From 75073d0a8478441cc97a6efa10b566c5fb1dac81 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 17 Apr 2020 20:57:17 +0100 Subject: New upstream version 1.4.0 --- src/u2f.c | 69 +++++++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 28 deletions(-) (limited to 'src/u2f.c') diff --git a/src/u2f.c b/src/u2f.c index 82b289f..19a959d 100644 --- a/src/u2f.c +++ b/src/u2f.c @@ -125,11 +125,10 @@ authdata_fake(const char *rp_id, uint8_t flags, uint32_t sigcount, static int send_dummy_register(fido_dev_t *dev, int ms) { - const uint8_t cmd = CTAP_FRAME_INIT | CTAP_CMD_MSG; iso7816_apdu_t *apdu = NULL; unsigned char challenge[SHA256_DIGEST_LENGTH]; unsigned char application[SHA256_DIGEST_LENGTH]; - unsigned char reply[2048]; + unsigned char reply[FIDO_MAXMSG]; int r; #ifdef FIDO_FUZZ @@ -150,13 +149,13 @@ send_dummy_register(fido_dev_t *dev, int ms) } do { - if (fido_tx(dev, cmd, iso7816_ptr(apdu), + if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu), iso7816_len(apdu)) < 0) { fido_log_debug("%s: fido_tx", __func__); r = FIDO_ERR_TX; goto fail; } - if (fido_rx(dev, cmd, &reply, sizeof(reply), ms) < 2) { + if (fido_rx(dev, CTAP_CMD_MSG, &reply, sizeof(reply), ms) < 2) { fido_log_debug("%s: fido_rx", __func__); r = FIDO_ERR_RX; goto fail; @@ -179,11 +178,10 @@ static int key_lookup(fido_dev_t *dev, const char *rp_id, const fido_blob_t *key_id, int *found, int ms) { - const uint8_t cmd = CTAP_FRAME_INIT | CTAP_CMD_MSG; iso7816_apdu_t *apdu = NULL; unsigned char challenge[SHA256_DIGEST_LENGTH]; unsigned char rp_id_hash[SHA256_DIGEST_LENGTH]; - unsigned char reply[8]; + unsigned char reply[FIDO_MAXMSG]; uint8_t key_id_len; int r; @@ -217,12 +215,13 @@ key_lookup(fido_dev_t *dev, const char *rp_id, const fido_blob_t *key_id, goto fail; } - if (fido_tx(dev, cmd, iso7816_ptr(apdu), iso7816_len(apdu)) < 0) { + if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu), + iso7816_len(apdu)) < 0) { fido_log_debug("%s: fido_tx", __func__); r = FIDO_ERR_TX; goto fail; } - if (fido_rx(dev, cmd, &reply, sizeof(reply), ms) != 2) { + if (fido_rx(dev, CTAP_CMD_MSG, &reply, sizeof(reply), ms) != 2) { fido_log_debug("%s: fido_rx", __func__); r = FIDO_ERR_RX; goto fail; @@ -285,10 +284,9 @@ static int do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id, const fido_blob_t *key_id, fido_blob_t *sig, fido_blob_t *ad, int ms) { - const uint8_t cmd = CTAP_FRAME_INIT | CTAP_CMD_MSG; iso7816_apdu_t *apdu = NULL; unsigned char rp_id_hash[SHA256_DIGEST_LENGTH]; - unsigned char reply[128]; + unsigned char reply[FIDO_MAXMSG]; int reply_len; uint8_t key_id_len; int r; @@ -326,14 +324,14 @@ do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id, } do { - if (fido_tx(dev, cmd, iso7816_ptr(apdu), + if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu), iso7816_len(apdu)) < 0) { fido_log_debug("%s: fido_tx", __func__); r = FIDO_ERR_TX; goto fail; } - if ((reply_len = fido_rx(dev, cmd, &reply, sizeof(reply), - ms)) < 2) { + if ((reply_len = fido_rx(dev, CTAP_CMD_MSG, &reply, + sizeof(reply), ms)) < 2) { fido_log_debug("%s: fido_rx", __func__); r = FIDO_ERR_RX; goto fail; @@ -575,10 +573,9 @@ fail: int u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms) { - const uint8_t cmd = CTAP_FRAME_INIT | CTAP_CMD_MSG; iso7816_apdu_t *apdu = NULL; unsigned char rp_id_hash[SHA256_DIGEST_LENGTH]; - unsigned char reply[2048]; + unsigned char reply[FIDO_MAXMSG]; int reply_len; int found; int r; @@ -634,14 +631,14 @@ u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms) } do { - if (fido_tx(dev, cmd, iso7816_ptr(apdu), + if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu), iso7816_len(apdu)) < 0) { fido_log_debug("%s: fido_tx", __func__); r = FIDO_ERR_TX; goto fail; } - if ((reply_len = fido_rx(dev, cmd, &reply, sizeof(reply), - ms)) < 2) { + if ((reply_len = fido_rx(dev, CTAP_CMD_MSG, &reply, + sizeof(reply), ms)) < 2) { fido_log_debug("%s: fido_rx", __func__); r = FIDO_ERR_RX; goto fail; @@ -687,6 +684,12 @@ u2f_authenticate_single(fido_dev_t *dev, const fido_blob_t *key_id, goto fail; } + if (fido_blob_set(&fa->stmt[idx].id, key_id->ptr, key_id->len) < 0) { + fido_log_debug("%s: fido_blob_set", __func__); + r = FIDO_ERR_INTERNAL; + goto fail; + } + if (fa->up == FIDO_OPT_FALSE) { fido_log_debug("%s: checking for key existence only", __func__); r = FIDO_ERR_USER_PRESENCE_REQUIRED; @@ -699,8 +702,7 @@ u2f_authenticate_single(fido_dev_t *dev, const fido_blob_t *key_id, goto fail; } - if (fido_blob_set(&fa->stmt[idx].id, key_id->ptr, key_id->len) < 0 || - fido_assert_set_authdata(fa, idx, ad.ptr, ad.len) != FIDO_OK || + if (fido_assert_set_authdata(fa, idx, ad.ptr, ad.len) != FIDO_OK || fido_assert_set_sig(fa, idx, sig.ptr, sig.len) != FIDO_OK) { fido_log_debug("%s: fido_assert_set", __func__); r = FIDO_ERR_INTERNAL; @@ -724,6 +726,7 @@ fail: int u2f_authenticate(fido_dev_t *dev, fido_assert_t *fa, int ms) { + int nfound = 0; int nauth_ok = 0; int r; @@ -739,20 +742,30 @@ u2f_authenticate(fido_dev_t *dev, fido_assert_t *fa, int ms) } for (size_t i = 0; i < fa->allow_list.len; i++) { - if ((r = u2f_authenticate_single(dev, &fa->allow_list.ptr[i], - fa, nauth_ok, ms)) == FIDO_OK) { + switch ((r = u2f_authenticate_single(dev, + &fa->allow_list.ptr[i], fa, nfound, ms))) { + case FIDO_OK: nauth_ok++; - } else if (r != FIDO_ERR_CREDENTIAL_EXCLUDED) { - fido_log_debug("%s: u2f_authenticate_single", __func__); - return (r); + /* FALLTHROUGH */ + case FIDO_ERR_USER_PRESENCE_REQUIRED: + nfound++; + break; + default: + if (r != FIDO_ERR_CREDENTIAL_EXCLUDED) { + fido_log_debug("%s: u2f_authenticate_single", + __func__); + return (r); + } + /* ignore credentials that don't exist */ } - /* ignore credentials that don't exist */ } - fa->stmt_len = nauth_ok; + fa->stmt_len = nfound; - if (nauth_ok == 0) + if (nfound == 0) return (FIDO_ERR_NO_CREDENTIALS); + if (nauth_ok == 0) + return (FIDO_ERR_USER_PRESENCE_REQUIRED); return (FIDO_OK); } -- cgit v1.2.3