Coverage Report

Created: 2022-04-27 14:33

/libfido2/src/u2f.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <openssl/sha.h>
8
#include <openssl/x509.h>
9
10
#ifdef HAVE_UNISTD_H
11
#include <unistd.h>
12
#endif
13
#include <errno.h>
14
15
#include "fido.h"
16
#include "fido/es256.h"
17
18
995
#define U2F_PACE_MS (100)
19
20
#if defined(_MSC_VER)
21
static int
22
usleep(unsigned int usec)
23
{
24
        Sleep(usec / 1000);
25
26
        return (0);
27
}
28
#endif
29
30
static int
31
delay_ms(unsigned int ms, int *ms_remain)
32
995
{
33
995
        if (*ms_remain > -1 && (unsigned int)*ms_remain < ms)
34
671
                ms = (unsigned int)*ms_remain;
35
36
995
        if (ms > UINT_MAX / 1000) {
37
0
                fido_log_debug("%s: ms=%u", __func__, ms);
38
0
                return (-1);
39
0
        }
40
41
995
        if (usleep(ms * 1000) < 0) {
42
4
                fido_log_error(errno, "%s: usleep", __func__);
43
4
                return (-1);
44
4
        }
45
46
991
        if (*ms_remain > -1)
47
991
                *ms_remain -= (int)ms;
48
49
991
        return (0);
50
995
}
51
52
static int
53
sig_get(fido_blob_t *sig, const unsigned char **buf, size_t *len)
54
239
{
55
239
        sig->len = *len; /* consume the whole buffer */
56
239
        if ((sig->ptr = calloc(1, sig->len)) == NULL ||
57
239
            fido_buf_read(buf, len, sig->ptr, sig->len) < 0) {
58
2
                fido_log_debug("%s: fido_buf_read", __func__);
59
2
                fido_blob_reset(sig);
60
2
                return (-1);
61
2
        }
62
63
237
        return (0);
64
239
}
65
66
static int
67
x5c_get(fido_blob_t *x5c, const unsigned char **buf, size_t *len)
68
138
{
69
138
        X509    *cert = NULL;
70
138
        int      ok = -1;
71
72
138
        if (*len > LONG_MAX) {
73
0
                fido_log_debug("%s: invalid len %zu", __func__, *len);
74
0
                goto fail;
75
0
        }
76
77
        /* find out the certificate's length */
78
138
        const unsigned char *end = *buf;
79
138
        if ((cert = d2i_X509(NULL, &end, (long)*len)) == NULL || end <= *buf ||
80
138
            (x5c->len = (size_t)(end - *buf)) >= *len) {
81
26
                fido_log_debug("%s: d2i_X509", __func__);
82
26
                goto fail;
83
26
        }
84
85
        /* read accordingly */
86
112
        if ((x5c->ptr = calloc(1, x5c->len)) == NULL ||
87
112
            fido_buf_read(buf, len, x5c->ptr, x5c->len) < 0) {
88
1
                fido_log_debug("%s: fido_buf_read", __func__);
89
1
                goto fail;
90
1
        }
91
92
111
        ok = 0;
93
138
fail:
94
138
        if (cert != NULL)
95
112
                X509_free(cert);
96
97
138
        if (ok < 0)
98
27
                fido_blob_reset(x5c);
99
100
138
        return (ok);
101
111
}
102
103
static int
104
authdata_fake(const char *rp_id, uint8_t flags, uint32_t sigcount,
105
    fido_blob_t *fake_cbor_ad)
106
127
{
107
127
        fido_authdata_t  ad;
108
127
        cbor_item_t     *item = NULL;
109
127
        size_t           alloc_len;
110
111
127
        memset(&ad, 0, sizeof(ad));
112
113
127
        if (SHA256((const void *)rp_id, strlen(rp_id),
114
127
            ad.rp_id_hash) != ad.rp_id_hash) {
115
1
                fido_log_debug("%s: sha256", __func__);
116
1
                return (-1);
117
1
        }
118
119
126
        ad.flags = flags; /* XXX translate? */
120
126
        ad.sigcount = sigcount;
121
122
126
        if ((item = cbor_build_bytestring((const unsigned char *)&ad,
123
126
            sizeof(ad))) == NULL) {
124
1
                fido_log_debug("%s: cbor_build_bytestring", __func__);
125
1
                return (-1);
126
1
        }
127
128
125
        if (fake_cbor_ad->ptr != NULL ||
129
125
            (fake_cbor_ad->len = cbor_serialize_alloc(item, &fake_cbor_ad->ptr,
130
125
            &alloc_len)) == 0) {
131
1
                fido_log_debug("%s: cbor_serialize_alloc", __func__);
132
1
                cbor_decref(&item);
133
1
                return (-1);
134
1
        }
135
136
124
        cbor_decref(&item);
137
138
124
        return (0);
139
125
}
140
141
/* TODO: use u2f_get_touch_begin & u2f_get_touch_status instead */
142
static int
143
send_dummy_register(fido_dev_t *dev, int *ms)
144
28
{
145
28
        iso7816_apdu_t  *apdu = NULL;
146
28
        unsigned char    challenge[SHA256_DIGEST_LENGTH];
