Arduino/pico-fido
1
0
Fork 1
mirror of https://github.com/polhenarejos/pico-fido.git synced 2025-12-19 10:54:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix OTP/MKEK secure system.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2025-01-08 17:25:04 +01:00
parent 6a67800057
commit 77dd1c4b98
3 changed files with 30 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pico-keys-sdk

Submodule pico-keys-sdk updated: 68a816895e...3d912878f1

39
src/fido/fido.c
View File

@@ -322,13 +322,33 @@ int scan_files() {
else { else {
printf("FATAL ERROR: KEY DEV not found in memory!\r\n"); printf("FATAL ERROR: KEY DEV not found in memory!\r\n");
} }
if (ef_mkek) { // No encrypted MKEK
if (!file_has_data(ef_mkek)) {
uint8_t mkek[MKEK_IV_SIZE + MKEK_KEY_SIZE];
random_gen(NULL, mkek, sizeof(mkek));
file_put_data(ef_mkek, mkek, sizeof(mkek));
int ret = aes_encrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), file_get_data(ef_keydev), 32);
mbedtls_platform_zeroize(mkek, sizeof(mkek));
if (ret != 0) {
printf("FATAL ERROR: MKEK encryption failed!\r\n");
}
}
}
else {
printf("FATAL ERROR: MKEK not found in memory!\r\n");
}
ef_certdev = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF); ef_certdev = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF);
if (ef_certdev) { if (ef_certdev) {
if (!file_has_data(ef_certdev)) { if (!file_has_data(ef_certdev)) {
uint8_t cert[2048]; uint8_t cert[2048], outk[32];
memset(outk, 0, sizeof(outk));
int ret = 0;
if ((ret = load_keydev(outk)) != 0) {
return ret;
}
mbedtls_ecdsa_context key; mbedtls_ecdsa_context key;
mbedtls_ecdsa_init(&key); mbedtls_ecdsa_init(&key);
int ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, file_get_data(ef_keydev), file_get_size(ef_keydev)); ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, outk, sizeof(outk));
if (ret != 0) { if (ret != 0) {
mbedtls_ecdsa_free(&key); mbedtls_ecdsa_free(&key);
return ret; return ret;
@@ -385,21 +405,6 @@ int scan_files() {
file_put_data(ef_largeblob, (const uint8_t *) "\x80\x76\xbe\x8b\x52\x8d\x00\x75\xf7\xaa\xe9\x8d\x6f\xa5\x7a\x6d\x3c", 17); file_put_data(ef_largeblob, (const uint8_t *) "\x80\x76\xbe\x8b\x52\x8d\x00\x75\xf7\xaa\xe9\x8d\x6f\xa5\x7a\x6d\x3c", 17);
} }
if (ef_mkek) { // No encrypted MKEK
if (!file_has_data(ef_mkek)) {
uint8_t mkek[MKEK_IV_SIZE + MKEK_KEY_SIZE];
random_gen(NULL, mkek, sizeof(mkek));
file_put_data(ef_mkek, mkek, sizeof(mkek));
int ret = aes_encrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), file_get_data(ef_keydev), 32);
mbedtls_platform_zeroize(mkek, sizeof(mkek));
if (ret != 0) {
printf("FATAL ERROR: MKEK encryption failed!\r\n");
}
}
}
else {
printf("FATAL ERROR: MKEK not found in memory!\r\n");
}
low_flash_available(); low_flash_available();
return PICOKEY_OK; return PICOKEY_OK;
} }

11
src/fido/kek.c
View File

@@ -56,13 +56,9 @@ void mkek_masked(uint8_t *mkek, const uint8_t *mask) {
} }
} }
} }
#include <stdio.h>
int load_mkek(uint8_t *mkek) { int load_mkek(uint8_t *mkek) {
if (paut.in_use == false) {
return PICOKEY_NO_LOGIN;
}
file_t *tf = search_file(EF_MKEK); file_t *tf = search_file(EF_MKEK);
printf("file_size = %d\n", file_get_size(tf));
if (file_has_data(tf)) { if (file_has_data(tf)) {
memcpy(mkek, file_get_data(tf), MKEK_SIZE); memcpy(mkek, file_get_data(tf), MKEK_SIZE);
} }
@@ -78,10 +74,10 @@ int load_mkek(uint8_t *mkek) {
if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *) MKEK_CHECKSUM(mkek)) { if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *) MKEK_CHECKSUM(mkek)) {
return PICOKEY_WRONG_DKEK; return PICOKEY_WRONG_DKEK;
} }
}
if (otp_key_1) { if (otp_key_1) {
mkek_masked(mkek, otp_key_1); mkek_masked(mkek, otp_key_1);
} }
}
return PICOKEY_OK; return PICOKEY_OK;
} }
@@ -98,6 +94,9 @@ int store_mkek(const uint8_t *mkek) {
else { else {
memcpy(tmp_mkek, mkek, MKEK_SIZE); memcpy(tmp_mkek, mkek, MKEK_SIZE);
} }
if (otp_key_1) {
mkek_masked(tmp_mkek, otp_key_1);
}
*(uint32_t *) MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE); *(uint32_t *) MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
uint8_t tmp_mkek_pin[MKEK_SIZE]; uint8_t tmp_mkek_pin[MKEK_SIZE];
memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE); memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE);