[thirdparty/systemd.git] / src / home / homework-fido2.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <fido.h>

#include "hexdecoct.h"
#include "homework-fido2.h"
#include "strv.h"

static int fido2_use_specific_token(
                const char *path,
                UserRecord *h,
                UserRecord *secret,
                const Fido2HmacSalt *salt,
                char **ret) {

        _cleanup_(fido_cbor_info_free) fido_cbor_info_t *di = NULL;
        _cleanup_(fido_assert_free) fido_assert_t *a = NULL;
        _cleanup_(fido_dev_free) fido_dev_t *d = NULL;
        bool found_extension = false;
        size_t n, hmac_size;
        const void *hmac;
        char **e;
        int r;

        d = fido_dev_new();
        if (!d)
                return log_oom();

        r = fido_dev_open(d, path);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to open FIDO2 device %s: %s", path, fido_strerr(r));

        if (!fido_dev_is_fido2(d))
                return log_error_errno(SYNTHETIC_ERRNO(ENODEV),
                                       "Specified device %s is not a FIDO2 device.", path);

        di = fido_cbor_info_new();
        if (!di)
                return log_oom();

        r = fido_dev_get_cbor_info(d, di);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to get CBOR device info for %s: %s", path, fido_strerr(r));

        e = fido_cbor_info_extensions_ptr(di);
        n = fido_cbor_info_extensions_len(di);

        for (size_t i = 0; i < n; i++)
                if (streq(e[i], "hmac-secret")) {
                        found_extension = true;
                        break;
                }

        if (!found_extension)
                return log_error_errno(SYNTHETIC_ERRNO(ENODEV),
                                       "Specified device %s is a FIDO2 device, but does not support the required HMAC-SECRET extension.", path);

        a = fido_assert_new();
        if (!a)
                return log_oom();

        r = fido_assert_set_extensions(a, FIDO_EXT_HMAC_SECRET);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to enable HMAC-SECRET extension on FIDO2 assertion: %s", fido_strerr(r));

        r = fido_assert_set_hmac_salt(a, salt->salt, salt->salt_size);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to set salt on FIDO2 assertion: %s", fido_strerr(r));

        r = fido_assert_set_rp(a, "io.systemd.home");
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to set FIDO2 assertion ID: %s", fido_strerr(r));

        r = fido_assert_set_clientdata_hash(a, (const unsigned char[32]) {}, 32);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to set FIDO2 assertion client data hash: %s", fido_strerr(r));

        r = fido_assert_allow_cred(a, salt->credential.id, salt->credential.size);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to add FIDO2 assertion credential ID: %s", fido_strerr(r));

        r = fido_assert_set_up(a, h->fido2_user_presence_permitted <= 0 ? FIDO_OPT_FALSE : FIDO_OPT_TRUE);
        if (r != FIDO_OK)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to set FIDO2 assertion user presence: %s", fido_strerr(r));

        log_info("Asking FIDO2 token for authentication.");

        r = fido_dev_get_assert(d, a, NULL); /* try without pin first */
        if (r == FIDO_ERR_PIN_REQUIRED) {
                char **i;

                /* OK, we needed a pin, try with all pins in turn */
                STRV_FOREACH(i, secret->token_pin) {
                        r = fido_dev_get_assert(d, a, *i);
                        if (r != FIDO_ERR_PIN_INVALID)
                                break;
                }
        }

        switch (r) {
        case FIDO_OK:
                break;
        case FIDO_ERR_NO_CREDENTIALS:
                return log_error_errno(SYNTHETIC_ERRNO(EBADSLT),
                                       "Wrong security token; needed credentials not present on token.");
        case FIDO_ERR_PIN_REQUIRED:
                return log_error_errno(SYNTHETIC_ERRNO(ENOANO),
                                       "Security token requires PIN.");
        case FIDO_ERR_PIN_AUTH_BLOCKED:
                return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD),
                                       "PIN of security token is blocked, please remove/reinsert token.");
        case FIDO_ERR_PIN_INVALID:
                return log_error_errno(SYNTHETIC_ERRNO(ENOLCK),
                                       "PIN of security token incorrect.");
        case FIDO_ERR_UP_REQUIRED:
                return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE),
                                       "User presence required.");
        case FIDO_ERR_ACTION_TIMEOUT:
                return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),
                                       "Token action timeout. (User didn't interact with token quickly enough.)");
        default:
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to ask token for assertion: %s", fido_strerr(r));
        }

