mirror of
https://github.com/RIOT-OS/RIOT.git
synced 2025-01-18 12:52:44 +01:00
1846 lines
50 KiB
C
1846 lines
50 KiB
C
/*
|
|
* Copyright (C) 2021 Freie Universität Berlin
|
|
*
|
|
* This file is subject to the terms and conditions of the GNU Lesser
|
|
* General Public License v2.1. See the file LICENSE in the top level
|
|
* directory for more details.
|
|
*/
|
|
|
|
/**
|
|
* @ingroup fido2_ctap
|
|
* @{
|
|
* @file
|
|
*
|
|
* @author Nils Ollrogge <nils.ollrogge@fu-berlin.de>
|
|
* @}
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <assert.h>
|
|
|
|
#include "errno.h"
|
|
#include "fmt.h"
|
|
#include "ztimer.h"
|
|
#include "byteorder.h"
|
|
|
|
#include "fido2/ctap/transport/ctap_transport.h"
|
|
#include "fido2/ctap.h"
|
|
#include "fido2/ctap/ctap_utils.h"
|
|
#include "fido2/ctap/ctap_cbor.h"
|
|
#include "fido2/ctap/ctap_mem.h"
|
|
|
|
#if IS_USED(MODULE_FIDO2_CTAP_TRANSPORT_HID)
|
|
#include "fido2/ctap/transport/hid/ctap_hid.h"
|
|
#endif
|
|
|
|
#define ENABLE_DEBUG (0)
|
|
#include "debug.h"
|
|
|
|
/**
|
|
* @brief CTAP get_assertion state
|
|
*/
|
|
typedef struct {
|
|
ctap_resident_key_t rks[CTAP_MAX_EXCLUDE_LIST_SIZE]; /**< eligible resident keys found */
|
|
uint8_t count; /**< number of rks found */
|
|
uint8_t cred_counter; /**< amount of creds sent to host */
|
|
uint32_t timer; /**< time gap between get_next_assertion calls in milliseconds */
|
|
bool uv; /**< indicate if user verified */
|
|
bool up; /**< indicate if user present */
|
|
uint8_t client_data_hash[SHA256_DIGEST_LENGTH]; /**< SHA-256 hash of JSON serialized client data */
|
|
} ctap_get_assertion_state_t;
|
|
|
|
/*** CTAP methods ***/
|
|
|
|
/**
|
|
* @brief MakeCredential method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.1
|
|
*/
|
|
static int _make_credential(ctap_req_t *req_raw);
|
|
|
|
/**
|
|
* @brief GetAssertion method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.2
|
|
*/
|
|
static int _get_assertion(ctap_req_t *req_raw);
|
|
|
|
/**
|
|
* @brief GetNextAssertion method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.3
|
|
*/
|
|
static int _get_next_assertion(void);
|
|
|
|
/**
|
|
* @brief GetInfo method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.4
|
|
*/
|
|
static int _get_info(void);
|
|
|
|
/**
|
|
* @brief ClientPIN method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5
|
|
*/
|
|
static int _client_pin(ctap_req_t *req_raw);
|
|
|
|
/**
|
|
* @brief Reset method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.6
|
|
*/
|
|
static int _reset(void);
|
|
|
|
/*** CTAP clientPIN functions ***/
|
|
|
|
/**
|
|
* @brief ClientPIN getRetries method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5.3
|
|
*/
|
|
static int _get_retries(void);
|
|
|
|
/**
|
|
* @brief ClientPIN getKeyAgreement method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5.4
|
|
*/
|
|
static int _get_key_agreement(void);
|
|
|
|
/**
|
|
* @brief ClientPIN setPIN method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5.5
|
|
*/
|
|
static int _set_pin(ctap_client_pin_req_t *req);
|
|
|
|
/**
|
|
* @brief ClientPIN changePIN method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5.6
|
|
*/
|
|
static int _change_pin(ctap_client_pin_req_t *req);
|
|
|
|
/**
|
|
* @brief ClientPIN getPINToken method
|
|
*
|
|
* CTAP specification (version 20190130) section 5.5.7
|
|
*/
|
|
static int _get_pin_token(ctap_client_pin_req_t *req);
|
|
|
|
/*** helper functions ***/
|
|
|
|
/**
|
|
* @brief Initialize authData of attestation object
|
|
*
|
|
* This function generates the public key pair used by the credential
|
|
*/
|
|
static int _make_auth_data_attest(ctap_make_credential_req_t *req,
|
|
ctap_auth_data_t *auth_data,
|
|
ctap_resident_key_t *k, bool uv, bool up,
|
|
bool rk);
|
|
/**
|
|
* @brief Initialize authData of assertion object
|
|
*/
|
|
static int _make_auth_data_assert(uint8_t *rp_id, size_t rp_id_len,
|
|
ctap_auth_data_header_t *auth_data, bool uv,
|
|
bool up, uint32_t sign_count);
|
|
/**
|
|
* @brief Initialize authData of next assertion object
|
|
*/
|
|
static int _make_auth_data_next_assert(uint8_t *rp_id_hash,
|
|
ctap_auth_data_header_t *auth_data,
|
|
bool uv, bool up, uint32_t sign_count);
|
|
/**
|
|
* @brief Find most recent rk matching rp_id_hash and present in allow_list
|
|
*/
|
|
static int _find_matching_rks(ctap_resident_key_t *rks, size_t rks_len,
|
|
ctap_cred_desc_alt_t *allow_list,
|
|
size_t allow_list_len,
|
|
uint8_t *rp_id, size_t rp_id_len);
|
|
/**
|
|
* @brief Check if any of the credentials in li belong to this authenticator
|
|
*/
|
|
static bool _rks_exist(ctap_cred_desc_alt_t *li, size_t len, uint8_t *rp_id,
|
|
size_t rp_id_len);
|
|
|
|
/**
|
|
* @brief Decrypt credential that is stored by relying party
|
|
*
|
|
* This function is used when the credential is stored by the
|
|
* relying party in encrypted form.
|
|
* See Webauthn specification (version 20190304) section 4 (Credential ID)
|
|
* for more details.
|
|
*/
|
|
static int _ctap_decrypt_rk(ctap_resident_key_t *rk, ctap_cred_id_t *id);
|
|
|
|
/**
|
|
* @brief Write credential to flash
|
|
*/
|
|
static int _write_rk_to_flash(ctap_resident_key_t *rk);
|
|
|
|
/**
|
|
* @brief Save PIN to authenticator state and write the updated state to flash
|
|
*/
|
|
static int _save_pin(uint8_t *pin, size_t len);
|
|
|
|
/**
|
|
* @brief Write authenticator state to flash.
|
|
*/
|
|
static int _write_state_to_flash(const ctap_state_t *state);
|
|
|
|
/**
|
|
* @brief Check if PIN protocol version is supported
|
|
*/
|
|
static inline bool _pin_protocol_supported(uint8_t version);
|
|
|
|
/**
|
|
* @brief Decrement PIN attempts and indicate if authenticator is locked
|
|
*
|
|
* Should the decrease of PIN attempts cross one of the two thresholds
|
|
* ( @ref CTAP_PIN_MAX_ATTS_BOOT, @ref CTAP_PIN_MAX_ATTS ) this methods returns
|
|
* an error code indicating the locking status.
