Merge branch 'development'

CMakeLists.txt

@@ -18,6 +18,8 @@
 cmake_minimum_required(VERSION 3.13)
 
 if(ESP_PLATFORM)
+set(DEBUG_APDU 1)
+set(DENABLE_POWER_ON_RESET 0)
 set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src)
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 else()
@@ -39,14 +41,6 @@ endif()
 
 add_executable(pico_fido)
 endif()
-option(ENABLE_UP_BUTTON "Enable/disable user presence button" ON)
-if(ENABLE_UP_BUTTON)
-    add_definitions(-DENABLE_UP_BUTTON=1)
-    message(STATUS "User presence with button: \t enabled")
-else()
-    add_definitions(-DENABLE_UP_BUTTON=0)
-    message(STATUS "User presence with button: \t disabled")
-endif(ENABLE_UP_BUTTON)
 
 option(ENABLE_POWER_ON_RESET "Enable/disable power cycle on reset" ON)
 if(ENABLE_POWER_ON_RESET)
@@ -85,6 +79,7 @@ endif()
 set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/fido/fido.c
         ${CMAKE_CURRENT_LIST_DIR}/src/fido/files.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/fido/kek.c
         ${CMAKE_CURRENT_LIST_DIR}/src/fido/cmd_register.c
         ${CMAKE_CURRENT_LIST_DIR}/src/fido/cmd_authenticate.c
         ${CMAKE_CURRENT_LIST_DIR}/src/fido/cmd_version.c
@@ -116,6 +111,7 @@ endif()
 
 set(USB_ITF_HID 1)
 include(pico-keys-sdk/pico_keys_sdk_import.cmake)
+SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/fido/version.h" 1)
 if(ESP_PLATFORM)
     project(pico_fido)
 endif()
@@ -161,5 +157,6 @@ if(ENABLE_EMULATION)
     target_link_libraries(pico_fido PRIVATE pthread m)
 else()
 target_link_libraries(pico_fido PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id pico_aon_timer tinyusb_device tinyusb_board)
+pico_add_extra_outputs(${CMAKE_PROJECT_NAME})
 endif()
 endif()

sdkconfig.defaults

@@ -4,6 +4,7 @@
 IGNORE_UNKNOWN_FILES_FOR_MANAGED_COMPONENTS=1
 
 CONFIG_TINYUSB=y
+CONFIG_TINYUSB_TASK_STACK_SIZE=16384
 
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="pico-keys-sdk/config/esp32/partitions.csv"

src/fido/cbor_client_pin.c

@@ -37,6 +37,7 @@
 #include "crypto_utils.h"
 #include "pico_keys.h"
 #include "apdu.h"
+#include "kek.h"
 
 uint32_t usage_timer = 0, initial_usage_time_limit = 0;
 uint32_t max_usage_time_period  = 600 * 1000;
@@ -279,6 +280,21 @@ int pinUvAuthTokenUsageTimerObserver() {
     return 0;
 }
 
+int check_mkek_encrypted(const uint8_t *dhash) {
+    if (file_get_size(ef_mkek) == MKEK_IV_SIZE + MKEK_KEY_SIZE) {
+        hash_multi(dhash, 16, session_pin); // Only for storing MKEK
+        uint8_t mkek[MKEK_SIZE] = {0};
+        memcpy(mkek, file_get_data(ef_mkek), MKEK_IV_SIZE + MKEK_KEY_SIZE);
+        int ret = store_mkek(mkek);
+        mbedtls_platform_zeroize(mkek, sizeof(mkek));
+        mbedtls_platform_zeroize(session_pin, sizeof(session_pin));
+        if (ret != PICOKEY_OK) {
+            return CTAP2_ERR_PIN_AUTH_INVALID;
+        }
+    }
+    return PICOKEY_OK;
+}
+
 uint8_t new_pin_mismatches = 0;
 
