Fixing next get assertion.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
@@ -45,7 +45,9 @@ int cbor_parse(const uint8_t *data, size_t len) {
|
||||
else if (data[0] == CTAP_CLIENT_PIN)
|
||||
return cbor_client_pin(data + 1, len - 1);
|
||||
else if (data[0] == CTAP_GET_ASSERTION)
|
||||
return cbor_get_assertion(data + 1, len - 1);
|
||||
return cbor_get_assertion(data + 1, len - 1, false);
|
||||
else if (data[0] == CTAP_GET_NEXT_ASSERTION)
|
||||
return cbor_get_next_assertion(data + 1, len - 1);
|
||||
return CTAP2_ERR_INVALID_CBOR;
|
||||
}
|
||||
|
||||
|
||||
@@ -29,28 +29,39 @@
|
||||
#include "credential.h"
|
||||
#include <math.h>
|
||||
|
||||
CborCharString rpIdx = {0};
|
||||
CborByteString pinUvAuthParamx = {0}, clientDataHashx = {0};
|
||||
bool residentx = false;
|
||||
Credential credsx[MAX_CREDENTIAL_COUNT_IN_LIST] = {0};
|
||||
uint64_t pinUvAuthProtocolx = 0;
|
||||
CredExtensions extensionx = {0};
|
||||
CredOptions optionsx = {0};
|
||||
uint8_t flagsx = 0;
|
||||
uint8_t credentialCounter = 1;
|
||||
uint8_t numberOfCredentialsx = 0;
|
||||
uint8_t flagsx = 0;
|
||||
uint32_t timerx = 0;
|
||||
uint8_t *datax = NULL;
|
||||
size_t lenx = 0;
|
||||
|
||||
int cbor_get_next_assertion(const uint8_t *data, size_t len) {
|
||||
CborError error = CborNoError;
|
||||
if (clientDataHashx.present == false || rpIdx.present == false || pinUvAuthParamx.present == false || pinUvAuthProtocolx == 0 || numberOfCredentialsx == 0)
|
||||
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
|
||||
if (credentialCounter == numberOfCredentialsx)
|
||||
printf("%d %d %ld %ld\n", credentialCounter, numberOfCredentialsx, timerx, board_millis());
|
||||
if (credentialCounter >= numberOfCredentialsx)
|
||||
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
|
||||
if (timerx+30*1000 < board_millis())
|
||||
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
|
||||
CBOR_CHECK(cbor_get_assertion(datax, lenx, true));
|
||||
timerx = board_millis();
|
||||
credentialCounter++;
|
||||
err:
|
||||
if (error != CborNoError) {
|
||||
for (int i = 0; i < MAX_CREDENTIAL_COUNT_IN_LIST; i++)
|
||||
credential_free(&credsx[i]);
|
||||
if (datax) {
|
||||
free(datax);
|
||||
datax = NULL;
|
||||
}
|
||||
lenx = 0;
|
||||
residentx = false;
|
||||
timerx = 0;
|
||||
flagsx = 0;
|
||||
credentialCounter = 0;
|
||||
numberOfCredentialsx = 0;
|
||||
if (error == CborErrorImproperValue)
|
||||
return CTAP2_ERR_CBOR_UNEXPECTED_TYPE;
|
||||
return error;
|
||||
@@ -58,7 +69,7 @@ err:
|
||||
return 0;
|
||||
}
|
||||
|
||||
int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
||||
size_t resp_size = 0;
|
||||
uint64_t pinUvAuthProtocol = 0, hmacSecretPinUvAuthProtocol = 1;
|
||||
CredOptions options = {0};
|
||||
@@ -189,6 +200,10 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
uint8_t rp_id_hash[32];
|
||||
mbedtls_sha256((uint8_t *)rpId.data, rpId.len, rp_id_hash, 0);
|
||||
|
||||
bool resident = false;
|
||||
uint8_t numberOfCredentials = 0;
|
||||
Credential *selcred = NULL;
|
||||
if (next == false) {
|
||||
if (pinUvAuthParam.present == true) {
|
||||
if (pinUvAuthParam.len == 0 || pinUvAuthParam.data == NULL) {
|
||||
if (check_user_presence() == false)
|
||||
@@ -229,7 +244,6 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
// Check pinUvAuthToken permissions. See 6.2.2.4
|
||||
}
|
||||
|
||||
bool resident = false;
|
||||
if (allowList_len > 0)
|
||||
{
|
||||
for (int e = 0; e < allowList_len; e++) {
|
||||
@@ -237,10 +251,13 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
|
||||
if (strcmp(allowList[e].type.data, "public-key") != 0)
|
||||
continue;
|
||||
if (credential_load(allowList[e].id.data, allowList[e].id.len, rp_id_hash, &creds[e]) != 0)
|
||||
if (credential_load(allowList[e].id.data, allowList[e].id.len, rp_id_hash, &creds[creds_len]) != 0) {
|
||||
CBOR_FREE_BYTE_STRING(allowList[e].id);
|
||||
credential_free(&creds[creds_len]);
|
||||
}
|
||||
else
|
||||