|
|
*/
|
|
static int _decrement_pin_attempts(void);
|
|
|
|
/**
|
|
* @brief Reset PIN attempts to its starting values
|
|
*/
|
|
static void _reset_pin_attempts(void);
|
|
|
|
/**
|
|
* @brief Verify pinAuth sent by platform
|
|
*
|
|
* pinAuth is verified by comparing it to the first 16 bytes of
|
|
* HMAC-SHA-256(pinToken, clientDataHash)
|
|
*/
|
|
static int _verify_pin_auth(uint8_t *auth, uint8_t *hash, size_t len);
|
|
|
|
/**
|
|
* @brief Check if authenticator is boot locked
|
|
*
|
|
* Authenticator needs to be rebooted in order to be used again.
|
|
*/
|
|
static inline bool _is_boot_locked(void);
|
|
|
|
/**
|
|
* @brief Check if authenticator is completely locked
|
|
*
|
|
* Authenticator needs to be reset, deleting all stored credentials, in order
|
|
* to be used again.
|
|
*/
|
|
static inline bool _is_locked(void);
|
|
|
|
/**
|
|
* @brief State of authenticator
|
|
*/
|
|
static ctap_state_t _state;
|
|
|
|
/**
|
|
* @brief Assertion state
|
|
*
|
|
* The assertion state is needed to keep state between the GetAssertion and
|
|
* GetNextAssertion methods.
|
|
*/
|
|
static ctap_get_assertion_state_t _assert_state;
|
|
|
|
/**
|
|
* @brief pinToken
|
|
*
|
|
* The pinToken is used to reduce the cost of the PIN mechanism and increase
|
|
* its security.
|
|
*
|
|
* See CTAP specification (version 20190130) section 5.5.2 for more details
|
|
*/
|
|
static uint8_t _pin_token[CTAP_PIN_TOKEN_SZ];
|
|
|
|
/**
|
|
* @brief remaining PIN attempts until authenticator is boot locked
|
|
*/
|
|
static int _rem_pin_att_boot = CTAP_PIN_MAX_ATTS_BOOT;
|
|
|
|
int fido2_ctap_init(void)
|
|
{
|
|
int ret;
|
|
|
|
ret = fido2_ctap_mem_init();
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
|
|
/**
|
|
* CTAP state information is stored at flashpage 0 of the memory area
|
|
* dedicated for storing CTAP data
|
|
*/
|
|
ret = fido2_ctap_mem_read(&_state, fido2_ctap_mem_flash_page(), 0,
|
|
sizeof(_state));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
|
|
/* first startup of the device */
|
|
if (_state.initialized_marker != CTAP_INITIALIZED_MARKER) {
|
|
ret = _reset();
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
}
|
|
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
ret = fido2_ctap_utils_init_gpio_pin(CTAP_UP_BUTTON, CTAP_UP_BUTTON_MODE,
|
|
CTAP_UP_BUTTON_FLANK);
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_init();
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
|
|
/* initialize pin_token */
|
|
ret = fido2_ctap_crypto_prng(_pin_token, sizeof(_pin_token));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return -EPROTO;
|
|
}
|
|
|
|
DEBUG("fido2_ctap: initialization successful \n");
|
|
|
|
return 0;
|
|
}
|
|
|
|
size_t fido2_ctap_handle_request(ctap_req_t *req, ctap_resp_t *resp)
|
|
{
|
|
assert(req);
|
|
assert(resp);
|
|
|
|
switch (req->method) {
|
|
case CTAP_GET_INFO:
|
|
DEBUG("fido2_ctap: get_info req \n");
|
|
return fido2_ctap_get_info(resp);
|
|
break;
|
|
case CTAP_MAKE_CREDENTIAL:
|
|
DEBUG("fido2_ctap: make_credential req \n");
|
|
return fido2_ctap_make_credential(req, resp);
|
|
break;
|
|
case CTAP_GET_ASSERTION:
|
|
DEBUG("fido2_ctap: get_assertion req \n");
|
|
return fido2_ctap_get_assertion(req, resp);
|
|
break;
|
|
case CTAP_GET_NEXT_ASSERTION:
|
|
DEBUG("fido2_ctap: get_next_assertion req \n");
|
|
return fido2_ctap_get_next_assertion(resp);
|
|
break;
|
|
case CTAP_CLIENT_PIN:
|
|
DEBUG("fido2_ctap: client_pin req \n");
|
|
return fido2_ctap_client_pin(req, resp);
|
|
break;
|
|
case CTAP_RESET:
|
|
DEBUG("fido2_ctap: reset req \n");
|
|
return fido2_ctap_reset(resp);
|
|
break;
|
|
default:
|
|
DEBUG("fido2_ctap: unknown req: %u \n", req->method);
|
|
resp->status = CTAP1_ERR_INVALID_COMMAND;
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
size_t fido2_ctap_get_info(ctap_resp_t *resp)
|
|
{
|
|
assert(resp);
|
|
|
|
fido2_ctap_cbor_init_encoder(resp->data, sizeof(resp->data));
|
|
|
|
resp->status = _get_info();
|
|
|
|
return fido2_ctap_cbor_get_buffer_size(resp->data);
|
|
}
|
|
|
|
size_t fido2_ctap_make_credential(ctap_req_t *req, ctap_resp_t *resp)
|
|
{
|
|
assert(req);
|
|
assert(resp);
|
|
|
|
fido2_ctap_cbor_init_encoder(resp->data, sizeof(resp->data));
|
|
|
|
resp->status = _make_credential(req);
|
|
|
|
return fido2_ctap_cbor_get_buffer_size(resp->data);
|
|
}
|
|
|
|
size_t fido2_ctap_get_assertion(ctap_req_t *req, ctap_resp_t *resp)
|
|
{
|
|
assert(req);
|
|
assert(resp);
|
|
|
|
fido2_ctap_cbor_init_encoder(resp->data, sizeof(resp->data));
|
|
|
|
resp->status = _get_assertion(req);
|
|
|
|
return fido2_ctap_cbor_get_buffer_size(resp->data);
|
|
}
|
|
|
|
size_t fido2_ctap_get_next_assertion(ctap_resp_t *resp)
|
|
{
|
|
assert(resp);
|
|
|
|
fido2_ctap_cbor_init_encoder(resp->data, sizeof(resp->data));
|
|
|
|
resp->status = _get_next_assertion();
|
|
|
|
return fido2_ctap_cbor_get_buffer_size(resp->data);
|
|
}
|
|
|
|
size_t fido2_ctap_client_pin(ctap_req_t *req, ctap_resp_t *resp)
|
|
{
|
|
assert(req);
|
|
assert(resp);
|
|
|
|
fido2_ctap_cbor_init_encoder(resp->data, sizeof(resp->data));
|
|
|
|
resp->status = _client_pin(req);
|
|
|
|
return fido2_ctap_cbor_get_buffer_size(resp->data);
|
|
}
|
|
|
|
size_t fido2_ctap_reset(ctap_resp_t *resp)
|
|
{
|
|
resp->status = _reset();
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int _reset(void)
|
|
{
|
|
fido2_ctap_mem_erase_flash();
|
|
|
|
_state.initialized_marker = CTAP_INITIALIZED_MARKER;
|
|
_state.rem_pin_att = CTAP_PIN_MAX_ATTS;
|
|
_state.pin_is_set = false;
|
|
_state.rk_amount_stored = 0;
|
|
|
|
_rem_pin_att_boot = CTAP_PIN_MAX_ATTS_BOOT;
|
|
|
|
/* invalidate AES CCM key */
|
|
memset(_state.cred_key, 0, sizeof(_state.cred_key));
|
|
_state.cred_key_is_initialized = false;
|
|
|
|
_state.config.options |= CTAP_INFO_OPTIONS_FLAG_PLAT;
|
|
_state.config.options |= CTAP_INFO_OPTIONS_FLAG_RK;
|
|
_state.config.options |= CTAP_INFO_OPTIONS_FLAG_CLIENT_PIN;
|
|
_state.config.options |= CTAP_INFO_OPTIONS_FLAG_UP;
|
|
|
|
uint8_t aaguid[CTAP_AAGUID_SIZE];
|
|
|
|
fmt_hex_bytes(aaguid, CTAP_AAGUID);
|
|
|
|
memcpy(_state.config.aaguid, aaguid, sizeof(_state.config.aaguid));
|
|
|
|
return _write_state_to_flash(&_state);
|
|
}
|
|
|
|
static int _make_credential(ctap_req_t *req_raw)
|
|
{
|
|
int ret;
|
|
bool uv = false;
|
|
bool up = false;
|
|
bool rk = false;
|
|
ctap_make_credential_req_t req = { 0 };
|
|
ctap_auth_data_t auth_data = { 0 };
|
|
ctap_resident_key_t k = { 0 };
|
|
|
|
if (_is_locked()) {
|
|
ret = CTAP2_ERR_PIN_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
if (_is_boot_locked()) {
|
|
ret = CTAP2_ERR_PIN_AUTH_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
/* set default values for options */
|
|
req.options.rk = false;
|
|
req.options.uv = false;
|
|
req.options.up = -1;
|
|
|
|
ret = fido2_ctap_cbor_parse_make_credential_req(&req, req_raw->buf, req_raw->len);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* true => authenticator is instructed to store credential on device */
|
|
rk = req.options.rk;
|
|
|
|
if (req.exclude_list_len > 0) {
|
|
if (_rks_exist(req.exclude_list, req.exclude_list_len, req.rp.id,
|
|
req.rp.id_len)) {
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
fido2_ctap_utils_user_presence_test();
|
|
}
|
|
|
|
ret = CTAP2_ERR_CREDENTIAL_EXCLUDED;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* The user presence (up) check is mandatory for the MakeCredential method.
