1 /* $OpenBSD: sk-usbhid.c,v 1.46 2023/03/28 06:12:38 dtucker Exp $ */
37 * Almost every use of OpenSSL in this file is for ECDSA-NISTP256.
86 * This must be done before including sk-api.h.
94 #include "sk-api.h"
132 /* Load resident keys */
185 if ((sk->path = strdup(path)) == NULL) { in sk_open()
190 if ((sk->dev = fido_dev_new()) == NULL) { in sk_open()
192 free(sk->path); in sk_open()
196 if ((r = fido_dev_open(sk->dev, sk->path)) != FIDO_OK) { in sk_open()
197 skdebug(__func__, "fido_dev_open %s failed: %s", sk->path, in sk_open()
199 fido_dev_free(&sk->dev); in sk_open()
200 free(sk->path); in sk_open()
212 fido_dev_cancel(sk->dev); /* cancel any pending operation */ in sk_close()
213 fido_dev_close(sk->dev); in sk_close()
214 fido_dev_free(&sk->dev); in sk_close()
215 free(sk->path); in sk_close()
266 if ((r = fido_dev_get_touch_begin(skv[i]->dev)) != FIDO_OK) in sk_touch_begin()
268 " %s", skv[i]->path, fido_strerr(r)); in sk_touch_begin()
272 return ok ? 0 : -1; in sk_touch_begin()
276 sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx) in sk_touch_poll() argument
289 skdebug(__func__, "polling %s", skv[i]->path); in sk_touch_poll()
290 if ((r = fido_dev_get_touch_status(skv[i]->dev, touch, in sk_touch_poll()
293 skv[i]->path, fido_strerr(r)); in sk_touch_poll()
296 if (--npoll == 0) { in sk_touch_poll()
298 return -1; in sk_touch_poll()
300 } else if (*touch) { in sk_touch_poll()
305 *touch = 0; in sk_touch_poll()
322 return -1; in sha256_mem()
326 return -1; in sha256_mem()
420 r = fido_dev_get_assert(sk->dev, assert, NULL); in sk_try()
429 return r != FIDO_OK ? -1 : 0; in sk_try()
441 *ret = -1; in check_sk_options()
449 return -1; in check_sk_options()
454 return -1; in check_sk_options()
466 if (*ret == -1) in check_sk_options()
486 if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv", in sk_select_by_cred()
487 &internal_uv) == 0 && internal_uv != -1) { in sk_select_by_cred()
498 skdebug(__func__, "found key in %s", sk->path); in sk_select_by_cred()
513 int touch, ms_remain; in sk_select_by_touch() local
533 if (sk_touch_begin(skv, skvcnt) == -1) { in sk_select_by_touch()
539 if (sk_touch_poll(skv, skvcnt, &touch, &idx) == -1) { in sk_select_by_touch()
543 if (touch) { in sk_select_by_touch()
550 ms_remain = SELECT_MS - tv_delta.tv_sec * 1000 - in sk_select_by_touch()
591 skdebug(__func__, "selecting sk by touch"); in sk_probe()
611 int ret = -1; in pack_public_key_ecdsa()
613 response->public_key = NULL; in pack_public_key_ecdsa()
614 response->public_key_len = 0; in pack_public_key_ecdsa()
642 response->public_key_len = EC_POINT_point2oct(g, q, in pack_public_key_ecdsa()
644 if (response->public_key_len == 0 || response->public_key_len > 2048) { in pack_public_key_ecdsa()
646 response->public_key_len); in pack_public_key_ecdsa()
649 if ((response->public_key = malloc(response->public_key_len)) == NULL) { in pack_public_key_ecdsa()
654 response->public_key, response->public_key_len, NULL) == 0) { in pack_public_key_ecdsa()
661 if (ret != 0 && response->public_key != NULL) { in pack_public_key_ecdsa()
662 memset(response->public_key, 0, response->public_key_len); in pack_public_key_ecdsa()
663 free(response->public_key); in pack_public_key_ecdsa()
664 response->public_key = NULL; in pack_public_key_ecdsa()
680 int ret = -1; in pack_public_key_ed25519()
682 response->public_key = NULL; in pack_public_key_ed25519()
683 response->public_key_len = 0; in pack_public_key_ed25519()
693 response->public_key_len = len; in pack_public_key_ed25519()