147
28
        unsigned char    application[SHA256_DIGEST_LENGTH];
148
28
        unsigned char    reply[FIDO_MAXMSG];
149
28
        int              r;
150
151
        /* dummy challenge & application */
152
28
        memset(&challenge, 0xff, sizeof(challenge));
153
28
        memset(&application, 0xff, sizeof(application));
154
155
28
        if ((apdu = iso7816_new(0, U2F_CMD_REGISTER, 0, 2 *
156
28
            SHA256_DIGEST_LENGTH)) == NULL ||
157
28
            iso7816_add(apdu, &challenge, sizeof(challenge)) < 0 ||
158
28
            iso7816_add(apdu, &application, sizeof(application)) < 0) {
159
1
                fido_log_debug("%s: iso7816", __func__);
160
1
                r = FIDO_ERR_INTERNAL;
161
1
                goto fail;
162
1
        }
163
164
73
        do {
165
73
                if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu),
166
73
                    iso7816_len(apdu), ms) < 0) {
167
1
                        fido_log_debug("%s: fido_tx", __func__);
168
1
                        r = FIDO_ERR_TX;
169
1
                        goto fail;
170
1
                }
171
72
                if (fido_rx(dev, CTAP_CMD_MSG, &reply, sizeof(reply), ms) < 2) {
172
14
                        fido_log_debug("%s: fido_rx", __func__);
173
14
                        r = FIDO_ERR_RX;
174
14
                        goto fail;
175
14
                }
176
58
                if (delay_ms(U2F_PACE_MS, ms) != 0) {
177
1
                        fido_log_debug("%s: delay_ms", __func__);
178
1
                        r = FIDO_ERR_RX;
179
1
                        goto fail;
180
1
                }
181
58
        } while (((reply[0] << 8) | reply[1]) == SW_CONDITIONS_NOT_SATISFIED);
182
183
11
        r = FIDO_OK;
184
28
fail:
185
28
        iso7816_free(&apdu);
186
187
28
        return (r);
188
11
}
189
190
static int
191
key_lookup(fido_dev_t *dev, const char *rp_id, const fido_blob_t *key_id,
192
    int *found, int *ms)
193
948
{
194
948
        iso7816_apdu_t  *apdu = NULL;
195
948
        unsigned char    challenge[SHA256_DIGEST_LENGTH];
196
948
        unsigned char    rp_id_hash[SHA256_DIGEST_LENGTH];
197
948
        unsigned char    reply[FIDO_MAXMSG];
198
948
        uint8_t          key_id_len;
199
948
        int              r;
200
201
948
        if (key_id->len > UINT8_MAX || rp_id == NULL) {
202
9
                fido_log_debug("%s: key_id->len=%zu, rp_id=%p", __func__,
203
9
                    key_id->len, (const void *)rp_id);
204
9
                r = FIDO_ERR_INVALID_ARGUMENT;
205
9
                goto fail;
206
9
        }
207
208
939
        memset(&challenge, 0xff, sizeof(challenge));
209
939
        memset(&rp_id_hash, 0, sizeof(rp_id_hash));
210
211
939
        if (SHA256((const void *)rp_id, strlen(rp_id),
212
939
            rp_id_hash) != rp_id_hash) {
213
3
                fido_log_debug("%s: sha256", __func__);
214
3
                r = FIDO_ERR_INTERNAL;
215
3
                goto fail;
216
3
        }
217
218
936
        key_id_len = (uint8_t)key_id->len;
219
220
936
        if ((apdu = iso7816_new(0, U2F_CMD_AUTH, U2F_AUTH_CHECK, (uint16_t)(2 *
221
936
            SHA256_DIGEST_LENGTH + sizeof(key_id_len) + key_id_len))) == NULL ||
222
936
            iso7816_add(apdu, &challenge, sizeof(challenge)) < 0 ||
223
936
            iso7816_add(apdu, &rp_id_hash, sizeof(rp_id_hash)) < 0 ||
224
936
            iso7816_add(apdu, &key_id_len, sizeof(key_id_len)) < 0 ||
225
936
            iso7816_add(apdu, key_id->ptr, key_id_len) < 0) {
226
3
                fido_log_debug("%s: iso7816", __func__);
227
3
                r = FIDO_ERR_INTERNAL;
228
3
                goto fail;
229
3
        }
230
231
933
        if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu),
232
933
            iso7816_len(apdu), ms) < 0) {
233
82
                fido_log_debug("%s: fido_tx", __func__);
234
82
                r = FIDO_ERR_TX;
235
82
                goto fail;
236
82
        }
237
851
        if (fido_rx(dev, CTAP_CMD_MSG, &reply, sizeof(reply), ms) != 2) {
238
449
                fido_log_debug("%s: fido_rx", __func__);
239
449
                r = FIDO_ERR_RX;
240
449
                goto fail;
241
449
        }
242
243
402
        switch ((reply[0] << 8) | reply[1]) {
244
279
        case SW_CONDITIONS_NOT_SATISFIED:
245
279
                *found = 1; /* key exists */
246
279
