Upgrade to version 5.12

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2024-09-02 20:21:58 +02:00
parent d2c25b69bc 95cae29206
commit 8ae4ab5af4
30 changed files with 474 additions and 575 deletions
--- a/src/fido/fido.c
+++ b/src/fido/fido.c
@@ -43,7 +43,7 @@ pinUvAuthToken_t paut = { 0 };
 uint8_t keydev_dec[32];
 bool has_keydev_dec = false;

-const uint8_t _fido_aid[] = {
+const uint8_t fido_aid[] = {
    8,
    0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01
 };
@@ -61,7 +61,8 @@ uint8_t fido_get_version_minor() {
    return PICO_FIDO_VERSION_MINOR;
 }

-int fido_select(app_t *a) {
+int fido_select(app_t *a, uint8_t force) {
+    (void) force;
    if (cap_supported(CAP_FIDO2)) {
        a->process_apdu = fido_process_apdu;
        a->unload = fido_unload;
@@ -72,12 +73,6 @@ int fido_select(app_t *a) {

 extern uint8_t (*get_version_major)();
 extern uint8_t (*get_version_minor)();
-extern const uint8_t *fido_aid;
-extern void (*init_fido_cb)();
-extern void (*cbor_thread_func)();
-extern int (*cbor_process_cb)(uint8_t, const uint8_t *, size_t);
-extern void cbor_thread();
-extern int cbor_process(uint8_t last_cmd, const uint8_t *data, size_t len);

 INITIALIZER ( fido_ctor ) {
 #if defined(USB_ITF_CCID) || defined(ENABLE_EMULATION)
@@ -85,12 +80,6 @@ INITIALIZER ( fido_ctor ) {
 #endif
    get_version_major = fido_get_version_major;
    get_version_minor = fido_get_version_minor;
-    fido_aid = _fido_aid;
-    init_fido_cb = init_fido;
-#ifndef ENABLE_EMULATION
-    cbor_thread_func = cbor_thread;
-#endif
-    cbor_process_cb = cbor_process;
    register_app(fido_select, fido_aid);
 }

@@ -174,7 +163,7 @@ int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffe
    mbedtls_x509write_crt_set_validity(&ctx, "20220901000000", "20720831235959");
    mbedtls_x509write_crt_set_issuer_name(&ctx, "C=ES,O=Pico HSM,CN=Pico FIDO");
    mbedtls_x509write_crt_set_subject_name(&ctx, "C=ES,O=Pico HSM,CN=Pico FIDO");
-    uint8_t serial[20];
+    uint8_t serial[16];
    random_gen(NULL, serial, sizeof(serial));
    mbedtls_x509write_crt_set_serial_raw(&ctx, serial, sizeof(serial));
    mbedtls_pk_context key;
@@ -191,6 +180,7 @@ int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffe
                                        MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
                                        MBEDTLS_X509_KU_KEY_CERT_SIGN);
    int ret = mbedtls_x509write_crt_der(&ctx, buffer, buffer_size, random_gen, NULL);
+    mbedtls_x509write_crt_free(&ctx);
    /* pk cannot be freed, as it is freed later */
    //mbedtls_pk_free(&key);
    return ret;
@@ -229,7 +219,7 @@ int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypa
    uint8_t hmac[32], d[32];
    size_t olen = 0;
    int ret = mbedtls_ecp_write_key_ext(key, &olen, d, sizeof(d));
-    if (key == NULL) {
+    if (key == &ctx) {
        mbedtls_ecdsa_free(&ctx);
    }
    if (ret != 0) {
@@ -238,22 +228,12 @@ int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypa
    uint8_t key_base[CTAP_APPID_SIZE + KEY_PATH_LEN];
    memcpy(key_base, appId, CTAP_APPID_SIZE);
    memcpy(key_base + CTAP_APPID_SIZE, keyHandle, KEY_PATH_LEN);
-    ret =
-        mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
-                        d,
-                        32,
-                        key_base,
-                        sizeof(key_base),
-                        hmac);
+    ret = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), d, 32, key_base, sizeof(key_base), hmac);
    mbedtls_platform_zeroize(d, sizeof(d));
    return memcmp(keyHandle + KEY_PATH_LEN, hmac, sizeof(hmac));
 }