694 if ((response->public_key = malloc(response->public_key_len)) == NULL) { in pack_public_key_ed25519()
698 memcpy(response->public_key, ptr, len); in pack_public_key_ed25519()
702 free(response->public_key); in pack_public_key_ed25519()
718 return -1; in pack_public_key()
734 return -1; in fidoerr_to_skerr()
747 if (strcmp(options[i]->name, "device") == 0) { in check_enroll_options()
748 if ((*devicep = strdup(options[i]->value)) == NULL) { in check_enroll_options()
750 return -1; in check_enroll_options()
753 } else if (strcmp(options[i]->name, "user") == 0) { in check_enroll_options()
754 if (strlcpy(user_id, options[i]->value, user_id_len) >= in check_enroll_options()
757 return -1; in check_enroll_options()
763 options[i]->name); in check_enroll_options()
764 if (options[i]->required) { in check_enroll_options()
766 return -1; in check_enroll_options()
805 sk_supports_uv != -1) in key_lookup()
883 skdebug(__func__, "using device %s", sk->path); in sk_enroll()
886 (r = key_lookup(sk->dev, application, user_id, sizeof(user_id), in sk_enroll()
933 if (!fido_dev_supports_cred_prot(sk->dev)) { in sk_enroll()
936 "resident/verify-required key", sk->path); in sk_enroll()
952 if ((r = fido_dev_make_cred(sk->dev, cred, pin)) != FIDO_OK) { in sk_enroll()
964 skdebug(__func__, "self-attested credential"); in sk_enroll()
975 response->flags = flags; in sk_enroll()
982 if ((response->key_handle = calloc(1, len)) == NULL) { in sk_enroll()
986 memcpy(response->key_handle, ptr, len); in sk_enroll()
987 response->key_handle_len = len; in sk_enroll()
991 if ((response->signature = calloc(1, len)) == NULL) { in sk_enroll()
995 memcpy(response->signature, ptr, len); in sk_enroll()
996 response->signature_len = len; in sk_enroll()
1001 if ((response->attestation_cert = calloc(1, len)) == NULL) { in sk_enroll()
1005 memcpy(response->attestation_cert, ptr, len); in sk_enroll()
1006 response->attestation_cert_len = len; in sk_enroll()
1011 if ((response->authdata = calloc(1, len)) == NULL) { in sk_enroll()
1015 memcpy(response->authdata, ptr, len); in sk_enroll()
1016 response->authdata_len = len; in sk_enroll()
1024 free(response->public_key); in sk_enroll()
1025 free(response->key_handle); in sk_enroll()
1026 free(response->signature); in sk_enroll()
1027 free(response->attestation_cert); in sk_enroll()
1028 free(response->authdata); in sk_enroll()
1044 int ret = -1; in pack_sig_ecdsa()
1053 response->sig_r_len = BN_num_bytes(sig_r); in pack_sig_ecdsa()
1054 response->sig_s_len = BN_num_bytes(sig_s); in pack_sig_ecdsa()
1055 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL || in pack_sig_ecdsa()
1056 (response->sig_s = calloc(1, response->sig_s_len)) == NULL) { in pack_sig_ecdsa()
1060 BN_bn2bin(sig_r, response->sig_r); in pack_sig_ecdsa()
1061 BN_bn2bin(sig_s, response->sig_s); in pack_sig_ecdsa()
1066 free(response->sig_r); in pack_sig_ecdsa()
1067 free(response->sig_s); in pack_sig_ecdsa()
1068 response->sig_r = NULL; in pack_sig_ecdsa()
1069 response->sig_s = NULL; in pack_sig_ecdsa()
1080 int ret = -1; in pack_sig_ed25519()
1088 response->sig_r_len = len; in pack_sig_ed25519()
1089 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) { in pack_sig_ed25519()
1093 memcpy(response->sig_r, ptr, len); in pack_sig_ed25519()
1097 free(response->sig_r); in pack_sig_ed25519()
1098 response->sig_r = NULL; in pack_sig_ed25519()
1115 return -1; in pack_sig()
1128 if (strcmp(options[i]->name, "device") == 0) { in check_sign_load_resident_options()
1129 if ((*devicep = strdup(options[i]->value)) == NULL) { in check_sign_load_resident_options()
