From 24978a54765975dd1aa2d5ffa4980395ef304475 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Sun, 8 Mar 2026 19:27:32 +0100 Subject: [PATCH] Apply strict build. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 7 +--- pico-keys-sdk | 2 +- src/fido/cbor.c | 18 ++------- src/fido/cbor_client_pin.c | 35 +++++++++-------- src/fido/cbor_config.c | 3 -- src/fido/cbor_get_assertion.c | 2 +- src/fido/cbor_get_info.c | 2 +- src/fido/cbor_reset.c | 5 +-- src/fido/cbor_selection.c | 3 +- src/fido/cbor_vendor.c | 2 +- src/fido/cmd_authenticate.c | 2 +- src/fido/cmd_register.c | 17 +++------ src/fido/cmd_version.c | 3 +- src/fido/credential.c | 1 - src/fido/ctap2_cbor.h | 14 ++++++- src/fido/fido.c | 59 ++++++++++++++--------------- src/fido/fido.h | 38 +++++++++++++------ src/fido/kek.c | 7 ++-- src/fido/kek.h | 2 +- src/fido/management.c | 22 +++++------ src/fido/management.h | 2 +- src/fido/oath.c | 45 +++++++++++----------- src/fido/otp.c | 71 +++++++++++++++++------------------ 23 files changed, 179 insertions(+), 183 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 13c1e18..a36195a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -148,12 +148,9 @@ if(NOT ESP_PLATFORM) ) target_compile_options(pico_fido PRIVATE ${COMMON_COMPILE_OPTIONS}) - if(NOT MSVC) - set(NON_MSVC_COMPILE_OPTIONS - -Werror - ) - target_compile_options(pico_fido PRIVATE ${NON_MSVC_COMPILE_OPTIONS}) + pico_keys_apply_strict_flags(SOURCES ${SOURCES}) + if(NOT MSVC) string(FIND ${CMAKE_C_COMPILER} ":" COMPILER_COLON) if(${COMPILER_COLON} GREATER_EQUAL 0) target_compile_options(pico_fido PRIVATE diff --git a/pico-keys-sdk b/pico-keys-sdk index 802a706..8e6c6c1 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 802a706587928d2371171aafe3f12c5252a70eda +Subproject commit 8e6c6c1fccdb63c90cea04a7d7583cea6e13939b diff --git a/src/fido/cbor.c b/src/fido/cbor.c index f9ca3ed..8b7983d 100644 --- a/src/fido/cbor.c +++ b/src/fido/cbor.c @@ -30,20 +30,7 @@ const bool _btrue = true, _bfalse = false; -int cbor_reset(); -int cbor_get_info(); -int cbor_make_credential(const uint8_t *data, size_t len); -int cbor_client_pin(const uint8_t *data, size_t len); int cbor_get_assertion(const uint8_t *data, size_t len, bool next); -int cbor_get_next_assertion(const uint8_t *data, size_t len); -int cbor_selection(); -int cbor_cred_mgmt(const uint8_t *data, size_t len); -int cbor_config(const uint8_t *data, size_t len); -int cbor_vendor(const uint8_t *data, size_t len); -int cbor_large_blobs(const uint8_t *data, size_t len); -extern void reset_gna_state(); - -extern int cmd_read_config(); const uint8_t aaguid[16] = { 0x89, 0xFB, 0x94, 0xB7, 0x06, 0xC9, 0x36, 0x73, 0x9B, 0x7E, 0x30, 0x52, 0x6D, 0x96, 0x81, 0x45 }; // First 16 bytes of SHA256("Pico FIDO2") @@ -98,7 +85,7 @@ int cbor_parse(uint8_t cmd, const uint8_t *data, size_t len) { return cbor_vendor(data, len); } else if (cmd == 0xC2) { - if (cmd_read_config() == 0x9000) { + if (man_get_config() == 0) { memmove(res_APDU-1, res_APDU, res_APDU_size); res_APDU_size -= 1; return 0; @@ -108,6 +95,7 @@ int cbor_parse(uint8_t cmd, const uint8_t *data, size_t len) { return CTAP1_ERR_INVALID_CMD; } +void *cbor_thread(void *arg) __attribute__((unused)); void *cbor_thread(void *arg) { (void)arg; card_init_core1(); @@ -152,7 +140,7 @@ int cbor_process(uint8_t last_cmd, const uint8_t *data, size_t len) { return 2; // CBOR processing } -CborError COSE_key_params(int crv, int alg, mbedtls_ecp_group *grp, mbedtls_ecp_point *Q, CborEncoder *mapEncoderParent, CborEncoder *mapEncoder) { +static CborError COSE_key_params(int crv, int alg, mbedtls_ecp_group *grp, mbedtls_ecp_point *Q, CborEncoder *mapEncoderParent, CborEncoder *mapEncoder) { CborError error = CborNoError; int kty = 1; if (crv == FIDO2_CURVE_P256 || crv == FIDO2_CURVE_P384 || crv == FIDO2_CURVE_P521 || diff --git a/src/fido/cbor_client_pin.c b/src/fido/cbor_client_pin.c index b2c6732..cf7a360 100644 --- a/src/fido/cbor_client_pin.c +++ b/src/fido/cbor_client_pin.c @@ -44,9 +44,8 @@ uint32_t max_usage_time_period = 600 * 1000; bool needs_power_cycle = false; static mbedtls_ecdh_context hkey; static bool hkey_init = false; -extern int encrypt_keydev_f1(const uint8_t keydev[32]); -int beginUsingPinUvAuthToken(bool userIsPresent) { +static int beginUsingPinUvAuthToken(bool userIsPresent) { paut.user_present = userIsPresent; paut.user_verified = true; initial_usage_time_limit = board_millis(); @@ -55,25 +54,25 @@ int beginUsingPinUvAuthToken(bool userIsPresent) { return 0; } -void clearUserPresentFlag() { +void clearUserPresentFlag(void) { if (paut.in_use == true) { paut.user_present = false; } } -void clearUserVerifiedFlag() { +void clearUserVerifiedFlag(void) { if (paut.in_use == true) { paut.user_verified = false; } } -void clearPinUvAuthTokenPermissionsExceptLbw() { +void clearPinUvAuthTokenPermissionsExceptLbw(void) { if (paut.in_use == true) { paut.permissions = CTAP_PERMISSION_LBW; } } -void stopUsingPinUvAuthToken() { +static void stopUsingPinUvAuthToken(void) { paut.permissions = 0; usage_timer = 0; paut.in_use = false; @@ -84,21 +83,21 @@ void stopUsingPinUvAuthToken() { user_present_time_limit = 0; } -bool getUserPresentFlagValue() { +bool getUserPresentFlagValue(void) { if (paut.in_use != true) { paut.user_present = false; } return paut.user_present; } -bool getUserVerifiedFlagValue() { +bool getUserVerifiedFlagValue(void) { if (paut.in_use != true) { paut.user_verified = false; } return paut.user_verified; } -int regenerate() { +static int regenerate(void) { if (hkey_init == true) { mbedtls_ecdh_free(&hkey); } @@ -114,7 +113,7 @@ int regenerate() { return 0; } -int kdf(uint8_t protocol, const mbedtls_mpi *z, uint8_t *sharedSecret) { +static int kdf(uint8_t protocol, const mbedtls_mpi *z, uint8_t *sharedSecret) { int ret = 0; uint8_t buf[32]; ret = mbedtls_mpi_write_binary(z, buf, sizeof(buf)); @@ -144,7 +143,7 @@ int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSecret) { return ret; } -void resetAuthToken(bool persistent) { +static void resetAuthToken(bool persistent) { uint16_t fid = EF_AUTHTOKEN; if (persistent) { fid = EF_PAUTHTOKEN; @@ -156,7 +155,7 @@ void resetAuthToken(bool persistent) { low_flash_available(); } -int resetPinUvAuthToken() { +int resetPinUvAuthToken(void) { resetAuthToken(false); paut.permissions = 0; paut.data = file_get_data(ef_authtoken); @@ -164,7 +163,7 @@ int resetPinUvAuthToken() { return 0; } -int resetPersistentPinUvAuthToken() { +int resetPersistentPinUvAuthToken(void) { resetAuthToken(true); file_t *ef_pauthtoken = search_by_fid(EF_PAUTHTOKEN, NULL, SPECIFY_EF); ppaut.permissions = 0; @@ -200,7 +199,7 @@ int decrypt(uint8_t protocol, const uint8_t *key, const uint8_t *in, uint16_t in return -1; } -int authenticate(uint8_t protocol, const uint8_t *key, const uint8_t *data, size_t len, uint8_t *sign) { +static int __attribute__((unused)) authenticate(uint8_t protocol, const uint8_t *key, const uint8_t *data, size_t len, uint8_t *sign) { uint8_t hmac[32]; int ret = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), key, 32, data, len, hmac); @@ -236,16 +235,16 @@ int verify(uint8_t protocol, const uint8_t *key, const uint8_t *data, uint16_t l return -1; } -int initialize() { +static int initialize(void) { regenerate(); return resetPinUvAuthToken(); } -int getPublicKey() { +static int __attribute__((unused)) getPublicKey(void) { return 0; } -int pinUvAuthTokenUsageTimerObserver() { +static int __attribute__((unused)) pinUvAuthTokenUsageTimerObserver(void) { if (usage_timer == 0) { return -1; } @@ -266,7 +265,7 @@ int pinUvAuthTokenUsageTimerObserver() { return 0; } -int check_keydev_encrypted(const uint8_t pin_token[32]) { +static int check_keydev_encrypted(const uint8_t pin_token[32]) { if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) { uint8_t tmp_keydev[61]; tmp_keydev[0] = 0x02; // Change format to encrypted diff --git a/src/fido/cbor_config.c b/src/fido/cbor_config.c index 20a2a84..36c91fe 100644 --- a/src/fido/cbor_config.c +++ b/src/fido/cbor_config.c @@ -31,9 +31,6 @@ extern uint8_t keydev_dec[32]; extern bool has_keydev_dec; -extern void resetPersistentPinUvAuthToken(); -extern void resetPinUvAuthToken(); - int cbor_config(const uint8_t *data, size_t len) { CborParser parser; CborValue map; diff --git a/src/fido/cbor_get_assertion.c b/src/fido/cbor_get_assertion.c index 3ba9fb5..8e79805 100644 --- a/src/fido/cbor_get_assertion.c +++ b/src/fido/cbor_get_assertion.c @@ -42,7 +42,7 @@ uint32_t timerx = 0; uint8_t *datax = NULL; size_t lenx = 0; -void reset_gna_state() { +void reset_gna_state(void) { for (int i = 0; i < MAX_CREDENTIAL_COUNT_IN_LIST; i++) { credential_free(&credsx[i]); } diff --git a/src/fido/cbor_get_info.c b/src/fido/cbor_get_info.c index 182e33a..84217c5 100644 --- a/src/fido/cbor_get_info.c +++ b/src/fido/cbor_get_info.c @@ -24,7 +24,7 @@ #include "apdu.h" #include "version.h" -int cbor_get_info() { +int cbor_get_info(void) { CborEncoder encoder, mapEncoder, arrayEncoder, mapEncoder2; CborError error = CborNoError; cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0); diff --git a/src/fido/cbor_reset.c b/src/fido/cbor_reset.c index c09d8c8..3f57f31 100644 --- a/src/fido/cbor_reset.c +++ b/src/fido/cbor_reset.c @@ -18,6 +18,7 @@ #include "pico_keys.h" #include "file.h" #include "fido.h" +#include "ctap2_cbor.h" #include "ctap.h" #if defined(PICO_PLATFORM) #include "bsp/board.h" @@ -27,9 +28,7 @@ #endif #include "fs/phy.h" -extern void scan_all(); - -int cbor_reset() { +int cbor_reset(void) { #ifndef ENABLE_EMULATION #if defined(ENABLE_POWER_ON_RESET) && ENABLE_POWER_ON_RESET == 1 if (!