 int cbor_client_pin(const uint8_t *data, size_t len) {
@@ -415,12 +431,20 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         if (pin_len < minPin) {
             CBOR_ERROR(CTAP2_ERR_PIN_POLICY_VIOLATION);
         }
-        uint8_t hsh[34];
+        uint8_t hsh[34], dhash[32];
         hsh[0] = MAX_PIN_RETRIES;
         hsh[1] = pin_len;
-        mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, hsh + 2);
-        file_put_data(ef_pin, hsh, 2 + 16);
+        mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
+        double_hash_pin(dhash, 16, hsh + 2);
+        file_put_data(ef_pin, hsh, 2 + 32);
         low_flash_available();
+
+        ret = check_mkek_encrypted(dhash);
+        if (ret != PICOKEY_OK) {
+            CBOR_ERROR(ret);
+        }
+        mbedtls_platform_zeroize(hsh, sizeof(hsh));
+        mbedtls_platform_zeroize(dhash, sizeof(dhash));
         goto err; //No return
     }
     else if (subcommand == 0x4) { //changePIN
@@ -462,8 +486,8 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
         }
-        uint8_t pin_data[18];
-        memcpy(pin_data, file_get_data(ef_pin), 18);
+        uint8_t pin_data[34];
+        memcpy(pin_data, file_get_data(ef_pin), 34);
         pin_data[0] -= 1;
         file_put_data(ef_pin, pin_data, sizeof(pin_data));
         low_flash_available();
@@ -474,7 +498,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
         }
-        if (memcmp(paddedNewPin, file_get_data(ef_pin) + 2, 16) != 0) {
+        uint8_t dhash[32];
+        double_hash_pin(paddedNewPin, 16, dhash);
+        if (memcmp(dhash, file_get_data(ef_pin) + 2, 32) != 0) {
             regenerate();
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             if (retries == 0) {
@@ -488,6 +514,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
                 CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
             }
         }
+        hash_multi(paddedNewPin, 16, session_pin);
         pin_data[0] = MAX_PIN_RETRIES;
         file_put_data(ef_pin, pin_data, sizeof(pin_data));
         low_flash_available();
@@ -515,12 +542,33 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         uint8_t hsh[34];
         hsh[0] = MAX_PIN_RETRIES;
         hsh[1] = pin_len;
-        mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, hsh + 2);
+        mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
+        double_hash_pin(dhash, 16, hsh + 2);
         if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1 &&
-            memcmp(hsh + 2, file_get_data(ef_pin) + 2, 16) == 0) {
+            memcmp(hsh + 2, file_get_data(ef_pin) + 2, 32) == 0) {
             CBOR_ERROR(CTAP2_ERR_PIN_POLICY_VIOLATION);
         }
-        file_put_data(ef_pin, hsh, 2 + 16);
+
+        uint8_t mkek[MKEK_SIZE] = {0};
+        ret = load_mkek(mkek);
+        if (ret != PICOKEY_OK) {
+            CBOR_ERROR(ret);
+        }
+        file_put_data(ef_pin, hsh, 2 + 32);
+
+        ret = check_mkek_encrypted(dhash);
+        if (ret != PICOKEY_OK) {
+            CBOR_ERROR(ret);
+        }
+
+        hash_multi(dhash, 16, session_pin);
+        ret = store_mkek(mkek);
+        mbedtls_platform_zeroize(mkek, sizeof(mkek));
+        if (ret != PICOKEY_OK) {
+            CBOR_ERROR(ret);
+        }
+        mbedtls_platform_zeroize(hsh, sizeof(hsh));
+        mbedtls_platform_zeroize(dhash, sizeof(dhash));
         if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1) {
             uint8_t *tmpf = (uint8_t *) calloc(1, file_get_size(ef_minpin));
             memcpy(tmpf, file_get_data(ef_minpin), file_get_size(ef_minpin));
@@ -570,8 +618,8 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
         }
-        uint8_t pin_data[18];
-        memcpy(pin_data, file_get_data(ef_pin), 18);
+        uint8_t pin_data[34];
+        memcpy(pin_data, file_get_data(ef_pin), 34);
         pin_data[0] -= 1;
         file_put_data(ef_pin, pin_data, sizeof(pin_data));
         low_flash_available();
@@ -582,7 +630,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
         }
-        if (memcmp(paddedNewPin, file_get_data(ef_pin) + 2, 16) != 0) {
+        uint8_t dhash[32];
+        double_hash_pin(paddedNewPin, 16, dhash);
+        if (memcmp(dhash, file_get_data(ef_pin) + 2, 32) != 0) {
             regenerate();
             mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
             if (retries == 0) {
@@ -596,9 +646,19 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
                 CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
             }
         }
+
+        ret = check_mkek_encrypted(paddedNewPin);
+        if (ret != PICOKEY_OK) {
+            CBOR_ERROR(ret);
+        }
+
+        hash_multi(paddedNewPin, 16, session_pin);
         pin_data[0] = MAX_PIN_RETRIES;
         new_pin_mismatches = 0;
         file_put_data(ef_pin, pin_data, sizeof(pin_data));
+        mbedtls_platform_zeroize(pin_data, sizeof(pin_data));
+        mbedtls_platform_zeroize(dhash, sizeof(dhash));
+
         low_flash_available();
         file_t *ef_minpin = search_by_fid(EF_MINPINLEN, NULL, SPECIFY_EF);
         if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1) {

