1 /* $OpenBSD: sk-usbhid.c,v 1.48 2025/05/12 05:41:20 tb Exp $ */
2 /*
3 * Copyright (c) 2019 Markus Friedl
4 * Copyright (c) 2020 Pedro Martelletto
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include "includes.h"
20
21 #ifdef ENABLE_SK_INTERNAL
22
23 #include <stdint.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <stdio.h>
27 #include <stddef.h>
28 #include <stdarg.h>
29 #include <time.h>
30 #ifdef HAVE_SHA2_H
31 #include <sha2.h>
32 #endif
33
34 /*
35 * Almost every use of OpenSSL in this file is for ECDSA-NISTP256.
36 * This is strictly a larger hammer than necessary, but it reduces changes
37 * with upstream.
38 */
39 #ifndef OPENSSL_HAS_ECC
40 # undef WITH_OPENSSL
41 #endif
42
43 #ifdef WITH_OPENSSL
44 #include <openssl/opensslv.h>
45 #include <openssl/crypto.h>
46 #include <openssl/bn.h>
47 #include <openssl/ec.h>
48 #include <openssl/ecdsa.h>
49 #include <openssl/evp.h>
50 #include "openbsd-compat/openssl-compat.h"
51 #endif /* WITH_OPENSSL */
52
53 #include <fido.h>
54 #include <fido/credman.h>
55
56 /* backwards compat for libfido2 */
57 #ifndef HAVE_FIDO_CRED_PROT
58 #define fido_cred_prot(x) (0)
59 #endif
60 #ifndef HAVE_FIDO_CRED_SET_PROT
61 #define fido_cred_set_prot(x, y) (FIDO_ERR_UNSUPPORTED_OPTION)
62 #endif
63 #ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
64 #define fido_dev_supports_cred_prot(x) (0)
65 #endif
66 #ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
67 #define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
68 #endif
69 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
70 #define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
71 #endif
72 #ifndef FIDO_CRED_PROT_UV_REQUIRED
73 #define FIDO_CRED_PROT_UV_REQUIRED 0
74 #endif
75 #ifndef FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID
76 #define FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID 0
77 #endif
78
79 # include "misc.h"
80
81 #ifndef SK_STANDALONE
82 # include "log.h"
83 # include "xmalloc.h"
84 /*
85 * If building as part of OpenSSH, then rename exported functions.
86 * This must be done before including sk-api.h.
87 */
88 # define sk_api_version ssh_sk_api_version
89 # define sk_enroll ssh_sk_enroll
90 # define sk_sign ssh_sk_sign
91 # define sk_load_resident_keys ssh_sk_load_resident_keys
92 #endif /* !SK_STANDALONE */
93
94 #include "sk-api.h"
95
96 /* #define SK_DEBUG 1 */
97
98 #ifdef SK_DEBUG
99 #define SSH_FIDO_INIT_ARG FIDO_DEBUG
100 #else
101 #define SSH_FIDO_INIT_ARG 0
102 #endif
103
104 #define MAX_FIDO_DEVICES 8
105 #define FIDO_POLL_MS 50
106 #define SELECT_MS 15000
107 #define POLL_SLEEP_NS 200000000
108
109 #ifndef FIDO_ERR_OPERATION_DENIED
110 #define FIDO_ERR_OPERATION_DENIED 0x27
111 #endif
112
113 struct sk_usbhid {
114 fido_dev_t *dev;
115 char *path;
116 };
117
118 /* Return the version of the middleware API */
119 uint32_t sk_api_version(void);
120
121 /* Enroll a U2F key (private key generation) */
122 int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
123 const char *application, uint8_t flags, const char *pin,
124 struct sk_option **options, struct sk_enroll_response **enroll_response);
125
126 /* Sign a challenge */
127 int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len,
128 const char *application, const uint8_t *key_handle, size_t key_handle_len,
129 uint8_t flags, const char *pin, struct sk_option **options,
130 struct sk_sign_response **sign_response);
131
132 /* Load resident keys */
133 int sk_load_resident_keys(const char *pin, struct sk_option **options,
134 struct sk_resident_key ***rks, size_t *nrks);
135
136 static void skdebug(const char *func, const char *fmt, ...)
137 __attribute__((__format__ (printf, 2, 3)));
138
139 static void
skdebug(const char * func,const char * fmt,...)140 skdebug(const char *func, const char *fmt, ...)
141 {
142 #if !defined(SK_STANDALONE)
143 char *msg;
144 va_list ap;
145
146 va_start(ap, fmt);
147 xvasprintf(&msg, fmt, ap);
148 va_end(ap);
149 debug("%s: %s", func, msg);
150 free(msg);
151 #elif defined(SK_DEBUG)
152 va_list ap;
153
154 va_start(ap, fmt);
155 fprintf(stderr, "%s: ", func);
156 vfprintf(stderr, fmt, ap);
157 fputc('\n', stderr);
158 va_end(ap);
159 #else
160 (void)func; /* XXX */
161 (void)fmt; /* XXX */
162 #endif
163 }
164
165 uint32_t
sk_api_version(void)166 sk_api_version(void)
167 {
168 return SSH_SK_VERSION_MAJOR;
169 }
170
171 static struct sk_usbhid *
sk_open(const char * path)172 sk_open(const char *path)
173 {
174 struct sk_usbhid *sk;
175 int r;
176
177 if (path == NULL) {
178 skdebug(__func__, "path == NULL");
179 return NULL;
180 }
181 if ((sk = calloc(1, sizeof(*sk))) == NULL) {
182 skdebug(__func__, "calloc sk failed");
183 return NULL;
184 }
185 if ((sk->path = strdup(path)) == NULL) {
186 skdebug(__func__, "strdup path failed");
187 free(sk);
188 return NULL;
189 }
190 if ((sk->dev = fido_dev_new()) == NULL) {
191 skdebug(__func__, "fido_dev_new failed");
192 free(sk->path);
193 free(sk);
194 return NULL;
195 }
196 if ((r = fido_dev_open(sk->dev, sk->path)) != FIDO_OK) {
197 skdebug(__func__, "fido_dev_open %s failed: %s", sk->path,
198 fido_strerr(r));
199 fido_dev_free(&sk->dev);
200 free(sk->path);
201 free(sk);
202 return NULL;
203 }
204 return sk;
205 }
206
207 static void
sk_close(struct sk_usbhid * sk)208 sk_close(struct sk_usbhid *sk)
209 {
210 if (sk == NULL)
211 return;
212 fido_dev_cancel(sk->dev); /* cancel any pending operation */
213 fido_dev_close(sk->dev);
214 fido_dev_free(&sk->dev);
215 free(sk->path);
216 free(sk);
217 }
218
219 static struct sk_usbhid **
