From 779100f33cd23a6868d23854ab9e62b15bd780bd Mon Sep 17 00:00:00 2001
From: Token2 <6784409+token2@users.noreply.github.com>
Date: Tue, 9 Dec 2025 13:24:22 +0100
Subject: [PATCH] Update cbor_client_pin.c
---
src/fido/cbor_client_pin.c | 399 +++++++++++++++++--------------------
1 file changed, 186 insertions(+), 213 deletions(-)
diff --git a/src/fido/cbor_client_pin.c b/src/fido/cbor_client_pin.c
index 750aa77..b35ac75 100644
--- a/src/fido/cbor_client_pin.c
+++ b/src/fido/cbor_client_pin.c
@@ -1,20 +1,3 @@
-/*
- * This file is part of the Pico FIDO distribution (https://github.com/polhenarejos/pico-fido).
- * Copyright (c) 2022 Pol Henarejos.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, version 3.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
/*
* Copyright (c) 2025 Token2 Sàrl.
* Modifications:
@@ -25,7 +8,23 @@
* (digits, uppercase, lowercase, special).
*/
-
+/*
+ * This file is part of the Pico FIDO distribution (https://github.com/polhenarejos/pico-fido).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+#include "pico_keys.h"
#ifndef ESP_PLATFORM
#include "common.h"
#else
@@ -38,7 +37,7 @@
#include "cbor.h"
#include "ctap.h"
#include "ctap2_cbor.h"
-#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
+#if defined(PICO_PLATFORM)
#include "bsp/board.h"
#endif
#include "hid/ctap_hid.h"
@@ -46,7 +45,6 @@
#include "files.h"
#include "random.h"
#include "crypto_utils.h"
-#include "pico_keys.h"
#include "apdu.h"
#include "kek.h"
@@ -55,7 +53,7 @@ uint32_t max_usage_time_period = 600 * 1000;
bool needs_power_cycle = false;
static mbedtls_ecdh_context hkey;
static bool hkey_init = false;
-
+extern int encrypt_keydev_f1(const uint8_t keydev[32]);
int beginUsingPinUvAuthToken(bool userIsPresent) {
paut.user_present = userIsPresent;
paut.user_verified = true;
@@ -64,25 +62,21 @@ int beginUsingPinUvAuthToken(bool userIsPresent) {
paut.in_use = true;
return 0;
}
-
void clearUserPresentFlag() {
if (paut.in_use == true) {
paut.user_present = false;
}
}
-
void clearUserVerifiedFlag() {
if (paut.in_use == true) {
paut.user_verified = false;
}
}
-
void clearPinUvAuthTokenPermissionsExceptLbw() {
if (paut.in_use == true) {
paut.permissions = CTAP_PERMISSION_LBW;
}
}
-
void stopUsingPinUvAuthToken() {
paut.permissions = 0;
usage_timer = 0;
@@ -93,41 +87,32 @@ void stopUsingPinUvAuthToken() {
paut.user_present = paut.user_verified = false;
user_present_time_limit = 0;
}
-
bool getUserPresentFlagValue() {
if (paut.in_use != true) {
paut.user_present = false;
}
return paut.user_present;
}
-
bool getUserVerifiedFlagValue() {
if (paut.in_use != true) {
paut.user_verified = false;
}
return paut.user_verified;
}
-
int regenerate() {
if (hkey_init == true) {
mbedtls_ecdh_free(&hkey);
}
-
mbedtls_ecdh_init(&hkey);
hkey_init = true;
mbedtls_ecdh_setup(&hkey, MBEDTLS_ECP_DP_SECP256R1);
- int ret = mbedtls_ecdh_gen_public(&hkey.ctx.mbed_ecdh.grp,
- &hkey.ctx.mbed_ecdh.d,
- &hkey.ctx.mbed_ecdh.Q,
- random_gen,
- NULL);
+ int ret = mbedtls_ecdh_gen_public(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.d, &hkey.ctx.mbed_ecdh.Q, random_gen, NULL);
mbedtls_mpi_lset(&hkey.ctx.mbed_ecdh.Qp.Z, 1);
