSZ;  // 64 bytes
-                ctaphid_write(&wb, &ctap_buffer, CF_SHA512_HASHSZ);
-            }
-
-            // finalize
+            wb.cmd = CTAPHID_GETVERSION;
+            wb.bcnt = 3;
+            ctap_buffer[0] = SOLO_VERSION_MAJ;
+            ctap_buffer[1] = SOLO_VERSION_MIN;
+            ctap_buffer[2] = SOLO_VERSION_PATCH;
+            ctaphid_write(&wb, &ctap_buffer, 3);
             ctaphid_write(&wb, NULL, 0);
             is_busy = 0;
         break;
 
-        /*
-        case CTAPHID_SHA256:
-            // some random logging
-            printf1(TAG_HID,"CTAPHID_SHA256\n");
-            // initialise CTAP response object
-            ctap_response_init(&ctap_resp);
-            // initialise write buffer
-            ctaphid_write_buffer_init(&wb);
-            wb.cid = cid;
-            wb.cmd = CTAPHID_SHA256;
-            wb.bcnt = CF_SHA256_HASHSZ;  // 32 bytes
-            // calculate hash
-            crypto_sha256_init();
-            crypto_sha256_update(ctap_buffer, buffer_len());
-            crypto_sha256_final(ctap_buffer);
-            // copy to output
-            ctaphid_write(&wb, &ctap_buffer, CF_SHA256_HASHSZ);
-            ctaphid_write(&wb, NULL, 0);
-            is_busy = 0;
-        break;
-        case CTAPHID_SHA512:
-            // some random logging
-            printf1(TAG_HID,"CTAPHID_SHA512\n");
-            // initialise CTAP response object
-            ctap_response_init(&ctap_resp);
-            // initialise write buffer
-            ctaphid_write_buffer_init(&wb);
-            wb.cid = cid;
-            wb.cmd = CTAPHID_SHA512;
-            wb.bcnt = CF_SHA512_HASHSZ;  // 64 bytes
-            // calculate hash
-            crypto_sha512_init();
-            crypto_sha512_update(ctap_buffer, buffer_len());
-            crypto_sha512_final(ctap_buffer);
-            // copy to output
-            ctaphid_write(&wb, &ctap_buffer, CF_SHA512_HASHSZ);
-            ctaphid_write(&wb, NULL, 0);
-            is_busy = 0;
-        break;
-        */
-#endif
         default:
             printf2(TAG_ERR,"error, unimplemented HID cmd: %02x\r\n", buffer_cmd());
             ctaphid_send_error(cid, CTAP1_ERR_INVALID_COMMAND);

fido2/ctaphid.h

@@ -28,6 +28,7 @@
 #define CTAPHID_ENTERBOOT       (TYPE_INIT | 0x51)
 #define CTAPHID_ENTERSTBOOT     (TYPE_INIT | 0x52)
 #define CTAPHID_GETRNG          (TYPE_INIT | 0x60)
+#define CTAPHID_GETVERSION      (TYPE_INIT | 0x61)
 // reserved for debug, not implemented except for HACKER and DEBUG_LEVEl > 0
 #define CTAPHID_PROBE           (TYPE_INIT | 0x70)
 