src/fido/cbor_get_assertion.c

@@ -519,10 +519,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
     uint8_t *pa = aut_data;
     memcpy(pa, rp_id_hash, 32); pa += 32;
     *pa++ = flags;
-    *pa++ = (ctr >> 24) & 0xFF;
-    *pa++ = (ctr >> 16) & 0xFF;
-    *pa++ = (ctr >> 8) & 0xFF;
-    *pa++ = ctr & 0xFF;
+    pa += put_uint32_t_be(ctr, pa);
     memcpy(pa, ext, ext_len); pa += ext_len;
     if ((size_t)(pa - aut_data) != aut_data_len) {
         CBOR_ERROR(CTAP1_ERR_OTHER);

src/fido/cbor_large_blobs.c

@@ -129,10 +129,7 @@ int cbor_large_blobs(const uint8_t *data, size_t len) {
         uint8_t verify_data[70] = { 0 };
         memset(verify_data, 0xff, 32);
         verify_data[32] = 0x0C;
-        verify_data[34] = offset & 0xFF;
-        verify_data[35] = (offset >> 8) & 0xFF;
-        verify_data[36] = (offset >> 16) & 0xFF;
-        verify_data[37] = (offset >> 24) & 0xFF;
+        put_uint32_t_le(offset, verify_data + 34);
         mbedtls_sha256(set.data, set.len, verify_data + 38, 0);
         if (verify((uint8_t)pinUvAuthProtocol, paut.data, verify_data, (uint16_t)sizeof(verify_data), pinUvAuthParam.data) != 0) {
             CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);

src/fido/cbor_make_credential.c

@@ -286,7 +286,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
         if (strcmp(excludeList[e].type.data, (char *)"public-key") != 0) {
             continue;
         }
-        Credential ecred;
+        Credential ecred = {0};
         if (credential_load(excludeList[e].id.data, excludeList[e].id.len, rp_id_hash,
                             &ecred) == 0 &&
             (ecred.extensions.credProtect != CRED_PROT_UV_REQUIRED ||
@@ -409,13 +409,9 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
     uint8_t *pa = aut_data;
     memcpy(pa, rp_id_hash, 32); pa += 32;
     *pa++ = flags;
-    *pa++ = (ctr >> 24) & 0xFF;
-    *pa++ = (ctr >> 16) & 0xFF;
-    *pa++ = (ctr >> 8) & 0xFF;
-    *pa++ = ctr & 0xFF;
+    pa += put_uint32_t_be(ctr, pa);
     memcpy(pa, aaguid, 16); pa += 16;
-    *pa++ = ((uint16_t)cred_id_len >> 8) & 0xFF;
-    *pa++ = (uint16_t)cred_id_len & 0xFF;
+    pa += put_uint16_t_be(cred_id_len, pa);
     memcpy(pa, cred_id, cred_id_len); pa += (uint16_t)cred_id_len;
     memcpy(pa, cbor_buf, rs); pa += (uint16_t)rs;
     memcpy(pa, ext, ext_len); pa += (uint16_t)ext_len;

src/fido/cbor_reset.c

@@ -24,13 +24,14 @@
 #ifdef ESP_PLATFORM
 #include "esp_compat.h"
 #endif
+#include "fs/phy.h"
 
 extern void scan_all();
 
 int cbor_reset() {
 #ifndef ENABLE_EMULATION
 #if defined(ENABLE_POWER_ON_RESET) && ENABLE_POWER_ON_RESET == 1
-    if (board_millis() > 10000) {
+    if (!(phy_data.opts & PHY_OPT_DISABLE_POWER_RESET) && board_millis() > 10000) {
         return CTAP2_ERR_NOT_ALLOWED;
     }
 #endif