sk_openv(const fido_dev_info_t * devlist,size_t ndevs,size_t * nopen)220 sk_openv(const fido_dev_info_t *devlist, size_t ndevs, size_t *nopen)
221 {
222 const fido_dev_info_t *di;
223 struct sk_usbhid **skv;
224 size_t i;
225
226 *nopen = 0;
227 if ((skv = calloc(ndevs, sizeof(*skv))) == NULL) {
228 skdebug(__func__, "calloc skv failed");
229 return NULL;
230 }
231 for (i = 0; i < ndevs; i++) {
232 if ((di = fido_dev_info_ptr(devlist, i)) == NULL)
233 skdebug(__func__, "fido_dev_info_ptr failed");
234 else if ((skv[*nopen] = sk_open(fido_dev_info_path(di))) == NULL)
235 skdebug(__func__, "sk_open failed");
236 else
237 (*nopen)++;
238 }
239 if (*nopen == 0) {
240 for (i = 0; i < ndevs; i++)
241 sk_close(skv[i]);
242 free(skv);
243 skv = NULL;
244 }
245
246 return skv;
247 }
248
249 static void
sk_closev(struct sk_usbhid ** skv,size_t nsk)250 sk_closev(struct sk_usbhid **skv, size_t nsk)
251 {
252 size_t i;
253
254 for (i = 0; i < nsk; i++)
255 sk_close(skv[i]);
256 free(skv);
257 }
258
259 static int
sk_touch_begin(struct sk_usbhid ** skv,size_t nsk)260 sk_touch_begin(struct sk_usbhid **skv, size_t nsk)
261 {
262 size_t i, ok = 0;
263 int r;
264
265 for (i = 0; i < nsk; i++)
266 if ((r = fido_dev_get_touch_begin(skv[i]->dev)) != FIDO_OK)
267 skdebug(__func__, "fido_dev_get_touch_begin %s failed:"
268 " %s", skv[i]->path, fido_strerr(r));
269 else
270 ok++;
271
272 return ok ? 0 : -1;
273 }
274
275 static int
sk_touch_poll(struct sk_usbhid ** skv,size_t nsk,int * touch,size_t * idx)276 sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx)
277 {
278 struct timespec ts_pause;
279 size_t npoll, i;
280 int r;
281
282 ts_pause.tv_sec = 0;
283 ts_pause.tv_nsec = POLL_SLEEP_NS;
284 nanosleep(&ts_pause, NULL);
285 npoll = nsk;
286 for (i = 0; i < nsk; i++) {
287 if (skv[i] == NULL)
288 continue; /* device discarded */
289 skdebug(__func__, "polling %s", skv[i]->path);
290 if ((r = fido_dev_get_touch_status(skv[i]->dev, touch,
291 FIDO_POLL_MS)) != FIDO_OK) {
292 skdebug(__func__, "fido_dev_get_touch_status %s: %s",
293 skv[i]->path, fido_strerr(r));
294 sk_close(skv[i]); /* discard device */
295 skv[i] = NULL;
296 if (--npoll == 0) {
297 skdebug(__func__, "no device left to poll");
298 return -1;
299 }
300 } else if (*touch) {
301 *idx = i;
302 return 0;
303 }
304 }
305 *touch = 0;
306 return 0;
307 }
308
309 #if !defined(HAVE_FIDO_ASSERT_SET_CLIENTDATA) || \
310 !defined(HAVE_FIDO_CRED_SET_CLIENTDATA)
311 /* Calculate SHA256(m) */
312 static int
sha256_mem(const void * m,size_t mlen,u_char * d,size_t dlen)313 sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
314 {
315 #ifdef WITH_OPENSSL
316 u_int mdlen;
317 #else
318 SHA2_CTX ctx;
319 #endif
320
321 if (dlen != 32)
322 return -1;
323 #ifdef WITH_OPENSSL
324 mdlen = dlen;
325 if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))
326 return -1;
327 #else
328 SHA256Init(&ctx);
329 SHA256Update(&ctx, (const uint8_t *)m, mlen);
330 SHA256Final(d, &ctx);
331 #endif
332 return 0;
333 }
334 #endif /* !HAVE_FIDO_ASSERT_SET_CLIENTDATA || !HAVE_FIDO_CRED_SET_CLIENTDATA */
335
336 #ifndef HAVE_FIDO_CRED_SET_CLIENTDATA
337 static int
fido_cred_set_clientdata(fido_cred_t * cred,const u_char * ptr,size_t len)338 fido_cred_set_clientdata(fido_cred_t *cred, const u_char *ptr, size_t len)
339 {
340 uint8_t d[32];
341 int r;
342
343 if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
344 skdebug(__func__, "hash challenge failed");
345 return FIDO_ERR_INTERNAL;
346 }
347 r = fido_cred_set_clientdata_hash(cred, d, sizeof(d));
348 explicit_bzero(d, sizeof(d));
349 if (r != FIDO_OK) {
350 skdebug(__func__, "fido_cred_set_clientdata_hash failed: %s",
351 fido_strerr(r));
352 }
353 return r;
354 }
355 #endif /* HAVE_FIDO_CRED_SET_CLIENTDATA */
356
357 #ifndef HAVE_FIDO_ASSERT_SET_CLIENTDATA
358 static int
fido_assert_set_clientdata(fido_assert_t * assert,const u_char * ptr,size_t len)359 fido_assert_set_clientdata(fido_assert_t *assert, const u_char *ptr, size_t len)
360 {
361 uint8_t d[32];
362 int r;
363
364 if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
365 skdebug(__func__, "hash challenge failed");
366 return FIDO_ERR_INTERNAL;
367 }
368 r = fido_assert_set_clientdata_hash(assert, d, sizeof(d));
369 explicit_bzero(d, sizeof(d));
370 if (r != FIDO_OK) {
371 skdebug(__func__, "fido_assert_set_clientdata_hash failed: %s",
372 fido_strerr(r));
373 }
374 return r;
375 }
376 #endif /* HAVE_FIDO_ASSERT_SET_CLIENTDATA */
377
378 #ifndef HAVE_FIDO_DEV_IS_WINHELLO
379 static bool
fido_dev_is_winhello(const fido_dev_t * fdev)380 fido_dev_is_winhello(const fido_dev_t *fdev)
381 {
382 return 0;
383 }
384 #endif /* HAVE_FIDO_DEV_IS_WINHELLO */
385
386 /* Check if the specified key handle exists on a given sk. */
387 static int
sk_try(const struct sk_usbhid * sk,const char * application,const uint8_t * key_handle,size_t key_handle_len)388 sk_try(const struct sk_usbhid *sk, const char *application,
389 const uint8_t *key_handle, size_t key_handle_len)
390 {
391 fido_assert_t *assert = NULL;
392 int r = FIDO_ERR_INTERNAL;
393 uint8_t message[32];
394
395 memset(message, '\0', sizeof(message));
396 if ((assert = fido_assert_new()) == NULL) {
397 skdebug(__func__, "fido_assert_new failed");
398 goto out;
399 }
400 /* generate an invalid signature on FIDO2 tokens */
401 if ((r = fido_assert_set_clientdata(assert, message,
402 sizeof(message))) != FIDO_OK) {
403 skdebug(__func__, "fido_assert_set_clientdata: %s",
404 fido_strerr(r));
405 goto out;
406 }
407 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
408 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
409 goto out;
410 }