fido2/data_migration.c

@@ -0,0 +1,91 @@
+// Copyright 2019 SoloKeys Developers
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// http://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// http://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
+
+#include "data_migration.h"
+#include "log.h"
+#include "device.h"
+#include "crypto.h"
+
+// TODO move from macro to function/assert for better readability?
+#define check(x) assert(state_prev_0xff->x == state_tmp_ptr->x);
+#define check_buf(x) assert(memcmp(state_prev_0xff->x, state_tmp_ptr->x, sizeof(state_tmp_ptr->x)) == 0);
+
+bool migrate_from_FF_to_01(AuthenticatorState_0xFF* state_prev_0xff, AuthenticatorState_0x01* state_tmp_ptr){
+    // Calculate PIN hash, and replace PIN raw storage with it; add version to structure
+    // other ingredients do not change
+    if (state_tmp_ptr->data_version != 0xFF)
+        return false;
+
+    static_assert(sizeof(AuthenticatorState_0xFF) <= sizeof(AuthenticatorState_0x01), "New state structure is smaller, than current one, which is not handled");
+
+    if (ctap_generate_rng(state_tmp_ptr->PIN_SALT, sizeof(state_tmp_ptr->PIN_SALT)) != 1) {
+        printf2(TAG_ERR, "Error, rng failed\n");
+        return false;
+    }
+    if (state_prev_0xff->is_pin_set){
+        crypto_sha256_init();
+        crypto_sha256_update(state_prev_0xff->pin_code, state_prev_0xff->pin_code_length);
+        uint8_t intermediateHash[32];
+        crypto_sha256_final(intermediateHash);
+
+        crypto_sha256_init();
+        crypto_sha256_update(intermediateHash, 16);
+        memset(intermediateHash, 0, sizeof(intermediateHash));
+        crypto_sha256_update(state_tmp_ptr->PIN_SALT, sizeof(state_tmp_ptr->PIN_SALT));
+        crypto_sha256_final(state_tmp_ptr->PIN_CODE_HASH);
+    }
+
+    assert(state_tmp_ptr->_reserved == state_prev_0xff->pin_code_length);
+    state_tmp_ptr->_reserved = 0xFF;
+    state_tmp_ptr->data_version = 1;
+
+    check(is_initialized);
+    check(is_pin_set);
+    check(remaining_tries);
+    check(rk_stored);
+    check_buf(key_lens);
+    check_buf(key_space);
+    assert(state_tmp_ptr->data_version != 0xFF);
+
+    return true;
+}
+
+void save_migrated_state(AuthenticatorState *state_tmp_ptr) {
+    memmove(&STATE, state_tmp_ptr, sizeof(AuthenticatorState));
+    authenticator_write_state(state_tmp_ptr, 0);
+    authenticator_write_state(state_tmp_ptr, 1);
+}
+
+void do_migration_if_required(AuthenticatorState* state_current){
+    // Currently handles only state structures with the same size, or bigger
+    // FIXME rework to raw buffers with fixed size to allow state structure size decrease
+    if(!state_current->is_initialized)
+        return;
+
+    AuthenticatorState state_tmp;
+    AuthenticatorState state_previous;
+    authenticator_read_state(&state_previous);
+    authenticator_read_state(&state_tmp);
+    if(state_current->data_version == 0xFF){
+        printf2(TAG_ERR, "Running migration\n");
+        bool success = migrate_from_FF_to_01((AuthenticatorState_0xFF *) &state_previous, &state_tmp);
+        if (!success){
+            printf2(TAG_ERR, "Failed migration from 0xFF to 1\n");
+            // FIXME discuss migration failure behavior
+            goto return_cleanup;
+        }
+        dump_hex1(TAG_ERR, (void*)&state_tmp, sizeof(state_tmp));
+        dump_hex1(TAG_ERR, (void*)&state_previous, sizeof(state_previous));
+        save_migrated_state(&state_tmp);
+    }
+
+    assert(state_current->data_version == STATE_VERSION);
+
+    return_cleanup:
+    memset(&state_tmp, 0, sizeof(AuthenticatorState));
+    memset(&state_previous, 0, sizeof(AuthenticatorState));
+}

fido2/data_migration.h

@@ -0,0 +1,15 @@
+// Copyright 2019 SoloKeys Developers
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// http://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// http://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
+
+#ifndef FIDO2_PR_DATA_MIGRATION_H
+#define FIDO2_PR_DATA_MIGRATION_H
+
+#include "storage.h"
+
+void do_migration_if_required(AuthenticatorState* state_current);
+
+#endif //FIDO2_PR_DATA_MIGRATION_H

fido2/device.h

@@ -53,7 +53,7 @@ void device_set_status(uint32_t status);
 int device_is_button_pressed();
 
 // Test for user presence
-// Return 1 for user is present, 0 user not present, -1 if cancel is requested.
+// Return 2 for disabled, 1 for user is present, 0 user not present, -1 if cancel is requested.
 int ctap_user_presence_test(uint32_t delay);
 
 // Generate @num bytes of random numbers to @dest
@@ -106,7 +106,7 @@ void device_set_clock_rate(DEVICE_CLOCK_RATE param);
 #define NFC_IS_AVAILABLE 2
 int device_is_nfc();
 
-void request_from_nfc(bool request_active);
+void device_disable_up(bool request_active);
 
 void device_init_button();
 

fido2/extensions/wallet.c

@@ -95,7 +95,7 @@ int8_t wallet_pin(uint8_t subcmd, uint8_t * pinAuth, uint8_t * arg1, uint8_t * a
             if (ret != 0)
                 return ret;
 
-            printf1(TAG_WALLET,"Success.  Pin = %s\n", STATE.pin_code);
+//            printf1(TAG_WALLET,"Success.  Pin = %s\n", STATE.pin_code);
 
             break;
         case CP_cmdChangePin:

fido2/storage.h

@@ -11,6 +11,9 @@
 
 #define KEY_SPACE_BYTES     128
 #define MAX_KEYS            (1)
+#define PIN_SALT_LEN        (32)
+#define STATE_VERSION        (1)
+
 
 #define BACKUP_MARKER       0x5A
 #define INITIALIZED_MARKER  0xA5
@@ -19,20 +22,40 @@
 #define ERR_KEY_SPACE_TAKEN (-2)
 #define ERR_KEY_SPACE_EMPTY (-2)
 
+typedef struct
+{
+  // Pin information
+  uint8_t is_initialized;
+  uint8_t is_pin_set;
+  uint8_t pin_code[NEW_PIN_ENC_MIN_SIZE];
+  int pin_code_length;
+  int8_t remaining_tries;
+
+  uint16_t rk_stored;
+
+  uint16_t key_lens[MAX_KEYS];
+  uint8_t key_space[KEY_SPACE_BYTES];
+} AuthenticatorState_0xFF;
+
+
 typedef struct
 {
     // Pin information
     uint8_t is_initialized;
     uint8_t is_pin_set;
-    uint8_t pin_code[NEW_PIN_ENC_MIN_SIZE];
-    int pin_code_length;
+    uint8_t PIN_CODE_HASH[32];
+    uint8_t PIN_SALT[PIN_SALT_LEN];
+    int _reserved;
     int8_t remaining_tries;
 
     uint16_t rk_stored;
 
     uint16_t key_lens[MAX_KEYS];
     uint8_t key_space[KEY_SPACE_BYTES];
-} AuthenticatorState;
+    uint8_t data_version;
+} AuthenticatorState_0x01;
+
+typedef AuthenticatorState_0x01 AuthenticatorState;
 
 
 typedef struct

fido2/u2f.c

@@ -118,9 +118,9 @@ void u2f_request_nfc(uint8_t * header, uint8_t * data, int datalen, CTAP_RESPONS
 	if (!header)
 		return;
 
-    request_from_nfc(true);  // disable presence test
+    device_disable_up(true);  // disable presence test
 	u2f_request_ex((APDU_HEADER *)header, data, datalen, resp);
-    request_from_nfc(false); // enable presence test
+    device_disable_up(false); // enable presence test
 }
 
 void u2f_request(struct u2f_request_apdu* req, CTAP_RESPONSE * resp)

pc/device.c

@@ -26,6 +26,7 @@
 #define RK_NUM  50
 
 bool use_udp = true;
+static bool _up_disabled = false;
 
 struct ResidentKeyStore {
     CTAP_residentKey rks[RK_NUM];
@@ -299,6 +300,10 @@ void ctaphid_write_block(uint8_t * data)
 
 int ctap_user_presence_test(uint32_t d)
 {
+    if (_up_disabled)
+    {
+        return 2;
+    }
     return 1;
 }
 
@@ -633,6 +638,11 @@ int device_is_nfc()
     return 0;
 }
 
+void device_disable_up(bool disable)
+{
+    _up_disabled = disable;
+}
+
 void device_set_clock_rate(DEVICE_CLOCK_RATE param)
 {
 

targets/stm32l432/build/application.mk

@@ -10,6 +10,7 @@ SRC += $(DRIVER_LIBS) $(USB_LIB)
 SRC += ../../fido2/apdu.c ../../fido2/util.c ../../fido2/u2f.c ../../fido2/test_power.c
 SRC += ../../fido2/stubs.c ../../fido2/log.c  ../../fido2/ctaphid.c  ../../fido2/ctap.c
 SRC += ../../fido2/ctap_parse.c ../../fido2/main.c
+SRC += ../../fido2/data_migration.c
 SRC += ../../fido2/extensions/extensions.c ../../fido2/extensions/solo.c
 SRC += ../../fido2/extensions/wallet.c
 

targets/stm32l432/src/device.c

@@ -45,7 +45,7 @@ uint32_t __last_update = 0;
 extern PCD_HandleTypeDef hpcd;
 static int _NFC_status = 0;
 static bool isLowFreq = 0;
-static bool _RequestComeFromNFC = false;
+static bool _up_disabled = false;
 
