apps.fido_u2f: fix authenticate

2024-11-22 07:28:10 +00:00 · 2017-05-31 13:15:50 +02:00 · 2017-05-31 13:15:50 +02:00 · 7a5377e385
commit 7a5377e385
parent 36fc87bd46
1 changed files with 14 additions and 6 deletions
--- a/src/apps/fido_u2f/init.py
+++ b/src/apps/fido_u2f/init.py
@ -461,15 +461,18 @@ def msg_register_sign(challenge: bytes, app_id: bytes) -> bytes:


 _authenticate_state = 0
+_authenticate_lastreq = None


 async def msg_authenticate(req: Msg) -> Cmd:

    global _authenticate_state
+    global _authenticate_lastreq

    from apps.common import storage

    if not storage.is_initialized():
+        log.warning(__name__, 'not initialized')
        return msg_error(req, _SW_CONDITIONS_NOT_SATISFIED)

    # we need at least keyHandleLen
@ -488,28 +491,33 @@ async def msg_authenticate(req: Msg) -> Cmd:
    # check the keyHandle and generate the signing key
    node = msg_authenticate_genkey(auth.appId, auth.keyHandle)
    if node is None:
+        # specific error logged in msg_authenticate_genkey
        return msg_error(req, _SW_WRONG_DATA)

    # if _AUTH_CHECK_ONLY is requested, return, because keyhandle has been checked already
    if req.p1 == _AUTH_CHECK_ONLY:
-        log.warning(__name__, '_SW_CONDITIONS_NOT_SATISFIED')
+        log.info(__name__, '_AUTH_CHECK_ONLY')
        return msg_error(req, _SW_CONDITIONS_NOT_SATISFIED)

    # from now on, only _AUTH_ENFORCE is supported
    if req.p1 != _AUTH_ENFORCE:
-        log.warning(__name__, '_SW_WRONG_DATA')
+        log.info(__name__, '_AUTH_ENFORCE')
        return msg_error(req, _SW_WRONG_DATA)

-    # TODO: check equality with last request
+    # check equality with last request
+    if _authenticate_lastreq is None or _authenticate_lastreq.__dict__ != req.__dict__:
+        _authenticate_lastreq = req
+        _authenticate_state = 0

    # TODO: wait for a button press
    if _authenticate_state == 0:
        _authenticate_state = utime.ticks_ms()
    if utime.ticks_ms() - _authenticate_state < 500:
+        log.info(__name__, 'waiting for button')
        return msg_error(req, _SW_CONDITIONS_NOT_SATISFIED)
    _authenticate_state = 0

-    buf = msg_authenticate_sign(auth.chal, auth.appId, auth.keyHandle)
+    buf = msg_authenticate_sign(auth.chal, auth.appId, node.private_key())

    return Cmd(req.cid, _CMD_MSG, buf)

@ -555,7 +563,7 @@ def msg_authenticate_sign(challenge: bytes, app_id: bytes, privkey: bytes) -> by

    global _authenticate_ctr

-    flags = _AUTH_FLAG_TUP
+    flags = bytes([_AUTH_FLAG_TUP])

    # get next counter
    ctr = _authenticate_ctr
@ -576,7 +584,7 @@ def msg_authenticate_sign(challenge: bytes, app_id: bytes, privkey: bytes) -> by

    # pack to a response
    buf, resp = make_struct(resp_cmd_authenticate(len(sig)))
-    resp.flags = flags
+    resp.flags = flags[0]
    resp.ctr = ctr
    utils.memcpy(resp.sig, 0, sig, 0, len(sig))
    resp.status = _SW_NO_ERROR