411 if ((r = fido_assert_allow_cred(assert, key_handle,
412 key_handle_len)) != FIDO_OK) {
413 skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
414 goto out;
415 }
416 if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
417 skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
418 goto out;
419 }
420 r = fido_dev_get_assert(sk->dev, assert, NULL);
421 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
422 if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
423 /* U2F tokens may return this */
424 r = FIDO_OK;
425 }
426 out:
427 fido_assert_free(&assert);
428
429 return r != FIDO_OK ? -1 : 0;
430 }
431
432 static int
check_sk_options(fido_dev_t * dev,const char * opt,int * ret)433 check_sk_options(fido_dev_t *dev, const char *opt, int *ret)
434 {
435 fido_cbor_info_t *info;
436 char * const *name;
437 const bool *value;
438 size_t len, i;
439 int r;
440
441 *ret = -1;
442
443 if (!fido_dev_is_fido2(dev)) {
444 skdebug(__func__, "device is not fido2");
445 return 0;
446 }
447 if ((info = fido_cbor_info_new()) == NULL) {
448 skdebug(__func__, "fido_cbor_info_new failed");
449 return -1;
450 }
451 if ((r = fido_dev_get_cbor_info(dev, info)) != FIDO_OK) {
452 skdebug(__func__, "fido_dev_get_cbor_info: %s", fido_strerr(r));
453 fido_cbor_info_free(&info);
454 return -1;
455 }
456 name = fido_cbor_info_options_name_ptr(info);
457 value = fido_cbor_info_options_value_ptr(info);
458 len = fido_cbor_info_options_len(info);
459 for (i = 0; i < len; i++) {
460 if (!strcmp(name[i], opt)) {
461 *ret = value[i];
462 break;
463 }
464 }
465 fido_cbor_info_free(&info);
466 if (*ret == -1)
467 skdebug(__func__, "option %s is unknown", opt);
468 else
469 skdebug(__func__, "option %s is %s", opt, *ret ? "on" : "off");
470
471 return 0;
472 }
473
474 static struct sk_usbhid *
sk_select_by_cred(const fido_dev_info_t * devlist,size_t ndevs,const char * application,const uint8_t * key_handle,size_t key_handle_len)475 sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
476 const char *application, const uint8_t *key_handle, size_t key_handle_len)
477 {
478 struct sk_usbhid **skv, *sk;
479 size_t skvcnt, i;
480 int internal_uv;
481
482 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
483 skdebug(__func__, "sk_openv failed");
484 return NULL;
485 }
486 if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
487 &internal_uv) == 0 && internal_uv != -1) {
488 sk = skv[0];
489 skv[0] = NULL;
490 goto out;
491 }
492 sk = NULL;
493 for (i = 0; i < skvcnt; i++) {
494 if (sk_try(skv[i], application, key_handle,
495 key_handle_len) == 0) {
496 sk = skv[i];
497 skv[i] = NULL;
498 skdebug(__func__, "found key in %s", sk->path);
499 break;
500 }
501 }
502 out:
503 sk_closev(skv, skvcnt);
504 return sk;
505 }
506
507 static struct sk_usbhid *
sk_select_by_touch(const fido_dev_info_t * devlist,size_t ndevs)508 sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
509 {
510 struct sk_usbhid **skv, *sk;
511 struct timeval tv_start, tv_now, tv_delta;
512 size_t skvcnt, idx;
513 int touch, ms_remain;
514
515 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
516 skdebug(__func__, "sk_openv failed");
517 return NULL;
518 }
519 sk = NULL;
520 if (skvcnt < 2) {
521 if (skvcnt == 1) {
522 /* single candidate */
523 sk = skv[0];
524 skv[0] = NULL;
525 }
526 goto out;
527 }
528 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
529 skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
530 goto out;
531 #endif
532
533 if (sk_touch_begin(skv, skvcnt) == -1) {
534 skdebug(__func__, "sk_touch_begin failed");
535 goto out;
536 }
537 monotime_tv(&tv_start);
538 do {
539 if (sk_touch_poll(skv, skvcnt, &touch, &idx) == -1) {
540 skdebug(__func__, "sk_touch_poll failed");
541 goto out;
542 }
543 if (touch) {
544 sk = skv[idx];
545 skv[idx] = NULL;
546 goto out;
547 }
548 monotime_tv(&tv_now);
549 timersub(&tv_now, &tv_start, &tv_delta);
550 ms_remain = SELECT_MS - tv_delta.tv_sec * 1000 -
551 tv_delta.tv_usec / 1000;
552 } while (ms_remain >= FIDO_POLL_MS);
553 skdebug(__func__, "timeout");
554 out:
555 sk_closev(skv, skvcnt);
556 return sk;
557 }
558
559 static struct sk_usbhid *
sk_probe(const char * application,const uint8_t * key_handle,size_t key_handle_len,int probe_resident)560 sk_probe(const char *application, const uint8_t *key_handle,
561 size_t key_handle_len, int probe_resident)
562 {
563 struct sk_usbhid *sk;
564 fido_dev_info_t *devlist;
565 size_t ndevs;
566 int r;
567
568 #ifdef HAVE_CYGWIN
569 if (!probe_resident && (sk = sk_open("windows://hello")) != NULL)
570 return sk;
571 #endif /* HAVE_CYGWIN */
572 if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) {
573 skdebug(__func__, "fido_dev_info_new failed");
574 return NULL;
575 }
576 if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES,
577 &ndevs)) != FIDO_OK) {
578 skdebug(__func__, "fido_dev_info_manifest failed: %s",
579 fido_strerr(r));
580 fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
581 return NULL;
582 }
583 skdebug(__func__, "%zu device(s) detected", ndevs);
584 if (ndevs == 0) {
585 sk = NULL;
586 } else if (application != NULL && key_handle != NULL) {
587 skdebug(__func__, "selecting sk by cred");
588 sk = sk_select_by_cred(devlist, ndevs, application, key_handle,
589 key_handle_len);
590 } else {
591 skdebug(__func__, "selecting sk by touch");
592 sk = sk_select_by_touch(devlist, ndevs);
593 }
594 fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
595 return sk;
596 }
597
598 #ifdef WITH_OPENSSL
599 /*
600 * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
601 * but the API expects a SEC1 octet string.
