Upgrade to version 3.2

Signed-off-by: Pol Henarejos <[email protected]>
polhenarejos · Jan 15, 2025 · 7050e6b · 7050e6b
2 parents b1161c4 + 1015d2f
commit 7050e6b
Show file tree

Hide file tree

Showing 28 changed files with 1,901 additions and 1,475 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -18,83 +18,106 @@
 cmake_minimum_required(VERSION 3.13)
 
 if(ESP_PLATFORM)
-        set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src)
-        include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+    set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src)
+    include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 else()
+    if(NOT ENABLE_EMULATION)
+        include(pico_sdk_import.cmake)
+    endif()
 
-        if(ENABLE_EMULATION)
-        else()
-                include(pico_sdk_import.cmake)
-        endif()
+    project(pico_openpgp C CXX ASM)
 
-        project(pico_openpgp C CXX ASM)
+    set(CMAKE_C_STANDARD 11)
+    set(CMAKE_CXX_STANDARD 17)
 
-        set(CMAKE_C_STANDARD 11)
-        set(CMAKE_CXX_STANDARD 17)
+    if(NOT ENABLE_EMULATION)
+        pico_sdk_init()
+    endif()
 
-        if(ENABLE_EMULATION)
-        else()
-                pico_sdk_init()
-        endif()
+    if(NOT DEFINED __FOR_CI)
+        set(__FOR_CI 0)
+    endif()
+    if(__FOR_CI)
+        add_definitions(-D__FOR_CI)
+    endif()
 
-        add_executable(pico_openpgp)
+    add_executable(pico_openpgp)
 endif()
 
 set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/openpgp.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/files.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/piv.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/management.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_select.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_get_data.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_verify.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_put_data.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_select_data.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_import_data.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_version.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_change_pin.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_mse.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_internal_aut.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_challenge.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_activate_file.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_terminate_df.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_pso.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_keypair_gen.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_reset_retry.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/do.c
 )
 
 set(USB_ITF_CCID 1)
 set(USB_ITF_WCID 1)
 include(pico-keys-sdk/pico_keys_sdk_import.cmake)
+
+SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/openpgp/version.h" 1)
+
 if(ESP_PLATFORM)
-        project(pico_openpgp)
+    project(pico_openpgp)
 endif()
 
 set(INCLUDES ${INCLUDES}
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp
 )
 if(NOT ESP_PLATFORM)
-        target_sources(pico_openpgp PUBLIC ${SOURCES})
-        target_include_directories(pico_openpgp PUBLIC ${INCLUDES})
+    target_sources(pico_openpgp PUBLIC ${SOURCES})
+    target_include_directories(pico_openpgp PUBLIC ${INCLUDES})
 
+    target_compile_options(pico_openpgp PUBLIC
+        -Wall
+    )
+    if(NOT MSVC)
         target_compile_options(pico_openpgp PUBLIC
-                -Wall
+            -Werror
         )
+    endif()
+
+    if(ENABLE_EMULATION)
         if(NOT MSVC)
-                target_compile_options(pico_openpgp PUBLIC
-                        -Werror
-                )
+            target_compile_options(pico_openpgp PUBLIC
+                -fdata-sections
+                -ffunction-sections
+            )
         endif()
+        if(APPLE)
+            target_link_options(pico_openpgp PUBLIC
+                -Wl,-dead_strip
+            )
+        elseif(MSVC)
+            target_compile_options(pico_openpgp PUBLIC
+                -WX
+            )
 
