From cf206bf1581ef8e9d6820d642dc089a8361f635b Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 21 Sep 2022 19:53:36 +0200 Subject: [PATCH] Credentials CANNOT be regenerated, as they depend on random IV. Signed-off-by: Pol Henarejos --- src/fido/cbor_get_assertion.c | 9 ++------- src/fido/credential.c | 11 ++++++----- src/fido/credential.h | 2 +- 3 files changed, 9 insertions(+), 13 deletions(-) diff --git a/src/fido/cbor_get_assertion.c b/src/fido/cbor_get_assertion.c index 211d89b..bb855c3 100644 --- a/src/fido/cbor_get_assertion.c +++ b/src/fido/cbor_get_assertion.c @@ -292,14 +292,9 @@ int cbor_get_assertion(const uint8_t *data, size_t len) { } } - uint8_t cred_id[MAX_CRED_ID_LENGTH]; - size_t cred_id_len = 0; - if (credential_create_cred(selcred, cred_id, &cred_id_len) != 0) - CBOR_ERROR(CTAP2_ERR_INTEGRITY_FAILURE); - mbedtls_ecdsa_context ekey; mbedtls_ecdsa_init(&ekey); - int ret = fido_load_key(selcred->curve, cred_id, &ekey); + int ret = fido_load_key(selcred->curve, selcred->id.data, &ekey); if (ret != 0) { mbedtls_ecdsa_free(&ekey); CBOR_ERROR(CTAP1_ERR_OTHER); @@ -414,7 +409,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len) { CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01)); CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 2)); CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "id")); - CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, cred_id, cred_id_len)); + CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, selcred->id.data, selcred->id.len)); CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "type")); CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "public-key")); CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2)); diff --git a/src/fido/credential.c b/src/fido/credential.c index 8062651..637dc72 100644 --- a/src/fido/credential.c +++ b/src/fido/credential.c @@ -38,10 +38,6 @@ int credential_verify(uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id return mbedtls_chachapoly_auth_decrypt(&chatx, cred_id_len - (4 + 12 + 16), iv, rp_id_hash, 32, tag, cipher, cipher); } -int credential_create_cred(Credential *cred, uint8_t *cred_id, size_t *cred_id_len) { - return credential_create(&cred->rpId, &cred->userId, &cred->userName, &cred->userDisplayName, &cred->extensions, cred->use_sign_count, cred->alg, cred->curve, cred_id, cred_id_len); -} - int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, CredExtensions *extensions, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len) { CborEncoder encoder, mapEncoder, mapEncoder2; CborError error = CborNoError; @@ -92,6 +88,7 @@ int credential_create(CborCharString *rpId, CborByteString *userId, CborCharStri } memcpy(cred_id, "\xf1\xd0\x02\x00", 4); memcpy(cred_id + 4, iv, 12); + err: if (error != CborNoError) { if (error == CborErrorImproperValue) @@ -151,7 +148,10 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r CBOR_ADVANCE(1); } } - + cred->id.present = true; + cred->id.data = (uint8_t *)calloc(1, cred_id_len); + memcpy(cred->id.data, cred_id, cred_id_len); + cred->id.len = cred_id_len; cred->present = true; err: free(copy_cred_id); @@ -168,6 +168,7 @@ void credential_free(Credential *cred) { CBOR_FREE_BYTE_STRING(cred->userId); CBOR_FREE_BYTE_STRING(cred->userName); CBOR_FREE_BYTE_STRING(cred->userDisplayName); + CBOR_FREE_BYTE_STRING(cred->id); cred->present = false; cred->extensions.present = false; } diff --git a/src/fido/credential.h b/src/fido/credential.h index 8a8d786..6e4b4ab 100644 --- a/src/fido/credential.h +++ b/src/fido/credential.h @@ -44,6 +44,7 @@ typedef struct Credential const bool *use_sign_count; int64_t alg; int64_t curve; + CborByteString id; bool present; } Credential; @@ -56,7 +57,6 @@ extern int credential_create(CborCharString *rpId, CborByteString *userId, CborC extern void credential_free(Credential *cred); extern int credential_store(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash); extern int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash, Credential *cred); -extern int credential_create_cred(Credential *cred, uint8_t *cred_id, size_t *cred_id_len); extern int credential_derive_hmac_key(const uint8_t *cred_id, size_t cred_id_len, uint8_t *outk); #endif // _CREDENTIAL_H_