1 /* $OpenBSD: sk-usbhid.c,v 1.45 2022/09/14 00:14:37 djm Exp $ */
3 * Copyright (c) 2019 Markus Friedl
4 * Copyright (c) 2020 Pedro Martelletto
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #ifdef ENABLE_SK_INTERNAL
35 * Almost every use of OpenSSL in this file is for ECDSA-NISTP256.
36 * This is strictly a larger hammer than necessary, but it reduces changes
39 #ifndef OPENSSL_HAS_ECC
44 #include <openssl/opensslv.h>
45 #include <openssl/crypto.h>
46 #include <openssl/bn.h>
47 #include <openssl/ec.h>
48 #include <openssl/ecdsa.h>
49 #include <openssl/evp.h>
50 #endif /* WITH_OPENSSL */
53 #include <fido/credman.h>
55 /* backwards compat for libfido2 */
56 #ifndef HAVE_FIDO_CRED_PROT
57 #define fido_cred_prot(x) (0)
59 #ifndef HAVE_FIDO_CRED_SET_PROT
60 #define fido_cred_set_prot(x, y) (FIDO_ERR_UNSUPPORTED_OPTION)
62 #ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
63 #define fido_dev_supports_cred_prot(x) (0)
65 #ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
66 #define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
68 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
69 #define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
71 #ifndef FIDO_CRED_PROT_UV_REQUIRED
72 #define FIDO_CRED_PROT_UV_REQUIRED 0
74 #ifndef FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID
75 #define FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID 0
83 * If building as part of OpenSSH, then rename exported functions.
84 * This must be done before including sk-api.h.
86 # define sk_api_version ssh_sk_api_version
87 # define sk_enroll ssh_sk_enroll
88 # define sk_sign ssh_sk_sign
89 # define sk_load_resident_keys ssh_sk_load_resident_keys
90 #endif /* !SK_STANDALONE */
94 /* #define SK_DEBUG 1 */
97 #define SSH_FIDO_INIT_ARG FIDO_DEBUG
99 #define SSH_FIDO_INIT_ARG 0
/* Upper bound on the device list that sk_probe() allocates and enumerates. */
102 #define MAX_FIDO_DEVICES 8
/* Per-device timeout, in milliseconds, passed to fido_dev_get_touch_status(). */
103 #define FIDO_POLL_MS 50
/* Overall budget, in milliseconds, for selecting a token by touch. */
104 #define SELECT_MS 15000
/* Pause before each polling round, in nanoseconds (200 ms); stored in tv_nsec. */
105 #define POLL_SLEEP_NS 200000000
107 /* Compatibility with OpenSSL 1.0.x */
108 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
109 #define ECDSA_SIG_get0(sig, pr, ps) \
115 #ifndef FIDO_ERR_OPERATION_DENIED
116 #define FIDO_ERR_OPERATION_DENIED 0x27
124 /* Return the version of the middleware API */
125 uint32_t sk_api_version(void);
127 /* Enroll a U2F key (private key generation) */
128 int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
129 const char *application, uint8_t flags, const char *pin,
130 struct sk_option **options, struct sk_enroll_response **enroll_response);
132 /* Sign a challenge */
133 int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len,
134 const char *application, const uint8_t *key_handle, size_t key_handle_len,
135 uint8_t flags, const char *pin, struct sk_option **options,
136 struct sk_sign_response **sign_response);
138 /* Load resident keys */
139 int sk_load_resident_keys(const char *pin, struct sk_option **options,
140 struct sk_resident_key ***rks, size_t *nrks);
/*
 * Debug logger used throughout this file. The printf format attribute on
 * the prototype (format at argument 2, varargs from argument 3) lets the
 * compiler check every call's format string against its arguments.
 */
142 static void skdebug(const char *func, const char *fmt, ...)
143 __attribute__((__format__ (printf, 2, 3)));
146 skdebug(const char *func, const char *fmt, ...)
148 #if !defined(SK_STANDALONE)
/* Built as part of OpenSSH: format into msg, then log through debug(). */
153 xvasprintf(&msg, fmt, ap);
/* msg is passed as a "%s" argument, never as the format string itself. */
155 debug("%s: %s", func, msg);
157 #elif defined(SK_DEBUG)
/* Standalone build with SK_DEBUG defined: write to stderr instead. */
161 fprintf(stderr, "%s: ", func);
162 vfprintf(stderr, fmt, ap);
/* Remaining configuration: func is only referenced, nothing is printed. */
166 (void)func; /* XXX */
174 return SSH_SK_VERSION_MAJOR;
/*
 * Allocate a struct sk_usbhid for the device at path and open it through
 * libfido2. Every failure is logged with skdebug(); the return statements
 * and part of the cleanup are not included in this listing.
 */
177 static struct sk_usbhid *
178 sk_open(const char *path)
180 struct sk_usbhid *sk;
/* Logged when the caller passes no path (the test itself is elided here). */
184 skdebug(__func__, "path == NULL");
/* calloc() zero-fills the new struct. */
187 if ((sk = calloc(1, sizeof(*sk))) == NULL) {
188 skdebug(__func__, "calloc sk failed");
/* Keep a private copy of the path instead of aliasing the caller's string. */
191 if ((sk->path = strdup(path)) == NULL) {
192 skdebug(__func__, "strdup path failed");
196 if ((sk->dev = fido_dev_new()) == NULL) {
197 skdebug(__func__, "fido_dev_new failed");
/* Open failed: log which path and why, then release the fido_dev_t. */
202 if ((r = fido_dev_open(sk->dev, sk->path)) != FIDO_OK) {
203 skdebug(__func__, "fido_dev_open %s failed: %s", sk->path,
205 fido_dev_free(&sk->dev);
/*
 * Tear down a device handle: cancel, close, then free the fido_dev_t.
 * Handling of a NULL sk and of sk->path is not visible in this listing.
 */
214 sk_close(struct sk_usbhid *sk)
218 fido_dev_cancel(sk->dev); /* cancel any pending operation */
219 fido_dev_close(sk->dev);
220 fido_dev_free(&sk->dev);
/*
 * Try to open every entry of devlist. Opened devices are stored at
 * skv[*nopen]; an entry that cannot be resolved or opened is logged and
 * the scan moves on to the next one instead of aborting.
