1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2022-2023 Vladimir Kondratyev <wulf@FreeBSD.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include "opt_hid.h"
29
30 #include <sys/param.h>
31 #ifdef COMPAT_FREEBSD32
32 #include <sys/abi_compat.h>
33 #endif
34 #include <sys/bus.h>
35 #include <sys/conf.h>
36 #include <sys/fcntl.h>
37 #include <sys/filio.h>
38 #include <sys/ioccom.h>
39 #include <sys/kernel.h>
40 #include <sys/lock.h>
41 #include <sys/malloc.h>
42 #include <sys/module.h>
43 #include <sys/mutex.h>
44 #include <sys/poll.h>
45 #include <sys/priv.h>
46 #include <sys/proc.h>
47 #include <sys/selinfo.h>
48 #include <sys/sysctl.h>
49 #include <sys/systm.h>
50 #include <sys/taskqueue.h>
51 #include <sys/uio.h>
52
53 #include <dev/evdev/input.h>
54
55 #define HID_DEBUG_VAR u2f_debug
56 #include <dev/hid/hid.h>
57 #include <dev/hid/hidbus.h>
58 #include <dev/hid/hidquirk.h>
59
60 #include <dev/usb/usb_ioctl.h>
61
62 #ifdef HID_DEBUG
63 static int u2f_debug = 0;
64 static SYSCTL_NODE(_hw_hid, OID_AUTO, u2f, CTLFLAG_RW, 0,
65 "FIDO/U2F authenticator");
66 SYSCTL_INT(_hw_hid_u2f, OID_AUTO, debug, CTLFLAG_RWTUN,
67 &u2f_debug, 0, "Debug level");
68 #endif
69
70 #define U2F_MAX_REPORT_SIZE 64
71
72 /* A match on these entries will load u2f */
73 static const struct hid_device_id u2f_devs[] = {
74 { HID_BUS(BUS_USB), HID_TLC(HUP_FIDO, HUF_U2FHID) },
75 };
76
77 struct u2f_softc {
78 device_t sc_dev; /* base device */
79 struct cdev *dev;
80
81 struct mtx sc_mtx; /* hidbus private mutex */
82 struct task sc_kqtask; /* kqueue task */
83 void *sc_rdesc;
84 hid_size_t sc_rdesc_size;
85 hid_size_t sc_isize;
86 hid_size_t sc_osize;
87 struct selinfo sc_rsel;
88 struct { /* driver state */
89 bool open:1; /* device is open */
90 bool aslp:1; /* waiting for device data in read() */
91 bool sel:1; /* waiting for device data in poll() */
92 bool data:1; /* input report is stored in sc_buf */
93 int reserved:28;
94 } sc_state;
95 int sc_fflags; /* access mode for open lifetime */
96
97 uint8_t sc_buf[U2F_MAX_REPORT_SIZE];
98 };
99
100 static d_open_t u2f_open;
101 static d_read_t u2f_read;
102 static d_write_t u2f_write;
103 static d_ioctl_t u2f_ioctl;
104 static d_poll_t u2f_poll;
105 static d_kqfilter_t u2f_kqfilter;
106
107 static d_priv_dtor_t u2f_dtor;
108
109 static struct cdevsw u2f_cdevsw = {
110 .d_version = D_VERSION,
111 .d_open = u2f_open,
112 .d_read = u2f_read,
113 .d_write = u2f_write,
114 .d_ioctl = u2f_ioctl,
115 .d_poll = u2f_poll,
116 .d_kqfilter = u2f_kqfilter,
117 .d_name = "u2f",
118 };
119
120 static hid_intr_t u2f_intr;
121
122 static device_probe_t u2f_probe;
123 static device_attach_t u2f_attach;
124 static device_detach_t u2f_detach;
125
126 static void u2f_kqtask(void *context, int pending);
127 static int u2f_kqread(struct knote *, long);
128 static void u2f_kqdetach(struct knote *);
129 static void u2f_notify(struct u2f_softc *);
130
131 static struct filterops u2f_filterops_read = {
132 .f_isfd = 1,