602 */
603 static int
pack_public_key_ecdsa(const fido_cred_t * cred,struct sk_enroll_response * response)604 pack_public_key_ecdsa(const fido_cred_t *cred,
605 struct sk_enroll_response *response)
606 {
607 const uint8_t *ptr;
608 BIGNUM *x = NULL, *y = NULL;
609 EC_POINT *q = NULL;
610 EC_GROUP *g = NULL;
611 int ret = -1;
612
613 response->public_key = NULL;
614 response->public_key_len = 0;
615
616 if ((x = BN_new()) == NULL ||
617 (y = BN_new()) == NULL ||
618 (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL ||
619 (q = EC_POINT_new(g)) == NULL) {
620 skdebug(__func__, "libcrypto setup failed");
621 goto out;
622 }
623 if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
624 skdebug(__func__, "fido_cred_pubkey_ptr failed");
625 goto out;
626 }
627 if (fido_cred_pubkey_len(cred) != 64) {
628 skdebug(__func__, "bad fido_cred_pubkey_len %zu",
629 fido_cred_pubkey_len(cred));
630 goto out;
631 }
632
633 if (BN_bin2bn(ptr, 32, x) == NULL ||
634 BN_bin2bn(ptr + 32, 32, y) == NULL) {
635 skdebug(__func__, "BN_bin2bn failed");
636 goto out;
637 }
638 if (EC_POINT_set_affine_coordinates(g, q, x, y, NULL) != 1) {
639 skdebug(__func__, "EC_POINT_set_affine_coordinates failed");
640 goto out;
641 }
642 response->public_key_len = EC_POINT_point2oct(g, q,
643 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
644 if (response->public_key_len == 0 || response->public_key_len > 2048) {
645 skdebug(__func__, "bad pubkey length %zu",
646 response->public_key_len);
647 goto out;
648 }
649 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
650 skdebug(__func__, "malloc pubkey failed");
651 goto out;
652 }
653 if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
654 response->public_key, response->public_key_len, NULL) == 0) {
655 skdebug(__func__, "EC_POINT_point2oct failed");
656 goto out;
657 }
658 /* success */
659 ret = 0;
660 out:
661 if (ret != 0 && response->public_key != NULL) {
662 memset(response->public_key, 0, response->public_key_len);
663 free(response->public_key);
664 response->public_key = NULL;
665 }
666 EC_POINT_free(q);
667 EC_GROUP_free(g);
668 BN_clear_free(x);
669 BN_clear_free(y);
670 return ret;
671 }
672 #endif /* WITH_OPENSSL */
673
674 static int
pack_public_key_ed25519(const fido_cred_t * cred,struct sk_enroll_response * response)675 pack_public_key_ed25519(const fido_cred_t *cred,
676 struct sk_enroll_response *response)
677 {
678 const uint8_t *ptr;
679 size_t len;
680 int ret = -1;
681
682 response->public_key = NULL;
683 response->public_key_len = 0;
684
685 if ((len = fido_cred_pubkey_len(cred)) != 32) {
686 skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len);
687 goto out;
688 }
689 if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
690 skdebug(__func__, "fido_cred_pubkey_ptr failed");
691 goto out;
692 }
693 response->public_key_len = len;
694 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
695 skdebug(__func__, "malloc pubkey failed");
696 goto out;
697 }
698 memcpy(response->public_key, ptr, len);
699 ret = 0;
700 out:
701 if (ret != 0)
702 free(response->public_key);
703 return ret;
704 }
705
706 static int
pack_public_key(uint32_t alg,const fido_cred_t * cred,struct sk_enroll_response * response)707 pack_public_key(uint32_t alg, const fido_cred_t *cred,
708 struct sk_enroll_response *response)
709 {
710 switch(alg) {
711 #ifdef WITH_OPENSSL
712 case SSH_SK_ECDSA:
713 return pack_public_key_ecdsa(cred, response);
714 #endif /* WITH_OPENSSL */
715 case SSH_SK_ED25519:
716 return pack_public_key_ed25519(cred, response);
717 default:
718 return -1;
719 }
720 }
721
722 static int
fidoerr_to_skerr(int fidoerr)723 fidoerr_to_skerr(int fidoerr)
724 {
725 switch (fidoerr) {
726 case FIDO_ERR_UNSUPPORTED_OPTION:
727 case FIDO_ERR_UNSUPPORTED_ALGORITHM:
728 return SSH_SK_ERR_UNSUPPORTED;
729 case FIDO_ERR_PIN_REQUIRED:
730 case FIDO_ERR_PIN_INVALID:
731 case FIDO_ERR_OPERATION_DENIED:
732 return SSH_SK_ERR_PIN_REQUIRED;
733 default:
734 return -1;
735 }
736 }
737
738 static int
check_enroll_options(struct sk_option ** options,char ** devicep,uint8_t * user_id,size_t user_id_len)739 check_enroll_options(struct sk_option **options, char **devicep,
740 uint8_t *user_id, size_t user_id_len)
741 {
742 size_t i;
743
744 if (options == NULL)
745 return 0;
746 for (i = 0; options[i] != NULL; i++) {
747 if (strcmp(options[i]->name, "device") == 0) {
748 if ((*devicep = strdup(options[i]->value)) == NULL) {
749 skdebug(__func__, "strdup device failed");
750 return -1;
751 }
752 skdebug(__func__, "requested device %s", *devicep);
753 } else if (strcmp(options[i]->name, "user") == 0) {
754 if (strlcpy(user_id, options[i]->value, user_id_len) >=
755 user_id_len) {
756 skdebug(__func__, "user too long");
757 return -1;
758 }
759 skdebug(__func__, "requested user %s",
760 (char *)user_id);
761 } else {
762 skdebug(__func__, "requested unsupported option %s",
763 options[i]->name);
764 if (options[i]->required) {
765 skdebug(__func__, "unknown required option");
766 return -1;
767 }
768 }
769 }
770 return 0;
771 }
772
773 static int
key_lookup(fido_dev_t * dev,const char * application,const uint8_t * user_id,size_t user_id_len,const char * pin)774 key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
775 size_t user_id_len, const char *pin)
776 {
777 fido_assert_t *assert = NULL;
778 uint8_t message[32];
779 int r = FIDO_ERR_INTERNAL;
780 int sk_supports_uv, uv;
781 size_t i;
782
783 memset(message, '\0', sizeof(message));
784 if ((assert = fido_assert_new()) == NULL) {
785 skdebug(__func__, "fido_assert_new failed");
786 goto out;
787 }
788 /* generate an invalid signature on FIDO2 tokens */
789 if ((r = fido_assert_set_clientdata(assert, message,
790 sizeof(message))) != FIDO_OK) {
791 skdebug(__func__, "fido_assert_set_clientdata: %s",
792 fido_strerr(r));
793 goto out;
794 }
795 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
796 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
797 goto out;
798 }
799 if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
800 skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
801 goto out;
802 }
803 uv = FIDO_OPT_OMIT;
804 if (pin == NULL && check_sk_options(dev, "uv", &sk_supports_uv) == 0 &&
805 sk_supports_uv != -1)
806 uv = FIDO_OPT_TRUE;
807 if ((r = fido_assert_set_uv(assert, uv)) != FIDO_OK) {
