Random functions shall be called for each core, otherwise it will hung.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
@@ -420,7 +420,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
|
|||||||
flags |= FIDO2_AUT_FLAG_ED;
|
flags |= FIDO2_AUT_FLAG_ED;
|
||||||
}
|
}
|
||||||
|
|
||||||
uint32_t ctr = *(uint32_t *)file_get_data(ef_counter);
|
uint32_t ctr = get_sign_counter();
|
||||||
|
|
||||||
size_t aut_data_len = 32 + 1 + 4 + ext_len;
|
size_t aut_data_len = 32 + 1 + 4 + ext_len;
|
||||||
aut_data = (uint8_t *)calloc(1, aut_data_len + clientDataHash.len);
|
aut_data = (uint8_t *)calloc(1, aut_data_len + clientDataHash.len);
|
||||||
|
|||||||
@@ -285,7 +285,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
|
|||||||
if (cinfo == NULL)
|
if (cinfo == NULL)
|
||||||
CBOR_ERROR(CTAP1_ERR_OTHER);
|
CBOR_ERROR(CTAP1_ERR_OTHER);
|
||||||
size_t olen = 0, pkey_len = ceil((float)cinfo->bit_size/8);
|
size_t olen = 0, pkey_len = ceil((float)cinfo->bit_size/8);
|
||||||
uint32_t ctr = *(uint32_t *)file_get_data(ef_counter);
|
uint32_t ctr = get_sign_counter();
|
||||||
uint8_t cbor_buf[1024];
|
uint8_t cbor_buf[1024];
|
||||||
cbor_encoder_init(&encoder, cbor_buf, sizeof(cbor_buf), 0);
|
cbor_encoder_init(&encoder, cbor_buf, sizeof(cbor_buf), 0);
|
||||||
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 5));
|
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 5));
|
||||||
|
|||||||
@@ -31,6 +31,6 @@ int cbor_reset() {
|
|||||||
if (check_user_presence() == false)
|
if (check_user_presence() == false)
|
||||||
return CTAP2_ERR_USER_ACTION_TIMEOUT;
|
return CTAP2_ERR_USER_ACTION_TIMEOUT;
|
||||||
initialize_flash(true);
|
initialize_flash(true);
|
||||||
scan_all();
|
init_fido(true);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -26,7 +26,7 @@
|
|||||||
int cmd_authenticate() {
|
int cmd_authenticate() {
|
||||||
CTAP_AUTHENTICATE_REQ *req = (CTAP_AUTHENTICATE_REQ *)apdu.data;
|
CTAP_AUTHENTICATE_REQ *req = (CTAP_AUTHENTICATE_REQ *)apdu.data;
|
||||||
CTAP_AUTHENTICATE_RESP *resp = (CTAP_AUTHENTICATE_RESP *)res_APDU;
|
CTAP_AUTHENTICATE_RESP *resp = (CTAP_AUTHENTICATE_RESP *)res_APDU;
|
||||||
if (scan_files() != CCID_OK)
|
if (scan_files(true) != CCID_OK)
|
||||||
return SW_EXEC_ERROR();
|
return SW_EXEC_ERROR();
|
||||||
if (req->keyHandleLen != KEY_HANDLE_LEN)
|
if (req->keyHandleLen != KEY_HANDLE_LEN)
|
||||||
return SW_WRONG_DATA();
|
return SW_WRONG_DATA();
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ int cmd_register() {
|
|||||||
CTAP_REGISTER_RESP *resp = (CTAP_REGISTER_RESP *)res_APDU;
|
CTAP_REGISTER_RESP *resp = (CTAP_REGISTER_RESP *)res_APDU;
|
||||||
resp->registerId = CTAP_REGISTER_ID;
|
resp->registerId = CTAP_REGISTER_ID;
|
||||||
resp->keyHandleLen = KEY_HANDLE_LEN;
|
resp->keyHandleLen = KEY_HANDLE_LEN;
|
||||||
if (scan_files() != CCID_OK)
|
if (scan_files(true) != CCID_OK)
|
||||||
return SW_EXEC_ERROR();
|
return SW_EXEC_ERROR();
|
||||||
if (apdu.nc != CTAP_APPID_SIZE + CTAP_CHAL_SIZE)
|
if (apdu.nc != CTAP_APPID_SIZE + CTAP_CHAL_SIZE)
|
||||||
return SW_WRONG_LENGTH();
|
return SW_WRONG_LENGTH();
|
||||||
|
|||||||
@@ -33,7 +33,7 @@
|
|||||||
#include <math.h>
|
#include <math.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
void init_fido();
|
void init_fido(bool);
|
||||||
int fido_process_apdu();
|
int fido_process_apdu();
|
||||||
int fido_unload();
|
int fido_unload();
|
||||||
|
|
||||||
@@ -49,7 +49,7 @@ app_t *fido_select(app_t *a) {
|
|||||||
a->process_apdu = fido_process_apdu;
|
a->process_apdu = fido_process_apdu;
|
||||||
a->unload = fido_unload;
|
a->unload = fido_unload;
|
||||||
current_app = a;
|
current_app = a;
|
||||||
init_fido();
|
init_fido(false);
|
||||||
return a;
|