 */
225 static struct sk_usbhid **
226 sk_openv(const fido_dev_info_t *devlist, size_t ndevs, size_t *nopen)
228 const fido_dev_info_t *di;
229 struct sk_usbhid **skv;
/* calloc(n, size) leaves the n * size overflow check to the allocator. */
233 if ((skv = calloc(ndevs, sizeof(*skv))) == NULL) {
234 skdebug(__func__, "calloc skv failed");
237 for (i = 0; i < ndevs; i++) {
238 if ((di = fido_dev_info_ptr(devlist, i)) == NULL)
239 skdebug(__func__, "fido_dev_info_ptr failed");
240 else if ((skv[*nopen] = sk_open(fido_dev_info_path(di))) == NULL)
241 skdebug(__func__, "sk_open failed");
/* Second pass over the array; its body is elided in this listing. */
246 for (i = 0; i < ndevs; i++)
256 sk_closev(struct sk_usbhid **skv, size_t nsk)
260 for (i = 0; i < nsk; i++)
/*
 * Ask each open device to start waiting for a touch. A failing device is
 * logged with its path and the libfido2 error string.
 */
266 sk_touch_begin(struct sk_usbhid **skv, size_t nsk)
271 for (i = 0; i < nsk; i++)
272 if ((r = fido_dev_get_touch_begin(skv[i]->dev)) != FIDO_OK)
273 skdebug(__func__, "fido_dev_get_touch_begin %s failed:"
274 " %s", skv[i]->path, fido_strerr(r));
/*
 * One polling round over the open devices: sleep POLL_SLEEP_NS, then ask
 * each remaining device for its touch status with a FIDO_POLL_MS timeout.
 * The touch result is written to *touch; how *idx is set is elided here.
 */
282 sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx)
284 struct timespec ts_pause;
289 ts_pause.tv_nsec = POLL_SLEEP_NS;
290 nanosleep(&ts_pause, NULL);
292 for (i = 0; i < nsk; i++) {
/* Slots already discarded in an earlier round are skipped. */
294 continue; /* device discarded */
295 skdebug(__func__, "polling %s", skv[i]->path);
/* A device whose status query fails is closed and dropped from the set. */
296 if ((r = fido_dev_get_touch_status(skv[i]->dev, touch,
297 FIDO_POLL_MS)) != FIDO_OK) {
298 skdebug(__func__, "fido_dev_get_touch_status %s: %s",
299 skv[i]->path, fido_strerr(r));
300 sk_close(skv[i]); /* discard device */
/* Logged once every device has been discarded. */
303 skdebug(__func__, "no device left to poll");
315 #if !defined(HAVE_FIDO_ASSERT_SET_CLIENTDATA) || \
316 !defined(HAVE_FIDO_CRED_SET_CLIENTDATA)
317 /* Calculate SHA256(m) */
/*
 * d receives the digest. Callers in this file pass sizeof(d) as dlen; the
 * check made on dlen is elided in this listing.
 */
319 sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
/*
 * Two back ends are visible: OpenSSL's EVP_Digest() and the
 * SHA256Update()/SHA256Final() pair. The preprocessor lines that choose
 * between them are not shown.
 */
331 if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))
335 SHA256Update(&ctx, (const uint8_t *)m, mlen);
336 SHA256Final(d, &ctx);
340 #endif /* !HAVE_FIDO_ASSERT_SET_CLIENTDATA || !HAVE_FIDO_CRED_SET_CLIENTDATA */
342 #ifndef HAVE_FIDO_CRED_SET_CLIENTDATA
/*
 * Fallback for libfido2 builds without fido_cred_set_clientdata(): hash
 * the client data with SHA-256 and hand the digest to
 * fido_cred_set_clientdata_hash().
 */
344 fido_cred_set_clientdata(fido_cred_t *cred, const u_char *ptr, size_t len)
349 if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
350 skdebug(__func__, "hash challenge failed");
351 return FIDO_ERR_INTERNAL;
353 r = fido_cred_set_clientdata_hash(cred, d, sizeof(d));
/*
 * Wipe the local digest once libfido2 has been given it. explicit_bzero()
 * is used because a plain memset() of a dying buffer may be optimised out.
 */
354 explicit_bzero(d, sizeof(d));
356 skdebug(__func__, "fido_cred_set_clientdata_hash failed: %s",
361 #endif /* HAVE_FIDO_CRED_SET_CLIENTDATA */
363 #ifndef HAVE_FIDO_ASSERT_SET_CLIENTDATA
/*
 * Fallback for libfido2 builds without fido_assert_set_clientdata(): hash
 * the client data with SHA-256 and hand the digest to
 * fido_assert_set_clientdata_hash().
 */
365 fido_assert_set_clientdata(fido_assert_t *assert, const u_char *ptr, size_t len)
370 if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
371 skdebug(__func__, "hash challenge failed");
372 return FIDO_ERR_INTERNAL;
374 r = fido_assert_set_clientdata_hash(assert, d, sizeof(d));
/*
 * Wipe the local digest once libfido2 has been given it. explicit_bzero()
 * is used because a plain memset() of a dying buffer may be optimised out.
 */
375 explicit_bzero(d, sizeof(d));
377 skdebug(__func__, "fido_assert_set_clientdata_hash failed: %s",
382 #endif /* HAVE_FIDO_ASSERT_SET_CLIENTDATA */
384 #ifndef HAVE_FIDO_DEV_IS_WINHELLO
386 fido_dev_is_winhello(const fido_dev_t *fdev)
390 #endif /* HAVE_FIDO_DEV_IS_WINHELLO */
392 /* Check if the specified key handle exists on a given sk. */
/*
 * Returns 0 when the probe assertion ends with FIDO_OK and -1 otherwise.
 * The probe asks for no user presence and passes no PIN, so it is meant
 * to run without prompting the user.
 */
394 sk_try(const struct sk_usbhid *sk, const char *application,
395 const uint8_t *key_handle, size_t key_handle_len)
397 fido_assert_t *assert = NULL;
398 int r = FIDO_ERR_INTERNAL;
/* The client data is an all-zero buffer: the result is never used as a real signature. */
401 memset(message, '\0', sizeof(message));
402 if ((assert = fido_assert_new()) == NULL) {
403 skdebug(__func__, "fido_assert_new failed");
406 /* generate an invalid signature on FIDO2 tokens */
407 if ((r = fido_assert_set_clientdata(assert, message,
408 sizeof(message))) != FIDO_OK) {
409 skdebug(__func__, "fido_assert_set_clientdata: %s",
413 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
414 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
/* Restrict the assertion to the one credential being looked for. */
417 if ((r = fido_assert_allow_cred(assert, key_handle,
418 key_handle_len)) != FIDO_OK) {
419 skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
/*
 * User presence is switched off for the probe.
