[fix] Fake register requests are now refused whithout displaying gibb…

…erish
LedgerHQ · Oct 3, 2024 · 59f9c91 · 59f9c91
1 parent 0442270
commit 59f9c91
Show file tree

Hide file tree

Showing 21 changed files with 39 additions and 5 deletions.
diff --git a/include/sw_code.h b/include/sw_code.h
@@ -24,4 +24,5 @@
 #define SW_INCORRECT_P1P2           0x6A86
 #define SW_INS_NOT_SUPPORTED        0x6D00
 #define SW_CLA_NOT_SUPPORTED        0x6E00
+#define SW_USER_REFUSED             0x6F01
 #define SW_PROPRIETARY_INTERNAL     0x6FFF
diff --git a/src/u2f_processing.c b/src/u2f_processing.c
@@ -27,6 +27,12 @@
 #include "nfc_io.h"
 #include "sw_code.h"
 
+// These are used by some services to perform fake register in order to check for user presence
+// As this could be disruptive, we are going to immediately return an error on such request.
+static const uint8_t bogusSize = 32;
+static const uint8_t bogusAppParamValue = 0x41;
+static const uint8_t bogusChallengeParamValue = 0x42;
+
 static int u2f_get_cmd_msg_data(uint8_t *rx, uint16_t rx_length, uint8_t **data, uint32_t *le) {
     uint32_t data_length;
     /* Parse buffer to retrieve the data length.
@@ -189,6 +195,24 @@ static int u2f_handle_apdu_enroll(const uint8_t *rx, uint32_t data_length, const
         return io_send_sw(SW_INCORRECT_P1P2);
     }
 
+    // Hacky behavior in U2F: some browser send this gibberish 'register' command while
+    // waiting answers for authentication.
+    if (sizeof(reg_req->challenge_param) == bogusSize &&
+        sizeof(reg_req->application_param) == bogusSize) {
+        bool fake_register = true;
+        // checking app & challenge parameters are only 0x41s and 0x42s
+        for (int i = 0; i < bogusSize; i++) {
+            if (reg_req->challenge_param[i] != bogusChallengeParamValue ||
+                reg_req->application_param[i] != bogusAppParamValue) {
+                fake_register = false;
+                break;
+            }
+        }
+        if (fake_register) {
+            return io_send_sw(SW_USER_REFUSED);
+        }
+    }
+
     // Backup ins, challenge and application parameters to be used if user accept the request
     globals_get_u2f_data()->ins = FIDO_INS_REGISTER;
     memmove(globals_get_u2f_data()->challenge_param,

diff --git a/src/u2f_processing_flow.c b/src/u2f_processing_flow.c
@@ -256,7 +256,7 @@ static int u2f_process_user_presence_confirmed(void) {
 #if defined(HAVE_BAGL)
 
 static unsigned int u2f_callback_cancel(void) {
-    io_send_sw(SW_PROPRIETARY_INTERNAL);
+    io_send_sw(SW_USER_REFUSED);
     ui_idle();
     return 0;
 }
@@ -346,7 +346,7 @@ static void on_register_choice(bool confirm) {
         u2f_process_user_presence_confirmed();
         app_nbgl_status("Registration details\nsent", true, ui_idle);
     } else {
-        io_send_sw(SW_PROPRIETARY_INTERNAL);
+        io_send_sw(SW_USER_REFUSED);
         app_nbgl_status("Registration cancelled", false, ui_idle);
     }
 }
@@ -356,7 +356,7 @@ static void on_login_choice(bool confirm) {
         u2f_process_user_presence_confirmed();
         app_nbgl_status("Login request signed", true, ui_idle);
     } else {
-        io_send_sw(SW_PROPRIETARY_INTERNAL);
+        io_send_sw(SW_USER_REFUSED);
         app_nbgl_status("Log in cancelled", false, ui_idle);
     }
 }

diff --git a/tests/speculos/ctap1_client.py b/tests/speculos/ctap1_client.py
@@ -26,6 +26,7 @@ class APDU(IntEnum):
 
     # Vendor specific status codes
     SW_INTERNAL_EXCEPTION = 0X6F00,
+    SW_USER_REFUSED = 0x6F01,
     SW_PROPRIETARY_INTERNAL = 0x6FFF,
 