(phy_data.opts & PHY_OPT_DISABLE_POWER_RESET) && board_millis() > 10000) { diff --git a/src/fido/cbor_selection.c b/src/fido/cbor_selection.c index 079d4d6..a98df29 100644 --- a/src/fido/cbor_selection.c +++ b/src/fido/cbor_selection.c @@ -17,9 +17,10 @@ #include "pico_keys.h" #include "fido.h" +#include "ctap2_cbor.h" #include "ctap.h" -int cbor_selection() { +int cbor_selection(void) { if (wait_button_pressed() == true) { return CTAP2_ERR_USER_ACTION_TIMEOUT; } diff --git a/src/fido/cbor_vendor.c b/src/fido/cbor_vendor.c index 658c52e..8f7d80d 100644 --- a/src/fido/cbor_vendor.c +++ b/src/fido/cbor_vendor.c @@ -42,7 +42,7 @@ int mse_decrypt_ct(uint8_t *data, size_t len) { return ret; } -int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) { +static int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) { CborParser parser; CborValue map; CborError error = CborNoError; diff --git a/src/fido/cmd_authenticate.c b/src/fido/cmd_authenticate.c index 2616f42..9f21827 100644 --- a/src/fido/cmd_authenticate.c +++ b/src/fido/cmd_authenticate.c @@ -23,7 +23,7 @@ #include "files.h" #include "credential.h" -int cmd_authenticate() { +int cmd_authenticate(void) { CTAP_AUTHENTICATE_REQ *req = (CTAP_AUTHENTICATE_REQ *) apdu.data; CTAP_AUTHENTICATE_RESP *resp = (CTAP_AUTHENTICATE_RESP *) res_APDU; //if (scan_files_fido(true) != PICOKEY_OK) diff --git a/src/fido/cmd_register.c b/src/fido/cmd_register.c index a545448..c9c32e2 100644 --- a/src/fido/cmd_register.c +++ b/src/fido/cmd_register.c @@ -29,10 +29,10 @@ const uint8_t u2f_aid[] = { 0xA0, 0x00, 0x00, 0x05, 0x27, 0x10, 0x02 }; -int u2f_unload(); -int u2f_process_apdu(); +static int u2f_unload(void); +static int u2f_process_apdu(void); -int u2f_select(app_t *a, uint8_t force) { +static int u2f_select(app_t *a, uint8_t force) { (void) force; if (cap_supported(CAP_U2F)) { a->process_apdu = u2f_process_apdu; @@ -46,15 +46,14 @@ INITIALIZER ( u2f_ctor ) { register_app(u2f_select, u2f_aid); } -int u2f_unload() { +int u2f_unload(void) { return PICOKEY_OK; } const uint8_t *bogus_firefox = (const uint8_t *) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; const uint8_t *bogus_chrome = (const uint8_t *) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; -extern int ctap_error(uint8_t error); -int cmd_register() { +int cmd_register(void) { CTAP_REGISTER_REQ *req = (CTAP_REGISTER_REQ *) apdu.data; CTAP_REGISTER_RESP *resp = (CTAP_REGISTER_RESP *) res_APDU; resp->registerId = CTAP_REGISTER_ID; @@ -116,10 +115,6 @@ int cmd_register() { return SW_OK(); } -extern int cmd_register(); -extern int cmd_authenticate(); -extern int cmd_version(); - static const cmd_t cmds[] = { { CTAP_REGISTER, cmd_register }, { CTAP_AUTHENTICATE, cmd_authenticate }, @@ -127,7 +122,7 @@ static const cmd_t cmds[] = { { 0x00, 0x0 } }; -int u2f_process_apdu() { +int u2f_process_apdu(void) { if (CLA(apdu) != 0x00) { return SW_CLA_NOT_SUPPORTED(); } diff --git a/src/fido/cmd_version.c b/src/fido/cmd_version.c index 2e1062d..74fcb0d 100644 --- a/src/fido/cmd_version.c +++ b/src/fido/cmd_version.c @@ -17,8 +17,9 @@ #include "apdu.h" #include "pico_keys.h" +#include "fido.h" -int cmd_version() { +int cmd_version(void) { memcpy(res_APDU, "U2F_V2", strlen("U2F_V2")); res_APDU_size = (uint16_t)strlen("U2F_V2"); return SW_OK(); diff --git a/src/fido/credential.c b/src/fido/credential.c index 46b079a..398e580 100644 --- a/src/fido/credential.c +++ b/src/fido/credential.c @@ -29,7 +29,6 @@ #include "files.h" #include "otp.h" -extern bool has_set_rtc(); int credential_derive_chacha_key(uint8_t *outk, const uint8_t *); static int credential_silent_tag(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash, uint8_t *outk) { diff --git a/src/fido/ctap2_cbor.h b/src/fido/ctap2_cbor.h index c5d6397..1818d9e 100644 --- a/src/fido/ctap2_cbor.h +++ b/src/fido/ctap2_cbor.h @@ -27,8 +27,20 @@ #include "mbedtls/ecp.h" #include "mbedtls/ecdh.h" -extern uint8_t *driver_prepare_response(); +extern uint8_t *driver_prepare_response(void); extern void driver_exec_finished(size_t size_next); +extern int cbor_parse(uint8_t cmd, const uint8_t *data, size_t len); +extern int cbor_get_info(void); +extern int cbor_reset(void); +extern