|
|
* For the MakeCredential method the up key of the options dictionary,
|
|
* which is part of the MakeCredential request, is not defined.
|
|
* Therefore setting it is invalid for this method.
|
|
*/
|
|
if (req.options.up != -1) {
|
|
ret = CTAP2_ERR_INVALID_OPTION;
|
|
goto done;
|
|
}
|
|
|
|
if (fido2_ctap_pin_is_set() && req.pin_auth_present) {
|
|
/* CTAP specification (version 20190130) section 5.5.8.1 */
|
|
if (req.pin_auth_len == 0) {
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
fido2_ctap_utils_user_presence_test();
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
ret = _verify_pin_auth(req.pin_auth, req.client_data_hash,
|
|
sizeof(req.client_data_hash));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
uv = true;
|
|
}
|
|
/* CTAP specification (version 20190130) section 5.5.8.1 */
|
|
else if (!fido2_ctap_pin_is_set() && req.pin_auth_present
|
|
&& req.pin_auth_len == 0) {
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
fido2_ctap_utils_user_presence_test();
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_NOT_SET;
|
|
goto done;
|
|
}
|
|
else if (fido2_ctap_pin_is_set() && !req.pin_auth_present) {
|
|
ret = CTAP2_ERR_PIN_REQUIRED;
|
|
goto done;
|
|
}
|
|
|
|
if (req.pin_auth_present && !_pin_protocol_supported(req.pin_protocol)) {
|
|
ret = CTAP2_ERR_PIN_AUTH_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
/* last moment where transaction can be cancelled */
|
|
if (IS_USED(MODULE_FIDO2_CTAP_TRANSPORT_HID)) {
|
|
if (fido2_ctap_transport_hid_should_cancel()) {
|
|
ret = CTAP2_ERR_KEEPALIVE_CANCEL;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/* user presence test to create a new credential */
|
|
if (IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
up = true;
|
|
}
|
|
else {
|
|
if (fido2_ctap_utils_user_presence_test() == CTAP2_OK) {
|
|
up = true;
|
|
}
|
|
}
|
|
|
|
ret = _make_auth_data_attest(&req, &auth_data, &k, uv, up, rk);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_cbor_encode_attestation_object(&auth_data, req.client_data_hash, &k);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* if created credential is a resident credential, save it to flash */
|
|
if (rk) {
|
|
ret = _write_rk_to_flash(&k);
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
ret = CTAP2_OK;
|
|
|
|
done:
|
|
/* clear rk to remove private key from memory */
|
|
memset(&k, 0, sizeof(k));
|
|
return ret;
|
|
}
|
|
|
|
static int _get_assertion(ctap_req_t *req_raw)
|
|
{
|
|
int ret;
|
|
bool uv = false;
|
|
bool up = false;
|
|
ctap_get_assertion_req_t req = { 0 };
|
|
ctap_auth_data_header_t auth_data = { 0 };
|
|
ctap_resident_key_t *rk = NULL;
|
|
|
|
if (_is_locked()) {
|
|
ret = CTAP2_ERR_PIN_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
if (_is_boot_locked()) {
|
|
ret = CTAP2_ERR_PIN_AUTH_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
memset(&_assert_state, 0, sizeof(ctap_get_assertion_state_t));
|
|
|
|
/* set default values for options */
|
|
req.options.up = true;
|
|
req.options.uv = false;
|
|
|
|
ret = fido2_ctap_cbor_parse_get_assertion_req(&req, req_raw->buf, req_raw->len);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* find eligble credentials */
|
|
_assert_state.count = _find_matching_rks(_assert_state.rks,
|
|
CTAP_MAX_EXCLUDE_LIST_SIZE,
|
|
req.allow_list,
|
|
req.allow_list_len, req.rp_id,
|
|
req.rp_id_len);
|
|
|
|
if (fido2_ctap_pin_is_set() && req.pin_auth_present) {
|
|
/* CTAP specification (version 20190130) section 5.5.8.2 */
|
|
if (req.pin_auth_len == 0) {
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
fido2_ctap_utils_user_presence_test();
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_INVALID;
|
|
goto done;
|
|
}
|
|
ret = _verify_pin_auth(req.pin_auth, req.client_data_hash,
|
|
sizeof(req.client_data_hash));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
uv = true;
|
|
_assert_state.uv = true;
|
|
}
|
|
/* CTAP specification (version 20190130) section 5.5.8.2 */
|
|
else if (!fido2_ctap_pin_is_set() && req.pin_auth_present
|
|
&& req.pin_auth_len == 0) {
|
|
if (!IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
fido2_ctap_utils_user_presence_test();
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_NOT_SET;
|
|
goto done;
|
|
}
|
|
else if (fido2_ctap_pin_is_set() && !req.pin_auth_present) {
|
|
uv = false;
|
|
_assert_state.uv = false;
|
|
}
|
|
|
|
if (req.pin_auth_present && !_pin_protocol_supported(req.pin_protocol)) {
|
|
ret = CTAP2_ERR_PIN_AUTH_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
if (req.options.up) {
|
|
if (IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)) {
|
|
up = true;
|
|
_assert_state.up = true;
|
|
}
|
|
else {
|
|
if (fido2_ctap_utils_user_presence_test() == CTAP2_OK) {
|
|
up = true;
|
|
_assert_state.up = true;
|
|
}
|
|
else {
|
|
ret = CTAP2_ERR_OPERATION_DENIED;
|
|
goto done;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (req.options.uv) {
|
|
ret = CTAP2_ERR_UNSUPPORTED_OPTION;
|
|
goto done;
|
|
}
|
|
|
|
if (_assert_state.count == 0) {
|
|
ret = CTAP2_ERR_NO_CREDENTIALS;
|
|
goto done;
|
|
}
|
|
|
|
memcpy(_assert_state.client_data_hash, req.client_data_hash,
|
|
SHA256_DIGEST_LENGTH);
|
|
|
|
/* most recently created eligble rk found */
|
|
rk = &_assert_state.rks[_assert_state.cred_counter++];
|
|
|
|
/* last moment where transaction can be cancelled */
|
|
if (fido2_ctap_transport_hid_should_cancel()) {
|
|
ret = CTAP2_ERR_KEEPALIVE_CANCEL;
|
|
goto done;
|
|
}
|
|
|
|
ret = _make_auth_data_assert(req.rp_id, req.rp_id_len, &auth_data, uv,
|
|
up,
|
|
rk->sign_count);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_cbor_encode_assertion_object(&auth_data,
|
|
req.client_data_hash, rk,
|
|
_assert_state.count);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
rk->sign_count++;
|
|
|
|
/**
|
|
* if has_nonce is false, the credential is a resident credential and
|
|
* therefore needs to be saved on the device.