src/fido/cbor_vendor.c

@@ -255,7 +255,7 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
             uint16_t opts = 0;
             if (file_has_data(ef_phy)) {
                 uint8_t *data = file_get_data(ef_phy);
-                opts = (data[PHY_OPTS] << 8) | data[PHY_OPTS+1];
+                opts = get_uint16_t_be(data + PHY_OPTS);
             }
             CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
             CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
@@ -266,6 +266,24 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
         }
     }
  #endif
+    else if (cmd == CTAP_VENDOR_MEMORY) {
+        if (vendorCmd == 0x01) {
+            CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 5));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_free_space()));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_used_space()));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x03));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_total_space()));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_num_files()));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_size()));
+        }
+        else {
+            CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
+        }
+    }
     else {
         CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
     }

src/fido/cmd_authenticate.c

@@ -66,10 +66,7 @@ int cmd_authenticate() {
     resp->flags = 0;
     resp->flags |= P1(apdu) == CTAP_AUTH_ENFORCE ? CTAP_AUTH_FLAG_TUP : 0x0;
     uint32_t ctr = get_sign_counter();
-    resp->ctr[0] = (ctr >> 24) & 0xFF;
-    resp->ctr[1] = (ctr >> 16) & 0xFF;
-    resp->ctr[2] = (ctr >> 8) & 0xFF;
-    resp->ctr[3] = ctr & 0xFF;
+    put_uint32_t_be(ctr, resp->ctr);
     uint8_t hash[32], sig_base[CTAP_APPID_SIZE + 1 + 4 + CTAP_CHAL_SIZE];
     memcpy(sig_base, req->appId, CTAP_APPID_SIZE);
     memcpy(sig_base + CTAP_APPID_SIZE, &resp->flags, sizeof(uint8_t));

src/fido/credential.c

@@ -147,6 +147,10 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r
     int ret = 0;
     CborError error = CborNoError;
     uint8_t *copy_cred_id = (uint8_t *) calloc(1, cred_id_len);
+    if (!cred) {
+        CBOR_ERROR(CTAP2_ERR_INVALID_CREDENTIAL);
+    }
+    memset(cred, 0, sizeof(Credential));
     memcpy(copy_cred_id, cred_id, cred_id_len);
     ret = credential_verify(copy_cred_id, cred_id_len, rp_id_hash);
     if (ret != 0) { // U2F?
@@ -236,17 +240,19 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r
 }
 
 void credential_free(Credential *cred) {
-    CBOR_FREE_BYTE_STRING(cred->rpId);
-    CBOR_FREE_BYTE_STRING(cred->userId);
-    CBOR_FREE_BYTE_STRING(cred->userName);
-    CBOR_FREE_BYTE_STRING(cred->userDisplayName);
-    CBOR_FREE_BYTE_STRING(cred->id);
-    if (cred->extensions.present) {
-        CBOR_FREE_BYTE_STRING(cred->extensions.credBlob);
+    if (cred) {
+        CBOR_FREE_BYTE_STRING(cred->rpId);
+        CBOR_FREE_BYTE_STRING(cred->userId);
+        CBOR_FREE_BYTE_STRING(cred->userName);
+        CBOR_FREE_BYTE_STRING(cred->userDisplayName);
+        CBOR_FREE_BYTE_STRING(cred->id);
+        if (cred->extensions.present) {
+            CBOR_FREE_BYTE_STRING(cred->extensions.credBlob);
+        }
+        cred->present = false;
+        cred->extensions.present = false;
+        cred->opts.present = false;
     }
-    cred->present = false;
-    cred->extensions.present = false;
-    cred->opts.present = false;
 }
 
 int credential_store(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash) {

src/fido/ctap.h

@@ -126,6 +126,7 @@ typedef struct {
 #define CTAP_VENDOR_UNLOCK              0x03
 #define CTAP_VENDOR_EA                  0x04
 #define CTAP_VENDOR_PHY_OPTS            0x05
+#define CTAP_VENDOR_MEMORY              0x06
 
 #define CTAP_PERMISSION_MC              0x01  // MakeCredential
 #define CTAP_PERMISSION_GA              0x02  // GetAssertion