Upgrade to v6.4

Signed-off-by: Pol Henarejos <[email protected]>
polhenarejos · Feb 19, 2025 · 964184c · 964184c
2 parents d6a060f + 3969fd5
commit 964184c
Show file tree

Hide file tree

Showing 15 changed files with 253 additions and 201 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -26,6 +26,7 @@ else()
 
 if(ENABLE_EMULATION)
 else()
+set(PICO_USE_FASTEST_SUPPORTED_CLOCK 1)
 include(pico_sdk_import.cmake)
 endif()
 

diff --git a/build_pico_fido.sh b/build_pico_fido.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 VERSION_MAJOR="6"
-VERSION_MINOR="2-eddsa1"
+VERSION_MINOR="4-eddsa1"
 SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}"
 #if ! [[ -z "${GITHUB_SHA}" ]]; then
 #    SUFFIX="${SUFFIX}.${GITHUB_SHA}"
@@ -11,98 +11,13 @@ rm -rf release/*
 mkdir -p build_release
 mkdir -p release
 cd build_release
-
-for board in 0xcb_helios \
-    adafruit_feather_rp2040_usb_host \
-    adafruit_feather_rp2040 \
-    adafruit_itsybitsy_rp2040 \
-    adafruit_kb2040 \
-    adafruit_macropad_rp2040 \
-    adafruit_qtpy_rp2040 \
-    adafruit_trinkey_qt2040 \
-    amethyst_fpga \
-    archi \
-    arduino_nano_rp2040_connect \
-    cytron_maker_pi_rp2040 \
-    datanoisetv_rp2040_dsp \
-    eetree_gamekit_rp2040 \
-    garatronic_pybstick26_rp2040 \
-    gen4_rp2350_24 \
-    gen4_rp2350_24ct \
-    gen4_rp2350_24t \
-    gen4_rp2350_28 \
-    gen4_rp2350_28ct \
-    gen4_rp2350_28t \
-    gen4_rp2350_32 \
-    gen4_rp2350_32ct \
-    gen4_rp2350_32t \
-    gen4_rp2350_35 \
-    gen4_rp2350_35ct \
-    gen4_rp2350_35t \
-    hellbender_2350A_devboard \
-    ilabs_challenger_rp2350_bconnect \
-    ilabs_challenger_rp2350_wifi_ble \
-    ilabs_opendec02 \
-    melopero_perpetuo_rp2350_lora \
-    melopero_shake_rp2040 \
-    metrotech_xerxes_rp2040 \
-    net8086_usb_interposer \
-    nullbits_bit_c_pro \
-    phyx_rick_tny_rp2350 \
-    pi-plates_micropi \
-    pico \
-    pico_w \
-    pico2 \
-    pimoroni_badger2040 \
-    pimoroni_interstate75 \
-    pimoroni_keybow2040 \
-    pimoroni_motor2040 \
-    pimoroni_pga2040 \
-    pimoroni_pga2350 \
-    pimoroni_pico_plus2_rp2350 \
-    pimoroni_picolipo_4mb \
-    pimoroni_picolipo_16mb \
-    pimoroni_picosystem \
-    pimoroni_plasma2040 \
-    pimoroni_plasma2350 \
-    pimoroni_servo2040 \
-    pimoroni_tiny2040 \
-    pimoroni_tiny2040_2mb \
-    pimoroni_tiny2350 \
-    pololu_3pi_2040_robot \
-    pololu_zumo_2040_robot \
-    seeed_xiao_rp2040 \
-    seeed_xiao_rp2350 \
-    solderparty_rp2040_stamp \
-    solderparty_rp2040_stamp_carrier \
-    solderparty_rp2040_stamp_round_carrier \
-    solderparty_rp2350_stamp_xl \
-    solderparty_rp2350_stamp \
-    sparkfun_micromod \
-    sparkfun_promicro \
-    sparkfun_promicro_rp2350 \
-    sparkfun_thingplus \
-    switchscience_picossci2_conta_base \
-    switchscience_picossci2_dev_board \
-    switchscience_picossci2_micro \
-    switchscience_picossci2_rp2350_breakout \
-    switchscience_picossci2_tiny \
-    tinycircuits_thumby_color_rp2350 \
-    vgaboard \
-    waveshare_rp2040_lcd_0.96 \
-    waveshare_rp2040_lcd_1.28 \
-    waveshare_rp2040_one \
-    waveshare_rp2040_plus_4mb \
-    waveshare_rp2040_plus_16mb \
-    waveshare_rp2040_zero \
-    weact_studio_rp2040_2mb \
-    weact_studio_rp2040_4mb \
-    weact_studio_rp2040_8mb \
-    weact_studio_rp2040_16mb \
-    wiznet_w5100s_evb_pico
+PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}"
+board_dir=${PICO_SDK_PATH}/src/boards/include/boards
+for board in "$board_dir"/*
 do
+    board_name="$(basename -- $board .h)"
     rm -rf *
-    PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}" cmake .. -DPICO_BOARD=$board
+    PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name
     make -j`nproc`
-    mv pico_fido.uf2 ../release/pico_fido_$board-$SUFFIX.uf2
+    mv pico_fido.uf2 ../release/pico_fido_$board_name-$SUFFIX.uf2
 done
diff --git a/pico-keys-sdk b/pico-keys-sdk
diff --git a/src/fido/cbor_config.c b/src/fido/cbor_config.c
@@ -246,14 +246,9 @@ int cbor_config(const uint8_t *data, size_t len) {
         else {
             CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
         }
-        uint8_t tmp[PHY_MAX_SIZE];
-        uint16_t tmp_len = 0;
-        memset(tmp, 0, sizeof(tmp));
-        if (phy_serialize_data(&phy_data, tmp, &tmp_len) != PICOKEY_OK) {
+        if (phy_save() != PICOKEY_OK) {
             CBOR_ERROR(CTAP2_ERR_PROCESSING);
         }
-        file_put_data(ef_phy, tmp, tmp_len);
-        low_flash_available();
     }
 #endif
     else {