creds_len++;
|
||||
}
|
||||
creds_len = allowList_len;
|
||||
}
|
||||
else {
|
||||
for (int i = 0; i < MAX_RESIDENT_CREDENTIALS && creds_len < MAX_CREDENTIAL_COUNT_IN_LIST; i++) {
|
||||
@@ -255,7 +272,6 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
}
|
||||
resident = true;
|
||||
}
|
||||
uint8_t numberOfCredentials = 0;
|
||||
for (int i = 0; i < creds_len; i++) {
|
||||
if (creds[i].present == true) {
|
||||
if (creds[i].extensions.present == true) {
|
||||
@@ -264,12 +280,13 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
else if (creds[i].extensions.credProtect == CRED_PROT_UV_OPTIONAL_WITH_LIST && resident == true && !(flags & FIDO2_AUT_FLAG_UV))
|
||||
credential_free(&creds[i]);
|
||||
else
|
||||
numberOfCredentials++;
|
||||
creds[numberOfCredentials++] = creds[i];
|
||||
}
|
||||
else
|
||||
numberOfCredentials++;
|
||||
creds[numberOfCredentials++] = creds[i];
|
||||
}
|
||||
}
|
||||
printf("!! %d %d %d\n", numberOfCredentials, creds_len, allowList_len);
|
||||
if (numberOfCredentials == 0)
|
||||
CBOR_ERROR(CTAP2_ERR_NO_CREDENTIALS);
|
||||
|
||||
@@ -287,30 +304,33 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
}
|
||||
if (numberOfCredentials == 0)
|
||||
CBOR_ERROR(CTAP2_ERR_NO_CREDENTIALS);
|
||||
Credential *selcred = NULL;
|
||||
if (resident == false) {
|
||||
|
||||
if (!(flags & FIDO2_AUT_FLAG_UP) && !(flags & FIDO2_AUT_FLAG_UV)) {
|
||||
selcred = &creds[0];
|
||||
}
|
||||
else {
|
||||
if (numberOfCredentials == 1)
|
||||
selcred = &creds[0];
|
||||
else {
|
||||
if (numberOfCredentials > 1) {
|
||||
asserted = true;
|
||||
rpIdx = rpId;
|
||||
pinUvAuthParamx = pinUvAuthParamx;
|
||||
clientDataHashx = clientDataHash;
|
||||
residentx = resident;
|
||||
for (int i = 0; i < MAX_CREDENTIAL_COUNT_IN_LIST; i++)
|
||||
credsx[i] = creds[i];
|
||||
numberOfCredentialsx = numberOfCredentials;
|
||||
pinUvAuthProtocolx = pinUvAuthProtocol;
|
||||
extensionx = extensions;
|
||||
optionsx = options;
|
||||
datax = (uint8_t *)calloc(1, len);
|
||||
memcpy(datax, data, len);
|
||||
lenx = len;
|
||||
flagsx = flags;
|
||||
timerx = board_millis();
|
||||
credentialCounter = 1;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
resident = residentx;
|
||||
numberOfCredentials = numberOfCredentialsx;
|
||||
flags = flagsx;
|
||||
selcred = &credsx[credentialCounter];
|
||||
}
|
||||
mbedtls_ecdsa_context ekey;
|
||||
mbedtls_ecdsa_init(&ekey);
|
||||
int ret = fido_load_key(selcred->curve, selcred->id.data, &ekey);
|
||||
@@ -419,7 +439,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
uint8_t lfields = 3;
|
||||
if (resident)
|
||||
lfields++;
|
||||
if (numberOfCredentials > 1)
|
||||
if (numberOfCredentials > 1 && next == false)
|
||||
lfields++;
|
||||
cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
|
||||
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, lfields));
|
||||
@@ -444,7 +464,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
|
||||
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, selcred->userId.data, selcred->userId.len));
|
||||
CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
|
||||
}
|
||||
if (numberOfCredentials > 1) {
|
||||
if (numberOfCredentials > 1 && next == false) {
|
||||
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));
|
||||
CBOR_CHECK(cbor_encode_uint(&mapEncoder, numberOfCredentials));
|
||||
}
|
||||
|
||||
@@ -30,7 +30,8 @@ extern int cbor_reset();
|
||||
extern int cbor_get_info();
|
||||
extern int cbor_make_credential(const uint8_t *data, size_t len);
|
||||
extern int cbor_client_pin(const uint8_t *data, size_t len);
|
||||
extern int cbor_get_assertion(const uint8_t *data, size_t len);
|
||||
extern int cbor_get_assertion(const uint8_t *data, size_t len, bool next);
|
||||
extern int cbor_get_next_assertion(const uint8_t *data, size_t len);
|
||||
extern const uint8_t aaguid[16];
|
||||
|
||||
extern const bool _btrue, _bfalse;
|
||||
|
||||
Reference in New Issue
Block a user