808 skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
809 goto out;
810 }
811 if ((r = fido_dev_get_assert(dev, assert, pin)) != FIDO_OK) {
812 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
813 goto out;
814 }
815 r = FIDO_ERR_NO_CREDENTIALS;
816 skdebug(__func__, "%zu signatures returned", fido_assert_count(assert));
817 for (i = 0; i < fido_assert_count(assert); i++) {
818 if (fido_assert_user_id_len(assert, i) == user_id_len &&
819 memcmp(fido_assert_user_id_ptr(assert, i), user_id,
820 user_id_len) == 0) {
821 skdebug(__func__, "credential exists");
822 r = FIDO_OK;
823 goto out;
824 }
825 }
826 out:
827 fido_assert_free(&assert);
828
829 return r;
830 }
831
832 int
sk_enroll(uint32_t alg,const uint8_t * challenge,size_t challenge_len,const char * application,uint8_t flags,const char * pin,struct sk_option ** options,struct sk_enroll_response ** enroll_response)833 sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
834 const char *application, uint8_t flags, const char *pin,
835 struct sk_option **options, struct sk_enroll_response **enroll_response)
836 {
837 fido_cred_t *cred = NULL;
838 const uint8_t *ptr;
839 uint8_t user_id[32];
840 struct sk_usbhid *sk = NULL;
841 struct sk_enroll_response *response = NULL;
842 size_t len;
843 int credprot;
844 int cose_alg;
845 int ret = SSH_SK_ERR_GENERAL;
846 int r;
847 char *device = NULL;
848
849 fido_init(SSH_FIDO_INIT_ARG);
850
851 if (enroll_response == NULL) {
852 skdebug(__func__, "enroll_response == NULL");
853 goto out;
854 }
855 *enroll_response = NULL;
856 memset(user_id, 0, sizeof(user_id));
857 if (check_enroll_options(options, &device, user_id,
858 sizeof(user_id)) != 0)
859 goto out; /* error already logged */
860
861 switch(alg) {
862 #ifdef WITH_OPENSSL
863 case SSH_SK_ECDSA:
864 cose_alg = COSE_ES256;
865 break;
866 #endif /* WITH_OPENSSL */
867 case SSH_SK_ED25519:
868 cose_alg = COSE_EDDSA;
869 break;
870 default:
871 skdebug(__func__, "unsupported key type %d", alg);
872 goto out;
873 }
874 if (device != NULL)
875 sk = sk_open(device);
876 else
877 sk = sk_probe(NULL, NULL, 0, 0);
878 if (sk == NULL) {
879 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
880 skdebug(__func__, "failed to find sk");
881 goto out;
882 }
883 skdebug(__func__, "using device %s", sk->path);
884 if ((flags & SSH_SK_RESIDENT_KEY) != 0 &&
885 (flags & SSH_SK_FORCE_OPERATION) == 0 &&
886 (r = key_lookup(sk->dev, application, user_id, sizeof(user_id),
887 pin)) != FIDO_ERR_NO_CREDENTIALS) {
888 if (r != FIDO_OK) {
889 ret = fidoerr_to_skerr(r);
890 skdebug(__func__, "key_lookup failed");
891 } else {
892 ret = SSH_SK_ERR_CREDENTIAL_EXISTS;
893 skdebug(__func__, "key exists");
894 }
895 goto out;
896 }
897 if ((cred = fido_cred_new()) == NULL) {
898 skdebug(__func__, "fido_cred_new failed");
899 goto out;
900 }
901 if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) {
902 skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
903 goto out;
904 }
905 if ((r = fido_cred_set_clientdata(cred,
906 challenge, challenge_len)) != FIDO_OK) {
907 skdebug(__func__, "fido_cred_set_clientdata: %s",
908 fido_strerr(r));
909 goto out;
910 }
911 if ((r = fido_cred_set_rk(cred, (flags & SSH_SK_RESIDENT_KEY) != 0 ?
912 FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
913 skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
914 goto out;
915 }
916 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
917 "openssh", "openssh", NULL)) != FIDO_OK) {
918 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
919 goto out;
920 }
921 if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) {
922 skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r));
923 goto out;
924 }
925 if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
926 #if !defined(HAVE_FIDO_DEV_SUPPORTS_CRED_PROT) || \
927 !defined(HAVE_FIDO_CRED_SET_PROT)
928 skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
929 ret = SSH_SK_ERR_UNSUPPORTED;
930 goto out;
931 credprot = 0; (void)credprot; /* avoid warning */
932 #endif
933 if (!fido_dev_supports_cred_prot(sk->dev)) {
934 skdebug(__func__, "%s does not support credprot, "
935 "refusing to create unprotected "
936 "resident/verify-required key", sk->path);
937 ret = SSH_SK_ERR_UNSUPPORTED;
938 goto out;
939 }
940 if ((flags & SSH_SK_USER_VERIFICATION_REQD))
941 credprot = FIDO_CRED_PROT_UV_REQUIRED;
942 else
943 credprot = FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID;
944
945 if ((r = fido_cred_set_prot(cred, credprot)) != FIDO_OK) {
946 skdebug(__func__, "fido_cred_set_prot: %s",
947 fido_strerr(r));
948 ret = fidoerr_to_skerr(r);
949 goto out;
950 }
951 }
952 if ((r = fido_dev_make_cred(sk->dev, cred, pin)) != FIDO_OK) {
953 skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
954 ret = fidoerr_to_skerr(r);
955 goto out;
956 }
957 if (fido_cred_x5c_ptr(cred) != NULL) {
958 if ((r = fido_cred_verify(cred)) != FIDO_OK) {
959 skdebug(__func__, "fido_cred_verify: %s",
960 fido_strerr(r));
961 goto out;
962 }
963 } else if (strcmp(fido_cred_fmt(cred), "none") != 0) {
964 skdebug(__func__, "self-attested credential");
965 if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
966 skdebug(__func__, "fido_cred_verify_self: %s",
967 fido_strerr(r));
968 goto out;
969 }
970 } else {
971 skdebug(__func__, "no attestation data");
972 }
973 if ((response = calloc(1, sizeof(*response))) == NULL) {
974 skdebug(__func__, "calloc response failed");
975 goto out;
976 }
977 response->flags = flags;
978 if (pack_public_key(alg, cred, response) != 0) {
979 skdebug(__func__, "pack_public_key failed");
980 goto out;
981 }
982 if ((ptr = fido_cred_id_ptr(cred)) != NULL) {
983 len = fido_cred_id_len(cred);
984 if ((response->key_handle = calloc(1, len)) == NULL) {
985 skdebug(__func__, "calloc key handle failed");
986 goto out;
987 }
988 memcpy(response->key_handle, ptr, len);
989 response->key_handle_len = len;
990 }
991 if ((ptr = fido_cred_sig_ptr(cred)) != NULL) {
992 len = fido_cred_sig_len(cred);
993 if ((response->signature = calloc(1, len)) == NULL) {
994 skdebug(__func__, "calloc signature failed");
995 goto out;
996 }
997 memcpy(response->signature, ptr, len);
998 response->signature_len = len;
999 }
1000 if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
1001 len = fido_cred_x5c_len(cred);
1002 skdebug(__func__, "attestation cert len=%zu", len);
1003 if ((response->attestation_cert = calloc(1, len)) == NULL) {
1004 skdebug(__func__, "calloc attestation cert failed");
1005 goto out;
1006 }
1007 memcpy(response->attestation_cert, ptr, len);
1008 response->attestation_cert_len = len;
1009 }
1010 if ((ptr = fido_cred_authdata_ptr(cred)) != NULL) {
1011 len = fido_cred_authdata_len(cred);
1012 skdebug(__func__, "authdata len=%zu", len);
1013 if ((response->authdata = calloc(1, len)) == NULL) {
1014 skdebug(__func__, "calloc authdata failed");
1015 goto out;
1016 }
1017 memcpy(response->authdata, ptr, len);
1018 response->authdata_len = len;
1019 }
1020 *enroll_response = response;
1021 response = NULL;
1022 ret = 0;
1023 out:
1024 free(device);
1025 if (response != NULL) {
1026 free(response->public_key);
1027 free(response->key_handle);
1028 free(response->signature);
1029 free(response->attestation_cert);
1030 free(response->authdata);
1031 free(response);
1032 }
1033 sk_close(sk);
1034 fido_cred_free(&cred);
1035 return ret;
1036 }
1037
1038 #ifdef WITH_OPENSSL
1039 static int
pack_sig_ecdsa(fido_assert_t * assert,struct sk_sign_response * response)1040 pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
1041 {
1042 ECDSA_SIG *sig = NULL;
1043 const BIGNUM *sig_r, *sig_s;
1044 const unsigned char *cp;
1045 size_t sig_len;
1046 int ret = -1;
1047
1048 cp = fido_assert_sig_ptr(assert, 0);
1049 sig_len = fido_assert_sig_len(assert, 0);
1050 if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) {
1051 skdebug(__func__, "d2i_ECDSA_SIG failed");
1052 goto out;
1053 }
1054 ECDSA_SIG_get0(sig, &sig_r, &sig_s);
1055 response->sig_r_len = BN_num_bytes(sig_r);
1056 response->sig_s_len = BN_num_bytes(sig_s);
1057 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
1058 (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
1059 skdebug(__func__, "calloc signature failed");
1060 goto out;
1061 }
1062 BN_bn2bin(sig_r, response->sig_r);
1063 BN_bn2bin(sig_s, response->sig_s);
1064 ret = 0;
1065 out:
1066 ECDSA_SIG_free(sig);
1067 if (ret != 0) {
1068 free(response->sig_r);
1069 free(response->sig_s);
1070 response->sig_r = NULL;
1071 response->sig_s = NULL;
1072 }
1073 return ret;
1074 }
1075 #endif /* WITH_OPENSSL */
1076
1077 static int
pack_sig_ed25519(fido_assert_t * assert,struct sk_sign_response * response)1078 pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
1079 {
1080 const unsigned char *ptr;
1081 size_t len;
1082 int ret = -1;
1083
1084 ptr = fido_assert_sig_ptr(assert, 0);
1085 len = fido_assert_sig_len(assert, 0);
1086 if (len != 64) {
1087 skdebug(__func__, "bad length %zu", len);
1088 goto out;
1089 }
1090 response->sig_r_len = len;
1091 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
1092 skdebug(__func__, "calloc signature failed");
1093 goto out;
1094 }
1095 memcpy(response->sig_r, ptr, len);
1096 ret = 0;
1097 out:
1098 if (ret != 0) {
1099 free(response->sig_r);
1100 response->sig_r = NULL;
1101 }
1102 return ret;
1103 }
1104
1105 static int
pack_sig(uint32_t alg,fido_assert_t * assert,struct sk_sign_response * response)1106 pack_sig(uint32_t alg, fido_assert_t *assert,
1107 struct sk_sign_response *response)
1108 {
1109 switch(alg) {
1110 #ifdef WITH_OPENSSL
1111 case SSH_SK_ECDSA:
1112 return pack_sig_ecdsa(assert, response);
1113 #endif /* WITH_OPENSSL */
1114 case SSH_SK_ED25519:
1115 return pack_sig_ed25519(assert, response);
1116 default:
1117 return -1;
1118 }
1119 }
1120
1121 /* Checks sk_options for sk_sign() and sk_load_resident_keys() */
1122 static int
check_sign_load_resident_options(struct sk_option ** options,char ** devicep)1123 check_sign_load_resident_options(struct sk_option **options, char **devicep)
1124 {
1125 size_t i;
1126
1127 if (options == NULL)
1128 return 0;
1129 for (i = 0; options[i] != NULL; i++) {
1130 if (strcmp(options[i]->name, "device") == 0) {
1131 if ((*devicep = strdup(options[i]->value)) == NULL) {
1132 skdebug(__func__, "strdup device failed");
1133 return -1;
1134 }
1135 skdebug(__func__, "requested device %s", *devicep);
1136 } else {
1137 skdebug(__func__, "requested unsupported option %s",
1138 options[i]->name);
1139 if (options[i]->required) {
1140 skdebug(__func__, "unknown required option");
1141 return -1;
1142 }
1143 }
1144 }
1145 return 0;
1146 }
1147
1148 int
sk_sign(uint32_t alg,const uint8_t * data,size_t datalen,const char * application,const uint8_t * key_handle,size_t key_handle_len,uint8_t flags,const char * pin,struct sk_option ** options,struct sk_sign_response ** sign_response)1149 sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
1150 const char *application,
1151 const uint8_t *key_handle, size_t key_handle_len,
1152 uint8_t flags, const char *pin, struct sk_option **options,
1153 struct sk_sign_response **sign_response)
1154 {
1155 fido_assert_t *assert = NULL;
1156 char *device = NULL;
1157 struct sk_usbhid *sk = NULL;
1158 struct sk_sign_response *response = NULL;
1159 int ret = SSH_SK_ERR_GENERAL, internal_uv;
1160 int r;
1161
1162 fido_init(SSH_FIDO_INIT_ARG);
1163
1164 if (sign_response == NULL) {
1165 skdebug(__func__, "sign_response == NULL");
1166 goto out;
1167 }
1168 *sign_response = NULL;
1169 if (check_sign_load_resident_options(options, &device) != 0)
1170 goto out; /* error already logged */
1171 if (device != NULL)
1172 sk = sk_open(device);
1173 else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))
1174 sk = sk_probe(NULL, NULL, 0, 0);
1175 else
1176 sk = sk_probe(application, key_handle, key_handle_len, 0);
1177 if (sk == NULL) {
1178 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1179 skdebug(__func__, "failed to find sk");
1180 goto out;
1181 }
1182 if ((assert = fido_assert_new()) == NULL) {
1183 skdebug(__func__, "fido_assert_new failed");
1184 goto out;
1185 }
1186 if ((r = fido_assert_set_clientdata(assert,
1187 data, datalen)) != FIDO_OK) {
1188 skdebug(__func__, "fido_assert_set_clientdata: %s",
1189 fido_strerr(r));
1190 goto out;
1191 }
1192 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
1193 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
1194 goto out;
1195 }
1196 if ((r = fido_assert_allow_cred(assert, key_handle,
1197 key_handle_len)) != FIDO_OK) {
1198 skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
1199 goto out;
1200 }
1201 if ((r = fido_assert_set_up(assert,
1202 (flags & SSH_SK_USER_PRESENCE_REQD) ?
1203 FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
1204 skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
1205 goto out;
1206 }
1207 /*
1208 * WinHello requests the PIN by default. Make "uv" request explicit
1209 * to allow keys with and without -O verify-required to make sense.
1210 */
1211 if (pin == NULL && fido_dev_is_winhello (sk->dev) &&
1212 (r = fido_assert_set_uv(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
1213 skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
1214 }
1215 if (pin == NULL && (flags & SSH_SK_USER_VERIFICATION_REQD)) {
1216 if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 ||
1217 internal_uv != 1) {
1218 skdebug(__func__, "check_sk_options uv");
1219 ret = SSH_SK_ERR_PIN_REQUIRED;
1220 goto out;
1221 }
1222 if ((r = fido_assert_set_uv(assert,
1223 FIDO_OPT_TRUE)) != FIDO_OK) {
1224 skdebug(__func__, "fido_assert_set_uv: %s",
1225 fido_strerr(r));
1226 ret = fidoerr_to_skerr(r);
1227 goto out;
1228 }
1229 }
1230 if ((r = fido_dev_get_assert(sk->dev, assert, pin)) != FIDO_OK) {
1231 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
1232 ret = fidoerr_to_skerr(r);
1233 goto out;
1234 }
1235 if ((response = calloc(1, sizeof(*response))) == NULL) {
1236 skdebug(__func__, "calloc response failed");
1237 goto out;
1238 }
1239 response->flags = fido_assert_flags(assert, 0);
1240 response->counter = fido_assert_sigcount(assert, 0);
1241 if (pack_sig(alg, assert, response) != 0) {
1242 skdebug(__func__, "pack_sig failed");
1243 goto out;
1244 }
1245 *sign_response = response;
1246 response = NULL;
1247 ret = 0;
1248 out:
1249 free(device);
1250 if (response != NULL) {
1251 free(response->sig_r);
1252 free(response->sig_s);
1253 free(response);
1254 }
1255 sk_close(sk);
1256 fido_assert_free(&assert);
1257 return ret;
1258 }
1259
1260 static int
read_rks(struct sk_usbhid * sk,const char * pin,struct sk_resident_key *** rksp,size_t * nrksp)1261 read_rks(struct sk_usbhid *sk, const char *pin,
1262 struct sk_resident_key ***rksp, size_t *nrksp)
1263 {
1264 int ret = SSH_SK_ERR_GENERAL, r = -1, internal_uv;
1265 fido_credman_metadata_t *metadata = NULL;
1266 fido_credman_rp_t *rp = NULL;
1267 fido_credman_rk_t *rk = NULL;
1268 size_t i, j, nrp, nrk, user_id_len;
1269 const fido_cred_t *cred;
1270 const char *rp_id, *rp_name, *user_name;
1271 struct sk_resident_key *srk = NULL, **tmp;
1272 const u_char *user_id;
1273
1274 if (pin == NULL) {
1275 skdebug(__func__, "no PIN specified");
1276 ret = SSH_SK_ERR_PIN_REQUIRED;
1277 goto out;
1278 }
1279 if ((metadata = fido_credman_metadata_new()) == NULL) {
1280 skdebug(__func__, "alloc failed");
1281 goto out;
1282 }
1283 if (check_sk_options(sk->dev, "uv", &internal_uv) != 0) {
1284 skdebug(__func__, "check_sk_options failed");
1285 goto out;
1286 }
1287
1288 if ((r = fido_credman_get_dev_metadata(sk->dev, metadata, pin)) != 0) {
1289 if (r == FIDO_ERR_INVALID_COMMAND) {
1290 skdebug(__func__, "device %s does not support "
1291 "resident keys", sk->path);
1292 ret = 0;
1293 goto out;
1294 }
1295 skdebug(__func__, "get metadata for %s failed: %s",
1296 sk->path, fido_strerr(r));
1297 ret = fidoerr_to_skerr(r);
1298 goto out;
1299 }
1300 skdebug(__func__, "existing %llu, remaining %llu",
1301 (unsigned long long)fido_credman_rk_existing(metadata),
1302 (unsigned long long)fido_credman_rk_remaining(metadata));
1303 if ((rp = fido_credman_rp_new()) == NULL) {
1304 skdebug(__func__, "alloc rp failed");
1305 goto out;
1306 }
1307 if ((r = fido_credman_get_dev_rp(sk->dev, rp, pin)) != 0) {
1308 skdebug(__func__, "get RPs for %s failed: %s",
1309 sk->path, fido_strerr(r));
1310 goto out;
1311 }
1312 nrp = fido_credman_rp_count(rp);
1313 skdebug(__func__, "Device %s has resident keys for %zu RPs",
1314 sk->path, nrp);
1315
1316 /* Iterate over RP IDs that have resident keys */
1317 for (i = 0; i < nrp; i++) {
1318 rp_id = fido_credman_rp_id(rp, i);
1319 rp_name = fido_credman_rp_name(rp, i);
1320 skdebug(__func__, "rp %zu: name=\"%s\" id=\"%s\" hashlen=%zu",
1321 i, rp_name == NULL ? "(none)" : rp_name,
1322 rp_id == NULL ? "(none)" : rp_id,
1323 fido_credman_rp_id_hash_len(rp, i));
1324
1325 /* Skip non-SSH RP IDs */
1326 if (rp_id == NULL ||
1327 strncasecmp(fido_credman_rp_id(rp, i), "ssh:", 4) != 0)
1328 continue;
1329
1330 fido_credman_rk_free(&rk);
1331 if ((rk = fido_credman_rk_new()) == NULL) {
1332 skdebug(__func__, "alloc rk failed");
1333 goto out;
1334 }
1335 if ((r = fido_credman_get_dev_rk(sk->dev,
1336 fido_credman_rp_id(rp, i), rk, pin)) != 0) {
1337 skdebug(__func__, "get RKs for %s slot %zu failed: %s",
1338 sk->path, i, fido_strerr(r));
1339 goto out;
1340 }
1341 nrk = fido_credman_rk_count(rk);
1342 skdebug(__func__, "RP \"%s\" has %zu resident keys",
1343 fido_credman_rp_id(rp, i), nrk);
1344
1345 /* Iterate over resident keys for this RP ID */
1346 for (j = 0; j < nrk; j++) {
1347 if ((cred = fido_credman_rk(rk, j)) == NULL) {
1348 skdebug(__func__, "no RK in slot %zu", j);
1349 continue;
1350 }
1351 if ((user_name = fido_cred_user_name(cred)) == NULL)
1352 user_name = "";
1353 user_id = fido_cred_user_id_ptr(cred);
1354 user_id_len = fido_cred_user_id_len(cred);
1355 skdebug(__func__, "Device %s RP \"%s\" user \"%s\" "
1356 "uidlen %zu slot %zu: type %d flags 0x%02x "
1357 "prot 0x%02x", sk->path, rp_id, user_name,
1358 user_id_len, j, fido_cred_type(cred),
1359 fido_cred_flags(cred), fido_cred_prot(cred));
1360
1361 /* build response entry */
1362 if ((srk = calloc(1, sizeof(*srk))) == NULL ||
1363 (srk->key.key_handle = calloc(1,
1364 fido_cred_id_len(cred))) == NULL ||
1365 (srk->application = strdup(rp_id)) == NULL ||
1366 (user_id_len > 0 &&
1367 (srk->user_id = calloc(1, user_id_len)) == NULL)) {
1368 skdebug(__func__, "alloc sk_resident_key");
1369 goto out;
1370 }
1371
1372 srk->key.key_handle_len = fido_cred_id_len(cred);
1373 memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
1374 srk->key.key_handle_len);
1375 srk->user_id_len = user_id_len;
1376 if (srk->user_id_len != 0)
1377 memcpy(srk->user_id, user_id, srk->user_id_len);
1378
1379 switch (fido_cred_type(cred)) {
1380 case COSE_ES256:
1381 srk->alg = SSH_SK_ECDSA;
1382 break;
1383 case COSE_EDDSA:
1384 srk->alg = SSH_SK_ED25519;
1385 break;
1386 default:
1387 skdebug(__func__, "unsupported key type %d",
1388 fido_cred_type(cred));
1389 goto out; /* XXX free rk and continue */
1390 }
1391
1392 if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED
1393 && internal_uv == -1)
1394 srk->flags |= SSH_SK_USER_VERIFICATION_REQD;
1395
1396 if ((r = pack_public_key(srk->alg, cred,
1397 &srk->key)) != 0) {
1398 skdebug(__func__, "pack public key failed");
1399 goto out;
1400 }
1401 /* append */
1402 if ((tmp = recallocarray(*rksp, *nrksp, (*nrksp) + 1,
1403 sizeof(**rksp))) == NULL) {
1404 skdebug(__func__, "alloc rksp");
1405 goto out;
1406 }
1407 *rksp = tmp;
1408 (*rksp)[(*nrksp)++] = srk;
1409 srk = NULL;
1410 }
1411 }
1412 /* Success */
1413 ret = 0;
1414 out:
1415 if (srk != NULL) {
1416 free(srk->application);
1417 freezero(srk->key.public_key, srk->key.public_key_len);
1418 freezero(srk->key.key_handle, srk->key.key_handle_len);
1419 freezero(srk->user_id, srk->user_id_len);
1420 freezero(srk, sizeof(*srk));
1421 }
1422 fido_credman_rp_free(&rp);
1423 fido_credman_rk_free(&rk);
1424 fido_credman_metadata_free(&metadata);
1425 return ret;
1426 }
1427
1428 int
sk_load_resident_keys(const char * pin,struct sk_option ** options,struct sk_resident_key *** rksp,size_t * nrksp)1429 sk_load_resident_keys(const char *pin, struct sk_option **options,
1430 struct sk_resident_key ***rksp, size_t *nrksp)
1431 {
1432 int ret = SSH_SK_ERR_GENERAL, r = -1;
1433 size_t i, nrks = 0;
1434 struct sk_resident_key **rks = NULL;
1435 struct sk_usbhid *sk = NULL;
1436 char *device = NULL;
1437
1438 *rksp = NULL;
1439 *nrksp = 0;
1440
1441 fido_init(SSH_FIDO_INIT_ARG);
1442
1443 if (check_sign_load_resident_options(options, &device) != 0)
1444 goto out; /* error already logged */
1445 if (device != NULL)
1446 sk = sk_open(device);
1447 else
1448 sk = sk_probe(NULL, NULL, 0, 1);
1449 if (sk == NULL) {
1450 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1451 skdebug(__func__, "failed to find sk");
1452 goto out;
1453 }
1454 skdebug(__func__, "trying %s", sk->path);
1455 if ((r = read_rks(sk, pin, &rks, &nrks)) != 0) {
1456 skdebug(__func__, "read_rks failed for %s", sk->path);
1457 ret = r;
1458 goto out;
1459 }
1460 /* success, unless we have no keys but a specific error */
1461 if (nrks > 0 || ret == SSH_SK_ERR_GENERAL)
1462 ret = 0;
1463 *rksp = rks;
1464 *nrksp = nrks;
1465 rks = NULL;
1466 nrks = 0;
1467 out:
1468 sk_close(sk);
1469 for (i = 0; i < nrks; i++) {
1470 free(rks[i]->application);
1471 freezero(rks[i]->key.public_key, rks[i]->key.public_key_len);
1472 freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len);
1473 freezero(rks[i]->user_id, rks[i]->user_id_len);
1474 freezero(rks[i], sizeof(*rks[i]));
1475 }
1476 free(device);
1477 free(rks);
1478 return ret;
1479 }
1480
1481 #endif /* ENABLE_SK_INTERNAL */
1482