133 .f_detach = u2f_kqdetach,
134 .f_event = u2f_kqread,
135 .f_copy = knote_triv_copy,
136 };
137
138 static int
u2f_probe(device_t dev)139 u2f_probe(device_t dev)
140 {
141 int error;
142
143 error = HIDBUS_LOOKUP_DRIVER_INFO(dev, u2f_devs);
144 if (error != 0)
145 return (error);
146
147 hidbus_set_desc(dev, "Authenticator");
148
149 return (BUS_PROBE_GENERIC);
150 }
151
152 static int
u2f_attach(device_t dev)153 u2f_attach(device_t dev)
154 {
155 struct u2f_softc *sc = device_get_softc(dev);
156 struct hid_device_info *hw = __DECONST(struct hid_device_info *,
157 hid_get_device_info(dev));
158 struct make_dev_args mda;
159 int error;
160
161 sc->sc_dev = dev;
162
163 error = hid_get_report_descr(dev, &sc->sc_rdesc, &sc->sc_rdesc_size);
164 if (error != 0)
165 return (ENXIO);
166 sc->sc_isize = hid_report_size_max(sc->sc_rdesc, sc->sc_rdesc_size,
167 hid_input, NULL);
168 if (sc->sc_isize > U2F_MAX_REPORT_SIZE) {
169 device_printf(dev, "Input report size too large. Truncate.\n");
170 sc->sc_isize = U2F_MAX_REPORT_SIZE;
171 }
172 sc->sc_osize = hid_report_size_max(sc->sc_rdesc, sc->sc_rdesc_size,
173 hid_output, NULL);
174 if (sc->sc_osize > U2F_MAX_REPORT_SIZE) {
175 device_printf(dev, "Output report size too large. Truncate.\n");
176 sc->sc_osize = U2F_MAX_REPORT_SIZE;
177 }
178
179 mtx_init(&sc->sc_mtx, "u2f lock", NULL, MTX_DEF);
180 knlist_init_mtx(&sc->sc_rsel.si_note, &sc->sc_mtx);
181 TASK_INIT(&sc->sc_kqtask, 0, u2f_kqtask, sc);
182
183 make_dev_args_init(&mda);
184 mda.mda_flags = MAKEDEV_WAITOK;
185 mda.mda_devsw = &u2f_cdevsw;
186 mda.mda_uid = UID_ROOT;
187 mda.mda_gid = GID_U2F;
188 mda.mda_mode = 0660;
189 mda.mda_si_drv1 = sc;
190
191 error = make_dev_s(&mda, &sc->dev, "u2f/%d", device_get_unit(dev));
192 if (error) {
193 device_printf(dev, "Can not create character device\n");
194 u2f_detach(dev);
195 return (error);
196 }
197 #ifndef U2F_DROP_UHID_ALIAS
198 (void)make_dev_alias(sc->dev, "uhid%d", device_get_unit(dev));
199 #endif
200
201 hid_add_dynamic_quirk(hw, HQ_NO_READAHEAD);
202
203 hidbus_set_lock(dev, &sc->sc_mtx);
204 hidbus_set_intr(dev, u2f_intr, sc);
205
206 return (0);
207 }
208
209 static int
u2f_detach(device_t dev)210 u2f_detach(device_t dev)
211 {
212 struct u2f_softc *sc = device_get_softc(dev);
213
214 DPRINTF("sc=%p\n", sc);
215
216 if (sc->dev != NULL) {
217 mtx_lock(&sc->sc_mtx);
218 sc->dev->si_drv1 = NULL;
219 /* Wake everyone */
220 u2f_notify(sc);
221 mtx_unlock(&sc->sc_mtx);
222 destroy_dev(sc->dev);
223 }
224
225 taskqueue_drain(taskqueue_thread, &sc->sc_kqtask);
226 hid_intr_stop(sc->sc_dev);
227
228 knlist_clear(&sc->sc_rsel.si_note, 0);
229 knlist_destroy(&sc->sc_rsel.si_note);
230 seldrain(&sc->sc_rsel);
231 mtx_destroy(&sc->sc_mtx);
232
233 return (0);
234 }
235
236 void
u2f_intr(void * context,void * buf,hid_size_t len)237 u2f_intr(void *context, void *buf, hid_size_t len)
238 {
239 struct u2f_softc *sc = context;
240
241 mtx_assert(&sc->sc_mtx, MA_OWNED);
242
243 DPRINTFN(5, "len=%d\n", len);