return a;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -90,7 +90,7 @@ int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key)
|
|||||||
return derive_key(NULL, false, key_path, mbedtls_curve, key);
|
return derive_key(NULL, false, key_path, mbedtls_curve, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffer_size) {
|
int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffer_size, bool core1) {
|
||||||
mbedtls_x509write_cert ctx;
|
mbedtls_x509write_cert ctx;
|
||||||
mbedtls_x509write_crt_init(&ctx);
|
mbedtls_x509write_crt_init(&ctx);
|
||||||
mbedtls_x509write_crt_set_version(&ctx, MBEDTLS_X509_CRT_VERSION_3);
|
mbedtls_x509write_crt_set_version(&ctx, MBEDTLS_X509_CRT_VERSION_3);
|
||||||
@@ -99,7 +99,7 @@ int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffe
|
|||||||
mbedtls_x509write_crt_set_subject_name(&ctx, "C=ES,O=Pico HSM,CN=Pico FIDO");
|
mbedtls_x509write_crt_set_subject_name(&ctx, "C=ES,O=Pico HSM,CN=Pico FIDO");
|
||||||
mbedtls_mpi serial;
|
mbedtls_mpi serial;
|
||||||
mbedtls_mpi_init(&serial);
|
mbedtls_mpi_init(&serial);
|
||||||
mbedtls_mpi_fill_random(&serial, 32, random_gen_core0, NULL);
|
mbedtls_mpi_fill_random(&serial, 32, core1 ? random_gen : random_gen_core0, NULL);
|
||||||
mbedtls_x509write_crt_set_serial(&ctx, &serial);
|
mbedtls_x509write_crt_set_serial(&ctx, &serial);
|
||||||
mbedtls_pk_context key;
|
mbedtls_pk_context key;
|
||||||
mbedtls_pk_init(&key);
|
mbedtls_pk_init(&key);
|
||||||
@@ -112,7 +112,7 @@ int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffe
|
|||||||
mbedtls_x509write_crt_set_subject_key_identifier(&ctx);
|
mbedtls_x509write_crt_set_subject_key_identifier(&ctx);
|
||||||
mbedtls_x509write_crt_set_authority_key_identifier(&ctx);
|
mbedtls_x509write_crt_set_authority_key_identifier(&ctx);
|
||||||
mbedtls_x509write_crt_set_key_usage(&ctx, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN);
|
mbedtls_x509write_crt_set_key_usage(&ctx, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN);
|
||||||
int ret = mbedtls_x509write_crt_der(&ctx, buffer, buffer_size, random_gen_core0, NULL);
|
int ret = mbedtls_x509write_crt_der(&ctx, buffer, buffer_size, core1 ? random_gen : random_gen_core0, NULL);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -171,7 +171,7 @@ int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int cur
|
|||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
int scan_files() {
|
int scan_files(bool core1) {
|
||||||
ef_keydev = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
|
ef_keydev = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
|
||||||
if (ef_keydev) {
|
if (ef_keydev) {
|
||||||
if (!file_has_data(ef_keydev)) {
|
if (!file_has_data(ef_keydev)) {
|
||||||
@@ -179,7 +179,7 @@ int scan_files() {
|
|||||||
mbedtls_ecdsa_context ecdsa;
|
mbedtls_ecdsa_context ecdsa;
|
||||||
mbedtls_ecdsa_init(&ecdsa);
|
mbedtls_ecdsa_init(&ecdsa);
|
||||||
uint8_t index = 0;
|
uint8_t index = 0;
|
||||||
int ret = mbedtls_ecdsa_genkey(&ecdsa, MBEDTLS_ECP_DP_SECP256R1, random_gen_core0, &index);
|
int ret = mbedtls_ecdsa_genkey(&ecdsa, MBEDTLS_ECP_DP_SECP256R1, core1 ? random_gen : random_gen_core0, &index);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
mbedtls_ecdsa_free(&ecdsa);
|
mbedtls_ecdsa_free(&ecdsa);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -208,12 +208,12 @@ int scan_files() {
|
|||||||
int ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, file_get_data(ef_keydev), 32);
|
int ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, file_get_data(ef_keydev), 32);
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
return ret;
|
return ret;
|
||||||
ret = x509_create_cert(&key, cert, sizeof(cert));
|
ret = x509_create_cert(&key, cert, sizeof(cert), core1);
|
||||||
mbedtls_ecdsa_free(&key);
|