                break;
247
16
        case SW_WRONG_DATA:
248
16
                *found = 0; /* key does not exist */
249
16
                break;
250
107
        default:
251
                /* unexpected sw */
252
107
                r = FIDO_ERR_INTERNAL;
253
107
                goto fail;
254
402
        }
255
256
295
        r = FIDO_OK;
257
948
fail:
258
948
        iso7816_free(&apdu);
259
260
948
        return (r);
261
295
}
262
263
static int
264
parse_auth_reply(fido_blob_t *sig, fido_blob_t *ad, const char *rp_id,
265
    const unsigned char *reply, size_t len)
266
159
{
267
159
        uint8_t         flags;
268
159
        uint32_t        sigcount;
269
270
159
        if (len < 2 || ((reply[len - 2] << 8) | reply[len - 1]) != SW_NO_ERROR) {
271
30
                fido_log_debug("%s: unexpected sw", __func__);
272
30
                return (FIDO_ERR_RX);
273
30
        }
274
275
129
        len -= 2;
276
277
129
        if (fido_buf_read(&reply, &len, &flags, sizeof(flags)) < 0 ||
278
129
            fido_buf_read(&reply, &len, &sigcount, sizeof(sigcount)) < 0) {
279
1
                fido_log_debug("%s: fido_buf_read", __func__);
280
1
                return (FIDO_ERR_RX);
281
1
        }
282
283
128
        if (sig_get(sig, &reply, &len) < 0) {
284
1
                fido_log_debug("%s: sig_get", __func__);
285
1
                return (FIDO_ERR_RX);
286
1
        }
287
288
127
        if (authdata_fake(rp_id, flags, sigcount, ad) < 0) {
289
3
                fido_log_debug("%s; authdata_fake", __func__);
290
3
                return (FIDO_ERR_RX);
291
3
        }
292
293
124
        return (FIDO_OK);
294
127
}
295
296
static int
297
do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id,
298
    const fido_blob_t *key_id, fido_blob_t *sig, fido_blob_t *ad, int *ms)
299
191
{
300
191
        iso7816_apdu_t  *apdu = NULL;
301
191
        unsigned char    rp_id_hash[SHA256_DIGEST_LENGTH];
302
191
        unsigned char    reply[FIDO_MAXMSG];
303
191
        int              reply_len;
304
191
        uint8_t          key_id_len;
305
191
        int              r;
306
307
191
#ifdef FIDO_FUZZ
308
191
        *ms = 0; /* XXX */
309
191
#endif
310
311
191
        if (cdh->len != SHA256_DIGEST_LENGTH || key_id->len > UINT8_MAX ||
312
191
            rp_id == NULL) {
313
13
                r = FIDO_ERR_INVALID_ARGUMENT;
314
13
                goto fail;
315
13
        }
316
317
178
        memset(&rp_id_hash, 0, sizeof(rp_id_hash));
318
319
178
        if (SHA256((const void *)rp_id, strlen(rp_id),
320
178
            rp_id_hash) != rp_id_hash) {
321
1
                fido_log_debug("%s: sha256", __func__);
322
1
                r = FIDO_ERR_INTERNAL;
323
1
                goto fail;
324
1
        }
325
326
177
        key_id_len = (uint8_t)key_id->len;
327
328
177
        if ((apdu = iso7816_new(0, U2F_CMD_AUTH, U2F_AUTH_SIGN, (uint16_t)(2 *
329
177
            SHA256_DIGEST_LENGTH + sizeof(key_id_len) + key_id_len))) == NULL ||
330
177
            iso7816_add(apdu, cdh->ptr, cdh->len) < 0 ||
331
177
            iso7816_add(apdu, &rp_id_hash, sizeof(rp_id_hash)) < 0 ||
332
177
            iso7816_add(apdu, &key_id_len, sizeof(key_id_len)) < 0 ||
333
177
            iso7816_add(apdu, key_id->ptr, key_id_len) < 0) {
334
1
                fido_log_debug("%s: iso7816", __func__);
335
1
                r = FIDO_ERR_INTERNAL;
336
1
                goto fail;
337
1
        }
338
339
356
        do {
340
356
                if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu),
341
356
                    iso7816_len(apdu), ms) < 0) {
342
2
                        fido_log_debug("%s: fido_tx", __func__);
343
2
                        r = FIDO_ERR_TX;
344
2
                        goto fail;
345
2
                }
346
354
                if ((reply_len = fido_rx(dev, CTAP_CMD_MSG, &reply,
347
354
                    sizeof(reply), ms)) < 2) {
348
14
                        fido_log_debug("%s: fido_rx", __func__);
349
14
                        r = FIDO_ERR_RX;
350
14
                        goto fail;
351
14
                }
352
340
                if (delay_ms(U2F_PACE_MS, ms) != 0) {
353
1
                        fido_log_debug("%s: delay_ms", __func__);
354
1
                        r = FIDO_ERR_RX;
355
1
                        goto fail;
356
1
                }
357
340
        } while (((reply[0] << 8) | reply[1]) == SW_CONDITIONS_NOT_SATISFIED);