244 DPRINTFN(5, "data = %*D\n", len, buf, " ");
245
246 if (sc->sc_state.data)
247 return;
248
249 if (len > sc->sc_isize)
250 len = sc->sc_isize;
251
252 bcopy(buf, sc->sc_buf, len);
253
254 /* Make sure we don't process old data */
255 if (len < sc->sc_isize)
256 bzero(sc->sc_buf + len, sc->sc_isize - len);
257
258 sc->sc_state.data = true;
259
260 u2f_notify(sc);
261 }
262
263 static int
u2f_open(struct cdev * dev,int flag,int mode,struct thread * td)264 u2f_open(struct cdev *dev, int flag, int mode, struct thread *td)
265 {
266 struct u2f_softc *sc = dev->si_drv1;
267 int error;
268
269 if (sc == NULL)
270 return (ENXIO);
271
272 DPRINTF("sc=%p\n", sc);
273
274 mtx_lock(&sc->sc_mtx);
275 if (sc->sc_state.open) {
276 mtx_unlock(&sc->sc_mtx);
277 return (EBUSY);
278 }
279 sc->sc_state.open = true;
280 mtx_unlock(&sc->sc_mtx);
281
282 error = devfs_set_cdevpriv(sc, u2f_dtor);
283 if (error != 0) {
284 mtx_lock(&sc->sc_mtx);
285 sc->sc_state.open = false;
286 mtx_unlock(&sc->sc_mtx);
287 return (error);
288 }
289
290 /* Set up interrupt pipe. */
291 sc->sc_state.data = false;
292 sc->sc_fflags = flag;
293
294 return (0);
295 }
296
297
298 static void
u2f_dtor(void * data)299 u2f_dtor(void *data)
300 {
301 struct u2f_softc *sc = data;
302
303 #ifdef NOT_YET
304 /* Disable interrupts. */
305 hid_intr_stop(sc->sc_dev);
306 #endif
307
308 mtx_lock(&sc->sc_mtx);
309 sc->sc_state.open = false;
310 mtx_unlock(&sc->sc_mtx);
311 }
312
313 static int
u2f_read(struct cdev * dev,struct uio * uio,int flag)314 u2f_read(struct cdev *dev, struct uio *uio, int flag)
315 {
316 uint8_t buf[U2F_MAX_REPORT_SIZE];
317 struct u2f_softc *sc = dev->si_drv1;
318 size_t length = 0;
319 int error;
320
321 DPRINTFN(1, "\n");
322
323 if (sc == NULL)
324 return (EIO);
325
326 if (!sc->sc_state.data)
327 hid_intr_start(sc->sc_dev);
328
329 mtx_lock(&sc->sc_mtx);
330 if (dev->si_drv1 == NULL) {
331 error = EIO;
332 goto exit;
333 }
334
335 while (!sc->sc_state.data) {
336 if (flag & O_NONBLOCK) {
337 error = EWOULDBLOCK;
338 goto exit;
339 }
340 sc->sc_state.aslp = true;
341 DPRINTFN(5, "sleep on %p\n", &sc->sc_buf);
342 error = mtx_sleep(&sc->sc_buf, &sc->sc_mtx, PZERO | PCATCH,
343 "u2frd", 0);
344 DPRINTFN(5, "woke, error=%d\n", error);
345 if (dev->si_drv1 == NULL)
346 error = EIO;
347 if (error) {
348 sc->sc_state.aslp = false;
349 goto exit;
350 }
351 }
352
353 if (sc->sc_state.data && uio->uio_resid > 0) {
354 length = min(uio->uio_resid, sc->sc_isize);
355 memcpy(buf, sc->sc_buf, length);
356 sc->sc_state.data = false;
357 }
358 exit:
359 mtx_unlock(&sc->sc_mtx);
360 if (length != 0) {
361 /* Copy the data to the user process. */
362 DPRINTFN(5, "got %lu chars\n", (u_long)length);
363 error = uiomove(buf, length, uio);
364 }
365
366 return (error);
367 }
368
369 static int
u2f_write(struct cdev * dev,struct uio * uio,int flag)370 u2f_write(struct cdev *dev, struct uio *uio, int flag)
371 {
372 uint8_t buf[U2F_MAX_REPORT_SIZE];
373 struct u2f_softc *sc = dev->si_drv1;