if (ret != 0) {
return ret;
}
return 0;
}
-
int kdf(uint8_t protocol, const mbedtls_mpi *z, uint8_t *sharedSecret) {
int ret = 0;
uint8_t buf[32];
@@ -136,64 +121,52 @@ int kdf(uint8_t protocol, const mbedtls_mpi *z, uint8_t *sharedSecret) {
return ret;
}
if (protocol == 1) {
- return mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
- buf,
- sizeof(buf),
- sharedSecret);
+ return mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), buf, sizeof(buf), sharedSecret);
}
else if (protocol == 2) {
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
- ret = mbedtls_hkdf(md_info,
- NULL,
- 0,
- buf,
- sizeof(buf),
- (uint8_t *) "CTAP2 HMAC key",
- 14,
- sharedSecret,
- 32);
+ ret = mbedtls_hkdf(md_info, NULL, 0, buf, sizeof(buf), (uint8_t *) "CTAP2 HMAC key", 14, sharedSecret, 32);
if (ret != 0) {
return ret;
}
- return mbedtls_hkdf(md_info,
- NULL,
- 0,
- buf,
- sizeof(buf),
- (uint8_t *) "CTAP2 AES key",
- 13,
- sharedSecret + 32,
- 32);
+ return mbedtls_hkdf(md_info, NULL, 0, buf, sizeof(buf), (uint8_t *) "CTAP2 AES key", 13, sharedSecret + 32, 32);
}
return -1;
}
-
int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSecret) {
mbedtls_mpi z;
mbedtls_mpi_init(&z);
- int ret = mbedtls_ecdh_compute_shared(&hkey.ctx.mbed_ecdh.grp,
- &z,
- Q,
- &hkey.ctx.mbed_ecdh.d,
- random_gen,
- NULL);
+ int ret = mbedtls_ecdh_compute_shared(&hkey.ctx.mbed_ecdh.grp, &z, Q, &hkey.ctx.mbed_ecdh.d, random_gen, NULL);
ret = kdf(protocol, &z, sharedSecret);
mbedtls_mpi_free(&z);
return ret;
}
-
-int resetPinUvAuthToken() {
+void resetAuthToken(bool persistent) {
+ uint16_t fid = EF_AUTHTOKEN;
+ if (persistent) {
+ fid = EF_PAUTHTOKEN;
+ }
+ file_t *ef = search_by_fid(fid, NULL, SPECIFY_EF);
uint8_t t[32];
random_gen(NULL, t, sizeof(t));
- file_put_data(ef_authtoken, t, sizeof(t));
+ file_put_data(ef, t, sizeof(t));
+ low_flash_available();
+}
+int resetPinUvAuthToken() {
+ resetAuthToken(false);
paut.permissions = 0;
paut.data = file_get_data(ef_authtoken);
paut.len = file_get_size(ef_authtoken);
-
- low_flash_available();
return 0;
}
-
+int resetPersistentPinUvAuthToken() {
+ resetAuthToken(true);
+ file_t *ef_pauthtoken = search_by_fid(EF_PAUTHTOKEN, NULL, SPECIFY_EF);
+ ppaut.permissions = 0;
+ ppaut.data = file_get_data(ef_pauthtoken);
+ ppaut.len = file_get_size(ef_pauthtoken);
+ return 0;
+}
int encrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in_len, uint8_t *out) {
if (protocol == 1) {
memcpy(out, in, in_len);
@@ -204,10 +177,8 @@ int encrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in
memcpy(out + IV_SIZE, in, in_len);
return aes_encrypt(key + 32, out, 32 * 8, PICO_KEYS_AES_MODE_CBC, out + IV_SIZE, in_len);
}
-
return -1;
}
-
int decrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in_len, uint8_t *out) {
if (protocol == 1) {
memcpy(out, in, in_len);
@@ -217,15 +188,9 @@ int decrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in
memcpy(out, in + IV_SIZE, in_len - IV_SIZE);
return aes_decrypt(key + 32, in, 32 * 8, PICO_KEYS_AES_MODE_CBC, out, in_len - IV_SIZE);
}
-
return -1;
}
-
-int authenticate(uint8_t protocol,
- const uint8_t *key,