 * NOTE(review): the log text below says "fido_assert_up" although the
 * failing call is fido_assert_set_up(); key_lookup() logs the full name.
 */
422 if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
423 skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
426 r = fido_dev_get_assert(sk->dev, assert, NULL);
427 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
/* Special case for U2F tokens; the statement inside this branch is elided here. */
428 if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
429 /* U2F tokens may return this */
433 fido_assert_free(&assert);
435 return r != FIDO_OK ? -1 : 0;
/*
 * Look up the option named opt in the device's CBOR info and report it
 * through *ret. Callers in this file compare *ret with -1 to recognise an
 * option the device did not report; the assignments to *ret are elided in
 * this listing.
 */
439 check_sk_options(fido_dev_t *dev, const char *opt, int *ret)
441 fido_cbor_info_t *info;
/* Non-FIDO2 devices are logged; presumably the function returns before the CBOR query. */
449 if (!fido_dev_is_fido2(dev)) {
450 skdebug(__func__, "device is not fido2");
453 if ((info = fido_cbor_info_new()) == NULL) {
454 skdebug(__func__, "fido_cbor_info_new failed");
457 if ((r = fido_dev_get_cbor_info(dev, info)) != FIDO_OK) {
458 skdebug(__func__, "fido_dev_get_cbor_info: %s", fido_strerr(r));
459 fido_cbor_info_free(&info);
/* Parallel name/value arrays of length len, as reported by the device. */
462 name = fido_cbor_info_options_name_ptr(info);
463 value = fido_cbor_info_options_value_ptr(info);
464 len = fido_cbor_info_options_len(info);
465 for (i = 0; i < len; i++) {
/* Exact, case-sensitive match on the option name. */
466 if (!strcmp(name[i], opt)) {
471 fido_cbor_info_free(&info);
473 skdebug(__func__, "option %s is unknown", opt);
475 skdebug(__func__, "option %s is %s", opt, *ret ? "on" : "off");
/*
 * Pick the token that holds the given key handle: open every listed
 * device, probe each with sk_try(), and log the one that answers. The
 * whole set is handed to sk_closev() at the end; how the selected device
 * is kept out of that call is elided in this listing.
 */
480 static struct sk_usbhid *
481 sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
482 const char *application, const uint8_t *key_handle, size_t key_handle_len)
484 struct sk_usbhid **skv, *sk;
488 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
489 skdebug(__func__, "sk_openv failed");
/*
 * Special case: exactly one device, and it reports a "uv" option
 * (internal_uv != -1). The body of this branch is elided here.
 */
492 if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
493 &internal_uv) == 0 && internal_uv != -1) {
499 for (i = 0; i < skvcnt; i++) {
500 if (sk_try(skv[i], application, key_handle,
501 key_handle_len) == 0) {
504 skdebug(__func__, "found key in %s", sk->path);
509 sk_closev(skv, skvcnt);
/*
 * Pick a token by asking the user to touch it: open every listed device,
 * start a touch request on each, and poll until one is touched or the
 * SELECT_MS budget runs out.
 */
513 static struct sk_usbhid *
514 sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
516 struct sk_usbhid **skv, *sk;
517 struct timeval tv_start, tv_now, tv_delta;
519 int touch, ms_remain;
521 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
522 skdebug(__func__, "sk_openv failed");
528 /* single candidate */
/* Without touch-status support in libfido2, several tokens cannot be told apart. */
534 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
535 skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
539 if (sk_touch_begin(skv, skvcnt) == -1) {
540 skdebug(__func__, "sk_touch_begin failed");
/* Start of the timeout window; monotime_tv() is presumably a monotonic clock. */
543 monotime_tv(&tv_start);
545 if (sk_touch_poll(skv, skvcnt, &touch, &idx) == -1) {
546 skdebug(__func__, "sk_touch_poll failed");
/* Remaining budget in ms = SELECT_MS minus the time elapsed since tv_start. */
554 monotime_tv(&tv_now);
555 timersub(&tv_now, &tv_start, &tv_delta);
556 ms_remain = SELECT_MS - tv_delta.tv_sec * 1000 -
557 tv_delta.tv_usec / 1000;
/* Keep polling only while one more FIDO_POLL_MS wait still fits in the budget. */
558 } while (ms_remain >= FIDO_POLL_MS);
559 skdebug(__func__, "timeout");
561 sk_closev(skv, skvcnt);
/*
 * Find a token to use. Enumerates at most MAX_FIDO_DEVICES devices, then
 * selects by credential when both application and key_handle are given
 * and by touch otherwise. The device list is freed before returning.
 */
565 static struct sk_usbhid *
566 sk_probe(const char *application, const uint8_t *key_handle,
567 size_t key_handle_len, int probe_resident)
569 struct sk_usbhid *sk;
570 fido_dev_info_t *devlist;
/* Cygwin builds try the Windows Hello path first, except when probing for resident keys. */
575 if (!probe_resident && (sk = sk_open("windows://hello")) != NULL)
577 #endif /* HAVE_CYGWIN */
578 if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) {
579 skdebug(__func__, "fido_dev_info_new failed");
/* ndevs is filled in by libfido2 with the number of devices found. */
582 if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES,
583 &ndevs)) != FIDO_OK) {
584 skdebug(__func__, "fido_dev_info_manifest failed: %s",
586 fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
589 skdebug(__func__, "%zu device(s) detected", ndevs);
/* The first branch of this if/else chain is elided in this listing. */
592 } else if (application != NULL && key_handle != NULL) {
593 skdebug(__func__, "selecting sk by cred");
594 sk = sk_select_by_cred(devlist, ndevs, application, key_handle,
597 skdebug(__func__, "selecting sk by touch");
598 sk = sk_select_by_touch(devlist, ndevs);
600 fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
606 * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
607 * but the API expects a SEC1 octet string.
/*
 * Convert the credential's 64-byte public key (32-byte x followed by
 * 32-byte y) into an uncompressed EC point octet string on P-256 and
 * store it in response->public_key / public_key_len.