|
|
*/
|
|
if (!rk->cred_desc.has_nonce) {
|
|
ret = _write_rk_to_flash(rk);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/* save current time for get_next_assertion timeout */
|
|
_assert_state.timer = ztimer_now(ZTIMER_MSEC);
|
|
|
|
ret = CTAP2_OK;
|
|
|
|
done:
|
|
/* clear rk to remove private key from memory */
|
|
if (rk) {
|
|
memset(rk, 0, sizeof(*rk));
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int _get_next_assertion(void)
|
|
{
|
|
int ret;
|
|
uint32_t now;
|
|
ctap_resident_key_t *rk = NULL;
|
|
ctap_auth_data_header_t auth_data = { 0 };
|
|
|
|
if (_is_locked()) {
|
|
ret = CTAP2_ERR_PIN_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
if (_is_boot_locked()) {
|
|
ret = CTAP2_ERR_PIN_AUTH_BLOCKED;
|
|
goto done;
|
|
}
|
|
|
|
/* no current valid assertion req pending */
|
|
if (_assert_state.timer == 0) {
|
|
ret = CTAP2_ERR_NOT_ALLOWED;
|
|
goto done;
|
|
}
|
|
|
|
if (_assert_state.cred_counter >= _assert_state.count) {
|
|
ret = CTAP2_ERR_NOT_ALLOWED;
|
|
goto done;
|
|
}
|
|
|
|
now = ztimer_now(ZTIMER_MSEC);
|
|
if (now - _assert_state.timer > CTAP_GET_NEXT_ASSERTION_TIMEOUT) {
|
|
memset(&_assert_state, 0, sizeof(_assert_state));
|
|
ret = CTAP2_ERR_NOT_ALLOWED;
|
|
goto done;
|
|
}
|
|
|
|
/* next eligble rk */
|
|
rk = &_assert_state.rks[_assert_state.cred_counter];
|
|
_assert_state.cred_counter++;
|
|
|
|
ret = _make_auth_data_next_assert(rk->rp_id_hash, &auth_data,
|
|
_assert_state.uv, _assert_state.up,
|
|
rk->sign_count);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* cred count set to 0 because omitted when get_next_assertion */
|
|
ret = fido2_ctap_cbor_encode_assertion_object(&auth_data,
|
|
_assert_state.client_data_hash, rk,
|
|
0);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* restart timer */
|
|
_assert_state.timer = ztimer_now(ZTIMER_MSEC);
|
|
|
|
rk->sign_count++;
|
|
|
|
/**
|
|
* if has_nonce is false, the credential is a resident credential and
|
|
* therefore needs to be saved on the device.
|
|
*/
|
|
if (!rk->cred_desc.has_nonce) {
|
|
ret = _write_rk_to_flash(rk);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
ret = CTAP2_OK;
|
|
|
|
done:
|
|
/* clear rk to remove private key from memory */
|
|
if (rk) {
|
|
memset(rk, 0, sizeof(*rk));
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int _get_info(void)
|
|
{
|
|
ctap_info_t info = { 0 };
|
|
|
|
info.versions |= CTAP_VERSION_FLAG_FIDO;
|
|
info.options = _state.config.options;
|
|
info.max_msg_size = CTAP_MAX_MSG_SIZE;
|
|
info.pin_protocol = CTAP_PIN_PROT_VER;
|
|
info.pin_is_set = fido2_ctap_pin_is_set();
|
|
memcpy(info.aaguid, _state.config.aaguid, CTAP_AAGUID_SIZE);
|
|
|
|
return fido2_ctap_cbor_encode_info(&info);
|
|
}
|
|
|
|
static int _client_pin(ctap_req_t *req_raw)
|
|
{
|
|
int ret;
|
|
ctap_client_pin_req_t req = { 0 };
|
|
|
|
ret = fido2_ctap_cbor_parse_client_pin_req(&req, req_raw->buf, req_raw->len);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("fido2_ctap: client_pin - error parsing request: %d \n", ret);
|
|
return ret;
|
|
}
|
|
|
|
/* common error handling */
|
|
if (req.sub_command != CTAP_CP_REQ_SUB_COMMAND_GET_RETRIES) {
|
|
if (_is_locked()) {
|
|
return CTAP2_ERR_PIN_BLOCKED;
|
|
}
|
|
|
|
if (_is_boot_locked()) {
|
|
return CTAP2_ERR_PIN_AUTH_BLOCKED;
|
|
}
|
|
}
|
|
|
|
if (req.pin_protocol != CTAP_PIN_PROT_VER) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
switch (req.sub_command) {
|
|
case CTAP_CP_REQ_SUB_COMMAND_GET_RETRIES:
|
|
ret = _get_retries();
|
|
break;
|
|
case CTAP_CP_REQ_SUB_COMMAND_GET_KEY_AGREEMENT:
|
|
ret = _get_key_agreement();
|
|
break;
|
|
case CTAP_CP_REQ_SUB_COMMAND_SET_PIN:
|
|
ret = _set_pin(&req);
|
|
break;
|
|
case CTAP_CP_REQ_SUB_COMMAND_CHANGE_PIN:
|
|
ret = _change_pin(&req);
|
|
break;
|
|
case CTAP_CP_REQ_SUB_COMMAND_GET_PIN_TOKEN:
|
|
ret = _get_pin_token(&req);
|
|
break;
|
|
default:
|
|
ret = CTAP1_ERR_OTHER;
|
|
DEBUG("fido2_crap: clientpin - subcommand unknown %u \n",
|
|
req.sub_command);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int _get_retries(void)
|
|
{
|
|
return fido2_ctap_cbor_encode_retries(_state.rem_pin_att);
|
|
}
|
|
|
|
static int _get_key_agreement(void)
|
|
{
|
|
int ret;
|
|
ctap_public_key_cose_t key = { 0 };
|
|
|
|
|
|
/* generate key agreement key */
|
|
ret =
|
|
fido2_ctap_crypto_gen_keypair(&_state.ag_key.pub, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
memcpy(key.pubkey.x, _state.ag_key.pub.x, CTAP_CRYPTO_KEY_SIZE);
|
|
memcpy(key.pubkey.y, _state.ag_key.pub.y, CTAP_CRYPTO_KEY_SIZE);
|
|
|
|
key.alg_type = CTAP_COSE_ALG_ECDH_ES_HKDF_256;
|
|
key.cred_type = CTAP_PUB_KEY_CRED_PUB_KEY;
|
|
key.crv = CTAP_COSE_KEY_CRV_P256;
|
|
key.kty = CTAP_COSE_KEY_KTY_EC2;
|
|
|
|
return fido2_ctap_cbor_encode_key_agreement(&key);
|
|
}
|
|
|
|
static int _set_pin(ctap_client_pin_req_t *req)
|
|
{
|
|
uint8_t shared_key[SHA256_DIGEST_LENGTH] = { 0 };
|
|
uint8_t shared_secret[CTAP_CRYPTO_KEY_SIZE] = { 0 };
|
|
uint8_t hmac[SHA256_DIGEST_LENGTH] = { 0 };
|
|
uint8_t new_pin_dec[CTAP_PIN_MAX_SIZE] = { 0 };
|
|
size_t sz;
|
|
int ret;
|
|
|
|
if (!req->new_pin_enc_size || !req->pin_auth_present ||
|
|
!req->key_agreement_present) {
|
|
ret = CTAP2_ERR_MISSING_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
if (fido2_ctap_pin_is_set()) {
|
|
ret = CTAP2_ERR_PIN_AUTH_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
if (req->new_pin_enc_size < CTAP_PIN_ENC_MIN_SIZE) {
|
|
ret = CTAP1_ERR_OTHER;
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_ecdh(shared_secret, sizeof(shared_secret),