374 int error;
375
376 DPRINTFN(1, "\n");
377
378 if (sc == NULL)
379 return (EIO);
380
381 if (uio->uio_resid != sc->sc_osize)
382 return (EINVAL);
383 error = uiomove(buf, uio->uio_resid, uio);
384 if (error == 0)
385 error = hid_write(sc->sc_dev, buf, sc->sc_osize);
386
387 return (error);
388 }
389
390 #ifdef COMPAT_FREEBSD32
391 static void
update_ugd32(const struct usb_gen_descriptor * ugd,struct usb_gen_descriptor32 * ugd32)392 update_ugd32(const struct usb_gen_descriptor *ugd,
393 struct usb_gen_descriptor32 *ugd32)
394 {
395 /* Don't update hgd_data pointer */
396 CP(*ugd, *ugd32, ugd_lang_id);
397 CP(*ugd, *ugd32, ugd_maxlen);
398 CP(*ugd, *ugd32, ugd_actlen);
399 CP(*ugd, *ugd32, ugd_offset);
400 CP(*ugd, *ugd32, ugd_config_index);
401 CP(*ugd, *ugd32, ugd_string_index);
402 CP(*ugd, *ugd32, ugd_iface_index);
403 CP(*ugd, *ugd32, ugd_altif_index);
404 CP(*ugd, *ugd32, ugd_endpt_index);
405 CP(*ugd, *ugd32, ugd_report_type);
406 /* Don't update reserved */
407 }
408 #endif
409
410 static int
u2f_ioctl(struct cdev * dev,u_long cmd,caddr_t addr,int flag,struct thread * td)411 u2f_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
412 struct thread *td)
413 {
414 #ifdef COMPAT_FREEBSD32
415 struct usb_gen_descriptor local_ugd;
416 struct usb_gen_descriptor32 *ugd32 = NULL;
417 #endif
418 struct u2f_softc *sc = dev->si_drv1;
419 struct usb_gen_descriptor *ugd = (struct usb_gen_descriptor *)addr;
420 uint32_t size;
421
422 DPRINTFN(2, "cmd=%lx\n", cmd);
423
424 if (sc == NULL)
425 return (EIO);
426
427 #ifdef COMPAT_FREEBSD32
428 switch (cmd) {
429 case USB_GET_REPORT_DESC32:
430 cmd = _IOC_NEWTYPE(cmd, struct usb_gen_descriptor);
431 ugd32 = (struct usb_gen_descriptor32 *)addr;
432 ugd = &local_ugd;
433 PTRIN_CP(*ugd32, *ugd, ugd_data);
434 CP(*ugd32, *ugd, ugd_lang_id);
435 CP(*ugd32, *ugd, ugd_maxlen);
436 CP(*ugd32, *ugd, ugd_actlen);
437 CP(*ugd32, *ugd, ugd_offset);
438 CP(*ugd32, *ugd, ugd_config_index);
439 CP(*ugd32, *ugd, ugd_string_index);
440 CP(*ugd32, *ugd, ugd_iface_index);
441 CP(*ugd32, *ugd, ugd_altif_index);
442 CP(*ugd32, *ugd, ugd_endpt_index);
443 CP(*ugd32, *ugd, ugd_report_type);
444 /* Don't copy reserved */
445 break;
446 }
447 #endif
448
449 /* fixed-length ioctls handling */
450 switch (cmd) {
451 case FIONBIO:
452 /* All handled in the upper FS layer. */
453 return (0);
454
455 case USB_GET_REPORT_DESC:
456 size = MIN(sc->sc_rdesc_size, ugd->ugd_maxlen);
457 ugd->ugd_actlen = size;
458 #ifdef COMPAT_FREEBSD32
459 if (ugd32 != NULL)
460 update_ugd32(ugd, ugd32);
461 #endif
462 if (ugd->ugd_data == NULL)
463 return (0); /* descriptor length only */
464
465 return (copyout(sc->sc_rdesc, ugd->ugd_data, size));
466
467 case USB_GET_DEVICEINFO:
468 return(hid_ioctl(
469 sc->sc_dev, USB_GET_DEVICEINFO, (uintptr_t)addr));
470 }
471
472 return (EINVAL);
473 }
474
475 static int
u2f_poll(struct cdev * dev,int events,struct thread * td)476 u2f_poll(struct cdev *dev, int events, struct thread *td)
477 {