 */
610 pack_public_key_ecdsa(const fido_cred_t *cred,
611 struct sk_enroll_response *response)
614 BIGNUM *x = NULL, *y = NULL;
/* Start from a known-empty result so the cleanup code can test the pointer. */
619 response->public_key = NULL;
620 response->public_key_len = 0;
622 if ((x = BN_new()) == NULL ||
623 (y = BN_new()) == NULL ||
624 (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL ||
625 (q = EC_POINT_new(g)) == NULL) {
626 skdebug(__func__, "libcrypto setup failed");
629 if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
630 skdebug(__func__, "fido_cred_pubkey_ptr failed");
/* The device-supplied length must be exactly 64 before 2 x 32 bytes are read from ptr. */
633 if (fido_cred_pubkey_len(cred) != 64) {
634 skdebug(__func__, "bad fido_cred_pubkey_len %zu",
635 fido_cred_pubkey_len(cred));
639 if (BN_bin2bn(ptr, 32, x) == NULL ||
640 BN_bin2bn(ptr + 32, 32, y) == NULL) {
641 skdebug(__func__, "BN_bin2bn failed");
644 if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, NULL) != 1) {
645 skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed");
/* First call, with a NULL buffer, only asks for the encoded length. */
648 response->public_key_len = EC_POINT_point2oct(g, q,
649 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
/* Reject a zero or implausibly large length before allocating. */
650 if (response->public_key_len == 0 || response->public_key_len > 2048) {
651 skdebug(__func__, "bad pubkey length %zu",
652 response->public_key_len);
655 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
656 skdebug(__func__, "malloc pubkey failed");
/* Second call writes the encoding into the buffer sized above. */
659 if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
660 response->public_key, response->public_key_len, NULL) == 0) {
661 skdebug(__func__, "EC_POINT_point2oct failed");
/*
 * Failure path: clear, free and reset the pointer so the caller never
 * sees a partial key. A plain memset() before free() may be optimised
 * away; the buffer holds a public key, so nothing secret depends on it.
 */
667 if (ret != 0 && response->public_key != NULL) {
668 memset(response->public_key, 0, response->public_key_len);
669 free(response->public_key);
670 response->public_key = NULL;
678 #endif /* WITH_OPENSSL */
/*
 * Copy the credential's Ed25519 public key into response->public_key.
 * The key must be exactly 32 bytes long.
 */
681 pack_public_key_ed25519(const fido_cred_t *cred,
682 struct sk_enroll_response *response)
688 response->public_key = NULL;
689 response->public_key_len = 0;
/* Length is validated before the pointer is fetched or anything is copied. */
691 if ((len = fido_cred_pubkey_len(cred)) != 32) {
692 skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len);
695 if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
696 skdebug(__func__, "fido_cred_pubkey_ptr failed");
699 response->public_key_len = len;
700 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
701 skdebug(__func__, "malloc pubkey failed");
/* The buffer was allocated with the same len that is copied here. */
704 memcpy(response->public_key, ptr, len);
/* Part of the cleanup code; the condition guarding this free() is elided here. */
708 free(response->public_key);
/*
 * Dispatch on alg to the ECDSA or Ed25519 packer. The ECDSA call sits
 * before the "#endif WITH_OPENSSL" line; the switch and its case labels
 * are elided in this listing.
 */
713 pack_public_key(uint32_t alg, const fido_cred_t *cred,
714 struct sk_enroll_response *response)
719 return pack_public_key_ecdsa(cred, response);
720 #endif /* WITH_OPENSSL */
722 return pack_public_key_ed25519(cred, response);
/*
 * Translate a libfido2 error code into an SSH_SK_ERR_* value. Only the
 * mappings below are visible; the default case is elided in this listing.
 */
729 fidoerr_to_skerr(int fidoerr)
732 case FIDO_ERR_UNSUPPORTED_OPTION:
733 case FIDO_ERR_UNSUPPORTED_ALGORITHM:
734 return SSH_SK_ERR_UNSUPPORTED;
/* A missing PIN, a wrong PIN and a denied operation all map to PIN_REQUIRED. */
735 case FIDO_ERR_PIN_REQUIRED:
736 case FIDO_ERR_PIN_INVALID:
737 case FIDO_ERR_OPERATION_DENIED:
738 return SSH_SK_ERR_PIN_REQUIRED;
/*
 * Parse the enrollment options. "device" is duplicated into *devicep and
 * "user" is copied into user_id; any other option is logged, and treated
 * as an error only when it is marked required.
 */
745 check_enroll_options(struct sk_option **options, char **devicep,
746 uint8_t *user_id, size_t user_id_len)
/*
 * NOTE(review): the loop dereferences options[i]; a NULL check on options
 * like the one in check_sign_load_resident_options() is not visible in
 * this listing - confirm it exists in the elided lines.
 */
752 for (i = 0; options[i] != NULL; i++) {
753 if (strcmp(options[i]->name, "device") == 0) {
/* NOTE(review): a repeated "device" option would overwrite *devicep without freeing the earlier copy. */
754 if ((*devicep = strdup(options[i]->value)) == NULL) {
755 skdebug(__func__, "strdup device failed");
758 skdebug(__func__, "requested device %s", *devicep);
759 } else if (strcmp(options[i]->name, "user") == 0) {
/* Bounded copy: strlcpy()'s return value is compared so an over-long user is rejected, not truncated. */
760 if (strlcpy(user_id, options[i]->value, user_id_len) >=
762 skdebug(__func__, "user too long");
765 skdebug(__func__, "requested user %s",
768 skdebug(__func__, "requested unsupported option %s",
/* Fail closed: an unknown option the caller marked as required is an error. */
770 if (options[i]->required) {
771 skdebug(__func__, "unknown required option");
/*
 * Check whether the token already holds a credential for application
 * whose user id equals user_id. Returns a FIDO_* code; sk_enroll() treats
 * anything other than FIDO_ERR_NO_CREDENTIALS as a reason to stop.
 */
780 key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
781 size_t user_id_len, const char *pin)
783 fido_assert_t *assert = NULL;
785 int r = FIDO_ERR_INTERNAL;
786 int sk_supports_uv, uv;
/* All-zero client data: the assertion is a lookup, not a usable signature. */
789 memset(message, '\0', sizeof(message));
790 if ((assert = fido_assert_new()) == NULL) {
791 skdebug(__func__, "fido_assert_new failed");
794 /* generate an invalid signature on FIDO2 tokens */
795 if ((r = fido_assert_set_clientdata(assert, message,
796 sizeof(message))) != FIDO_OK) {
797 skdebug(__func__, "fido_assert_set_clientdata: %s",
801 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
802 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
/* No user presence is requested for the lookup. */
805 if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
806 skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
/*
 * uv is chosen from whether a PIN was supplied and whether the device
 * reports a "uv" option; the assignments to uv are elided in this listing.