|
|
&req->key_agreement.pubkey, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* sha256 of shared secret ((abG).x) to obtain shared key */
|
|
ret = fido2_ctap_crypto_sha256(shared_secret, sizeof(shared_secret), shared_key);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256(shared_key, sizeof(shared_key), req->new_pin_enc,
|
|
req->new_pin_enc_size, hmac);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
if (memcmp(hmac, req->pin_auth, CTAP_PIN_AUTH_SZ) != 0) {
|
|
DEBUG("fido2_ctap: set pin - hmac and pin_auth differ \n");
|
|
ret = CTAP2_ERR_PIN_AUTH_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
sz = sizeof(new_pin_dec);
|
|
ret = fido2_ctap_crypto_aes_dec(new_pin_dec, &sz, req->new_pin_enc,
|
|
req->new_pin_enc_size, shared_key,
|
|
sizeof(shared_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("fido2_ctap: set pin - error while decrypting PIN \n");
|
|
goto done;
|
|
}
|
|
|
|
/* last moment where transaction can be cancelled */
|
|
if (IS_USED(MODULE_FIDO2_CTAP_TRANSPORT_HID)) {
|
|
if (fido2_ctap_transport_hid_should_cancel()) {
|
|
ret = CTAP2_ERR_KEEPALIVE_CANCEL;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
sz = fmt_strnlen((char *)new_pin_dec, CTAP_PIN_MAX_SIZE + 1);
|
|
if (sz < CTAP_PIN_MIN_SIZE || sz > CTAP_PIN_MAX_SIZE) {
|
|
ret = CTAP2_ERR_PIN_POLICY_VIOLATION;
|
|
goto done;
|
|
}
|
|
|
|
_save_pin(new_pin_dec, sz);
|
|
|
|
_reset_pin_attempts();
|
|
|
|
ret = CTAP2_OK;
|
|
|
|
done:
|
|
/* clear key agreement key */
|
|
memset(&_state.ag_key, 0, sizeof(_state.ag_key));
|
|
return ret;
|
|
}
|
|
|
|
static int _change_pin(ctap_client_pin_req_t *req)
|
|
{
|
|
int ret;
|
|
size_t sz;
|
|
hmac_context_t ctx;
|
|
uint8_t shared_key[CTAP_CRYPTO_KEY_SIZE] = { 0 };
|
|
uint8_t shared_secret[CTAP_CRYPTO_KEY_SIZE] = { 0 };
|
|
uint8_t pin_hash_dec[CTAP_PIN_TOKEN_SZ] = { 0 };
|
|
uint8_t hmac[SHA256_DIGEST_LENGTH] = { 0 };
|
|
uint8_t new_pin_dec[CTAP_PIN_MAX_SIZE] = { 0 };
|
|
|
|
if (!req->pin_auth_present || !req->key_agreement_present ||
|
|
!req->pin_hash_enc_present) {
|
|
ret = CTAP2_ERR_MISSING_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
if (!fido2_ctap_pin_is_set()) {
|
|
ret = CTAP2_ERR_PIN_NOT_SET;
|
|
goto done;
|
|
}
|
|
|
|
if (req->new_pin_enc_size < CTAP_PIN_ENC_MIN_SIZE) {
|
|
ret = CTAP1_ERR_OTHER;
|
|
goto done;
|
|
}
|
|
|
|
/* derive shared secret */
|
|
ret = fido2_ctap_crypto_ecdh(shared_secret, sizeof(shared_secret),
|
|
&req->key_agreement.pubkey, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* sha256 of shared secret ((abG).x) to obtain shared key */
|
|
ret = fido2_ctap_crypto_sha256(shared_secret, sizeof(shared_secret), shared_key);
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256_init(&ctx, shared_key, sizeof(shared_key));
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256_update(&ctx, req->new_pin_enc, req->new_pin_enc_size);
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256_update(&ctx, req->pin_hash_enc, sizeof(req->pin_hash_enc));
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256_final(&ctx, hmac);
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* verify pinAuth by comparing first 16 bytes of HMAC-SHA-256*/
|
|
if (memcmp(hmac, req->pin_auth, CTAP_PIN_AUTH_SZ) != 0) {
|
|
DEBUG("fido2_ctap: pin hmac and pin_auth differ \n");
|
|
ret = CTAP2_ERR_PIN_AUTH_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
sz = sizeof(pin_hash_dec);
|
|
/* decrypt pinHashEnc */
|
|
ret = fido2_ctap_crypto_aes_dec(pin_hash_dec, &sz, req->pin_hash_enc,
|
|
sizeof(req->pin_hash_enc), shared_key,
|
|
sizeof(shared_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("fido2_ctap: set pin - error while decrypting pin hash \n");
|
|
goto done;
|
|
}
|
|
|
|
/* last moment where transaction can be cancelled */
|
|
if (IS_USED(MODULE_FIDO2_CTAP_TRANSPORT_HID)) {
|
|
if (fido2_ctap_transport_hid_should_cancel()) {
|
|
ret = CTAP2_ERR_KEEPALIVE_CANCEL;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/* verify decrypted pinHash against LEFT(SHA-256(curPin), 16) */
|
|
if (memcmp(pin_hash_dec, _state.pin_hash, CTAP_PIN_TOKEN_SZ) != 0) {
|
|
DEBUG("fido2_ctap: _get_pin_token - invalid pin \n");
|
|
|
|
/* reset key agreement key */
|
|
ret =
|
|
fido2_ctap_crypto_gen_keypair(&_state.ag_key.pub, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
_write_state_to_flash(&_state);
|
|
|
|
ret = _decrement_pin_attempts();
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
_reset_pin_attempts();
|
|
|
|
sz = sizeof(new_pin_dec);
|
|
/* decrypt newPinEnc to obtain newPin */
|
|
ret = fido2_ctap_crypto_aes_dec(new_pin_dec, &sz, req->new_pin_enc,
|
|
req->new_pin_enc_size, shared_key,
|
|
sizeof(shared_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("fido2_ctap: set pin - error while decrypting new PIN \n");
|
|
goto done;
|
|
}
|
|
|
|
sz = fmt_strnlen((char *)new_pin_dec, CTAP_PIN_MAX_SIZE + 1);
|
|
if (sz < CTAP_PIN_MIN_SIZE || sz > CTAP_PIN_MAX_SIZE) {
|
|
ret = CTAP2_ERR_PIN_POLICY_VIOLATION;
|
|
goto done;
|
|
}
|
|
|
|
_save_pin(new_pin_dec, sz);
|
|
|
|
ret = CTAP2_OK;
|
|
|
|
done:
|
|
/* clear key agreement key */
|
|
memset(&_state.ag_key, 0, sizeof(_state.ag_key));
|
|
return ret;
|
|
}
|
|
|
|
static int _get_pin_token(ctap_client_pin_req_t *req)
|
|
{
|
|
uint8_t shared_key[SHA256_DIGEST_LENGTH] = { 0 };
|
|
uint8_t shared_secret[CTAP_CRYPTO_KEY_SIZE] = { 0 };
|
|
uint8_t pin_hash_dec[CTAP_PIN_TOKEN_SZ] = { 0 };
|
|
uint8_t pin_token_enc[CTAP_PIN_TOKEN_SZ] = { 0 };
|
|
int ret;