diff --git a/src/fido/cbor_get_assertion.c b/src/fido/cbor_get_assertion.c
@@ -279,6 +279,8 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
             }
         }
 
+        bool silent = (up == false && uv == false);
+
         if (allowList_len > 0) {
             for (size_t e = 0; e < allowList_len; e++) {
                 if (allowList[e].type.present == false || allowList[e].id.present == false) {
@@ -288,7 +290,6 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
                     continue;
                 }
                 if (credential_load(allowList[e].id.data, allowList[e].id.len, rp_id_hash, &creds[creds_len]) != 0) {
-                    CBOR_FREE_BYTE_STRING(allowList[e].id);
                     credential_free(&creds[creds_len]);
                 }
                 else {
@@ -342,15 +343,32 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
             }
         }
         if (numberOfCredentials == 0) {
-            CBOR_ERROR(CTAP2_ERR_NO_CREDENTIALS);
+            if (silent && allowList_len > 0) {
+                for (size_t e = 0; e < allowList_len; e++) {
+                    if (allowList[e].type.present == false || allowList[e].id.present == false) {
+                        CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
+                    }
+                    if (strcmp(allowList[e].type.data, "public-key") != 0) {
+                        continue;
+                    }
+                    if (credential_verify(allowList[e].id.data, allowList[e].id.len, rp_id_hash, true) == 0) {
+                        numberOfCredentials++;
+                    }
+                }
+            }
+            if (numberOfCredentials == 0) {
+                CBOR_ERROR(CTAP2_ERR_NO_CREDENTIALS);
+            }
         }
 