 */
810 if (pin == NULL && check_sk_options(dev, "uv", &sk_supports_uv) == 0 &&
811 sk_supports_uv != -1)
813 if ((r = fido_assert_set_uv(assert, uv)) != FIDO_OK) {
814 skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
817 if ((r = fido_dev_get_assert(dev, assert, pin)) != FIDO_OK) {
818 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
/* Default answer is "no such credential" until a matching user id is found. */
821 r = FIDO_ERR_NO_CREDENTIALS;
822 skdebug(__func__, "%zu signatures returned", fido_assert_count(assert));
823 for (i = 0; i < fido_assert_count(assert); i++) {
/* Lengths are compared first, so memcmp() only runs on equal-length ids. */
824 if (fido_assert_user_id_len(assert, i) == user_id_len &&
825 memcmp(fido_assert_user_id_ptr(assert, i), user_id,
827 skdebug(__func__, "credential exists");
833 fido_assert_free(&assert);
/*
 * Enroll (generate) a new key on a token and return its public key, key
 * handle, attestation signature, attestation certificate and authdata in
 * a newly allocated sk_enroll_response. ret starts as SSH_SK_ERR_GENERAL
 * and is refined on the failure paths that set it.
 */
839 sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
840 const char *application, uint8_t flags, const char *pin,
841 struct sk_option **options, struct sk_enroll_response **enroll_response)
843 fido_cred_t *cred = NULL;
846 struct sk_usbhid *sk = NULL;
847 struct sk_enroll_response *response = NULL;
851 int ret = SSH_SK_ERR_GENERAL;
855 fido_init(SSH_FIDO_INIT_ARG);
857 if (enroll_response == NULL) {
858 skdebug(__func__, "enroll_response == NULL");
/* Clear the out-parameter first so a failed call never leaves a stale pointer behind. */
861 *enroll_response = NULL;
/* user_id defaults to all zeroes unless a "user" option fills it in. */
862 memset(user_id, 0, sizeof(user_id));
863 if (check_enroll_options(options, &device, user_id,
864 sizeof(user_id)) != 0)
865 goto out; /* error already logged */
/* Map the SSH key type to a COSE algorithm; ES256 sits before the "#endif WITH_OPENSSL" line. */
870 cose_alg = COSE_ES256;
872 #endif /* WITH_OPENSSL */
874 cose_alg = COSE_EDDSA;
877 skdebug(__func__, "unsupported key type %d", alg);
/* Use the device named in the options if there is one, otherwise probe (by touch). */
881 sk = sk_open(device);
883 sk = sk_probe(NULL, NULL, 0, 0);
885 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
886 skdebug(__func__, "failed to find sk");
889 skdebug(__func__, "using device %s", sk->path);
/*
 * Resident key without SSH_SK_FORCE_OPERATION: look for an existing
 * credential with the same application and user id first, so that it is
 * not replaced silently. Any result other than "no credentials" stops
 * the enrollment.
 */
890 if ((flags & SSH_SK_RESIDENT_KEY) != 0 &&
891 (flags & SSH_SK_FORCE_OPERATION) == 0 &&
892 (r = key_lookup(sk->dev, application, user_id, sizeof(user_id),
893 pin)) != FIDO_ERR_NO_CREDENTIALS) {
895 ret = fidoerr_to_skerr(r);
896 skdebug(__func__, "key_lookup failed");
898 ret = SSH_SK_ERR_CREDENTIAL_EXISTS;
899 skdebug(__func__, "key exists");
903 if ((cred = fido_cred_new()) == NULL) {
904 skdebug(__func__, "fido_cred_new failed");
907 if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) {
908 skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
911 if ((r = fido_cred_set_clientdata(cred,
912 challenge, challenge_len)) != FIDO_OK) {
913 skdebug(__func__, "fido_cred_set_clientdata: %s",
/* The resident-key option is set only when requested and omitted otherwise. */
917 if ((r = fido_cred_set_rk(cred, (flags & SSH_SK_RESIDENT_KEY) != 0 ?
918 FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
919 skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
922 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
923 "openssh", "openssh", NULL)) != FIDO_OK) {
924 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
927 if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) {
928 skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r));
/*
 * Resident and verify-required keys must carry a credProtect policy.
 * If libfido2 was built without credProtect support the request fails
 * with SSH_SK_ERR_UNSUPPORTED instead of creating an unprotected key.
 */
931 if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
932 #if !defined(HAVE_FIDO_DEV_SUPPORTS_CRED_PROT) || \
933 !defined(HAVE_FIDO_CRED_SET_PROT)
934 skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
935 ret = SSH_SK_ERR_UNSUPPORTED;
937 credprot = 0; (void)credprot; /* avoid warning */
/* Same refusal when the token itself does not support credProtect. */
939 if (!fido_dev_supports_cred_prot(sk->dev)) {
940 skdebug(__func__, "%s does not support credprot, "
941 "refusing to create unprotected "
942 "resident/verify-required key", sk->path);
943 ret = SSH_SK_ERR_UNSUPPORTED;
/* Verify-required keys get UV_REQUIRED; otherwise UV_OPTIONAL_WITH_ID is used. */
946 if ((flags & SSH_SK_USER_VERIFICATION_REQD))
947 credprot = FIDO_CRED_PROT_UV_REQUIRED;
949 credprot = FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID;
951 if ((r = fido_cred_set_prot(cred, credprot)) != FIDO_OK) {
952 skdebug(__func__, "fido_cred_set_prot: %s",
954 ret = fidoerr_to_skerr(r);
958 if ((r = fido_dev_make_cred(sk->dev, cred, pin)) != FIDO_OK) {
959 skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
960 ret = fidoerr_to_skerr(r);
/*
 * Check the attestation the token returned: against the attestation
 * certificate when one is present, as a self-attestation otherwise.
 * NOTE(review): libfido2 documents that fido_cred_verify() does not
 * validate the x509 certificate itself, so trust in the authenticator's
 * origin has to be established by whoever consumes attestation_cert -
 * confirm against the libfido2 version in use.
 */
963 if (fido_cred_x5c_ptr(cred) != NULL) {
964 if ((r = fido_cred_verify(cred)) != FIDO_OK) {
965 skdebug(__func__, "fido_cred_verify: %s",
970 skdebug(__func__, "self-attested credential");
971 if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
972 skdebug(__func__, "fido_cred_verify_self: %s",
977 if ((response = calloc(1, sizeof(*response))) == NULL) {
978 skdebug(__func__, "calloc response failed");
981 response->flags = flags;
982 if (pack_public_key(alg, cred, response) != 0) {
983 skdebug(__func__, "pack_public_key failed");
/*
 * Each field below is copied into a buffer allocated with the length
 * reported by the matching fido_cred_*_len() accessor; a field whose
 * pointer is NULL is left empty.
 */
986 if ((ptr = fido_cred_id_ptr(cred)) != NULL) {
987 len = fido_cred_id_len(cred);
988 if ((response->key_handle = calloc(1, len)) == NULL) {
989 skdebug(__func__, "calloc key handle failed");
992 memcpy(response->key_handle, ptr, len);
993 response->key_handle_len = len;
995 if ((ptr = fido_cred_sig_ptr(cred)) != NULL) {
996 len = fido_cred_sig_len(cred);
997 if ((response->signature = calloc(1, len)) == NULL) {
998 skdebug(__func__, "calloc signature failed");
1001 memcpy(response->signature, ptr, len);
1002 response->signature_len = len;
1004 if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
1005 len = fido_cred_x5c_len(cred);
1006 skdebug(__func__, "attestation cert len=%zu", len);
1007 if ((response->attestation_cert = calloc(1, len)) == NULL) {
1008 skdebug(__func__, "calloc attestation cert failed");
1011 memcpy(response->attestation_cert, ptr, len);
1012 response->attestation_cert_len = len;
1014 if ((ptr = fido_cred_authdata_ptr(cred)) != NULL) {
1015 len = fido_cred_authdata_len(cred);
1016 skdebug(__func__, "authdata len=%zu", len);
1017 if ((response->authdata = calloc(1, len)) == NULL) {
1018 skdebug(__func__, "calloc authdata failed");
1021 memcpy(response->authdata, ptr, len);
1022 response->authdata_len = len;
1024 *enroll_response = response;
/*
 * Cleanup: frees the response's buffers when response is still non-NULL
 * at this point. The statements between the hand-off above and this test
 * are elided; presumably response is cleared on success.
 */
1029 if (response != NULL) {
1030 free(response->public_key);
1031 free(response->key_handle);
1032 free(response->signature);
1033 free(response->attestation_cert);
1034 free(response->authdata);
1038 fido_cred_free(&cred);
/*
 * Decode the DER-encoded ECDSA signature of assertion 0 and store r and s
 * as separate big-endian byte strings in response.
 */
1044 pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
1046 ECDSA_SIG *sig = NULL;
1047 const BIGNUM *sig_r, *sig_s;
1048 const unsigned char *cp;
/* The signature bytes come from the token and are parsed by OpenSSL; a parse failure is handled. */
1052 cp = fido_assert_sig_ptr(assert, 0);
1053 sig_len = fido_assert_sig_len(assert, 0);
1054 if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) {
1055 skdebug(__func__, "d2i_ECDSA_SIG failed");
1058 ECDSA_SIG_get0(sig, &sig_r, &sig_s);
/* Each buffer is sized from BN_num_bytes() of the value BN_bn2bin() later writes into it. */
1059 response->sig_r_len = BN_num_bytes(sig_r);
1060 response->sig_s_len = BN_num_bytes(sig_s);
1061 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
1062 (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
1063 skdebug(__func__, "calloc signature failed");
1066 BN_bn2bin(sig_r, response->sig_r);
1067 BN_bn2bin(sig_s, response->sig_s);
1070 ECDSA_SIG_free(sig);
/* Cleanup of both halves; the condition guarding these lines is elided in this listing. */
1072 free(response->sig_r);
1073 free(response->sig_s);
1074 response->sig_r = NULL;
1075 response->sig_s = NULL;
1079 #endif /* WITH_OPENSSL */
/*
 * Copy the Ed25519 signature of assertion 0 into response->sig_r. The
 * length test behind the "bad length" message is elided in this listing.
 */
1082 pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
1084 const unsigned char *ptr;
1088 ptr = fido_assert_sig_ptr(assert, 0);
1089 len = fido_assert_sig_len(assert, 0);
1091 skdebug(__func__, "bad length %zu", len);
/* The buffer is allocated with the same len that is copied below. */
1094 response->sig_r_len = len;
1095 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
1096 skdebug(__func__, "calloc signature failed");
1099 memcpy(response->sig_r, ptr, len);
/* Cleanup; the condition guarding these lines is elided in this listing. */
1103 free(response->sig_r);
1104 response->sig_r = NULL;
/*
 * Dispatch on alg to the ECDSA or Ed25519 signature packer. The ECDSA
 * call sits before the "#endif WITH_OPENSSL" line; the other case labels
 * and the default case are elided in this listing.
 */
1110 pack_sig(uint32_t alg, fido_assert_t *assert,
1111 struct sk_sign_response *response)
1116 return pack_sig_ecdsa(assert, response);
1117 #endif /* WITH_OPENSSL */
1118 case SSH_SK_ED25519:
1119 return pack_sig_ed25519(assert, response);
1125 /* Checks sk_options for sk_sign() and sk_load_resident_keys() */
/*
 * Only "device" is understood: its value is duplicated into *devicep.
 * Any other option is logged and is an error only when marked required.
 */
1127 check_sign_load_resident_options(struct sk_option **options, char **devicep)
/* A NULL options array is tested for before the loop dereferences it. */
1131 if (options == NULL)
1133 for (i = 0; options[i] != NULL; i++) {
1134 if (strcmp(options[i]->name, "device") == 0) {
/* NOTE(review): a repeated "device" option would overwrite *devicep without freeing the earlier copy. */
1135 if ((*devicep = strdup(options[i]->value)) == NULL) {
1136 skdebug(__func__, "strdup device failed");
1139 skdebug(__func__, "requested device %s", *devicep);
1141 skdebug(__func__, "requested unsupported option %s",
/* Fail closed: an unknown option the caller marked as required is an error. */
1143 if (options[i]->required) {
1144 skdebug(__func__, "unknown required option");
/*
 * Sign data with the key identified by key_handle and return the
 * signature, assertion flags and signature counter in a newly allocated
 * sk_sign_response. ret starts as SSH_SK_ERR_GENERAL and is refined on
 * the failure paths that set it.
 */
1153 sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
1154 const char *application,
1155 const uint8_t *key_handle, size_t key_handle_len,
1156 uint8_t flags, const char *pin, struct sk_option **options,
1157 struct sk_sign_response **sign_response)
1159 fido_assert_t *assert = NULL;
1160 char *device = NULL;
1161 struct sk_usbhid *sk = NULL;
1162 struct sk_sign_response *response = NULL;
1163 int ret = SSH_SK_ERR_GENERAL, internal_uv;
1166 fido_init(SSH_FIDO_INIT_ARG);
1168 if (sign_response == NULL) {
1169 skdebug(__func__, "sign_response == NULL");
/* Clear the out-parameter first so a failed call never leaves a stale pointer behind. */
1172 *sign_response = NULL;
1173 if (check_sign_load_resident_options(options, &device) != 0)
1174 goto out; /* error already logged */
/*
 * Token selection: an explicitly named device wins. With a PIN or a
 * verify-required key the token is chosen by touch; otherwise it is
 * found by probing for the key handle (presumably because that silent
 * probe supplies no PIN).
 */
1176 sk = sk_open(device);
1177 else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))
1178 sk = sk_probe(NULL, NULL, 0, 0);
1180 sk = sk_probe(application, key_handle, key_handle_len, 0);
1182 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1183 skdebug(__func__, "failed to find sk");
1186 if ((assert = fido_assert_new()) == NULL) {
1187 skdebug(__func__, "fido_assert_new failed");
1190 if ((r = fido_assert_set_clientdata(assert,
1191 data, datalen)) != FIDO_OK) {
1192 skdebug(__func__, "fido_assert_set_clientdata: %s",
1196 if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
1197 skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
1200 if ((r = fido_assert_allow_cred(assert, key_handle,
1201 key_handle_len)) != FIDO_OK) {
1202 skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
/* User presence (touch) is requested only when the key's flags ask for it. */
1205 if ((r = fido_assert_set_up(assert,
1206 (flags & SSH_SK_USER_PRESENCE_REQD) ?
1207 FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
1208 skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
1212 * WinHello requests the PIN by default. Make "uv" request explicit
1213 * to allow keys with and without -O verify-required to make sense.
/*
 * NOTE(review): going by the listing's line numbers only one line is
 * elided after the skdebug() below, so a failure to set uv here appears
 * to be logged and then ignored - confirm that is intended.
 */
1215 if (pin == NULL && fido_dev_is_winhello (sk->dev) &&
1216 (r = fido_assert_set_uv(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
1217 skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
/*
 * Verify-required key but no PIN: the token's own "uv" capability is
 * checked and, if that check fails, the caller is told a PIN is required.
 * Part of the condition is elided in this listing.
 */
1219 if (pin == NULL && (flags & SSH_SK_USER_VERIFICATION_REQD)) {
1220 if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 ||
1222 skdebug(__func__, "check_sk_options uv");
1223 ret = SSH_SK_ERR_PIN_REQUIRED;
1226 if ((r = fido_assert_set_uv(assert,
1227 FIDO_OPT_TRUE)) != FIDO_OK) {
1228 skdebug(__func__, "fido_assert_set_uv: %s",
1230 ret = fidoerr_to_skerr(r);
1234 if ((r = fido_dev_get_assert(sk->dev, assert, pin)) != FIDO_OK) {
1235 skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
1236 ret = fidoerr_to_skerr(r);
1239 if ((response = calloc(1, sizeof(*response))) == NULL) {
1240 skdebug(__func__, "calloc response failed");
/* Flags and signature counter are taken from the token's assertion, not from the request. */
1243 response->flags = fido_assert_flags(assert, 0);
1244 response->counter = fido_assert_sigcount(assert, 0);
1245 if (pack_sig(alg, assert, response) != 0) {
1246 skdebug(__func__, "pack_sig failed");
1249 *sign_response = response;
/*
 * Cleanup: frees the signature buffers when response is still non-NULL at
 * this point. The statements between the hand-off above and this test are
 * elided; presumably response is cleared on success.
 */
1254 if (response != NULL) {
1255 free(response->sig_r);
1256 free(response->sig_s);
1260 fido_assert_free(&assert);
/*
 * Read the resident keys stored on sk whose relying-party id starts with
 * "ssh:" and append one sk_resident_key per credential to *rksp, growing
 * the array and *nrksp as it goes.
 */
1265 read_rks(struct sk_usbhid *sk, const char *pin,
1266 struct sk_resident_key ***rksp, size_t *nrksp)
1268 int ret = SSH_SK_ERR_GENERAL, r = -1, internal_uv;
1269 fido_credman_metadata_t *metadata = NULL;
1270 fido_credman_rp_t *rp = NULL;
1271 fido_credman_rk_t *rk = NULL;
1272 size_t i, j, nrp, nrk, user_id_len;
1273 const fido_cred_t *cred;
1274 const char *rp_id, *rp_name, *user_name;
1275 struct sk_resident_key *srk = NULL, **tmp;
1276 const u_char *user_id;
/* A missing PIN is reported as SSH_SK_ERR_PIN_REQUIRED (the test itself is elided here). */
1279 skdebug(__func__, "no PIN specified");
1280 ret = SSH_SK_ERR_PIN_REQUIRED;
1283 if ((metadata = fido_credman_metadata_new()) == NULL) {
1284 skdebug(__func__, "alloc failed");
/* internal_uv is read once here and used below when setting per-key flags. */
1287 if (check_sk_options(sk->dev, "uv", &internal_uv) != 0) {
1288 skdebug(__func__, "check_sk_options failed");
1292 if ((r = fido_credman_get_dev_metadata(sk->dev, metadata, pin)) != 0) {
/* FIDO_ERR_INVALID_COMMAND is read as "this token has no resident-key support". */
1293 if (r == FIDO_ERR_INVALID_COMMAND) {
1294 skdebug(__func__, "device %s does not support "
1295 "resident keys", sk->path);
1299 skdebug(__func__, "get metadata for %s failed: %s",
1300 sk->path, fido_strerr(r));
1301 ret = fidoerr_to_skerr(r);
1304 skdebug(__func__, "existing %llu, remaining %llu",
1305 (unsigned long long)fido_credman_rk_existing(metadata),
1306 (unsigned long long)fido_credman_rk_remaining(metadata));
1307 if ((rp = fido_credman_rp_new()) == NULL) {
1308 skdebug(__func__, "alloc rp failed");
1311 if ((r = fido_credman_get_dev_rp(sk->dev, rp, pin)) != 0) {
1312 skdebug(__func__, "get RPs for %s failed: %s",
1313 sk->path, fido_strerr(r));
1316 nrp = fido_credman_rp_count(rp);
1317 skdebug(__func__, "Device %s has resident keys for %zu RPs",
1320 /* Iterate over RP IDs that have resident keys */
1321 for (i = 0; i < nrp; i++) {
1322 rp_id = fido_credman_rp_id(rp, i);
1323 rp_name = fido_credman_rp_name(rp, i);
/* Token-supplied strings are logged as "%s" arguments, with "(none)" standing in for NULL. */
1324 skdebug(__func__, "rp %zu: name=\"%s\" id=\"%s\" hashlen=%zu",
1325 i, rp_name == NULL ? "(none)" : rp_name,
1326 rp_id == NULL ? "(none)" : rp_id,
1327 fido_credman_rp_id_hash_len(rp, i));
1329 /* Skip non-SSH RP IDs */
/* Case-insensitive match on the four-character "ssh:" prefix. */
1330 if (rp_id == NULL ||
1331 strncasecmp(fido_credman_rp_id(rp, i), "ssh:", 4) != 0)
/* Drop the previous RP's key list before fetching the next one. */
1334 fido_credman_rk_free(&rk);
1335 if ((rk = fido_credman_rk_new()) == NULL) {
1336 skdebug(__func__, "alloc rk failed");
1339 if ((r = fido_credman_get_dev_rk(sk->dev,
1340 fido_credman_rp_id(rp, i), rk, pin)) != 0) {
1341 skdebug(__func__, "get RKs for %s slot %zu failed: %s",
1342 sk->path, i, fido_strerr(r));
1345 nrk = fido_credman_rk_count(rk);
1346 skdebug(__func__, "RP \"%s\" has %zu resident keys",
1347 fido_credman_rp_id(rp, i), nrk);
1349 /* Iterate over resident keys for this RP ID */
1350 for (j = 0; j < nrk; j++) {
1351 if ((cred = fido_credman_rk(rk, j)) == NULL) {
1352 skdebug(__func__, "no RK in slot %zu", j);
1355 if ((user_name = fido_cred_user_name(cred)) == NULL)
1357 user_id = fido_cred_user_id_ptr(cred);
1358 user_id_len = fido_cred_user_id_len(cred);
1359 skdebug(__func__, "Device %s RP \"%s\" user \"%s\" "
1360 "uidlen %zu slot %zu: type %d flags 0x%02x "
1361 "prot 0x%02x", sk->path, rp_id, user_name,
1362 user_id_len, j, fido_cred_type(cred),
1363 fido_cred_flags(cred), fido_cred_prot(cred));
1365 /* build response entry */
/* All allocations for one entry are checked together; a single failure aborts the load. */
1366 if ((srk = calloc(1, sizeof(*srk))) == NULL ||
1367 (srk->key.key_handle = calloc(1,
1368 fido_cred_id_len(cred))) == NULL ||
1369 (srk->application = strdup(rp_id)) == NULL ||
1371 (srk->user_id = calloc(1, user_id_len)) == NULL)) {
1372 skdebug(__func__, "alloc sk_resident_key");
/* Copy lengths are the same accessor values the buffers were allocated with. */
1376 srk->key.key_handle_len = fido_cred_id_len(cred);
1377 memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
1378 srk->key.key_handle_len);
1379 srk->user_id_len = user_id_len;
/* memcpy() is skipped for an empty user id. */
1380 if (srk->user_id_len != 0)
1381 memcpy(srk->user_id, user_id, srk->user_id_len);
1383 switch (fido_cred_type(cred)) {
1385 srk->alg = SSH_SK_ECDSA;
1388 srk->alg = SSH_SK_ED25519;
1391 skdebug(__func__, "unsupported key type %d",
1392 fido_cred_type(cred));
1393 goto out; /* XXX free rk and continue */
/*
 * A key stored with credProtect UV_REQUIRED is marked verify-required
 * only when the token reports no "uv" option (internal_uv == -1).
 * NOTE(review): with the compat fallbacks at the top of this file,
 * fido_cred_prot() and FIDO_CRED_PROT_UV_REQUIRED both expand to 0 on a
 * libfido2 without credProtect, which makes the first comparison always
 * true - confirm that is intended.
 */
1396 if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED
1397 && internal_uv == -1)
1398 srk->flags |= SSH_SK_USER_VERIFICATION_REQD;
1400 if ((r = pack_public_key(srk->alg, cred,
1402 skdebug(__func__, "pack public key failed");
/* The grown array goes into tmp first, so *rksp stays valid if the reallocation fails. */
1406 if ((tmp = recallocarray(*rksp, *nrksp, (*nrksp) + 1,
1407 sizeof(**rksp))) == NULL) {
1408 skdebug(__func__, "alloc rksp");
1412 (*rksp)[(*nrksp)++] = srk;
/*
 * Cleanup of a partially built entry: freezero() clears each buffer
 * before releasing it, so key handle and user id do not linger in freed
 * memory. The guard around these lines is elided in this listing.
 */
1420 free(srk->application);
1421 freezero(srk->key.public_key, srk->key.public_key_len);
1422 freezero(srk->key.key_handle, srk->key.key_handle_len);
1423 freezero(srk->user_id, srk->user_id_len);
1424 freezero(srk, sizeof(*srk));
1426 fido_credman_rp_free(&rp);
1427 fido_credman_rk_free(&rk);
1428 fido_credman_metadata_free(&metadata);
/*
 * Load the SSH resident keys from one token - the device named in the
 * options, or one found by sk_probe() - and return them through
 * rksp / nrksp.
 */
1433 sk_load_resident_keys(const char *pin, struct sk_option **options,
1434 struct sk_resident_key ***rksp, size_t *nrksp)
1436 int ret = SSH_SK_ERR_GENERAL, r = -1;
1438 struct sk_resident_key **rks = NULL;
1439 struct sk_usbhid *sk = NULL;
1440 char *device = NULL;
1445 fido_init(SSH_FIDO_INIT_ARG);
1447 if (check_sign_load_resident_options(options, &device) != 0)
1448 goto out; /* error already logged */
1450 sk = sk_open(device);
/* The last argument (probe_resident = 1) makes sk_probe() skip its Windows Hello attempt. */
1452 sk = sk_probe(NULL, NULL, 0, 1);
1454 ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1455 skdebug(__func__, "failed to find sk");
1458 skdebug(__func__, "trying %s", sk->path);
1459 if ((r = read_rks(sk, pin, &rks, &nrks)) != 0) {
1460 skdebug(__func__, "read_rks failed for %s", sk->path);
1464 /* success, unless we have no keys but a specific error */
1465 if (nrks > 0 || ret == SSH_SK_ERR_GENERAL)
/*
 * Cleanup of entries still owned by this function: each buffer is
 * cleared with freezero() before it is released.
 */
1473 for (i = 0; i < nrks; i++) {
1474 free(rks[i]->application);
1475 freezero(rks[i]->key.public_key, rks[i]->key.public_key_len);
1476 freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len);
1477 freezero(rks[i]->user_id, rks[i]->user_id_len);
1478 freezero(rks[i], sizeof(*rks[i]));
1485 #endif /* ENABLE_SK_INTERNAL */