-        if(ENABLE_EMULATION)
-                if(NOT MSVC)
-                        target_compile_options(pico_openpgp PUBLIC
-                                -fdata-sections
-                                -ffunction-sections
-                        )
-                endif()
-                if(APPLE)
-                        target_link_options(pico_openpgp PUBLIC
-                                -Wl,-dead_strip
-                        )
-                elseif(MSVC)
-                        target_compile_options(pico_openpgp PUBLIC
-                                -WX
-                        )
-
-                        target_link_libraries(pico_openpgp PUBLIC wsock32 ws2_32 Bcrypt)
-                else()
-                        target_link_options(pico_openpgp PUBLIC
-                                -Wl,--gc-sections
-                        )
-                endif(APPLE)
-                target_link_libraries(pico_openpgp PRIVATE pthread m)
+            target_link_libraries(pico_openpgp PUBLIC wsock32 ws2_32 Bcrypt)
         else()
-                pico_add_extra_outputs(${CMAKE_PROJECT_NAME})
-        endif()
+            target_link_options(pico_openpgp PUBLIC
+                -Wl,--gc-sections
+            )
+        endif(APPLE)
+        target_link_libraries(pico_openpgp PRIVATE pthread m)
+    else()
+        pico_add_extra_outputs(${CMAKE_PROJECT_NAME})
+    endif()
 endif()
-
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-Version=2.2
+Version=3.2
diff --git a/build_pico_openpgp.sh b/build_pico_openpgp.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 VERSION_MAJOR="3"
-VERSION_MINOR="0-eddsa1"
+VERSION_MINOR="2-eddsa1"
 SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}"
 #if ! [[ -z "${GITHUB_SHA}" ]]; then
 #    SUFFIX="${SUFFIX}.${GITHUB_SHA}"