int cbor_make_credential(const uint8_t *data, size_t len); +extern int cbor_client_pin(const uint8_t *data, size_t len); +extern int cbor_selection(void); +extern int cbor_get_next_assertion(const uint8_t *data, size_t len); +extern int cbor_cred_mgmt(const uint8_t *data, size_t len); +extern int cbor_config(const uint8_t *data, size_t len); +extern int cbor_large_blobs(const uint8_t *data, size_t len); +extern int cbor_vendor(const uint8_t *data, size_t len); +extern void reset_gna_state(void); extern int cbor_process(uint8_t, const uint8_t *data, size_t len); extern const uint8_t aaguid[16]; diff --git a/src/fido/fido.c b/src/fido/fido.c index 5c4b456..79d98fe 100644 --- a/src/fido/fido.c +++ b/src/fido/fido.c @@ -34,12 +34,12 @@ #include #include "management.h" #include "hid/ctap_hid.h" +#include "ctap2_cbor.h" #include "version.h" #include "crypto_utils.h" #include "otp.h" -int fido_process_apdu(); -int fido_unload(); +static int fido_unload(void); pinUvAuthToken_t paut = { 0 }; persistentPinUvAuthToken_t ppaut = { 0 }; @@ -64,14 +64,14 @@ const uint8_t atr_fido[] = { 0x75, 0x62, 0x69, 0x4b, 0x65, 0x79, 0x40 }; -uint8_t fido_get_version_major() { +static uint8_t fido_get_version_major(void) { return PICO_FIDO_VERSION_MAJOR; } -uint8_t fido_get_version_minor() { +static uint8_t fido_get_version_minor(void) { return PICO_FIDO_VERSION_MINOR; } -int fido_select(app_t *a, uint8_t force) { +static int fido_select(app_t *a, uint8_t force) { (void) force; if (cap_supported(CAP_FIDO2)) { a->process_apdu = fido_process_apdu; @@ -81,8 +81,8 @@ int fido_select(app_t *a, uint8_t force) { return PICOKEY_ERR_FILE_NOT_FOUND; } -extern uint8_t (*get_version_major)(); -extern uint8_t (*get_version_minor)(); +extern uint8_t (*get_version_major)(void); +extern uint8_t (*get_version_minor)(void); INITIALIZER ( fido_ctor ) { #if defined(USB_ITF_CCID) || defined(ENABLE_EMULATION) @@ -94,7 +94,7 @@ INITIALIZER ( fido_ctor ) { register_app(fido_select, fido_aid_backup); } -int fido_unload() { +static int fido_unload(void) { return PICOKEY_OK; } @@ -173,14 +173,18 @@ int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key) { } uint8_t key_path[KEY_PATH_LEN]; memcpy(key_path, cred_id, KEY_PATH_LEN); - *(uint32_t *) key_path = 0x80000000 | 10022; + uint32_t key_path_first = 0x80000000u | 10022u; + memcpy(key_path, &key_path_first, sizeof(key_path_first)); for (size_t i = 1; i < KEY_PATH_ENTRIES; i++) { - *(uint32_t *) (key_path + i * sizeof(uint32_t)) |= 0x80000000; + uint32_t part = 0; + memcpy(&part, key_path + i * sizeof(uint32_t), sizeof(part)); + part |= 0x80000000u; + memcpy(key_path + i * sizeof(uint32_t), &part, sizeof(part)); } return derive_key(NULL, false, key_path, mbedtls_curve, key); } -int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffer_size) { +static int x509_create_cert(mbedtls_ecdsa_context *ecdsa, uint8_t *buffer, size_t buffer_size) { mbedtls_x509write_cert ctx; mbedtls_x509write_crt_init(&ctx); mbedtls_x509write_crt_set_version(&ctx, MBEDTLS_X509_CRT_VERSION_3); @@ -260,7 +264,8 @@ int load_keydev(uint8_t key[32]) { int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *key) { for (size_t i = 0; i < KEY_PATH_ENTRIES; i++) { - uint32_t k = *(uint32_t *) &keyHandle[i * sizeof(uint32_t)]; + uint32_t k = 0; + memcpy(&k, &keyHandle[i * sizeof(uint32_t)], sizeof(k)); if (!(k & 0x80000000)) { return -1; } @@ -331,7 +336,7 @@ int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int cur if (cinfo->bit_size % 8 != 0) { outk[0] >>= 8 - (cinfo->bit_size % 8); } - r = mbedtls_ecp_read_key(curve, key, outk, (size_t)ceil((float) cinfo->bit_size / 8)); + r = mbedtls_ecp_read_key(curve, key, outk, (size_t)((cinfo->bit_size + 7) / 8)); mbedtls_platform_zeroize(outk, sizeof(outk)); if (r != 0) { return r; @@ -364,7 +369,7 @@ int encrypt_keydev_f1(const uint8_t keydev[32]) { return ret; } -int scan_files_fido() { +int scan_files_fido(void) { ef_keydev = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF); ef_keydev_enc = search_by_fid(EF_KEY_DEV_ENC, NULL, SPECIFY_EF); ef_mkek = search_by_fid(EF_MKEK, NULL, SPECIFY_EF); @@ -478,14 +483,13 @@ int scan_files_fido() { return PICOKEY_OK; } -void scan_all() { +void scan_all(void) { scan_flash(); scan_files_fido(); } -extern void init_otp(); extern bool needs_power_cycle; -void init_fido() { +void init_fido(void) { scan_all(); #ifdef ENABLE_OTP_APP init_otp(); @@ -493,7 +497,7 @@ void init_fido() { needs_power_cycle = false; } -bool wait_button_pressed() { +bool wait_button_pressed(void) { uint32_t val = EV_PRESS_BUTTON; #if defined(PICO_PLATFORM) || defined(ESP_PLATFORM) queue_try_add(&card_to_usb_q, &val); @@ -506,7 +510,7 @@ bool wait_button_pressed() { uint32_t user_present_time_limit = 0; -bool check_user_presence() { +bool check_user_presence(void) { if (user_present_time_limit == 0 || user_present_time_limit + TRANSPORT_TIME_LIMIT < board_millis()) { if (wait_button_pressed() == true) { //timeout return false; @@ -516,12 +520,12 @@ bool check_user_presence() { return true; } -uint32_t get_sign_counter() { +uint32_t get_sign_counter(void) { uint8_t *caddr = file_get_data(ef_counter); return get_uint32_t_le(caddr); } -uint8_t get_opts() { +uint8_t get_opts(void) { file_t *ef = search_by_fid(EF_OPTS, NULL, SPECIFY_EF); if (file_has_data(ef)) { return *file_get_data(ef); @@ -535,16 +539,9 @@ void set_opts(uint8_t opts) { low_flash_available(); } -extern int cmd_register(); -extern int cmd_authenticate(); -extern int cmd_version(); -extern int cbor_parse(int, uint8_t *, size_t); -extern int cbor_vendor(const uint8_t *data, size_t len); -extern void driver_init_hid(); - #define CTAP_CBOR 0x10 -int cmd_vendor() { +static int cmd_vendor(void) { uint8_t *old_buf = res_APDU; driver_init_hid(); int ret = cbor_vendor(apdu.data, apdu.nc); @@ -557,7 +554,7 @@ int cmd_vendor() { return SW_OK(); } -int cmd_cbor() { +static int cmd_cbor(void) { uint8_t *old_buf = res_APDU; driver_init_hid(); int ret = cbor_parse(0x90, apdu.data, apdu.nc); @@ -579,7 +576,7 @@ static const cmd_t cmds[] = { { 0x00, 0x0 } }; -int fido_process_apdu() { +int fido_process_apdu(void) { if (CLA(apdu) != 0x00 && CLA(apdu) != 0x80) { return SW_CLA_NOT_SUPPORTED(); } diff --git a/src/fido/fido.h b/src/fido/fido.h index 481aa6c..271471b 100644 --- a/src/fido/fido.h +++ b/src/fido/fido.h @@ -39,15 +39,17 @@ #define SHA256_DIGEST_LENGTH (32) #define KEY_HANDLE_LEN (KEY_PATH_LEN + SHA256_DIGEST_LENGTH) -extern int scan_files_fido(); +extern int scan_files_fido(void); extern int derive_key(const uint8_t *app_id, bool new_key, uint8_t *key_handle, int, mbedtls_ecp_keypair *key); extern int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *); -extern bool wait_button_pressed(); -extern void init_fido(); +extern bool wait_button_pressed(void); +extern void init_fido(void); +extern void init_otp(void); +extern void scan_all(void); extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve); extern int mbedtls_curve_to_fido(mbedtls_ecp_group_id id); extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key); @@ -95,14 +97,14 @@ extern int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSec #define FIDO2_OPT_AUV 0x02 // User Verification #define MAX_PIN_RETRIES 8 -extern bool getUserPresentFlagValue(); -extern bool getUserVerifiedFlagValue(); -extern void clearUserPresentFlag(); -extern void clearUserVerifiedFlag(); -extern void clearPinUvAuthTokenPermissionsExceptLbw(); -extern void send_keepalive(); -extern uint32_t get_sign_counter(); -extern uint8_t get_opts(); +extern bool getUserPresentFlagValue(void); +extern bool getUserVerifiedFlagValue(void); +extern void clearUserPresentFlag(void); +extern void clearUserVerifiedFlag(void); +extern void clearPinUvAuthTokenPermissionsExceptLbw(void); +extern void send_keepalive(void); +extern uint32_t get_sign_counter(void); +extern uint8_t get_opts(void); extern void set_opts(uint8_t); #define MAX_CREDENTIAL_COUNT_IN_LIST 16 #define MAX_CRED_ID_LENGTH 1024 @@ -123,7 +125,19 @@ extern const known_app_t *find_app_by_rp_id_hash(const uint8_t *rp_id_hash); #define TRANSPORT_TIME_LIMIT (30 * 1000) //USB -bool check_user_presence(); +bool check_user_presence(void); +int fido_process_apdu(void); +int cmd_register(void); +int cmd_authenticate(void); +int cmd_version(void); +int calculate_oath(uint8_t truncate, + const uint8_t *key, + size_t key_len, + const uint8_t *chal, + size_t chal_len); +int encrypt_keydev_f1(const uint8_t keydev[32]); +int resetPinUvAuthToken(void); +int resetPersistentPinUvAuthToken(void); typedef struct pinUvAuthToken { uint8_t *data; diff --git a/src/fido/kek.c b/src/fido/kek.c index 5110eef..7277a48 100644 --- a/src/fido/kek.c +++ b/src/fido/kek.c @@ -32,11 +32,10 @@ #include "files.h" #include "otp.h" -extern uint8_t session_pin[32]; uint8_t mkek_mask[MKEK_KEY_SIZE]; bool has_mkek_mask = false; -void mkek_masked(uint8_t *mkek, const uint8_t *mask) { +static void mkek_masked(uint8_t *mkek, const uint8_t *mask) { if (mask) { for (int i = 0; i < MKEK_KEY_SIZE; i++) { MKEK_KEY(mkek)[i] ^= mask[i]; @@ -58,7 +57,9 @@ int load_mkek(uint8_t *mkek) { if (ret != 0) { return PICOKEY_EXEC_ERROR; } - if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *) MKEK_CHECKSUM(mkek)) { + uint32_t mkek_checksum = 0; + memcpy(&mkek_checksum, MKEK_CHECKSUM(mkek), sizeof(mkek_checksum)); + if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != mkek_checksum) { return PICOKEY_WRONG_DKEK; } if (otp_key_1) { diff --git a/src/fido/kek.h b/src/fido/kek.h index d0c990f..9540620 100644 --- a/src/fido/kek.h +++ b/src/fido/kek.h @@ -26,7 +26,7 @@ extern int load_mkek(uint8_t *); extern int store_mkek(const uint8_t *); -extern void init_mkek(); +extern void init_mkek(void); extern void release_mkek(uint8_t *); extern int mkek_encrypt(uint8_t *data, uint16_t len); extern int mkek_decrypt(uint8_t *data, uint16_t len); diff --git a/src/fido/management.c b/src/fido/management.c index af3a67d..5c06307 100644 --- a/src/fido/management.c +++ b/src/fido/management.c @@ -25,16 +25,14 @@ bool is_gpg = true; -int man_process_apdu(); -int man_unload(); +static int man_process_apdu(void); +static int man_unload(void); const uint8_t man_aid[] = { 8, 0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17 }; -extern void scan_all(); -extern void init_otp(); -int man_select(app_t *a, uint8_t force) { +static int man_select(app_t *a, uint8_t force) { a->process_apdu = man_process_apdu; a->unload = man_unload; sprintf((char *) res_APDU, "%d.%d.0", PICO_FIDO_VERSION_MAJOR, PICO_FIDO_VERSION_MINOR); @@ -54,7 +52,7 @@ INITIALIZER ( man_ctor ) { register_app(man_select, man_aid); } -int man_unload() { +static int man_unload(void) { return PICOKEY_OK; } @@ -88,7 +86,7 @@ static uint8_t _piv_aid[] = { 0xA0, 0x00, 0x00, 0x03, 0x8, }; -int man_get_config() { +int man_get_config(void) { file_t *ef = search_dynamic_file(EF_DEV_CONF); res_APDU_size = 0; res_APDU[res_APDU_size++] = 0; // Overall length. Filled later @@ -155,12 +153,12 @@ int man_get_config() { return 0; } -int cmd_read_config() { +static int cmd_read_config(void) { man_get_config(); return SW_OK(); } -int cmd_write_config() { +static int cmd_write_config(void) { if (apdu.data[0] != apdu.nc - 1) { return SW_WRONG_DATA(); } @@ -179,8 +177,8 @@ int cmd_write_config() { return SW_OK(); } -extern int cbor_reset(); -int cmd_factory_reset() { +extern int cbor_reset(void); +static int cmd_factory_reset(void) { cbor_reset(); return SW_OK(); } @@ -196,7 +194,7 @@ static const cmd_t cmds[] = { { 0x00, 0x0 } }; -int man_process_apdu() { +static int man_process_apdu(void) { if (CLA(apdu) != 0x00) { return SW_CLA_NOT_SUPPORTED(); } diff --git a/src/fido/management.h b/src/fido/management.h index 4651c61..60eb2de 100644 --- a/src/fido/management.h +++ b/src/fido/management.h @@ -50,6 +50,6 @@ #define FLAG_EJECT 0x80 extern bool cap_supported(uint16_t cap); -extern int man_get_config(); +extern int man_get_config(void); #endif //_MANAGEMENT_H diff --git a/src/fido/oath.c b/src/fido/oath.c index 46a9d5e..a2b4ca4 100644 --- a/src/fido/oath.c +++ b/src/fido/oath.c @@ -24,7 +24,6 @@ #include "asn1.h" #include "crypto_utils.h" #include "management.h" -extern bool is_nk; #define MAX_OATH_CRED 255 #define CHALLENGE_LEN 8 @@ -63,8 +62,8 @@ extern bool is_nk; #define PROP_TOUCH 0x02 #define PROP_PIN 0x03 -int oath_process_apdu(); -int oath_unload(); +static int oath_process_apdu(void); +static int oath_unload(void); static bool validated = true; static uint8_t challenge[CHALLENGE_LEN] = { 0 }; @@ -74,7 +73,7 @@ const uint8_t oath_aid[] = { 0xa0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01 }; -int oath_select(app_t *a, uint8_t force) { +static int oath_select(app_t *a, uint8_t force) { (void) force; if (cap_supported(CAP_OATH)) { a->process_apdu = oath_process_apdu; @@ -121,11 +120,11 @@ INITIALIZER ( oath_ctor ) { register_app(oath_select, oath_aid); } -int oath_unload() { +static int oath_unload(void) { return PICOKEY_OK; } -file_t *find_oath_cred(const uint8_t *name, size_t name_len) { +static file_t *find_oath_cred(const uint8_t *name, size_t name_len) { for (int i = 0; i < MAX_OATH_CRED; i++) { file_t *ef = search_dynamic_file((uint16_t)(EF_OATH_CRED + i)); asn1_ctx_t ctxi, ef_tag = { 0 }; @@ -137,7 +136,7 @@ file_t *find_oath_cred(const uint8_t *name, size_t name_len) { return NULL; } -int cmd_put() { +static int cmd_put(void) { if (validated == false) { return SW_SECURITY_STATUS_NOT_SATISFIED(); } @@ -185,7 +184,7 @@ int cmd_put() { } -int cmd_delete() { +static int cmd_delete(void) { if (validated == false) { return SW_SECURITY_STATUS_NOT_SATISFIED(); } @@ -202,7 +201,7 @@ int cmd_delete() { return SW_INCORRECT_PARAMS(); } -const mbedtls_md_info_t *get_oath_md_info(uint8_t alg) { +static const mbedtls_md_info_t *get_oath_md_info(uint8_t alg) { if ((alg & ALG_MASK) == ALG_HMAC_SHA1) { return mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); } @@ -215,7 +214,7 @@ const mbedtls_md_info_t *get_oath_md_info(uint8_t alg) { return NULL; } -int cmd_set_code() { +static int cmd_set_code(void) { if (validated == false) { return SW_SECURITY_STATUS_NOT_SATISFIED(); } @@ -261,7 +260,7 @@ int cmd_set_code() { return SW_OK(); } -int cmd_reset() { +static int cmd_reset(void) { if (P1(apdu) != 0xde || P2(apdu) != 0xad) { return SW_INCORRECT_P1P2(); } @@ -278,7 +277,7 @@ int cmd_reset() { return SW_OK(); } -int cmd_list() { +static int cmd_list(void) { if (validated == false) { return SW_SECURITY_STATUS_NOT_SATISFIED(); } @@ -310,7 +309,7 @@ int cmd_list() { return SW_OK(); } -int cmd_validate() { +static int cmd_validate(void) { asn1_ctx_t ctxi, key = { 0 }, chal = { 0 }, resp = { 0 }; asn1_ctx_init(apdu.data, (uint16_t)apdu.nc, &ctxi); if (asn1_find_tag(&ctxi, TAG_CHALLENGE, &chal) == false) { @@ -380,7 +379,7 @@ int calculate_oath(uint8_t truncate, const uint8_t *key, size_t key_len, const u return PICOKEY_OK; } -int cmd_calculate() { +static int cmd_calculate(void) { if (P2(apdu) != 0x0 && P2(apdu) != 0x1) { return SW_INCORRECT_P1P2(); } @@ -435,7 +434,7 @@ int cmd_calculate() { return SW_OK(); } -int cmd_calculate_all() { +static int cmd_calculate_all(void) { asn1_ctx_t ctxi, key = { 0 }, chal = { 0 }, name = { 0 }, prop = { 0 }; asn1_ctx_init(apdu.data, (uint16_t)apdu.nc, &ctxi); if (P2(apdu) != 0x0 && P2(apdu) != 0x1) { @@ -485,11 +484,11 @@ int cmd_calculate_all() { return SW_OK(); } -int cmd_send_remaining() { +static int cmd_send_remaining(void) { return SW_OK(); } -int cmd_set_otp_pin() { +static int cmd_set_otp_pin(void) { uint8_t hsh[33] = { 0 }; file_t *ef_otp_pin = search_by_fid(EF_OTP_PIN, NULL, SPECIFY_EF); if (file_has_data(ef_otp_pin)) { @@ -507,7 +506,7 @@ int cmd_set_otp_pin() { return SW_OK(); } -int cmd_change_otp_pin() { +static int cmd_change_otp_pin(void) { uint8_t hsh[33] = { 0 }; file_t *ef_otp_pin = search_by_fid(EF_OTP_PIN, NULL, SPECIFY_EF); if (!file_has_data(ef_otp_pin)) { @@ -532,7 +531,7 @@ int cmd_change_otp_pin() { return SW_OK(); } -int cmd_verify_otp_pin() { +static int cmd_verify_otp_pin(void) { uint8_t hsh[33] = { 0 }, data_hsh[33]; file_t *ef_otp_pin = search_by_fid(EF_OTP_PIN, NULL, SPECIFY_EF); if (!file_has_data(ef_otp_pin)) { @@ -561,7 +560,7 @@ int cmd_verify_otp_pin() { return SW_OK(); } -int cmd_verify_hotp() { +static int cmd_verify_hotp(void) { asn1_ctx_t ctxi, key = { 0 }, chal = { 0 }, name = { 0 }, code = { 0 }; asn1_ctx_init(apdu.data, (uint16_t)apdu.nc, &ctxi); uint32_t code_int = 0; @@ -607,7 +606,7 @@ int cmd_verify_hotp() { return SW_OK(); } -int cmd_rename() { +static int cmd_rename(void) { asn1_ctx_t ctxi, name = { 0 }, new_name = { 0 }; if (validated == false) { @@ -649,7 +648,7 @@ int cmd_rename() { return SW_OK(); } -int cmd_get_credential() { +static int cmd_get_credential(void) { asn1_ctx_t ctxi, name = { 0 }; if (apdu.nc < 3) { return SW_INCORRECT_PARAMS(); @@ -731,7 +730,7 @@ static const cmd_t cmds[] = { { 0x00, 0x0 } }; -int oath_process_apdu() { +static int oath_process_apdu(void) { if (CLA(apdu) != 0x00) { return SW_CLA_NOT_SUPPORTED(); } diff --git a/src/fido/otp.c b/src/fido/otp.c index 3cc5811..dd2ded3 100644 --- a/src/fido/otp.c +++ b/src/fido/otp.c @@ -28,8 +28,15 @@ #include "bsp/board.h" #endif #ifdef ENABLE_EMULATION -void add_keyboard_buffer(const uint8_t *buf, size_t len, bool press_enter) {} -void append_keyboard_buffer(const uint8_t *buf, size_t len) {} +void add_keyboard_buffer(const uint8_t *buf, size_t len, bool press_enter) { + (void)buf; + (void)len; + (void)press_enter; +} +void append_keyboard_buffer(const uint8_t *buf, size_t len) { + (void)buf; + (void)len; +} #else #include "tusb.h" #endif @@ -119,22 +126,21 @@ typedef struct otp_config { }) otp_config_t; #define otp_config_size sizeof(otp_config_t) -uint16_t otp_status(bool is_otp); - -int otp_process_apdu(); -int otp_unload(); +static uint16_t otp_status(bool is_otp); +static int otp_process_apdu(void); +static int otp_unload(void); extern int (*hid_set_report_cb)(uint8_t, uint8_t, hid_report_type_t, uint8_t const *, uint16_t); extern uint16_t (*hid_get_report_cb)(uint8_t, uint8_t, hid_report_type_t, uint8_t *, uint16_t); -int otp_hid_set_report_cb(uint8_t, uint8_t, hid_report_type_t, uint8_t const *, uint16_t); -uint16_t otp_hid_get_report_cb(uint8_t, uint8_t, hid_report_type_t, uint8_t *, uint16_t); +static int otp_hid_set_report_cb(uint8_t, uint8_t, hid_report_type_t, uint8_t const *, uint16_t); +static uint16_t