|
|
size_t sz;
|
|
|
|
if (!fido2_ctap_pin_is_set()) {
|
|
ret = CTAP2_ERR_PIN_NOT_SET;
|
|
goto done;
|
|
}
|
|
|
|
if (!req->key_agreement_present || !req->pin_hash_enc_present) {
|
|
ret = CTAP2_ERR_MISSING_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_ecdh(shared_secret, sizeof(shared_secret),
|
|
&req->key_agreement.pubkey, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
/* last moment where transaction can be cancelled */
|
|
if (IS_USED(MODULE_FIDO2_CTAP_TRANSPORT_HID)) {
|
|
if (fido2_ctap_transport_hid_should_cancel()) {
|
|
ret = CTAP2_ERR_KEEPALIVE_CANCEL;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/* sha256 of shared secret ((abG).x) to obtain shared key */
|
|
ret = fido2_ctap_crypto_sha256(shared_secret, sizeof(shared_secret), shared_key);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
sz = sizeof(pin_hash_dec);
|
|
ret = fido2_ctap_crypto_aes_dec(pin_hash_dec, &sz, req->pin_hash_enc,
|
|
sizeof(req->pin_hash_enc), shared_key,
|
|
sizeof(shared_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("set pin: error while decrypting pin hash \n");
|
|
goto done;
|
|
}
|
|
|
|
if (memcmp(pin_hash_dec, _state.pin_hash, sizeof(_state.pin_hash)) != 0) {
|
|
DEBUG("fido2_ctap: _get_pin_token - invalid pin \n");
|
|
|
|
/* reset key agreement key */
|
|
ret =
|
|
fido2_ctap_crypto_gen_keypair(&_state.ag_key.pub, _state.ag_key.priv,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = _decrement_pin_attempts();
|
|
|
|
if (ret != CTAP2_OK) {
|
|
goto done;
|
|
}
|
|
|
|
ret = CTAP2_ERR_PIN_INVALID;
|
|
goto done;
|
|
}
|
|
|
|
_reset_pin_attempts();
|
|
|
|
sz = sizeof(pin_token_enc);
|
|
ret = fido2_ctap_crypto_aes_enc(pin_token_enc, &sz, _pin_token,
|
|
sizeof(_pin_token), shared_key,
|
|
sizeof(shared_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
DEBUG("get pin token: error encrypting pin token \n");
|
|
goto done;
|
|
}
|
|
|
|
ret = fido2_ctap_cbor_encode_pin_token(pin_token_enc,
|
|
sizeof(pin_token_enc));
|
|
|
|
done:
|
|
/* clear key agreement key */
|
|
memset(&_state.ag_key, 0, sizeof(_state.ag_key));
|
|
return ret;
|
|
}
|
|
|
|
static int _save_pin(uint8_t *pin, size_t len)
|
|
{
|
|
uint8_t buf[SHA256_DIGEST_LENGTH] = { 0 };
|
|
int ret;
|
|
|
|
/* store LEFT(SHA-256(newPin), 16) */
|
|
ret = fido2_ctap_crypto_sha256(pin, len, buf);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
memcpy(_state.pin_hash, buf, sizeof(_state.pin_hash));
|
|
_state.pin_is_set = true;
|
|
|
|
return _write_state_to_flash(&_state);
|
|
}
|
|
|
|
bool fido2_ctap_cred_params_supported(uint8_t cred_type, int32_t alg_type)
|
|
{
|
|
if (cred_type == CTAP_PUB_KEY_CRED_PUB_KEY) {
|
|
if (alg_type == CTAP_COSE_ALG_ES256) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
static inline bool _pin_protocol_supported(uint8_t version)
|
|
{
|
|
return version == CTAP_PIN_PROT_VER;
|
|
}
|
|
|
|
bool fido2_ctap_pin_is_set(void)
|
|
{
|
|
return _state.pin_is_set;
|
|
}
|
|
|
|
static inline bool _is_locked(void)
|
|
{
|
|
return _state.rem_pin_att <= 0;
|
|
}
|
|
|
|
static inline bool _is_boot_locked(void)
|
|
{
|
|
return _rem_pin_att_boot <= 0;
|
|
}
|
|
|
|
static int _decrement_pin_attempts(void)
|
|
{
|
|
if (_state.rem_pin_att > 0) {
|
|
_state.rem_pin_att--;
|
|
}
|
|
|
|
if (_rem_pin_att_boot > 0) {
|
|
_rem_pin_att_boot--;
|
|
}
|
|
|
|
_write_state_to_flash(&_state);
|
|
|
|
if (_is_locked()) {
|
|
return CTAP2_ERR_PIN_BLOCKED;
|
|
}
|
|
|
|
if (_is_boot_locked()) {
|
|
return CTAP2_ERR_PIN_AUTH_BLOCKED;
|
|
}
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static void _reset_pin_attempts(void)
|
|
{
|
|
_state.rem_pin_att = CTAP_PIN_MAX_ATTS;
|
|
_rem_pin_att_boot = CTAP_PIN_MAX_ATTS_BOOT;
|
|
|
|
_write_state_to_flash(&_state);
|
|
}
|
|
|
|
static int _verify_pin_auth(uint8_t *auth, uint8_t *hash, size_t len)
|
|
{
|
|
int ret;
|
|
uint8_t hmac[SHA256_DIGEST_LENGTH] = { 0 };
|
|
|
|
ret = fido2_ctap_crypto_hmac_sha256(_pin_token, sizeof(_pin_token), hash, len, hmac);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
if (memcmp(auth, hmac, CTAP_PIN_AUTH_SZ) != 0) {
|
|
return CTAP2_ERR_PIN_AUTH_INVALID;
|
|
}
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static bool _rks_exist(ctap_cred_desc_alt_t *li, size_t len, uint8_t *rp_id,
|
|
size_t rp_id_len)
|
|
{
|
|
uint8_t rp_id_hash[SHA256_DIGEST_LENGTH] = { 0 };
|
|
ctap_resident_key_t rk;
|
|
int ret;
|
|
|
|
ret = fido2_ctap_crypto_sha256(rp_id, rp_id_len, rp_id_hash);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
/* no rks stored, try decrypt only */
|
|
if (_state.rk_amount_stored == 0) {
|
|
for (uint16_t i = 0; i < len; i++) {
|
|
ret = _ctap_decrypt_rk(&rk, &li[i].cred_id);
|
|
if (ret == CTAP2_OK) {
|
|
if (memcmp(rk.rp_id_hash, rp_id_hash, SHA256_DIGEST_LENGTH)
|
|
== 0) {
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
for (uint16_t i = 0; i < _state.rk_amount_stored; i++) {
|
|
int page_num = fido2_ctap_mem_get_flashpage_number_of_rk(i);
|
|
|
|
if (page_num < 0) {
|
|
return false;
|
|
}
|
|
|
|
int offset_into_page = fido2_ctap_mem_get_offset_of_rk_into_flashpage(i);
|
|
|
|
if (offset_into_page < 0) {
|
|
return false;
|
|
}
|
|
|
|
ret = fido2_ctap_mem_read(&rk, page_num, offset_into_page, sizeof(rk));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return false;
|
|
}
|
|
|
|
if (memcmp(rk.rp_id_hash, rp_id_hash, SHA256_DIGEST_LENGTH) == 0) {
|
|
for (size_t j = 0; j < len; j++) {
|
|
if (memcmp(li[j].cred_id.id, rk.cred_desc.cred_id,
|
|
CTAP_CREDENTIAL_ID_SIZE) == 0) {
|
|