- const uint8_t *data,
- size_t len,
- uint8_t *sign) {
+int authenticate(uint8_t protocol, const uint8_t *key, const uint8_t *data, size_t len, uint8_t *sign) {
uint8_t hmac[32];
int ret =
mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), key, 32, data, len, hmac);
@@ -243,33 +208,27 @@ int authenticate(uint8_t protocol,
}
return 0;
}
-
int verify(uint8_t protocol, const uint8_t *key, const uint8_t *data, uint16_t len, uint8_t *sign) {
uint8_t hmac[32];
- //if (paut.in_use == false)
- // return -2;
int ret = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), key, 32, data, len, hmac);
if (ret != 0) {
return ret;
}
if (protocol == 1) {
- return memcmp(sign, hmac, 16);
+ return ct_memcmp(sign, hmac, 16);
}
else if (protocol == 2) {
- return memcmp(sign, hmac, 32);
+ return ct_memcmp(sign, hmac, 32);
}
return -1;
}
-
int initialize() {
regenerate();
return resetPinUvAuthToken();
}
-
int getPublicKey() {
return 0;
}
-
int pinUvAuthTokenUsageTimerObserver() {
if (usage_timer == 0) {
return -1;
@@ -286,71 +245,59 @@ int pinUvAuthTokenUsageTimerObserver() {
return 1;
}
}
- // TO DO: implement a rolling timer
}
return 0;
}
-
-int check_mkek_encrypted(const uint8_t *dhash) {
- if (file_get_size(ef_mkek) == MKEK_IV_SIZE + MKEK_KEY_SIZE) {
- hash_multi(dhash, 16, session_pin); // Only for storing MKEK
- uint8_t mkek[MKEK_SIZE] = {0};
- memcpy(mkek, file_get_data(ef_mkek), MKEK_IV_SIZE + MKEK_KEY_SIZE);
- int ret = store_mkek(mkek);
- mbedtls_platform_zeroize(mkek, sizeof(mkek));
- mbedtls_platform_zeroize(session_pin, sizeof(session_pin));
- if (ret != PICOKEY_OK) {
- return CTAP2_ERR_PIN_AUTH_INVALID;
- }
+int check_keydev_encrypted(const uint8_t pin_token[32]) {
+ if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) {
+ uint8_t tmp_keydev[61];
+ tmp_keydev[0] = 0x02;
+ encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, tmp_keydev + 1);
+ file_put_data(ef_keydev, tmp_keydev, sizeof(tmp_keydev));
+ mbedtls_platform_zeroize(tmp_keydev, sizeof(tmp_keydev));
+ low_flash_available();
}
return PICOKEY_OK;
}
+uint8_t new_pin_mismatches = 0;
-
-static bool is_sequential(const uint8_t *pin, size_t len) {
- for (size_t i = 1; i < len; i++) {
- if (!(pin[i] == pin[i-1] + 1 || pin[i] == pin[i-1] - 1)) {
+// --- PIN Complexity Helpers ---
+static bool is_sequential(const uint8_t *pin, size_t pin_len) {
+ for (size_t i = 1; i < pin_len; i++) {
+ if (pin[i] != pin[i-1] + 1) {
return false;
}
}
return true;
}
-
-static bool is_repeated(const uint8_t *pin, size_t len) {
- for (size_t i = 1; i < len; i++) {
- if (pin[i] != pin[0]) {
+static bool is_repeated(const uint8_t *pin, size_t pin_len) {
+ uint8_t first = pin[0];
+ for (size_t i = 1; i < pin_len; i++) {
+ if (pin[i] != first) {
return false;
}
}
return true;
}
-
-static bool is_palindrome(const uint8_t *pin, size_t len) {
- for (size_t i = 0; i < len / 2; i++) {
- if (pin[i] != pin[len - i - 1]) {
+static bool is_palindrome(const uint8_t *pin, size_t pin_len) {
+ for (size_t i = 0; i < pin_len / 2; i++) {
+ if (pin[i] != pin[pin_len - 1 - i]) {
return false;
}
}
return true;
}
-
-static bool has_excessive_repeats(const uint8_t *pin, size_t len) {
- uint8_t counts[256] = {0};
- for (size_t i = 0; i < len; i++) {
- counts[pin[i]]++;
- }
- for (int i = 0; i < 256; i++) {
- if (counts[i] > 3) {
+static bool has_excessive_repeats(const uint8_t *pin, size_t pin_len) {
+ for (size_t i = 0; i < pin_len - 2; i++) {
+ if (pin[i] == pin[i+1] && pin[i] == pin[i+2]) {
return true;
}
}
return false;
}
-
static int check_pin_complexity(const uint8_t *pin, size_t pin_len) {
bool has_digit = false, has_upper = false, has_lower = false, has_special = false;
bool is_all_digits = true;
-
for (size_t i = 0; i < pin_len; i++) {
if (pin[i] >= '0' && pin[i] <= '9') {
has_digit = true;
@@ -365,9 +312,7 @@ static int check_pin_complexity(const uint8_t *pin, size_t pin_len) {
is_all_digits = false;
}
}
-
if (is_all_digits) {
- // Numeric PIN rules
if (pin_len < 6) {
return CTAP2_ERR_PIN_POLICY_VIOLATION;
}
@@ -384,7 +329,6 @@ static int check_pin_complexity(const uint8_t *pin, size_t pin_len) {
return CTAP2_ERR_PIN_POLICY_VIOLATION;
}
} else {
- // Alphanumeric password rules
if (pin_len < 10) {
return CTAP2_ERR_PIN_POLICY_VIOLATION;
}
@@ -394,13 +338,9 @@ static int check_pin_complexity(const uint8_t *pin, size_t pin_len) {
return CTAP2_ERR_PIN_POLICY_VIOLATION;
}
}
-
- return 0; // OK
+ return 0;
}
-
-uint8_t new_pin_mismatches = 0;
-
int cbor_client_pin(const uint8_t *data, size_t len) {
size_t resp_size = 0;
uint64_t subcommand = 0x0, pinUvAuthProtocol = 0, permissions = 0;
@@ -409,11 +349,11 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
CborEncoder encoder, mapEncoder;
CborValue map;
CborError error = CborNoError;
- CborByteString pinUvAuthParam = { 0 }, newPinEnc = { 0 }, pinHashEnc = { 0 }, kax = { 0 },
- kay = { 0 };
+ CborByteString pinUvAuthParam = { 0 }, newPinEnc = { 0 }, pinHashEnc = { 0 }, kax = { 0 }, kay = { 0 };
CborCharString rpId = { 0 };
CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map));
uint64_t val_c = 1;
+ uint8_t keydev[32] = {0};
if (hkey_init == false) {
initialize();
}
@@ -454,7 +394,6 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
}
}
CBOR_PARSE_MAP_END(map, 1);
-
cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
if (subcommand == 0x0) {
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
@@ -473,7 +412,6 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
CborEncoder mapEncoder2;
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
-
CBOR_CHECK(COSE_key_shared(&hkey, &mapEncoder, &mapEncoder2));
}
else if (pinUvAuthProtocol == 0) {
@@ -527,12 +465,12 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
while (paddedNewPin[pin_len] != 0 && pin_len < sizeof(paddedNewPin)) {
pin_len++;
}
- uint8_t minPin = 6;
- int complexity_ret = check_pin_complexity(paddedNewPin, pin_len);
- if (complexity_ret != 0) {
- CBOR_ERROR(complexity_ret);
- }
-
+ // --- Check PIN Complexity ---
+ ret = check_pin_complexity(paddedNewPin, pin_len);
+ if (ret != 0) {
+ CBOR_ERROR(ret);
+ }
+ uint8_t minPin = 4;
file_t *ef_minpin = search_by_fid(EF_MINPINLEN, NULL, SPECIFY_EF);
if (file_has_data(ef_minpin)) {
minPin = *file_get_data(ef_minpin);
@@ -540,18 +478,16 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
if (pin_len < minPin) {
CBOR_ERROR(CTAP2_ERR_PIN_POLICY_VIOLATION);
}
-
-
-
- uint8_t hsh[34], dhash[32];
+ uint8_t hsh[35], dhash[32];
hsh[0] = MAX_PIN_RETRIES;
hsh[1] = pin_len;
+ hsh[2] = 1; // New format indicator
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
- double_hash_pin(dhash, 16, hsh + 2);
- file_put_data(ef_pin, hsh, 2 + 32);
+ pin_derive_verifier(dhash, 16, hsh + 3);
+ file_put_data(ef_pin, hsh, sizeof(hsh));
low_flash_available();
-
- ret = check_mkek_encrypted(dhash);
+ pin_derive_session(dhash, 16, session_pin);
+ ret = check_keydev_encrypted(session_pin);
if (ret != PICOKEY_OK) {
CBOR_ERROR(ret);
}
@@ -598,10 +534,10 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
}
- uint8_t pin_data[34];
- memcpy(pin_data, file_get_data(ef_pin), 34);
+ uint8_t pin_data[35];
+ memcpy(pin_data, file_get_data(ef_pin), file_get_size(ef_pin));
pin_data[0] -= 1;
- file_put_data(ef_pin, pin_data, sizeof(pin_data));
+ file_put_data(ef_pin, pin_data, file_get_size(ef_pin));
low_flash_available();
uint8_t retries = pin_data[0];
uint8_t paddedNewPin[64];
@@ -610,9 +546,15 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
}
- uint8_t dhash[32];
- double_hash_pin(paddedNewPin, 16, dhash);
- if (memcmp(dhash, file_get_data(ef_pin) + 2, 32) != 0) {
+ uint8_t dhash[32], off = 3;
+ if (file_get_size(ef_pin) == 34) {
+ off = 2;
+ double_hash_pin(paddedNewPin, 16, dhash);
+ }
+ else {
+ pin_derive_verifier(paddedNewPin, 16, dhash);
+ }
+ if (ct_memcmp(dhash, file_get_data(ef_pin) + off, 32) != 0) {
regenerate();
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
if (retries == 0) {
@@ -626,10 +568,24 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
}
}
- hash_multi(paddedNewPin, 16, session_pin);
+ if (off == 2) {
+ pin_data[2] = 1;
+ pin_derive_verifier(paddedNewPin, 16, pin_data + 3);
+ hash_multi(paddedNewPin, 16, session_pin);
+ ret = load_keydev(keydev);
+ if (ret != PICOKEY_OK) {
+ CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
+ }
+ encrypt_keydev_f1(keydev);
+ }
+ pin_derive_session(paddedNewPin, 16, session_pin);
pin_data[0] = MAX_PIN_RETRIES;
file_put_data(ef_pin, pin_data, sizeof(pin_data));
low_flash_available();
+ ret = check_keydev_encrypted(session_pin);
+ if (ret != PICOKEY_OK) {
+ CBOR_ERROR(ret);
+ }
new_pin_mismatches = 0;
ret = decrypt((uint8_t)pinUvAuthProtocol, sharedSecret, newPinEnc.data, (uint16_t)newPinEnc.len, paddedNewPin);
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
@@ -640,14 +596,14 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
uint8_t pin_len = 0;
- int complexity_ret = check_pin_complexity(paddedNewPin, pin_len);
-if (complexity_ret != 0) {
- CBOR_ERROR(complexity_ret);
-}
-
- while (paddedNewPin[pin_len] != 0 && pin_len < sizeof(paddedNewPin)) {
+ while (paddedNewPin[pin_len] != 0 && pin_len < sizeof(paddedNewPin)) {
pin_len++;
}
+ // --- Check PIN Complexity ---
+ ret = check_pin_complexity(paddedNewPin, pin_len);
+ if (ret != 0) {
+ CBOR_ERROR(ret);
+ }
uint8_t minPin = 4;
file_t *ef_minpin = search_by_fid(EF_MINPINLEN, NULL, SPECIFY_EF);
if (file_has_data(ef_minpin)) {