478 struct u2f_softc *sc = dev->si_drv1;
479 int revents = 0;
480 bool start_intr = false;
481
482 if (sc == NULL)
483 return (POLLHUP);
484
485 if (events & (POLLOUT | POLLWRNORM) && (sc->sc_fflags & FWRITE))
486 revents |= events & (POLLOUT | POLLWRNORM);
487 if (events & (POLLIN | POLLRDNORM) && (sc->sc_fflags & FREAD)) {
488 mtx_lock(&sc->sc_mtx);
489 if (sc->sc_state.data)
490 revents |= events & (POLLIN | POLLRDNORM);
491 else {
492 sc->sc_state.sel = true;
493 start_intr = true;
494 selrecord(td, &sc->sc_rsel);
495 }
496 mtx_unlock(&sc->sc_mtx);
497 if (start_intr)
498 hid_intr_start(sc->sc_dev);
499 }
500
501 return (revents);
502 }
503
504 static int
u2f_kqfilter(struct cdev * dev,struct knote * kn)505 u2f_kqfilter(struct cdev *dev, struct knote *kn)
506 {
507 struct u2f_softc *sc = dev->si_drv1;
508
509 if (sc == NULL)
510 return (ENXIO);
511
512 switch(kn->kn_filter) {
513 case EVFILT_READ:
514 if (sc->sc_fflags & FREAD) {
515 kn->kn_fop = &u2f_filterops_read;
516 break;
517 }
518 /* FALLTHROUGH */
519 default:
520 return(EINVAL);
521 }
522 kn->kn_hook = sc;
523
524 knlist_add(&sc->sc_rsel.si_note, kn, 0);
525 return (0);
526 }
527
528 static void
u2f_kqtask(void * context,int pending)529 u2f_kqtask(void *context, int pending)
530 {
531 struct u2f_softc *sc = context;
532
533 hid_intr_start(sc->sc_dev);
534 }
535
536 static int
u2f_kqread(struct knote * kn,long hint)537 u2f_kqread(struct knote *kn, long hint)
538 {
539 struct u2f_softc *sc = kn->kn_hook;
540 int ret;
541
542 mtx_assert(&sc->sc_mtx, MA_OWNED);
543
544 if (sc->dev->si_drv1 == NULL) {
545 kn->kn_flags |= EV_EOF;
546 ret = 1;
547 } else {
548 ret = sc->sc_state.data ? 1 : 0;
549 if (!sc->sc_state.data)
550 taskqueue_enqueue(taskqueue_thread, &sc->sc_kqtask);
551 }
552
553 return (ret);
554 }
555
556 static void
u2f_kqdetach(struct knote * kn)557 u2f_kqdetach(struct knote *kn)
558 {
559 struct u2f_softc *sc = kn->kn_hook;
560
561 knlist_remove(&sc->sc_rsel.si_note, kn, 0);
562 }
563
564 static void
u2f_notify(struct u2f_softc * sc)565 u2f_notify(struct u2f_softc *sc)
566 {
567 mtx_assert(&sc->sc_mtx, MA_OWNED);
568
569 if (sc->sc_state.aslp) {
570 sc->sc_state.aslp = false;
571 DPRINTFN(5, "waking %p\n", &sc->sc_buf);
572 wakeup(&sc->sc_buf);
573 }
574 if (sc->sc_state.sel) {
575 sc->sc_state.sel = false;
576 selwakeuppri(&sc->sc_rsel, PZERO);
577 }
578 KNOTE_LOCKED(&sc->sc_rsel.si_note, 0);
579 }
580
581 static device_method_t u2f_methods[] = {
582 /* Device interface */
583 DEVMETHOD(device_probe, u2f_probe),
584 DEVMETHOD(device_attach, u2f_attach),
585 DEVMETHOD(device_detach, u2f_detach),
586
587 DEVMETHOD_END
588 };
589
590 static driver_t u2f_driver = {
591 #ifdef U2F_DROP_UHID_ALIAS
592 "uf2",
593 #else
594 "uhid",
595 #endif
596 u2f_methods,
597 sizeof(struct u2f_softc)
598 };
599
600 DRIVER_MODULE(u2f, hidbus, u2f_driver, NULL, NULL);
601 MODULE_DEPEND(u2f, hidbus, 1, 1, 1);
602 MODULE_DEPEND(u2f, hid, 1, 1, 1);
603 MODULE_VERSION(u2f, 1);
604 HID_PNP_INFO(u2f_devs);
605