return true;
|
|
}
|
|
else {
|
|
/* no match with stored key, try to decrypt */
|
|
ret = _ctap_decrypt_rk(&rk, &li[i].cred_id);
|
|
if (ret == CTAP2_OK) {
|
|
if (memcmp(rk.rp_id_hash, rp_id_hash,
|
|
SHA256_DIGEST_LENGTH) == 0) {
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static int _find_matching_rks(ctap_resident_key_t *rks, size_t rks_len,
|
|
ctap_cred_desc_alt_t *allow_list,
|
|
size_t allow_list_len, uint8_t *rp_id,
|
|
size_t rp_id_len)
|
|
{
|
|
uint8_t index = 0;
|
|
uint8_t rp_id_hash[SHA256_DIGEST_LENGTH] = { 0 };
|
|
ctap_resident_key_t rk;
|
|
int ret;
|
|
|
|
ret = fido2_ctap_crypto_sha256(rp_id, rp_id_len, rp_id_hash);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
/* no rks stored, try decrypt only */
|
|
if (_state.rk_amount_stored == 0) {
|
|
for (uint16_t i = 0; i < allow_list_len; i++) {
|
|
ret = _ctap_decrypt_rk(&rks[index], &allow_list[i].cred_id);
|
|
if (ret == CTAP2_OK) {
|
|
if (memcmp(rks[index].rp_id_hash, rp_id_hash,
|
|
SHA256_DIGEST_LENGTH) == 0) {
|
|
index++;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
for (int i = 0; i < _state.rk_amount_stored; i++) {
|
|
int page_num = fido2_ctap_mem_get_flashpage_number_of_rk(i);
|
|
|
|
if (page_num < 0) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
int offset_into_page = fido2_ctap_mem_get_offset_of_rk_into_flashpage(i);
|
|
|
|
if (offset_into_page < 0) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
ret = fido2_ctap_mem_read(&rk, page_num, offset_into_page, sizeof(rk));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
/* search for rk's matching rp_id_hash */
|
|
if (memcmp(rk.rp_id_hash, rp_id_hash, SHA256_DIGEST_LENGTH) == 0) {
|
|
if (allow_list_len == 0) {
|
|
memcpy(&rks[index], &rk, sizeof(rk));
|
|
index++;
|
|
}
|
|
else {
|
|
/* if allow list is present, also check that cred_id is in list */
|
|
for (size_t j = 0; j < allow_list_len; j++) {
|
|
if (memcmp(allow_list[j].cred_id.id, rk.cred_desc.cred_id,
|
|
sizeof(rk.cred_desc.cred_id)) == 0) {
|
|
memcpy(&rks[index], &rk, sizeof(rk));
|
|
index++;
|
|
break;
|
|
}
|
|
else {
|
|
/* no match with stored key, try to decrypt */
|
|
ret = _ctap_decrypt_rk(&rks[index],
|
|
&allow_list[j].cred_id);
|
|
if (ret == CTAP2_OK) {
|
|
if (memcmp(rks[index].rp_id_hash, rk.rp_id_hash,
|
|
SHA256_DIGEST_LENGTH) == 0) {
|
|
index++;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (index >= rks_len) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Sort in descending order based on creation time. Credential with the
|
|
* most recent (highest) creation time will be first in list.
|
|
*/
|
|
if (index > 0) {
|
|
qsort(rks, index, sizeof(ctap_resident_key_t), fido2_ctap_utils_cred_cmp);
|
|
}
|
|
|
|
return index;
|
|
}
|
|
|
|
/**
|
|
* overwrite existing key if equal, else find free space.
|
|
*
|
|
* The current official CTAP spec does not have credential management yet
|
|
* so rk's can't be deleted, only overwritten => we can be sure that there are
|
|
* no holes when reading keys from flash memory
|
|
*/
|
|
static int _write_rk_to_flash(ctap_resident_key_t *rk)
|
|
{
|
|
int ret;
|
|
int page_num = fido2_ctap_mem_flash_page() + CTAP_FLASH_RK_OFF;
|
|
int offset_into_page = 0;
|
|
bool equal = false;
|
|
ctap_resident_key_t rk_tmp = { 0 };
|
|
|
|
if (_state.rk_amount_stored > 0) {
|
|
for (uint16_t i = 0; i <= _state.rk_amount_stored; i++) {
|
|
page_num = fido2_ctap_mem_get_flashpage_number_of_rk(i);
|
|
|
|
if (page_num < 0) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
offset_into_page = fido2_ctap_mem_get_offset_of_rk_into_flashpage(i);
|
|
|
|
if (offset_into_page < 0) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
if (i == _state.rk_amount_stored) {
|
|
break;
|
|
}
|
|
|
|
ret = fido2_ctap_mem_read(&rk_tmp, page_num, offset_into_page, sizeof(rk_tmp));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return CTAP1_ERR_OTHER;
|
|
}
|
|
|
|
/* if equal overwrite */
|
|
if (fido2_ctap_utils_ks_equal(&rk_tmp, rk)) {
|
|
equal = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!equal) {
|
|
if (_state.rk_amount_stored >= CTAP_FLASH_MAX_NUM_RKS) {
|
|
return CTAP2_ERR_KEY_STORE_FULL;
|
|
}
|
|
|
|
_state.rk_amount_stored++;
|
|
ret = _write_state_to_flash(&_state);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
}
|
|
|
|
return fido2_ctap_mem_write(rk, page_num, offset_into_page, CTAP_FLASH_RK_SZ);
|
|
}
|
|
|
|
static int _make_auth_data_assert(uint8_t *rp_id, size_t rp_id_len,
|
|
ctap_auth_data_header_t *auth_data, bool uv,
|
|
bool up, uint32_t sign_count)
|
|
{
|
|
int ret;
|
|
|
|
ret = fido2_ctap_crypto_sha256(rp_id, rp_id_len, auth_data->rp_id_hash);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
auth_data->sign_count = htonl(sign_count);
|
|
|
|
if (up) {
|
|
auth_data->flags |= CTAP_AUTH_DATA_FLAG_UP;
|
|
}
|
|
|
|
if (uv) {
|
|
auth_data->flags |= CTAP_AUTH_DATA_FLAG_UV;
|
|
}
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static int _make_auth_data_next_assert(uint8_t *rp_id_hash,
|
|
ctap_auth_data_header_t *auth_data,
|
|
bool uv, bool up, uint32_t sign_count)
|
|
{
|
|
memcpy(auth_data->rp_id_hash, rp_id_hash, sizeof(auth_data->rp_id_hash));
|
|
|
|
auth_data->sign_count = htonl(sign_count);
|
|
|
|
if (up) {
|
|
auth_data->flags |= CTAP_AUTH_DATA_FLAG_UP;
|
|
}
|
|
|
|
if (uv) {
|
|
auth_data->flags |= CTAP_AUTH_DATA_FLAG_UV;
|
|
}
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static int _make_auth_data_attest(ctap_make_credential_req_t *req,
|
|
ctap_auth_data_t *auth_data,
|
|
ctap_resident_key_t *k,
|
|
bool uv, bool up, bool rk)
|
|
{
|
|
int ret;
|
|
/* device aaguid */
|
|
uint8_t aaguid[] = { CTAP_AAGUID };
|
|
ctap_auth_data_header_t *auth_header = &auth_data->header;
|
|
ctap_attested_cred_data_t *cred_data = &auth_data->attested_cred_data;
|
|
ctap_attested_cred_data_header_t *cred_header = &cred_data->header;
|
|
ctap_rp_ent_t *rp = &req->rp;
|
|
ctap_user_ent_t *user = &req->user;
|
|
|
|
memset(k, 0, sizeof(*k));
|
|
memset(auth_data, 0, sizeof(*auth_data));
|
|
|
|
ret = fido2_ctap_crypto_sha256(rp->id, rp->id_len, auth_header->rp_id_hash);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
/* set flag indicating that attested credential data included */
|
|
auth_header->flags |= CTAP_AUTH_DATA_FLAG_AT;
|
|
|
|
if (up) {
|
|
auth_header->flags |= CTAP_AUTH_DATA_FLAG_UP;
|
|
}
|
|
|
|
if (uv) {
|
|
auth_header->flags |= CTAP_AUTH_DATA_FLAG_UV;
|
|
}
|
|
|
|
auth_header->sign_count = 0;
|
|
|
|
memcpy(cred_header->aaguid, aaguid, sizeof(cred_header->aaguid));
|
|
|
|
ret =
|
|
fido2_ctap_crypto_gen_keypair(&cred_data->key.pubkey, k->priv_key,
|
|
sizeof(_state.ag_key.priv));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
cred_data->key.alg_type = req->alg_type;
|
|
cred_data->key.cred_type = req->cred_type;
|
|
cred_data->key.crv = CTAP_COSE_KEY_CRV_P256;
|
|
cred_data->key.kty = CTAP_COSE_KEY_KTY_EC2;
|
|
|
|
/* init key */
|
|
k->cred_desc.cred_type = req->cred_type;
|
|
k->user_id_len = user->id_len;
|
|
k->creation_time = ztimer_now(ZTIMER_MSEC);
|
|
|
|
memcpy(k->user_id, user->id, user->id_len);
|
|
memcpy(k->rp_id_hash, auth_header->rp_id_hash, SHA256_DIGEST_LENGTH);
|
|
|
|
if (rk) {
|
|
/* generate credential id as 16 random bytes */
|
|
ret = fido2_ctap_crypto_prng(cred_header->cred_id.id,
|
|
CTAP_CREDENTIAL_ID_SIZE);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
memcpy(k->cred_desc.cred_id, cred_header->cred_id.id,
|
|
sizeof(k->cred_desc.cred_id));
|
|
|
|
cred_header->cred_len_h = (CTAP_CREDENTIAL_ID_SIZE & 0xff00) >> 8;
|
|
cred_header->cred_len_l = CTAP_CREDENTIAL_ID_SIZE & 0x00ff;
|
|
}
|
|
else {
|
|
/* generate credential id by encrypting resident key */
|
|
uint8_t nonce[CTAP_AES_CCM_NONCE_SIZE];
|
|
ret = fido2_ctap_crypto_prng(nonce, sizeof(nonce));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
ret = fido2_ctap_encrypt_rk(k, nonce, sizeof(nonce),
|
|
&cred_header->cred_id);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
cred_header->cred_len_h = (sizeof(cred_header->cred_id) & 0xff00) >> 8;
|
|
cred_header->cred_len_l = sizeof(cred_header->cred_id) & 0x00ff;
|
|
}
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
int fido2_ctap_encrypt_rk(ctap_resident_key_t *rk, uint8_t *nonce,
|
|
size_t nonce_len, ctap_cred_id_t *id)
|
|
{
|
|
assert(rk);
|
|
assert(nonce);
|
|
assert(id);
|
|
|
|
int ret;
|
|
|
|
/**
|
|
* If not initialized, create a new AES_CCM key to be able to encrypt a
|
|
* credential when it is not a resident credential and therefore
|
|
* will be stored by the relying party.
|
|
*/
|
|
if (!_state.cred_key_is_initialized) {
|
|
ret = fido2_ctap_crypto_prng(_state.cred_key, sizeof(_state.cred_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
_state.cred_key_is_initialized = true;
|
|
_write_state_to_flash(&_state);
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_aes_ccm_enc((uint8_t *)id, sizeof(id),
|
|
(uint8_t *)rk,
|
|
CTAP_CREDENTIAL_ID_ENC_SIZE,
|
|
NULL, 0,
|
|
CCM_MAC_MAX_LEN, CTAP_AES_CCM_L,
|
|
nonce, nonce_len,
|
|
_state.cred_key,
|
|
sizeof(_state.cred_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
memcpy(id->nonce, nonce, CTAP_AES_CCM_NONCE_SIZE);
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static int _ctap_decrypt_rk(ctap_resident_key_t *rk, ctap_cred_id_t *id)
|
|
{
|
|
int ret;
|
|
|
|
ret = fido2_ctap_crypto_aes_ccm_dec((uint8_t *)rk, sizeof(*rk),
|
|
(uint8_t *)id,
|
|
sizeof(id->id) + sizeof(id->mac),
|
|
NULL, 0,
|
|
CCM_MAC_MAX_LEN, CTAP_AES_CCM_L,
|
|
id->nonce, sizeof(id->nonce),
|
|
_state.cred_key,
|
|
sizeof(_state.cred_key));
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
/* store nonce in key to be able to later encrypt again */
|
|
memcpy(rk->cred_desc.nonce, id->nonce, CTAP_AES_CCM_NONCE_SIZE);
|
|
rk->cred_desc.has_nonce = true;
|
|
|
|
return CTAP2_OK;
|
|
}
|
|
|
|
static int _write_state_to_flash(const ctap_state_t *state)
|
|
{
|
|
/**
|
|
* CTAP state information is stored at flashpage 0 of the memory area
|
|
* dedicated for storing CTAP data
|
|
*/
|
|
return fido2_ctap_mem_write(state,
|
|
fido2_ctap_mem_flash_page(), 0,
|
|
CTAP_FLASH_STATE_SZ);
|
|
}
|
|
|
|
int fido2_ctap_get_sig(const uint8_t *auth_data, size_t auth_data_len,
|
|
const uint8_t *client_data_hash,
|
|
const ctap_resident_key_t *rk,
|
|
uint8_t *sig, size_t *sig_len)
|
|
{
|
|
assert(auth_data);
|
|
assert(client_data_hash);
|
|
assert(rk);
|
|
assert(sig);
|
|
assert(sig_len);
|
|
|
|
int ret;
|
|
sha256_context_t ctx;
|
|
uint8_t hash[SHA256_DIGEST_LENGTH];
|
|
|
|
ret = fido2_ctap_crypto_sha256_init(&ctx);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_sha256_update(&ctx, auth_data, auth_data_len);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_sha256_update(&ctx, client_data_hash, SHA256_DIGEST_LENGTH);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
ret = fido2_ctap_crypto_sha256_final(&ctx, hash);
|
|
|
|
if (ret != CTAP2_OK) {
|
|
return ret;
|
|
}
|
|
|
|
return fido2_ctap_crypto_get_sig(hash, sizeof(hash), sig, sig_len,
|
|
rk->priv_key,
|
|
sizeof(rk->priv_key));
|
|
}
|