-        for (int i = 0; i < numberOfCredentials; i++) {
-            for (int j = i + 1; j < numberOfCredentials; j++) {
-                if (creds[j].creation > creds[i].creation) {
-                    Credential tmp = creds[j];
-                    creds[j] = creds[i];
-                    creds[i] = tmp;
+        if (!silent) {
+            for (int i = 0; i < numberOfCredentials; i++) {
+                for (int j = i + 1; j < numberOfCredentials; j++) {
+                    if (creds[j].creation > creds[i].creation) {
+                        Credential tmp = creds[j];
+                        creds[j] = creds[i];
+                        creds[i] = tmp;
+                    }
                 }
             }
         }
@@ -380,8 +398,8 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
             CBOR_ERROR(CTAP2_ERR_INVALID_OPTION);
         }
 
-        if (up == false && uv == false) {
-            selcred = &creds[0];
+        if (silent && !resident) {
+            // Silent authentication, do nothing
         }
         else {
             selcred = &creds[0];
@@ -410,16 +428,18 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
 
     int ret = 0;
     uint8_t largeBlobKey[32] = {0};
-    if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
-        ret = credential_derive_large_blob_key(selcred->id.data, selcred->id.len, largeBlobKey);
-        if (ret != 0) {
-            CBOR_ERROR(CTAP2_ERR_PROCESSING);
+    if (selcred) {
+        if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
+            ret = credential_derive_large_blob_key(selcred->id.data, selcred->id.len, largeBlobKey);
+            if (ret != 0) {
+                CBOR_ERROR(CTAP2_ERR_PROCESSING);
+            }
         }
     }
 
     size_t ext_len = 0;
     uint8_t ext[512] = {0};
-    if (extensions.present == true) {
+    if (selcred && extensions.present == true) {
         cbor_encoder_init(&encoder, ext, sizeof(ext), 0);
         int l = 0;
         if (options.up == pfalse) {
@@ -530,43 +550,51 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
     const mbedtls_md_info_t *md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
     mbedtls_ecdsa_context ekey;
     mbedtls_ecdsa_init(&ekey);
-    ret = fido_load_key((int)selcred->curve, selcred->id.data, &ekey);
-    if (ret != 0) {
-        if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
-            mbedtls_ecdsa_free(&ekey);
-            CBOR_ERROR(CTAP1_ERR_OTHER);
-        }
-    }
-    if (ekey.grp.id == MBEDTLS_ECP_DP_SECP384R1) {
-        md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
-    }
-    else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
-        md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
-    }
-    else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
-        md = NULL;
-    }
     size_t olen = 0;
-    if (md != NULL) {
-        ret = mbedtls_md(md, aut_data, aut_data_len + clientDataHash.len, hash);
-        ret = mbedtls_ecdsa_write_signature(&ekey, mbedtls_md_get_type(md), hash, mbedtls_md_get_size(md), sig, sizeof(sig), &olen, random_gen, NULL);
+    if (selcred) {
+        ret = fido_load_key((int)selcred->curve, selcred->id.data, &ekey);
+        if (ret != 0) {
+            if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
+                mbedtls_ecdsa_free(&ekey);
+                CBOR_ERROR(CTAP1_ERR_OTHER);
+            }
+        }
+        if (ekey.grp.id == MBEDTLS_ECP_DP_SECP384R1) {
+            md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
+        }
+        else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
+            md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
+        }
+        else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
+            md = NULL;
+        }
+
+        if (md != NULL) {
+            ret = mbedtls_md(md, aut_data, aut_data_len + clientDataHash.len, hash);
+            ret = mbedtls_ecdsa_write_signature(&ekey, mbedtls_md_get_type(md), hash, mbedtls_md_get_size(md), sig, sizeof(sig), &olen, random_gen, NULL);
+        }
+        else {
+            ret = mbedtls_eddsa_write_signature(&ekey, aut_data, aut_data_len + clientDataHash.len, sig, sizeof(sig), &olen, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+        }
     }
     else {
-        ret = mbedtls_eddsa_write_signature(&ekey, aut_data, aut_data_len + clientDataHash.len, sig, sizeof(sig), &olen, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+        // Bogus signature
+        olen = 64;
+        memset(sig, 0x0B, olen);
     }
     mbedtls_ecp_keypair_free(&ekey);
     if (ret != 0) {
         CBOR_ERROR(CTAP2_ERR_PROCESSING);
     }
 