 

diff --git a/tests/speculos/fido2/test_client_pin.py → tests/speculos/ctap2/test_client_pin.py b/tests/speculos/fido2/test_client_pin.py → tests/speculos/ctap2/test_client_pin.py
diff --git a/...culos/fido2/test_extension_hmac_secret.py → ...culos/ctap2/test_extension_hmac_secret.py b/...culos/fido2/test_extension_hmac_secret.py → ...culos/ctap2/test_extension_hmac_secret.py
diff --git a/tests/speculos/fido2/test_fido2_screens.py → tests/speculos/ctap2/test_fido2_screens.py b/tests/speculos/fido2/test_fido2_screens.py → tests/speculos/ctap2/test_fido2_screens.py
diff --git a/tests/speculos/fido2/test_get_assertion.py → tests/speculos/ctap2/test_get_assertion.py b/tests/speculos/fido2/test_get_assertion.py → tests/speculos/ctap2/test_get_assertion.py
diff --git a/tests/speculos/fido2/test_get_info.py → tests/speculos/ctap2/test_get_info.py b/tests/speculos/fido2/test_get_info.py → tests/speculos/ctap2/test_get_info.py
diff --git a/...speculos/fido2/test_get_next_assertion.py → ...speculos/ctap2/test_get_next_assertion.py b/...speculos/fido2/test_get_next_assertion.py → ...speculos/ctap2/test_get_next_assertion.py
diff --git a/tests/speculos/fido2/test_interop.py → tests/speculos/ctap2/test_interop.py b/tests/speculos/fido2/test_interop.py → tests/speculos/ctap2/test_interop.py
diff --git a/tests/speculos/fido2/test_make_credential.py → tests/speculos/ctap2/test_make_credential.py b/tests/speculos/fido2/test_make_credential.py → tests/speculos/ctap2/test_make_credential.py
diff --git a/tests/speculos/fido2/test_option_rk.py → tests/speculos/ctap2/test_option_rk.py b/tests/speculos/fido2/test_option_rk.py → tests/speculos/ctap2/test_option_rk.py
diff --git a/tests/speculos/fido2/test_reset.py → tests/speculos/ctap2/test_reset.py b/tests/speculos/fido2/test_reset.py → tests/speculos/ctap2/test_reset.py
diff --git a/tests/speculos/fido2/test_u2f_fido2_proxy.py → tests/speculos/ctap2/test_u2f_fido2_proxy.py b/tests/speculos/fido2/test_u2f_fido2_proxy.py → tests/speculos/ctap2/test_u2f_fido2_proxy.py
diff --git a/tests/speculos/snapshots/flex/test_u2f_screens_idle/00000.png b/tests/speculos/snapshots/flex/test_u2f_screens_idle/00000.png
diff --git a/tests/speculos/snapshots/flex/test_u2f_screens_idle/00002.png b/tests/speculos/snapshots/flex/test_u2f_screens_idle/00002.png
diff --git a/tests/speculos/snapshots/stax/test_u2f_screens_idle/00000.png b/tests/speculos/snapshots/stax/test_u2f_screens_idle/00000.png
diff --git a/tests/speculos/snapshots/stax/test_u2f_screens_idle/00002.png b/tests/speculos/snapshots/stax/test_u2f_screens_idle/00002.png
diff --git a/tests/speculos/u2f/test_authenticate_cmd.py b/tests/speculos/u2f/test_authenticate_cmd.py
@@ -108,7 +108,7 @@ def test_authenticate_user_refused(client, test_name):
                                   check_screens="full",
                                   compare_args=compare_args)
 
-    assert e.value.code == APDU.SW_PROPRIETARY_INTERNAL
+    assert e.value.code == APDU.SW_USER_REFUSED
 
 
 def test_authenticate_with_reboot_ok(client):

diff --git a/tests/speculos/u2f/test_register_cmd.py b/tests/speculos/u2f/test_register_cmd.py
@@ -64,7 +64,15 @@ def test_register_user_refused(client, test_name):
                               check_screens="full",
                               compare_args=compare_args)
 
-    assert e.value.code == APDU.SW_PROPRIETARY_INTERNAL
+    assert e.value.code == APDU.SW_USER_REFUSED
+
+
+def test_register_fake_refused(client):
+    # challenge parameter + application parameter
+    data = b'\x42' * 32 + b'\x41' * 32
+    with pytest.raises(ApduError) as e:
+        client.ctap1.send_apdu(ins=Ctap1.INS.REGISTER, data=data)
+    assert e.value.code == APDU.SW_USER_REFUSED
 
 
 def test_register_duplicate(client):