358
359
159
        if ((r = parse_auth_reply(sig, ad, rp_id, reply,
360
159
            (size_t)reply_len)) != FIDO_OK) {
361
35
                fido_log_debug("%s: parse_auth_reply", __func__);
362
35
                goto fail;
363
35
        }
364
365
191
fail:
366
191
        iso7816_free(&apdu);
367
368
191
        return (r);
369
159
}
370
371
static int
372
cbor_blob_from_ec_point(const uint8_t *ec_point, size_t ec_point_len,
373
    fido_blob_t *cbor_blob)
374
97
{
375
97
        es256_pk_t      *pk = NULL;
376
97
        cbor_item_t     *pk_cbor = NULL;
377
97
        size_t           alloc_len;
378
97
        int              ok = -1;
379
380
        /* only handle uncompressed points */
381
97
        if (ec_point_len != 65 || ec_point[0] != 0x04) {
382
5
                fido_log_debug("%s: unexpected format", __func__);
383
5
                goto fail;
384
5
        }
385
386
92
        if ((pk = es256_pk_new()) == NULL ||
387
92
            es256_pk_set_x(pk, &ec_point[1]) < 0 ||
388
92
            es256_pk_set_y(pk, &ec_point[33]) < 0) {
389
1
                fido_log_debug("%s: es256_pk_set", __func__);
390
1
                goto fail;
391
1
        }
392
393
91
        if ((pk_cbor = es256_pk_encode(pk, 0)) == NULL) {
394
1
                fido_log_debug("%s: es256_pk_encode", __func__);
395
1
                goto fail;
396
1
        }
397
398
90
        if ((cbor_blob->len = cbor_serialize_alloc(pk_cbor, &cbor_blob->ptr,
399
90
            &alloc_len)) != 77) {
400
1
                fido_log_debug("%s: cbor_serialize_alloc", __func__);
401
1
                goto fail;
402
1
        }
403
404
89
        ok = 0;
405
97
fail:
406
97
        es256_pk_free(&pk);
407
408
97
        if (pk_cbor)
409
90
                cbor_decref(&pk_cbor);
410
411
97
        return (ok);
412
89
}
413
414
static int
415
encode_cred_attstmt(int cose_alg, const fido_blob_t *x5c,
416
    const fido_blob_t *sig, fido_blob_t *out)
417
110
{
418
110
        cbor_item_t             *item = NULL;
419
110
        cbor_item_t             *x5c_cbor = NULL;
420
110
        const uint8_t            alg_cbor = (uint8_t)(-cose_alg - 1);
421
110
        struct cbor_pair         kv[3];
422
110
        size_t                   alloc_len;
423
110
        int                      ok = -1;
424
425
110
        memset(&kv, 0, sizeof(kv));
426
110
        memset(out, 0, sizeof(*out));
427
428
110
        if ((item = cbor_new_definite_map(3)) == NULL) {
429
1
                fido_log_debug("%s: cbor_new_definite_map", __func__);
430
1
                goto fail;
431
1
        }
432
433
109
        if ((kv[0].key = cbor_build_string("alg")) == NULL ||
434
109
            (kv[0].value = cbor_build_negint8(alg_cbor)) == NULL ||
435
109
            !cbor_map_add(item, kv[0])) {
436
3
                fido_log_debug("%s: alg", __func__);
437
3
                goto fail;
438
3
        }
439
440
106
        if ((kv[1].key = cbor_build_string("sig")) == NULL ||
441
106
            (kv[1].value = fido_blob_encode(sig)) == NULL ||
442
106
            !cbor_map_add(item, kv[1])) {
443
3
                fido_log_debug("%s: sig", __func__);
444
3
                goto fail;
445
3
        }
446
447
103
        if ((kv[2].key = cbor_build_string("x5c")) == NULL ||
448
103
            (kv[2].value = cbor_new_definite_array(1)) == NULL ||
449
103
            (x5c_cbor = fido_blob_encode(x5c)) == NULL ||
450
103
            !cbor_array_push(kv[2].value, x5c_cbor) ||
451
103
            !cbor_map_add(item, kv[2])) {
452
5
                fido_log_debug("%s: x5c", __func__);
453
5
                goto fail;
454
5
        }
455
456
98
        if ((out->len = cbor_serialize_alloc(item, &out->ptr,
457
98
            &alloc_len)) == 0) {
458
1
                fido_log_debug("%s: cbor_serialize_alloc", __func__);
459
1
                goto fail;
460
1
        }
461
462
97
        ok = 0;
463
110
fail:
464
110
        if (item != NULL)
465
109
                cbor_decref(&item);
466
110
        if (x5c_cbor != NULL)
467
100
                cbor_decref(&x5c_cbor);
468
469
440
        for (size_t i = 0; i < nitems(kv); i++) {
470
330
                if (kv[i].key)
471
315
                        cbor_decref(&kv[i].key);
472
330
                if (kv[i].value)
473
312
                        cbor_decref(&kv[i].value);
474
330
        }
475
476
110