-int derive_key(const uint8_t *app_id,
-               bool new_key,
-               uint8_t *key_handle,
-               int curve,
-               mbedtls_ecp_keypair *key) {
+int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int curve, mbedtls_ecp_keypair *key) {
    uint8_t outk[67] = { 0 }; //SECP521R1 key is 66 bytes length
    int r = 0;
    memset(outk, 0, sizeof(outk));
@@ -268,15 +248,7 @@ int derive_key(const uint8_t *app_id,
            val |= 0x80000000;
            memcpy(&key_handle[i * sizeof(uint32_t)], &val, sizeof(uint32_t));
        }
-        r = mbedtls_hkdf(md_info,
-                         &key_handle[i * sizeof(uint32_t)],
-                         sizeof(uint32_t),
-                         outk,
-                         32,
-                         outk + 32,
-                         32,
-                         outk,
-                         sizeof(outk));
+        r = mbedtls_hkdf(md_info, &key_handle[i * sizeof(uint32_t)], sizeof(uint32_t), outk, 32, outk + 32, 32, outk, sizeof(outk));
        if (r != 0) {
            mbedtls_platform_zeroize(outk, sizeof(outk));
            return r;
@@ -286,9 +258,7 @@ int derive_key(const uint8_t *app_id,
        uint8_t key_base[CTAP_APPID_SIZE + KEY_PATH_LEN];
        memcpy(key_base, app_id, CTAP_APPID_SIZE);
        memcpy(key_base + CTAP_APPID_SIZE, key_handle, KEY_PATH_LEN);
-        if ((r =
-                 mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), outk, 32, key_base,
-                                 sizeof(key_base), key_handle + 32)) != 0) {
+        if ((r = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), outk, 32, key_base, sizeof(key_base), key_handle + 32)) != 0) {
            mbedtls_platform_zeroize(outk, sizeof(outk));
            return r;
        }
@@ -302,7 +272,7 @@ int derive_key(const uint8_t *app_id,
        if (cinfo->bit_size % 8 != 0) {
            outk[0] >>= 8 - (cinfo->bit_size % 8);
        }
-        r = mbedtls_ecp_read_key(curve, key, outk, ceil((float) cinfo->bit_size / 8));
+        r = mbedtls_ecp_read_key(curve, key, outk, (size_t)ceil((float) cinfo->bit_size / 8));
        mbedtls_platform_zeroize(outk, sizeof(outk));
        if (r != 0) {
            return r;
@@ -336,7 +306,7 @@ int scan_files() {
            if (ret != CCID_OK) {
                return ret;
            }
-            ret = file_put_data(ef_keydev, kdata, key_size);
+            ret = file_put_data(ef_keydev, kdata, (uint16_t)key_size);
            mbedtls_platform_zeroize(kdata, sizeof(kdata));
            mbedtls_ecdsa_free(&ecdsa);
            if (ret != CCID_OK) {
@@ -354,10 +324,7 @@ int scan_files() {
            uint8_t cert[2048];
            mbedtls_ecdsa_context key;
            mbedtls_ecdsa_init(&key);
-            int ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1,
-                                           &key,
-                                           file_get_data(ef_keydev),
-                                           file_get_size(ef_keydev));
+            int ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, file_get_data(ef_keydev), file_get_size(ef_keydev));
            if (ret != 0) {
                mbedtls_ecdsa_free(&key);
                return ret;
@@ -372,7 +339,7 @@ int scan_files() {
            if (ret <= 0) {
                return ret;
            }
-            file_put_data(ef_certdev, cert + sizeof(cert) - ret, ret);
+            file_put_data(ef_certdev, cert + sizeof(cert) - ret, (uint16_t)ret);
        }
    }
    else {
@@ -404,9 +371,7 @@ int scan_files() {
    }
    ef_largeblob = search_by_fid(EF_LARGEBLOB, NULL, SPECIFY_EF);
    if (!file_has_data(ef_largeblob)) {
-        file_put_data(ef_largeblob,
-                                 (const uint8_t *) "\x80\x76\xbe\x8b\x52\x8d\x00\x75\xf7\xaa\xe9\x8d\x6f\xa5\x7a\x6d\x3c",
-                                 17);
+        file_put_data(ef_largeblob, (const uint8_t *) "\x80\x76\xbe\x8b\x52\x8d\x00\x75\xf7\xaa\xe9\x8d\x6f\xa5\x7a\x6d\x3c", 17);
    }
    low_flash_available();
    return CCID_OK;