1131 return -1; in check_sign_load_resident_options()
1136 options[i]->name); in check_sign_load_resident_options()
1137 if (options[i]->required) { in check_sign_load_resident_options()
1139 return -1; in check_sign_load_resident_options()
1207 * to allow keys with and without -O verify-required to make sense. in sk_sign()
1209 if (pin == NULL && fido_dev_is_winhello (sk->dev) && in sk_sign()
1214 if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 || in sk_sign()
1228 if ((r = fido_dev_get_assert(sk->dev, assert, pin)) != FIDO_OK) { in sk_sign()
1237 response->flags = fido_assert_flags(assert, 0); in sk_sign()
1238 response->counter = fido_assert_sigcount(assert, 0); in sk_sign()
1249 free(response->sig_r); in sk_sign()
1250 free(response->sig_s); in sk_sign()
1262 int ret = SSH_SK_ERR_GENERAL, r = -1, internal_uv; in read_rks()
1281 if (check_sk_options(sk->dev, "uv", &internal_uv) != 0) { in read_rks()
1286 if ((r = fido_credman_get_dev_metadata(sk->dev, metadata, pin)) != 0) { in read_rks()
1289 "resident keys", sk->path); in read_rks()
1294 sk->path, fido_strerr(r)); in read_rks()
1305 if ((r = fido_credman_get_dev_rp(sk->dev, rp, pin)) != 0) { in read_rks()
1307 sk->path, fido_strerr(r)); in read_rks()
1311 skdebug(__func__, "Device %s has resident keys for %zu RPs", in read_rks()
1312 sk->path, nrp); in read_rks()
1314 /* Iterate over RP IDs that have resident keys */ in read_rks()
1323 /* Skip non-SSH RP IDs */ in read_rks()
1333 if ((r = fido_credman_get_dev_rk(sk->dev, in read_rks()
1336 sk->path, i, fido_strerr(r)); in read_rks()
1340 skdebug(__func__, "RP \"%s\" has %zu resident keys", in read_rks()
1343 /* Iterate over resident keys for this RP ID */ in read_rks()
1355 "prot 0x%02x", sk->path, rp_id, user_name, in read_rks()
1361 (srk->key.key_handle = calloc(1, in read_rks()
1363 (srk->application = strdup(rp_id)) == NULL || in read_rks()
1365 (srk->user_id = calloc(1, user_id_len)) == NULL)) { in read_rks()
1370 srk->key.key_handle_len = fido_cred_id_len(cred); in read_rks()
1371 memcpy(srk->key.key_handle, fido_cred_id_ptr(cred), in read_rks()
1372 srk->key.key_handle_len); in read_rks()
1373 srk->user_id_len = user_id_len; in read_rks()
1374 if (srk->user_id_len != 0) in read_rks()
1375 memcpy(srk->user_id, user_id, srk->user_id_len); in read_rks()
1379 srk->alg = SSH_SK_ECDSA; in read_rks()
1382 srk->alg = SSH_SK_ED25519; in read_rks()
1391 && internal_uv == -1) in read_rks()
1392 srk->flags |= SSH_SK_USER_VERIFICATION_REQD; in read_rks()
1394 if ((r = pack_public_key(srk->alg, cred, in read_rks()
1395 &srk->key)) != 0) { in read_rks()
1414 free(srk->application); in read_rks()
1415 freezero(srk->key.public_key, srk->key.public_key_len); in read_rks()
1416 freezero(srk->key.key_handle, srk->key.key_handle_len); in read_rks()
1417 freezero(srk->user_id, srk->user_id_len); in read_rks()
1430 int ret = SSH_SK_ERR_GENERAL, r = -1; in sk_load_resident_keys()
1452 skdebug(__func__, "trying %s", sk->path); in sk_load_resident_keys()
1454 skdebug(__func__, "read_rks failed for %s", sk->path); in sk_load_resident_keys()
1458 /* success, unless we have no keys but a specific error */ in sk_load_resident_keys()
1468 free(rks[i]->application); in sk_load_resident_keys()
1469 freezero(rks[i]->key.public_key, rks[i]->key.public_key_len); in sk_load_resident_keys()
1470 freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len); in sk_load_resident_keys()
1471 freezero(rks[i]->user_id, rks[i]->user_id_len); in sk_load_resident_keys()