mbedtls_ecdsa_free(&key);
|
||||||
if (ret <= 0)
|
if (ret <= 0)
|
||||||
return ret;
|
return ret;
|
||||||
flash_write_data_to_file(ef_certdev, cert + sizeof(cert) - ret, ret);
|
flash_write_data_to_file(ef_certdev, cert + sizeof(cert) - ret, ret);
|
||||||
DEBUG_PAYLOAD(cert + sizeof(cert) - ret, ret);
|
// DEBUG_PAYLOAD(cert + sizeof(cert) - ret, ret);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
@@ -234,7 +234,10 @@ int scan_files() {
|
|||||||
if (ef_authtoken) {
|
if (ef_authtoken) {
|
||||||
if (!file_has_data(ef_authtoken)) {
|
if (!file_has_data(ef_authtoken)) {
|
||||||
uint8_t t[32];
|
uint8_t t[32];
|
||||||
random_gen_core0(NULL, t, sizeof(t));
|
if (core1)
|
||||||
|
random_gen(NULL, t, sizeof(t));
|
||||||
|
else
|
||||||
|
random_gen_core0(NULL, t, sizeof(t));
|
||||||
flash_write_data_to_file(ef_authtoken, t, sizeof(t));
|
flash_write_data_to_file(ef_authtoken, t, sizeof(t));
|
||||||
}
|
}
|
||||||
paut.data = file_get_data(ef_authtoken);
|
paut.data = file_get_data(ef_authtoken);
|
||||||
@@ -247,13 +250,13 @@ int scan_files() {
|
|||||||
return CCID_OK;
|
return CCID_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
void scan_all() {
|
void scan_all(bool core1) {
|
||||||
scan_flash();
|
scan_flash();
|
||||||
scan_files();
|
scan_files(core1);
|
||||||
}
|
}
|
||||||
|
|
||||||
void init_fido() {
|
void init_fido(bool core1) {
|
||||||
scan_all();
|
scan_all(core1);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool wait_button_pressed() {
|
bool wait_button_pressed() {
|
||||||
@@ -276,6 +279,11 @@ bool check_user_presence() {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint32_t get_sign_counter() {
|
||||||
|
uint8_t *caddr = file_get_data(ef_counter);
|
||||||
|
return (*caddr) | (*(caddr + 1) << 8) | (*(caddr + 2) << 16) | (*(caddr + 3) << 24);
|
||||||
|
}
|
||||||
|
|
||||||
typedef struct cmd
|
typedef struct cmd
|
||||||
{
|
{
|
||||||
uint8_t ins;
|
uint8_t ins;
|
||||||
|
|||||||
@@ -30,11 +30,11 @@
|
|||||||
#define SHA256_DIGEST_LENGTH (32)
|
#define SHA256_DIGEST_LENGTH (32)
|
||||||
#define KEY_HANDLE_LEN (KEY_PATH_LEN + SHA256_DIGEST_LENGTH)
|
#define KEY_HANDLE_LEN (KEY_PATH_LEN + SHA256_DIGEST_LENGTH)
|
||||||
|
|
||||||
extern int scan_files();
|
extern int scan_files(bool);
|
||||||
extern int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int, mbedtls_ecdsa_context *key);
|
extern int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int, mbedtls_ecdsa_context *key);
|
||||||
extern bool wait_button_pressed();
|
extern bool wait_button_pressed();
|
||||||
extern CTAPHID_FRAME *ctap_req, *ctap_resp;
|
extern CTAPHID_FRAME *ctap_req, *ctap_resp;
|
||||||
extern void init_fido();
|
extern void init_fido(bool);
|
||||||
extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve);
|
extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve);
|
||||||
extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key);
|
extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key);
|
||||||
extern int load_keydev(uint8_t *key);
|
extern int load_keydev(uint8_t *key);
|
||||||
@@ -76,6 +76,7 @@ extern void clearUserPresentFlag();
|
|||||||
extern void clearUserVerifiedFlag();
|
extern void clearUserVerifiedFlag();
|
||||||
extern void clearPinUvAuthTokenPermissionsExceptLbw();
|
extern void clearPinUvAuthTokenPermissionsExceptLbw();
|
||||||
extern void send_keepalive();
|
extern void send_keepalive();
|
||||||
|
extern uint32_t get_sign_counter();
|
||||||
#define MAX_CREDENTIAL_COUNT_IN_LIST 16
|
#define MAX_CREDENTIAL_COUNT_IN_LIST 16
|
||||||
#define MAX_CRED_ID_LENGTH 1024
|
#define MAX_CRED_ID_LENGTH 1024
|
||||||
#define MAX_RESIDENT_CREDENTIALS 256
|
#define MAX_RESIDENT_CREDENTIALS 256
|
||||||
|
|||||||
Reference in New Issue
Block a user