 // #define IS_BUTTON_PRESSED()         (0  == (LL_GPIO_ReadInputPort(SOLO_BUTTON_PORT) & SOLO_BUTTON_PIN))
 static int is_physical_button_pressed()
@@ -92,8 +92,8 @@ static void edge_detect_touch_button()
 
 }
 
-void request_from_nfc(bool request_active) {
-    _RequestComeFromNFC = request_active;
+void device_disable_up(bool disable) {
+    _up_disabled = disable;
 }
 
 // Timer6 overflow handler.  happens every ~90ms.
@@ -582,11 +582,17 @@ static int wait_for_button_release(uint32_t wait)
 int ctap_user_presence_test(uint32_t up_delay)
 {
     int ret;
-    if (device_is_nfc() == NFC_IS_ACTIVE || _RequestComeFromNFC)
+
+    if (device_is_nfc() == NFC_IS_ACTIVE)
     {
         return 1;
     }
 
+    if (_up_disabled)
+    {
+        return 2;
+    }
+
 #if SKIP_BUTTON_CHECK_WITH_DELAY
     int i=500;
     while(i--)

targets/stm32l432/src/nfc.c

@@ -18,6 +18,18 @@
 static uint8_t chain_buffer[2048] = {0};
 static size_t chain_buffer_len = 0;
 static bool chain_buffer_tx = false;
+static uint8_t current_cid = 0;
+
+// forward declarations
+void rblock_acknowledge(uint8_t req0, bool ack);
+
+uint8_t p14443_have_cid(uint8_t pcb) {
+    // CID 
+    if (pcb & 0x08)
+        return true;
+    else
+        return false;
+}
 
 uint8_t p14443_block_offset(uint8_t pcb) {
     uint8_t offset = 1;
@@ -191,7 +203,7 @@ bool nfc_write_response_ex(uint8_t req0, uint8_t * data, uint8_t len, uint16_t r
 		return false;
 
 	res[0] = NFC_CMD_IBLOCK | (req0 & 0x0f);
-    res[1] = 0;
+    res[1] = current_cid;
     res[2] = 0;
 
     uint8_t block_offset = p14443_block_offset(req0);
@@ -228,6 +240,8 @@ void nfc_write_response_chaining_plain(uint8_t req0, uint8_t * data, int len)
 	{
 		uint8_t res[32] = {0};
         res[0] = iBlock;
+        res[1] = current_cid;
+        res[2] = 0;
 		if (len && data)
 			memcpy(&res[block_offset], data, len);
 		nfc_write_frame(res, len + block_offset);
@@ -237,7 +251,7 @@ void nfc_write_response_chaining_plain(uint8_t req0, uint8_t * data, int len)
 			// transmit I block
 			int vlen = MIN(32 - block_offset, len - sendlen);
             res[0] = iBlock;
-            res[1] = 0;
+            res[1] = current_cid;
             res[2] = 0;
 			memcpy(&res[block_offset], &data[sendlen], vlen);
 
@@ -268,6 +282,20 @@ void nfc_write_response_chaining_plain(uint8_t req0, uint8_t * data, int len)
 					printf1(TAG_NFC, "R block RX timeout %d/%d.\r\n",sendlen,len);
 					break;
 				}
+                
+                if (!IS_RBLOCK(recbuf[0]))
+                {
+					printf1(TAG_NFC, "R block RX error. Not a R block(0x%02x) %d/%d.\r\n", recbuf[0], sendlen, len);
+					break;
+				}
+                
+                // NAK check
+                if (recbuf[0] & NFC_CMD_RBLOCK_ACK)
+                {
+                    rblock_acknowledge(recbuf[0], true);
+					printf1(TAG_NFC, "R block RX error. NAK received. %d/%d.\r\n", recbuf[0], sendlen, len);
+					break;
+                }
 
                 uint8_t rblock_offset = p14443_block_offset(recbuf[0]);
 				if (reclen != rblock_offset)
@@ -466,7 +494,9 @@ void rblock_acknowledge(uint8_t req0, bool ack)
     NFC_STATE.block_num = !NFC_STATE.block_num;
 
     buf[0] = NFC_CMD_RBLOCK | (req0 & 0x0f);
-    if (ack)
+    buf[1] = current_cid;
+    // iso14443-4:2001 page 16. ACK, if bit is set to 0, NAK, if bit is set to 1
+    if (!ack)
         buf[0] |= NFC_CMD_RBLOCK_ACK;
 
     nfc_write_frame(buf, block_offset);
@@ -701,10 +731,10 @@ void apdu_process(uint8_t buf0, uint8_t *apduptr, APDU_STRUCT *apdu)
 			printf1(TAG_NFC, "FIDO2 CTAP message. %d\r\n", timestamp());
 