        return (ok);
477
97
}
478
479
static int
480
encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
481
    const uint8_t *pubkey, size_t pubkey_len, fido_blob_t *out)
482
97
{
483
97
        fido_authdata_t          authdata;
484
97
        fido_attcred_raw_t       attcred_raw;
485
97
        fido_blob_t              pk_blob;
486
97
        fido_blob_t              authdata_blob;
487
97
        cbor_item_t             *authdata_cbor = NULL;
488
97
        unsigned char           *ptr;
489
97
        size_t                   len;
490
97
        size_t                   alloc_len;
491
97
        int                      ok = -1;
492
493
97
        memset(&pk_blob, 0, sizeof(pk_blob));
494
97
        memset(&authdata, 0, sizeof(authdata));
495
97
        memset(&authdata_blob, 0, sizeof(authdata_blob));
496
97
        memset(out, 0, sizeof(*out));
497
498
97
        if (rp_id == NULL) {
499
0
                fido_log_debug("%s: NULL rp_id", __func__);
500
0
                goto fail;
501
0
        }
502
503
97
        if (cbor_blob_from_ec_point(pubkey, pubkey_len, &pk_blob) < 0) {
504
8
                fido_log_debug("%s: cbor_blob_from_ec_point", __func__);
505
8
                goto fail;
506
8
        }
507
508
89
        if (SHA256((const void *)rp_id, strlen(rp_id),
509
89
            authdata.rp_id_hash) != authdata.rp_id_hash) {
510
1
                fido_log_debug("%s: sha256", __func__);
511
1
                goto fail;
512
1
        }
513
514
88
        authdata.flags = (CTAP_AUTHDATA_ATT_CRED | CTAP_AUTHDATA_USER_PRESENT);
515
88
        authdata.sigcount = 0;
516
517
88
        memset(&attcred_raw.aaguid, 0, sizeof(attcred_raw.aaguid));
518
88
        attcred_raw.id_len = htobe16(kh_len);
519
520
88
        len = authdata_blob.len = sizeof(authdata) + sizeof(attcred_raw) +
521
88
            kh_len + pk_blob.len;
522
88
        ptr = authdata_blob.ptr = calloc(1, authdata_blob.len);
523
524
88
        fido_log_debug("%s: ptr=%p, len=%zu", __func__, (void *)ptr, len);
525
526
88
        if (authdata_blob.ptr == NULL)
527
1
                goto fail;
528
529
87
        if (fido_buf_write(&ptr, &len, &authdata, sizeof(authdata)) < 0 ||
530
87
            fido_buf_write(&ptr, &len, &attcred_raw, sizeof(attcred_raw)) < 0 ||
531
87
            fido_buf_write(&ptr, &len, kh, kh_len) < 0 ||
532
87
            fido_buf_write(&ptr, &len, pk_blob.ptr, pk_blob.len) < 0) {
533
0
                fido_log_debug("%s: fido_buf_write", __func__);
534
0
                goto fail;
535
0
        }
536
537
87
        if ((authdata_cbor = fido_blob_encode(&authdata_blob)) == NULL) {
538
1
                fido_log_debug("%s: fido_blob_encode", __func__);
539
1
                goto fail;
540
1
        }
541
542
86
        if ((out->len = cbor_serialize_alloc(authdata_cbor, &out->ptr,
543
86
            &alloc_len)) == 0) {
544
1
                fido_log_debug("%s: cbor_serialize_alloc", __func__);
545
1
                goto fail;
546
1
        }
547
548
85
        ok = 0;
549
97
fail:
550
97
        if (authdata_cbor)
551
86
                cbor_decref(&authdata_cbor);
552
553
97
        fido_blob_reset(&pk_blob);
554
97
        fido_blob_reset(&authdata_blob);
555
556
97
        return (ok);
557
85
}
558
559
static int
560
parse_register_reply(fido_cred_t *cred, const unsigned char *reply, size_t len)
561
190
{
562
190
        fido_blob_t      x5c;
563
190
        fido_blob_t      sig;
564
190
        fido_blob_t      ad;
565
190
        fido_blob_t      stmt;
566
190
        uint8_t          dummy;
567
190
        uint8_t          pubkey[65];
568
190
        uint8_t          kh_len = 0;
569
190
        uint8_t         *kh = NULL;
570
190
        int              r;
571
572
190
        memset(&x5c, 0, sizeof(x5c));
573
190
        memset(&sig, 0, sizeof(sig));
574
190
        memset(&ad, 0, sizeof(ad));
575
190
        memset(&stmt, 0, sizeof(stmt));
576
190
        r = FIDO_ERR_RX;
577
578
        /* status word */
579
190
        if (len < 2 || ((reply[len - 2] << 8) | reply[len - 1]) != SW_NO_ERROR) {
580
42
                fido_log_debug("%s: unexpected sw", __func__);
581
42
                goto fail;
582
42
        }
583
584
148
        len -= 2;
585
586
        /* reserved byte */
587
148
        if (fido_buf_read(&reply, &len, &dummy, sizeof(dummy)) < 0 ||
588
148
            dummy != 0x05) {
589
9