otp_hid_get_report_cb(uint8_t, uint8_t, hid_report_type_t, uint8_t *, uint16_t); const uint8_t otp_aid[] = { 7, 0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01 }; -int otp_select(app_t *a, uint8_t force) { +static int otp_select(app_t *a, uint8_t force) { (void) force; if (cap_supported(CAP_OTP)) { a->process_apdu = otp_process_apdu; @@ -154,7 +160,7 @@ int otp_select(app_t *a, uint8_t force) { uint8_t modhex_tab[] = { 'c', 'b', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'n', 'r', 't', 'u', 'v' }; -int encode_modhex(const uint8_t *in, size_t len, uint8_t *out) { +static int encode_modhex(const uint8_t *in, size_t len, uint8_t *out) { for (size_t l = 0; l < len; l++) { *out++ = modhex_tab[in[l] >> 4]; *out++ = modhex_tab[in[l] & 0xf]; @@ -162,8 +168,7 @@ int encode_modhex(const uint8_t *in, size_t len, uint8_t *out) { return 0; } static bool scanned = false; -extern void scan_all(); -void init_otp() { +void init_otp(void) { if (scanned == false) { scan_all(); for (uint8_t i = 0; i < 4; i++) { @@ -185,13 +190,7 @@ void init_otp() { low_flash_available(); } } -extern int calculate_oath(uint8_t truncate, - const uint8_t *key, - size_t key_len, - const uint8_t *chal, - size_t chal_len); - -uint16_t calculate_crc(const uint8_t *data, size_t data_len) { +static uint16_t calculate_crc(const uint8_t *data, size_t data_len) { uint16_t crc = 0xFFFF; for (size_t idx = 0; idx < data_len; idx++) { crc ^= data[idx]; @@ -207,7 +206,7 @@ uint16_t calculate_crc(const uint8_t *data, size_t data_len) { } static uint8_t session_counter[2] = { 0 }; -int otp_button_pressed(uint8_t slot) { +static int otp_button_pressed(uint8_t slot) { init_otp(); if (!cap_supported(CAP_OTP)) { return 3; @@ -334,12 +333,12 @@ INITIALIZER( otp_ctor ) { hid_get_report_cb = otp_hid_get_report_cb; } -int otp_unload() { +static int otp_unload(void) { return PICOKEY_OK; } uint8_t status_byte = 0x0; -uint16_t otp_status_ext() { +static uint16_t otp_status_ext(void) { for (int i = 0; i < 4; i++) { file_t *ef = search_dynamic_file(EF_OTP_SLOT1 + i); if (file_has_data(ef)) { @@ -372,7 +371,7 @@ uint16_t otp_status_ext() { return SW_OK(); } -uint16_t otp_status(bool is_otp) { +static uint16_t otp_status(bool is_otp) { if (scanned == false) { scan_all(); scanned = true; @@ -415,13 +414,13 @@ uint16_t otp_status(bool is_otp) { return SW_OK(); } -bool check_crc(const otp_config_t *data) { +static bool check_crc(const otp_config_t *data) { uint16_t crc = calculate_crc((const uint8_t *) data, otp_config_size); return crc == 0xF0B8; } bool _is_otp = false; -int cmd_otp() { +static int cmd_otp(void) { uint8_t p1 = P1(apdu), p2 = P2(apdu); if (p1 == 0x01 || p1 == 0x03) { // Configure slot otp_config_t *odata = (otp_config_t *) apdu.data; @@ -436,7 +435,7 @@ int cmd_otp() { return SW_SECURITY_STATUS_NOT_SATISFIED(); } } - for (int c = 0; c < otp_config_size; c++) { + for (size_t c = 0; c < otp_config_size; c++) { if (apdu.data[c] != 0) { if (odata->rfu[0] != 0 || odata->rfu[1] != 0 || check_crc(odata) == false) { return SW_WRONG_DATA(); @@ -608,7 +607,7 @@ static const cmd_t cmds[] = { { 0x00, 0x0 } }; -int otp_process_apdu() { +static int otp_process_apdu(void) { if (CLA(apdu) != 0x00) { return SW_CLA_NOT_SUPPORTED(); } @@ -628,9 +627,7 @@ uint8_t otp_frame_tx[70] = {0}; uint8_t otp_exp_seq = 0, otp_curr_seq = 0; uint8_t otp_header[4] = {0}; -extern uint16_t *get_send_buffer_size(uint8_t itf); - -int otp_send_frame(uint8_t *frame, size_t frame_len) { +static int otp_send_frame(uint8_t *frame, size_t frame_len) { uint16_t crc = calculate_crc(frame, frame_len); frame_len += put_uint16_t_le(~crc, frame + frame_len); *get_send_buffer_size(ITF_KEYBOARD) = frame_len; @@ -642,7 +639,9 @@ int otp_send_frame(uint8_t *frame, size_t frame_len) { return 0; } -int otp_hid_set_report_cb(uint8_t itf, uint8_t report_id, hid_report_type_t report_type, uint8_t const *buffer, uint16_t bufsize) { +static int otp_hid_set_report_cb(uint8_t itf, uint8_t report_id, hid_report_type_t report_type, uint8_t const *buffer, uint16_t bufsize) { + (void)itf; + (void)report_id; if (report_type == 3) { DEBUG_PAYLOAD(buffer, bufsize); if (buffer[7] == 0xFF) { // reset @@ -690,11 +689,11 @@ int otp_hid_set_report_cb(uint8_t itf, uint8_t report_id, hid_report_type_t repo return 0; } -uint16_t otp_hid_get_report_cb(uint8_t itf, - uint8_t report_id, - hid_report_type_t report_type, - uint8_t *buffer, - uint16_t reqlen) { +static uint16_t otp_hid_get_report_cb(uint8_t itf, + uint8_t report_id, + hid_report_type_t report_type, + uint8_t *buffer, + uint16_t reqlen) { // TODO not Implemented (void) itf; (void) report_id;