 			// WTX_on(WTX_TIME_DEFAULT);
-            request_from_nfc(true);
+            device_disable_up(true);
             ctap_response_init(&ctap_resp);
             status = ctap_request(apdu->data, apdu->lc, &ctap_resp);
-            request_from_nfc(false);
+            device_disable_up(false);
 			// if (!WTX_off())
 			// 	return;
 
@@ -784,9 +814,10 @@ void nfc_process_iblock(uint8_t * buf, int len)
     }
     
     APDU_STRUCT apdu;
-    if (apdu_decode(buf + block_offset, len - block_offset, &apdu)) {
+    uint16_t ret = apdu_decode(buf + block_offset, len - block_offset, &apdu);
+    if (ret != 0) {
         printf1(TAG_NFC,"apdu decode error\r\n");
-        nfc_write_response(buf[0], SW_COND_USE_NOT_SATISFIED);
+        nfc_write_response(buf[0], ret);
         return;
     }
     printf1(TAG_NFC,"apdu ok. %scase=%02x cla=%02x ins=%02x p1=%02x p2=%02x lc=%d le=%d\r\n", 
@@ -851,6 +882,8 @@ void nfc_process_block(uint8_t * buf, unsigned int len)
     else if (IS_IBLOCK(buf[0]))
     {
         uint8_t block_offset = p14443_block_offset(buf[0]);
+        if (p14443_have_cid(buf[0])) 
+            current_cid = buf[1];
 		if (buf[0] & 0x10)
 		{
 			printf1(TAG_NFC_APDU, "NFC_CMD_IBLOCK chaining blen=%d len=%d offs=%d\r\n", ibuflen, len, block_offset);
@@ -901,7 +934,9 @@ void nfc_process_block(uint8_t * buf, unsigned int len)
     }
     else if (IS_RBLOCK(buf[0]))
     {
-        rblock_acknowledge(buf[0], false);
+        if (p14443_have_cid(buf[0])) 
+            current_cid = buf[1];
+        rblock_acknowledge(buf[0], true);
         printf1(TAG_NFC, "NFC_CMD_RBLOCK\r\n");
     }
     else if (IS_SBLOCK(buf[0]))
@@ -910,7 +945,10 @@ void nfc_process_block(uint8_t * buf, unsigned int len)
         if ((buf[0] & NFC_SBLOCK_DESELECT) == 0)
         {
             printf1(TAG_NFC, "NFC_CMD_SBLOCK, DESELECTED\r\n");
-            nfc_write_frame(buf, 1);
+            uint8_t block_offset = p14443_block_offset(buf[0]);
+            if (p14443_have_cid(buf[0])) 
+                current_cid = buf[1];
+            nfc_write_frame(buf, block_offset);
             ams_wait_for_tx(2);
             ams_write_command(AMS_CMD_SLEEP);
             nfc_state_init();

targets/stm32l432/src/nfc.h

@@ -34,9 +34,9 @@ typedef struct
 #define IS_PPSS_CMD(x)                (((x) & 0xf0) == NFC_CMD_PPSS)
 #define NFC_CMD_IBLOCK                0x00
 #define IS_IBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_IBLOCK) && (((x) & 0x02) == 0x02) )
-#define NFC_CMD_RBLOCK                0x80
-#define NFC_CMD_RBLOCK_ACK            0x20
-#define IS_RBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_RBLOCK) && (((x) & 0x02) == 0x02) )
+#define NFC_CMD_RBLOCK                0xa0
+#define NFC_CMD_RBLOCK_ACK            0x10
+#define IS_RBLOCK(x)                  ( (((x) & 0xe0) == NFC_CMD_RBLOCK) && (((x) & 0x02) == 0x02) )
 #define NFC_CMD_SBLOCK                0xc0
 #define IS_SBLOCK(x)                  ( (((x) & 0xc0) == NFC_CMD_SBLOCK) && (((x) & 0x02) == 0x02) )