                fido_log_debug("%s: reserved byte", __func__);
590
9
                goto fail;
591
9
        }
592
593
        /* pubkey + key handle */
594
139
        if (fido_buf_read(&reply, &len, &pubkey, sizeof(pubkey)) < 0 ||
595
139
            fido_buf_read(&reply, &len, &kh_len, sizeof(kh_len)) < 0 ||
596
139
            (kh = calloc(1, kh_len)) == NULL ||
597
139
            fido_buf_read(&reply, &len, kh, kh_len) < 0) {
598
1
                fido_log_debug("%s: fido_buf_read", __func__);
599
1
                goto fail;
600
1
        }
601
602
        /* x5c + sig */
603
138
        if (x5c_get(&x5c, &reply, &len) < 0 ||
604
138
            sig_get(&sig, &reply, &len) < 0) {
605
28
                fido_log_debug("%s: x5c || sig", __func__);
606
28
                goto fail;
607
28
        }
608
609
        /* attstmt */
610
110
        if (encode_cred_attstmt(COSE_ES256, &x5c, &sig, &stmt) < 0) {
611
13
                fido_log_debug("%s: encode_cred_attstmt", __func__);
612
13
                goto fail;
613
13
        }
614
615
        /* authdata */
616
97
        if (encode_cred_authdata(cred->rp.id, kh, kh_len, pubkey,
617
97
            sizeof(pubkey), &ad) < 0) {
618
12
                fido_log_debug("%s: encode_cred_authdata", __func__);
619
12
                goto fail;
620
12
        }
621
622
85
        if (fido_cred_set_fmt(cred, "fido-u2f") != FIDO_OK ||
623
85
            fido_cred_set_authdata(cred, ad.ptr, ad.len) != FIDO_OK ||
624
85
            fido_cred_set_attstmt(cred, stmt.ptr, stmt.len) != FIDO_OK) {
625
12
                fido_log_debug("%s: fido_cred_set", __func__);
626
12
                r = FIDO_ERR_INTERNAL;
627
12
                goto fail;
628
12
        }
629
630
73
        r = FIDO_OK;
631
190
fail:
632
190
        freezero(kh, kh_len);
633
190
        fido_blob_reset(&x5c);
634
190
        fido_blob_reset(&sig);
635
190
        fido_blob_reset(&ad);
636
190
        fido_blob_reset(&stmt);
637
638
190
        return (r);
639
73
}
640
641
int
642
u2f_register(fido_dev_t *dev, fido_cred_t *cred, int *ms)
643
449
{
644
449
        iso7816_apdu_t  *apdu = NULL;
645
449
        unsigned char    rp_id_hash[SHA256_DIGEST_LENGTH];
646
449
        unsigned char    reply[FIDO_MAXMSG];
647
449
        int              reply_len;
648
449
        int              found;
649
449
        int              r;
650
651
449
        if (cred->rk == FIDO_OPT_TRUE || cred->uv == FIDO_OPT_TRUE) {
652
13
                fido_log_debug("%s: rk=%d, uv=%d", __func__, cred->rk,
653
13
                    cred->uv);
654
13
                return (FIDO_ERR_UNSUPPORTED_OPTION);
655
13
        }
656
657
436
        if (cred->type != COSE_ES256 || cred->cdh.ptr == NULL ||
658
436
            cred->rp.id == NULL || cred->cdh.len != SHA256_DIGEST_LENGTH) {
659
36
                fido_log_debug("%s: type=%d, cdh=(%p,%zu)" , __func__,
660
36
                    cred->type, (void *)cred->cdh.ptr, cred->cdh.len);
661
36
                return (FIDO_ERR_INVALID_ARGUMENT);
662
36
        }
663
664
409
        for (size_t i = 0; i < cred->excl.len; i++) {
665
195
                if ((r = key_lookup(dev, cred->rp.id, &cred->excl.ptr[i],
666
195
                    &found, ms)) != FIDO_OK) {
667
158
                        fido_log_debug("%s: key_lookup", __func__);
668
158
                        return (r);
669
158
                }
670
37
                if (found) {
671
28
                        if ((r = send_dummy_register(dev, ms)) != FIDO_OK) {
672
17
                                fido_log_debug("%s: send_dummy_register",
673
17
                                    __func__);
674
17
                                return (r);
675
17
                        }
676
11
                        return (FIDO_ERR_CREDENTIAL_EXCLUDED);
677
28
                }
678
37
        }
679
680
214
        memset(&rp_id_hash, 0, sizeof(rp_id_hash));
681
682
214
        if (SHA256((const void *)cred->rp.id, strlen(cred->rp.id),
683
214
            rp_id_hash) != rp_id_hash) {
684
1
                fido_log_debug("%s: sha256", __func__);
685
1
                return (FIDO_ERR_INTERNAL);
686
1
        }
687
688
213
        if ((apdu = iso7816_new(0, U2F_CMD_REGISTER, 0, 2 *
689
213
            SHA256_DIGEST_LENGTH)) == NULL ||
690
213
            iso7816_add(apdu, cred->cdh.ptr, cred->cdh.len) < 0 ||
691
213
            iso7816_add(apdu, rp_id_hash, sizeof(rp_id_hash)) < 0) {