@@ -656,35 +612,27 @@ if (complexity_ret != 0) {
if (pin_len < minPin) {
CBOR_ERROR(CTAP2_ERR_PIN_POLICY_VIOLATION);
}
- uint8_t hsh[34];
- hsh[0] = MAX_PIN_RETRIES;
- hsh[1] = pin_len;
+ ret = load_keydev(keydev);
+ if (ret != PICOKEY_OK) {
+ CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
+ }
+ encrypt_keydev_f1(keydev);
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
- double_hash_pin(dhash, 16, hsh + 2);
- if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1 &&
- memcmp(hsh + 2, file_get_data(ef_pin) + 2, 32) == 0) {
+ pin_derive_session(dhash, 16, session_pin);
+ ret = check_keydev_encrypted(session_pin);
+ if (ret != PICOKEY_OK) {
+ CBOR_ERROR(ret);
+ }
+ low_flash_available();
+ pin_data[0] = MAX_PIN_RETRIES;
+ pin_data[1] = pin_len;
+ pin_data[2] = 1;
+ pin_derive_verifier(dhash, 16, pin_data + 3);
+ if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1 && ct_memcmp(pin_data + 3, file_get_data(ef_pin) + 3, 32) == 0) {
CBOR_ERROR(CTAP2_ERR_PIN_POLICY_VIOLATION);
}
-
- uint8_t mkek[MKEK_SIZE] = {0};
- ret = load_mkek(mkek);
- if (ret != PICOKEY_OK) {
- CBOR_ERROR(ret);
- }
- file_put_data(ef_pin, hsh, 2 + 32);
-
- ret = check_mkek_encrypted(dhash);
- if (ret != PICOKEY_OK) {
- CBOR_ERROR(ret);
- }
-
- hash_multi(dhash, 16, session_pin);
- ret = store_mkek(mkek);
- mbedtls_platform_zeroize(mkek, sizeof(mkek));
- if (ret != PICOKEY_OK) {
- CBOR_ERROR(ret);
- }
- mbedtls_platform_zeroize(hsh, sizeof(hsh));
+ file_put_data(ef_pin, pin_data, sizeof(pin_data));
+ mbedtls_platform_zeroize(pin_data, sizeof(pin_data));
mbedtls_platform_zeroize(dhash, sizeof(dhash));
if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1) {
uint8_t *tmpf = (uint8_t *) calloc(1, file_get_size(ef_minpin));
@@ -695,6 +643,7 @@ if (complexity_ret != 0) {
}
low_flash_available();
resetPinUvAuthToken();
+ resetPersistentPinUvAuthToken();
goto err; // No return
}
else if (subcommand == 0x9 || subcommand == 0x5) { //getPinUvAuthTokenUsingPinWithPermissions
@@ -712,10 +661,12 @@ if (complexity_ret != 0) {
if (permissions == 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
- if ((permissions & CTAP_PERMISSION_BE)) { // Not supported yet
+ if ((permissions & CTAP_PERMISSION_BE)) {
+ CBOR_ERROR(CTAP2_ERR_UNAUTHORIZED_PERMISSION);
+ }
+ if ((permissions & CTAP_PERMISSION_PCMR) && permissions != CTAP_PERMISSION_PCMR) {
CBOR_ERROR(CTAP2_ERR_UNAUTHORIZED_PERMISSION);
}
-
}
if (!file_has_data(ef_pin)) {
CBOR_ERROR(CTAP2_ERR_PIN_NOT_SET);
@@ -735,10 +686,10 @@ if (complexity_ret != 0) {
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
- uint8_t pin_data[34];
- memcpy(pin_data, file_get_data(ef_pin), 34);
+ uint8_t pin_data[35];
+ memcpy(pin_data, file_get_data(ef_pin), file_get_size(ef_pin));
pin_data[0] -= 1;
- file_put_data(ef_pin, pin_data, sizeof(pin_data));
+ file_put_data(ef_pin, pin_data, file_get_size(ef_pin));
low_flash_available();
uint8_t retries = pin_data[0];
uint8_t paddedNewPin[64], poff = ((uint8_t)pinUvAuthProtocol - 1) * IV_SIZE;
@@ -747,11 +698,18 @@ if (complexity_ret != 0) {
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
}
- uint8_t dhash[32];
