/* * This file is part of the Pico FIDO distribution (https://github.com/polhenarejos/pico-fido). * Copyright (c) 2022 Pol Henarejos. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 3. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include "common.h" #include "ctap2_cbor.h" #include "fido.h" #include "ctap.h" #include "files.h" #include "apdu.h" #include "hsm.h" #include "random.h" #include "mbedtls/ecdh.h" #include "mbedtls/chachapoly.h" #include "mbedtls/hkdf.h" extern uint8_t keydev_dec[32]; extern bool has_keydev_dec; mse_t mse = {.init = false}; int mse_decrypt_ct(uint8_t *data, size_t len) { mbedtls_chachapoly_context chatx; mbedtls_chachapoly_init(&chatx); mbedtls_chachapoly_setkey(&chatx, mse.key_enc + 12); int ret = mbedtls_chachapoly_auth_decrypt(&chatx, len - 16, mse.key_enc, mse.Qpt, 65, data + len - 16, data, data); mbedtls_chachapoly_free(&chatx); return ret; } int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) { CborParser parser; CborValue map; CborError error = CborNoError; CborByteString pinUvAuthParam = {0}, vendorParam = {0}, kax = {0}, kay = {0}; size_t resp_size = 0; uint64_t vendorCmd = 0, pinUvAuthProtocol = 0; int64_t kty = 0, alg = 0, crv = 0; CborEncoder encoder, mapEncoder, mapEncoder2; CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map)); uint64_t val_c = 1; CBOR_PARSE_MAP_START(map, 1) { uint64_t val_u = 0; CBOR_FIELD_GET_UINT(val_u, 1); if (val_c <= 1 && val_c != val_u) CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER); if (val_u < val_c) CBOR_ERROR(CTAP2_ERR_INVALID_CBOR); val_c = val_u + 1; if (val_u == 0x01) { CBOR_FIELD_GET_UINT(vendorCmd, 1); } else if (val_u == 0x02) { uint64_t subpara = 0; CBOR_PARSE_MAP_START(_f1, 2) { CBOR_FIELD_GET_UINT(subpara, 2); if (subpara == 0x01) { CBOR_FIELD_GET_BYTES(vendorParam, 2); } else if (subpara == 0x02) { int64_t key = 0; CBOR_PARSE_MAP_START(_f2, 3) { CBOR_FIELD_GET_INT(key, 3); if (key == 1) { CBOR_FIELD_GET_INT(kty, 3); } else if (key == 3) { CBOR_FIELD_GET_INT(alg, 3); } else if (key == -1) { CBOR_FIELD_GET_INT(crv, 3); } else if (key == -2) { CBOR_FIELD_GET_BYTES(kax, 3); } else if (key == -3) { CBOR_FIELD_GET_BYTES(kay, 3); } else CBOR_ADVANCE(3); } CBOR_PARSE_MAP_END(_f2, 3); } else CBOR_ADVANCE(2); } CBOR_PARSE_MAP_END(_f1, 2); } else if (val_u == 0x03) { CBOR_FIELD_GET_UINT(pinUvAuthProtocol, 1); } else if (val_u == 0x04) { CBOR_FIELD_GET_BYTES(pinUvAuthParam, 1); } } CBOR_PARSE_MAP_END(map, 1); cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0); if (cmd == CTAP_VENDOR_BACKUP) { if (vendorCmd == 0x01) { if (has_keydev_dec == false) CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID); CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1)); CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01)); CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, file_get_data(ef_keydev_enc), file_get_size(ef_keydev_enc))); } else if (vendorCmd == 0x02) { if (vendorParam.present == false) CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER); uint8_t zeros[32]; memset(zeros, 0, sizeof(zeros)); flash_write_data_to_file(ef_keydev_enc, vendorParam.data, vendorParam.len); flash_write_data_to_file(ef_keydev, zeros, file_get_size(ef_keydev)); // Overwrite ef with 0 flash_write_data_to_file(ef_keydev, NULL, 0); // Set ef to 0 bytes low_flash_available(); goto err; } else { CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND); } } else if (cmd == CTAP_VENDOR_MSE) { if (vendorCmd == 0x01) { // KeyAgreement if (kax.present == false || kay.present == false || alg == 0) CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER); mbedtls_ecdh_context hkey; mbedtls_ecdh_init(&hkey); mbedtls_ecdh_setup(&hkey, MBEDTLS_ECP_DP_SECP256R1); int ret = mbedtls_ecdh_gen_public(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.d, &hkey.ctx.mbed_ecdh.Q, random_gen, NULL); mbedtls_mpi_lset(&hkey.ctx.mbed_ecdh.Qp.Z, 1); if (ret != 0) { CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.X, kax.data, kax.len) != 0) { mbedtls_ecdh_free(&hkey); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) { mbedtls_ecdh_free(&hkey); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } uint8_t buf[MBEDTLS_ECP_MAX_BYTES]; size_t olen = 0; ret = mbedtls_ecp_point_write_binary(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.Qp, MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, mse.Qpt, sizeof(mse.Qpt)); if (ret != 0) { mbedtls_ecdh_free(&hkey); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } ret = mbedtls_ecdh_calc_secret(&hkey, &olen, buf, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL); if (ret != 0) { mbedtls_ecdh_free(&hkey); mbedtls_platform_zeroize(buf, sizeof(buf)); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } ret = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, buf, olen, mse.Qpt, sizeof(mse.Qpt), mse.key_enc, sizeof(mse.key_enc)); mbedtls_platform_zeroize(buf, sizeof(buf)); if (ret != 0) { mbedtls_ecdh_free(&hkey); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } mse.init = true; CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1)); CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01)); CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 5)); CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 1)); CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 2)); CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 3)); CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, -FIDO2_ALG_ECDH_ES_HKDF_256)); CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 1)); CBOR_CHECK(cbor_encode_uint(&mapEncoder2, FIDO2_CURVE_P256)); CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 2)); uint8_t pkey[32]; mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.X, pkey, 32); CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32)); CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 3)); mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.Y, pkey, 32); CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32)); CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2)); mbedtls_ecdh_free(&hkey); } } else if (cmd == CTAP_VENDOR_UNLOCK) { if (mse.init == false) CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED); mbedtls_chachapoly_context chatx; int ret = mse_decrypt_ct(vendorParam.data, vendorParam.len); if (ret != 0) { CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } if (!file_has_data(ef_keydev_enc)) CBOR_ERROR(CTAP2_ERR_INTEGRITY_FAILURE); uint8_t *keyenc = file_get_data(ef_keydev_enc); size_t keyenc_len = file_get_size(ef_keydev_enc); mbedtls_chachapoly_init(&chatx); mbedtls_chachapoly_setkey(&chatx, vendorParam.data); ret = mbedtls_chachapoly_auth_decrypt(&chatx, sizeof(keydev_dec), keyenc, NULL, 0, keyenc + keyenc_len - 16, keyenc + 12, keydev_dec); mbedtls_chachapoly_free(&chatx); if (ret != 0){ CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); } has_keydev_dec = true; goto err; } else CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION); CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder)); resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1); err: CBOR_FREE_BYTE_STRING(pinUvAuthParam); CBOR_FREE_BYTE_STRING(vendorParam); if (error != CborNoError) { if (error == CborErrorImproperValue) return CTAP2_ERR_CBOR_UNEXPECTED_TYPE; return error; } res_APDU_size = resp_size; return 0; } int cbor_vendor(const uint8_t *data, size_t len) { if (len == 0) return CTAP1_ERR_INVALID_LEN; if (data[0] >= CTAP_VENDOR_BACKUP) return cbor_vendor_generic(data[0], data + 1, len - 1); return CTAP2_ERR_INVALID_CBOR; }