692
1
                fido_log_debug("%s: iso7816", __func__);
693
1
                r = FIDO_ERR_INTERNAL;
694
1
                goto fail;
695
1
        }
696
697
617
        do {
698
617
                if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu),
699
617
                    iso7816_len(apdu), ms) < 0) {
700
4
                        fido_log_debug("%s: fido_tx", __func__);
701
4
                        r = FIDO_ERR_TX;
702
4
                        goto fail;
703
4
                }
704
613
                if ((reply_len = fido_rx(dev, CTAP_CMD_MSG, &reply,
705
613
                    sizeof(reply), ms)) < 2) {
706
16
                        fido_log_debug("%s: fido_rx", __func__);
707
16
                        r = FIDO_ERR_RX;
708
16
                        goto fail;
709
16
                }
710
597
                if (delay_ms(U2F_PACE_MS, ms) != 0) {
711
2
                        fido_log_debug("%s: delay_ms", __func__);
712
2
                        r = FIDO_ERR_RX;
713
2
                        goto fail;
714
2
                }
715
597
        } while (((reply[0] << 8) | reply[1]) == SW_CONDITIONS_NOT_SATISFIED);
716
717
190
        if ((r = parse_register_reply(cred, reply,
718
190
            (size_t)reply_len)) != FIDO_OK) {
719
117
                fido_log_debug("%s: parse_register_reply", __func__);
720
117
                goto fail;
721
117
        }
722
213
fail:
723
213
        iso7816_free(&apdu);
724
725
213
        return (r);
726
190
}
727
728
static int
729
u2f_authenticate_single(fido_dev_t *dev, const fido_blob_t *key_id,
730
    fido_assert_t *fa, size_t idx, int *ms)
731
753
{
732
753
        fido_blob_t     sig;
733
753
        fido_blob_t     ad;
734
753
        int             found;
735
753
        int             r;
736
737
753
        memset(&sig, 0, sizeof(sig));
738
753
        memset(&ad, 0, sizeof(ad));
739
740
753
        if ((r = key_lookup(dev, fa->rp_id, key_id, &found, ms)) != FIDO_OK) {
741
495
                fido_log_debug("%s: key_lookup", __func__);
742
495
                goto fail;
743
495
        }
744
745
258
        if (!found) {
746
7
                fido_log_debug("%s: not found", __func__);
747
7
                r = FIDO_ERR_CREDENTIAL_EXCLUDED;
748
7
                goto fail;
749
7
        }
750
751
251
        if (fido_blob_set(&fa->stmt[idx].id, key_id->ptr, key_id->len) < 0) {
752
1
                fido_log_debug("%s: fido_blob_set", __func__);
753
1
                r = FIDO_ERR_INTERNAL;
754
1
                goto fail;
755
1
        }
756
757
250
        if (fa->up == FIDO_OPT_FALSE) {
758
59
                fido_log_debug("%s: checking for key existence only", __func__);
759
59
                r = FIDO_ERR_USER_PRESENCE_REQUIRED;
760
59
                goto fail;
761
59
        }
762
763
191
        if ((r = do_auth(dev, &fa->cdh, fa->rp_id, key_id, &sig, &ad,
764
191
            ms)) != FIDO_OK) {
765
67
                fido_log_debug("%s: do_auth", __func__);
766
67
                goto fail;
767
67
        }
768
769
124
        if (fido_assert_set_authdata(fa, idx, ad.ptr, ad.len) != FIDO_OK ||
770
124
            fido_assert_set_sig(fa, idx, sig.ptr, sig.len) != FIDO_OK) {
771
3
                fido_log_debug("%s: fido_assert_set", __func__);
772
3
                r = FIDO_ERR_INTERNAL;
773
3
                goto fail;
774
3
        }
775
776
121
        r = FIDO_OK;
777
753
fail:
778
753
        fido_blob_reset(&sig);
779
753
        fido_blob_reset(&ad);
780
781
753
        return (r);
782
121
}
783
784
int
785
u2f_authenticate(fido_dev_t *dev, fido_assert_t *fa, int *ms)
786
642
{
787
642
        size_t  nfound = 0;
788
642
        size_t  nauth_ok = 0;
789
642
        int     r;
790
791
642
        if (fa->uv == FIDO_OPT_TRUE || fa->allow_list.ptr == NULL) {
792
68
                fido_log_debug("%s: uv=%d, allow_list=%p", __func__, fa->uv,
793
68
                    (void *)fa->allow_list.ptr);
794
68
                return (FIDO_ERR_UNSUPPORTED_OPTION);
795
68
        }
796
797
574
        if ((r = fido_assert_set_count(fa, fa->allow_list.len)) != FIDO_OK) {
798
1
                fido_log_debug("%s: fido_assert_set_count", __func__);
799
1
                return (r);
800
1
        }
801
802
760
        for (size_t i = 0; i < fa->allow_list.len; i++) {
803
753
                switch ((r = u2f_authenticate_single(dev,