- double_hash_pin(paddedNewPin, 16, dhash);
- if (memcmp(dhash, file_get_data(ef_pin) + 2, 32) != 0) {
+ uint8_t dhash[32], off = 3;
+ if (file_get_size(ef_pin) == 34) {
+ off = 2;
+ double_hash_pin(paddedNewPin, 16, dhash);
+ }
+ else {
+ pin_derive_verifier(paddedNewPin, 16, dhash);
+ }
+ if (ct_memcmp(dhash, file_get_data(ef_pin) + off, 32) != 0) {
regenerate();
mbedtls_platform_zeroize(sharedSecret, sizeof(sharedSecret));
+ mbedtls_platform_zeroize(dhash, sizeof(dhash));
if (retries == 0) {
CBOR_ERROR(CTAP2_ERR_PIN_BLOCKED);
}
@@ -763,39 +721,53 @@ if (complexity_ret != 0) {
CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
}
}
-
- ret = check_mkek_encrypted(paddedNewPin);
+ mbedtls_platform_zeroize(dhash, sizeof(dhash));
+ if (off == 2) {
+ pin_data[2] = 1;
+ pin_derive_verifier(paddedNewPin, 16, pin_data + 3);
+ hash_multi(paddedNewPin, 16, session_pin);
+ ret = load_keydev(keydev);
+ if (ret != PICOKEY_OK) {
+ CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
+ }
+ encrypt_keydev_f1(keydev);
+ }
+ pin_derive_session(paddedNewPin, 16, session_pin);
+ ret = check_keydev_encrypted(session_pin);
if (ret != PICOKEY_OK) {
CBOR_ERROR(ret);
}
-
- hash_multi(paddedNewPin, 16, session_pin);
pin_data[0] = MAX_PIN_RETRIES;
new_pin_mismatches = 0;
file_put_data(ef_pin, pin_data, sizeof(pin_data));
mbedtls_platform_zeroize(pin_data, sizeof(pin_data));
- mbedtls_platform_zeroize(dhash, sizeof(dhash));
-
low_flash_available();
file_t *ef_minpin = search_by_fid(EF_MINPINLEN, NULL, SPECIFY_EF);
if (file_has_data(ef_minpin) && file_get_data(ef_minpin)[1] == 1) {
CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
}
- resetPinUvAuthToken();
- beginUsingPinUvAuthToken(false);
- if (subcommand == 0x05) {
- permissions = CTAP_PERMISSION_MC | CTAP_PERMISSION_GA;
- }
- paut.permissions = (uint8_t)permissions;
- if (rpId.present == true) {
- mbedtls_sha256((uint8_t *) rpId.data, rpId.len, paut.rp_id_hash, 0);
- paut.has_rp_id = true;
+ uint8_t pinUvAuthToken_enc[32 + IV_SIZE], *pdata = NULL;
+ if (permissions & CTAP_PERMISSION_PCMR) {
+ ppaut.permissions = CTAP_PERMISSION_PCMR;
+ pdata = ppaut.data;
}
else {
- paut.has_rp_id = false;
+ resetPinUvAuthToken();
+ beginUsingPinUvAuthToken(false);
+ if (subcommand == 0x05) {
+ permissions = CTAP_PERMISSION_MC | CTAP_PERMISSION_GA;
+ }
+ paut.permissions = (uint8_t)permissions;
+ if (rpId.present == true) {
+ mbedtls_sha256((uint8_t *) rpId.data, rpId.len, paut.rp_id_hash, 0);
+ paut.has_rp_id = true;
+ }
+ else {
+ paut.has_rp_id = false;
+ }
+ pdata = paut.data;
}
- uint8_t pinUvAuthToken_enc[32 + IV_SIZE];
- encrypt((uint8_t)pinUvAuthProtocol, sharedSecret, paut.data, 32, pinUvAuthToken_enc);
+ encrypt((uint8_t)pinUvAuthProtocol, sharedSecret, pdata, 32, pinUvAuthToken_enc);
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, pinUvAuthToken_enc, 32 + poff));
@@ -812,6 +784,7 @@ err:
CBOR_FREE_BYTE_STRING(kax);
CBOR_FREE_BYTE_STRING(kay);
CBOR_FREE_BYTE_STRING(rpId);
+ mbedtls_platform_zeroize(keydev, sizeof(keydev));
if (error != CborNoError) {
if (error == CborErrorImproperValue) {
return CTAP2_ERR_CBOR_UNEXPECTED_TYPE;