diff --git a/pico-keys-sdk b/pico-keys-sdk
diff --git a/src/openpgp/cmd_activate_file.c b/src/openpgp/cmd_activate_file.c
@@ -0,0 +1,22 @@
+/*
+ * This file is part of the Pico OpenPGP distribution (https://github.com/polhenarejos/pico-openpgp).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "openpgp.h"
+
+int cmd_activate_file() {
+    return SW_OK();
+}
diff --git a/src/openpgp/cmd_challenge.c b/src/openpgp/cmd_challenge.c
@@ -0,0 +1,29 @@
+/*
+ * This file is part of the Pico OpenPGP distribution (https://github.com/polhenarejos/pico-openpgp).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "openpgp.h"
+#include "random.h"
+
+int cmd_challenge() {
+    uint8_t *rb = (uint8_t *) random_bytes_get(apdu.ne);
+    if (!rb) {
+        return SW_WRONG_LENGTH();
+    }
+    memcpy(res_APDU, rb, apdu.ne);
+    res_APDU_size = apdu.ne;
+    return SW_OK();
+}
diff --git a/src/openpgp/cmd_change_pin.c b/src/openpgp/cmd_change_pin.c
@@ -0,0 +1,69 @@
+/*
+ * This file is part of the Pico OpenPGP distribution (https://github.com/polhenarejos/pico-openpgp).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "openpgp.h"
+#include "otp.h"
+
+int cmd_change_pin() {
+    if (P1(apdu) != 0x0) {
+        return SW_WRONG_P1P2();
+    }
+    uint16_t fid = 0x1000 | P2(apdu);
+    file_t *pw;
+    if (!(pw = search_by_fid(fid, NULL, SPECIFY_EF))) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    uint8_t pin_len = file_get_data(pw)[0];
+    uint16_t r = 0;
+    if ((r = load_dek()) != PICOKEY_OK) {
+        return SW_EXEC_ERROR();
+    }
+
+    if (otp_key_1) {
+        for (int i = 0; i < 32; i++) {
+            dek[IV_SIZE + i] ^= otp_key_1[i];
+        }
+    }
+    r = check_pin(pw, apdu.data, pin_len);
+    if (r != 0x9000) {
+        return r;
+    }
+    uint8_t dhash[33];
+    dhash[0] = apdu.nc - pin_len;
+    double_hash_pin(apdu.data + pin_len, apdu.nc - pin_len, dhash + 1);
+    file_put_data(pw, dhash, sizeof(dhash));
+
+    file_t *tf = search_by_fid(EF_DEK, NULL, SPECIFY_EF);
+    if (!tf) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    uint8_t def[IV_SIZE + 32 + 32 + 32 + 32] = {0};
+    memcpy(def, file_get_data(tf), file_get_size(tf));
+    if (P2(apdu) == 0x81) {
+        hash_multi(apdu.data + pin_len, apdu.nc - pin_len, session_pw1);
+        memcpy(def + IV_SIZE, dek + IV_SIZE, 32);
+        aes_encrypt_cfb_256(session_pw1, def, def + IV_SIZE, 32);
+    }
+    else if (P2(apdu) == 0x83) {
+        hash_multi(apdu.data + pin_len, apdu.nc - pin_len, session_pw3);
+        memcpy(def + IV_SIZE + 32 + 32, dek + IV_SIZE, 32);
+        aes_encrypt_cfb_256(session_pw3, def, def + IV_SIZE + 32 + 32, 32);
+    }
+    file_put_data(tf, def, sizeof(def));
+    low_flash_available();
+    return SW_OK();
+}
diff --git a/src/openpgp/cmd_get_data.c b/src/openpgp/cmd_get_data.c
@@ -0,0 +1,91 @@
+/*
+ * This file is part of the Pico OpenPGP distribution (https://github.com/polhenarejos/pico-openpgp).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "openpgp.h"
+#include "asn1.h"
+
+int cmd_get_data() {
+    if (apdu.nc > 0) {
+        return SW_WRONG_LENGTH();
+    }
+    uint16_t fid = (P1(apdu) << 8) | P2(apdu);
+    file_t *ef;
+    if (!(ef = search_by_fid(fid, NULL, SPECIFY_EF))) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    if (!authenticate_action(ef, ACL_OP_READ_SEARCH)) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
+    if (currentEF && (currentEF->fid & 0x1FF0) == (fid & 0x1FF0)) { //previously selected
+        ef = currentEF;
+    }
+    else {
+        select_file(ef);
+    }
+    if (ef->data) {
+        uint16_t fids[] = { 1, fid };
+        uint16_t data_len = parse_do(fids, 1);
+        uint8_t *p = NULL;
+        uint16_t tg = 0;
+        uint16_t tg_len = 0;
+        asn1_ctx_t ctxi;
+        asn1_ctx_init(res_APDU, data_len, &ctxi);
+        if (walk_tlv(&ctxi, &p, &tg, &tg_len, NULL)) {
+            uint8_t dec = 2;
+            if ((tg & 0x1f) == 0x1f) {
+                dec++;
+            }
+            if ((res_APDU[dec - 1] & 0xF0) == 0x80) {
+                dec += (res_APDU[dec - 1] & 0x0F);
+            }
+            if (tg_len + dec == data_len) {
+                memmove(res_APDU, res_APDU + dec, data_len - dec);
+                data_len -= dec;
+                res_APDU_size -= dec;
+            }
+        }
+        //if (apdu.ne > data_len)
+        //    apdu.ne = data_len;
+    }
+    return SW_OK();
+}
+
+int cmd_get_next_data() {
+    file_t *ef = NULL;
+    if (apdu.nc > 0) {
+        return SW_WRONG_LENGTH();
+    }
+    if (!currentEF) {
+        return SW_RECORD_NOT_FOUND();
+    }
+    uint16_t fid = (P1(apdu) << 8) | P2(apdu);
+    if (!(ef = search_by_fid(fid, NULL, SPECIFY_EF))) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    if (!authenticate_action(ef, ACL_OP_UPDATE_ERASE)) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
+    if ((currentEF->fid & 0x1FF0) != (fid & 0x1FF0)) {
+        return SW_WRONG_P1P2();
+    }
+    fid = currentEF->fid + 1; //curentEF contains private DO. so, we select the next one
+    if (!(ef = search_by_fid(fid, NULL, SPECIFY_EF))) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    select_file(ef);
+    return cmd_get_data();
+}