804
753
                    &fa->allow_list.ptr[i], fa, nfound, ms))) {
805
121
                case FIDO_OK:
806
121
                        nauth_ok++;
807
                        /* FALLTHROUGH */
808
180
                case FIDO_ERR_USER_PRESENCE_REQUIRED:
809
180
                        nfound++;
810
180
                        break;
811
573
                default:
812
573
                        if (r != FIDO_ERR_CREDENTIAL_EXCLUDED) {
813
566
                                fido_log_debug("%s: u2f_authenticate_single",
814
566
                                    __func__);
815
566
                                return (r);
816
566
                        }
817
                        /* ignore credentials that don't exist */
818
753
                }
819
753
        }
820
821
7
        fa->stmt_len = nfound;
822
823
7
        if (nfound == 0)
824
1
                return (FIDO_ERR_NO_CREDENTIALS);
825
6
        if (nauth_ok == 0)
826
1
                return (FIDO_ERR_USER_PRESENCE_REQUIRED);
827
828
5
        return (FIDO_OK);
829
6
}
830
831
int
832
u2f_get_touch_begin(fido_dev_t *dev, int *ms)
833
2.08k
{
834
2.08k
        iso7816_apdu_t  *apdu = NULL;
835
2.08k
        const char      *clientdata = FIDO_DUMMY_CLIENTDATA;
836
2.08k
        const char      *rp_id = FIDO_DUMMY_RP_ID;
837
2.08k
        unsigned char    clientdata_hash[SHA256_DIGEST_LENGTH];
838
2.08k
        unsigned char    rp_id_hash[SHA256_DIGEST_LENGTH];
839
2.08k
        unsigned char    reply[FIDO_MAXMSG];
840
2.08k
        int              r;
841
842
2.08k
        memset(&clientdata_hash, 0, sizeof(clientdata_hash));
843
2.08k
        memset(&rp_id_hash, 0, sizeof(rp_id_hash));
844
845
2.08k
        if (SHA256((const void *)clientdata, strlen(clientdata),
846
2.08k
            clientdata_hash) != clientdata_hash || SHA256((const void *)rp_id,
847
2.07k
            strlen(rp_id), rp_id_hash) != rp_id_hash) {
848
24
                fido_log_debug("%s: sha256", __func__);
849
24
                return (FIDO_ERR_INTERNAL);
850
24
        }
851
852
2.06k
        if ((apdu = iso7816_new(0, U2F_CMD_REGISTER, 0, 2 *
853
2.06k
            SHA256_DIGEST_LENGTH)) == NULL ||
854
2.06k
            iso7816_add(apdu, clientdata_hash, sizeof(clientdata_hash)) < 0 ||
855
2.06k
            iso7816_add(apdu, rp_id_hash, sizeof(rp_id_hash)) < 0) {
856
15
                fido_log_debug("%s: iso7816", __func__);
857
15
                r = FIDO_ERR_INTERNAL;
858
15
                goto fail;
859
15
        }
860
861
2.04k
        if (dev->attr.flags & FIDO_CAP_WINK) {
862
1.28k
                fido_tx(dev, CTAP_CMD_WINK, NULL, 0, ms);
863
1.28k
                fido_rx(dev, CTAP_CMD_WINK, &reply, sizeof(reply), ms);
864
1.28k
        }
865
866
2.04k
        if (fido_tx(dev, CTAP_CMD_MSG, iso7816_ptr(apdu),
867
2.04k
            iso7816_len(apdu), ms) < 0) {
868
123
                fido_log_debug("%s: fido_tx", __func__);
869
123
                r = FIDO_ERR_TX;
870
123
                goto fail;
871
123
        }
872
873
1.92k
        r = FIDO_OK;
874
2.06k
fail:
875
2.06k
        iso7816_free(&apdu);
876
877
2.06k
        return (r);
878
1.92k
}
879
880
int
881
u2f_get_touch_status(fido_dev_t *dev, int *touched, int *ms)
882
2.06k
{
883
2.06k
        unsigned char   reply[FIDO_MAXMSG];
884
2.06k
        int             reply_len;
885
2.06k
        int             r;
886
887
2.06k
        if ((reply_len = fido_rx(dev, CTAP_CMD_MSG, &reply, sizeof(reply),
888
2.06k
            ms)) < 2) {
889
1.87k
                fido_log_debug("%s: fido_rx", __func__);
890
1.87k
                return (FIDO_OK); /* ignore */
891
1.87k
        }
892
893
197
        switch ((reply[reply_len - 2] << 8) | reply[reply_len - 1]) {
894
21
        case SW_CONDITIONS_NOT_SATISFIED:
895
21
                if ((r = u2f_get_touch_begin(dev, ms)) != FIDO_OK) {
896
6
                        fido_log_debug("%s: u2f_get_touch_begin", __func__);
897
6
                        return (r);
898
6
                }
899
15
                *touched = 0;
900
15
                break;
901
1
        case SW_NO_ERROR:
902
1
                *touched = 1;
903
1
                break;
904
175
        default:
905
175
                fido_log_debug("%s: unexpected sw", __func__);
906
175
                return (FIDO_ERR_RX);
907
197
        }
908
909
16
        return (FIDO_OK);
910
197
}