     uint8_t lfields = 3;
-    if (selcred->opts.present == true && selcred->opts.rk == ptrue) {
+    if (selcred && selcred->opts.present == true && selcred->opts.rk == ptrue) {
         lfields++;
     }
     if (numberOfCredentials > 1 && next == false) {
         lfields++;
     }
-    if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
+    if (selcred && extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
         lfields++;
     }
     cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
@@ -575,7 +603,12 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
     CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 2));
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "id"));
-    CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, selcred->id.data, selcred->id.len));
+    if (selcred) {
+        CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, selcred->id.data, selcred->id.len));
+    }
+    else {
+        CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, (uint8_t *)"\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01", 16));
+    }
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "type"));
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "public-key"));
     CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
@@ -585,7 +618,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x03));
     CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, sig, olen));
 
-    if (selcred->opts.present == true && selcred->opts.rk == ptrue) {
+    if (selcred && selcred->opts.present == true && selcred->opts.rk == ptrue) {
         CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
         uint8_t lu = 1;
         if (numberOfCredentials > 1 && allowList_len == 0) {
@@ -616,7 +649,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
         CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));
         CBOR_CHECK(cbor_encode_uint(&mapEncoder, numberOfCredentials));
     }
-    if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
+    if (selcred && extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
         CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x07));
         CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, largeBlobKey, sizeof(largeBlobKey)));
     }

diff --git a/src/fido/cbor_make_credential.c b/src/fido/cbor_make_credential.c
@@ -473,14 +473,13 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
             if (memcmp(p, "CommissionProfile", 17) == 0) {
                 ret = phy_unserialize_data(user.id.data, user.id.len, &phy_data);
                 if (ret == PICOKEY_OK) {
-                    file_put_data(ef_phy, user.id.data, user.id.len);
+                    ret = phy_save();
                 }
             }
 #endif
-            if (ret != 0) {
+            if (ret != PICOKEY_OK) {
                 CBOR_ERROR(CTAP2_ERR_PROCESSING);
             }
-            low_flash_available();
        }
     }
 

diff --git a/src/fido/cmd_authenticate.c b/src/fido/cmd_authenticate.c
@@ -43,7 +43,7 @@ int cmd_authenticate() {
     int ret = 0;
     uint8_t *tmp_kh = (uint8_t *) calloc(1, req->keyHandleLen);
     memcpy(tmp_kh, req->keyHandle, req->keyHandleLen);
-    if (credential_verify(tmp_kh, req->keyHandleLen, req->appId) == 0) {
+    if (credential_verify(tmp_kh, req->keyHandleLen, req->appId, false) == 0) {
         ret = fido_load_key(FIDO2_CURVE_P256, req->keyHandle, &key);
     }
     else {
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,7 @@ else() @@
     if(ENABLE_EMULATION)
     else()
+    set(PICO_USE_FASTEST_SUPPORTED_CLOCK 1)
     include(pico_sdk_import.cmake)
     endif()
@@ Expand Down @@
+0 −70		cmake/boards.cmake
+9 −10		pico_keys_sdk_import.cmake
+2 −2		src/debug.h
+18 −8		src/fs/phy.c
+4 −3		src/fs/phy.h
+9 −7		src/led/led.c
+6 −0		src/led/led_neopixel.c
+1 −1		src/led/led_pico.c
+54 −27		src/led/led_ws2812.c
+3 −2		src/rescue.c
+1 −1		src/usb/usb.h
+5 −4		src/usb/usb_descriptors.c