        hmac = fido_assert_hmac_secret_ptr(a, 0);
        if (!hmac)
                return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve HMAC secret.");

        hmac_size = fido_assert_hmac_secret_len(a, 0);

        r = base64mem(hmac, hmac_size, ret);
        if (r < 0)
                return log_error_errno(r, "Failed to base64 encode HMAC secret: %m");

        return 0;
}

int fido2_use_token(UserRecord *h, UserRecord *secret, const Fido2HmacSalt *salt, char **ret) {
        size_t allocated = 64, found = 0;
        fido_dev_info_t *di = NULL;
        int r;

        di = fido_dev_info_new(allocated);
        if (!di)
                return log_oom();

        r = fido_dev_info_manifest(di, allocated, &found);
        if (r == FIDO_ERR_INTERNAL) {
                /* The library returns FIDO_ERR_INTERNAL when no devices are found. I wish it wouldn't. */
                r = log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "Got FIDO_ERR_INTERNAL, assuming no devices.");
                goto finish;
        }
        if (r != FIDO_OK) {
                r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to enumerate FIDO2 devices: %s", fido_strerr(r));
                goto finish;
        }

        for (size_t i = 0; i < found; i++) {
                const fido_dev_info_t *entry;
                const char *path;

                entry = fido_dev_info_ptr(di, i);
                if (!entry) {
                        r = log_error_errno(SYNTHETIC_ERRNO(EIO),
                                            "Failed to get device information for FIDO device %zu.", i);
                        goto finish;
                }

                path = fido_dev_info_path(entry);
                if (!path) {
                        r = log_error_errno(SYNTHETIC_ERRNO(EIO),
                                            "Failed to query FIDO device path.");
                        goto finish;
                }

                r = fido2_use_specific_token(path, h, secret, salt, ret);
                if (!IN_SET(r,
                            -EBADSLT, /* device doesn't understand our credential hash */
                            -ENODEV   /* device is not a FIDO2 device with HMAC-SECRET */))
                        goto finish;
        }

        r = -EAGAIN;

finish:
        fido_dev_info_free(&di, allocated);
        return r;
}
Commit	Line	Data
7b78db28 LP	1	/* SPDX-License-Identifier: LGPL-2.1+ */
	2
	3	#include <fido.h>
	4
	5	#include "hexdecoct.h"
	6	#include "homework-fido2.h"
	7	#include "strv.h"
	8
	9	static int fido2_use_specific_token(
	10	const char *path,
	11	UserRecord *h,
	12	UserRecord *secret,
	13	const Fido2HmacSalt *salt,
	14	char **ret) {
	15
	16	_cleanup_(fido_cbor_info_free) fido_cbor_info_t *di = NULL;
	17	_cleanup_(fido_assert_free) fido_assert_t *a = NULL;
	18	_cleanup_(fido_dev_free) fido_dev_t *d = NULL;
	19	bool found_extension = false;
	20	size_t n, hmac_size;
	21	const void *hmac;
	22	char **e;
	23	int r;
	24
	25	d = fido_dev_new();
	26	if (!d)
	27	return log_oom();
	28
	29	r = fido_dev_open(d, path);
	30	if (r != FIDO_OK)
	31	return log_error_errno(SYNTHETIC_ERRNO(EIO),
	32	"Failed to open FIDO2 device %s: %s", path, fido_strerr(r));
	33
	34	if (!fido_dev_is_fido2(d))
	35	return log_error_errno(SYNTHETIC_ERRNO(ENODEV),
	36	"Specified device %s is not a FIDO2 device.", path);
	37
	38	di = fido_cbor_info_new();
	39	if (!di)
	40	return log_oom();
	41
	42	r = fido_dev_get_cbor_info(d, di);
	43	if (r != FIDO_OK)
	44	return log_error_errno(SYNTHETIC_ERRNO(EIO),
	45	"Failed to get CBOR device info for %s: %s", path, fido_strerr(r));
	46
	47	e = fido_cbor_info_extensions_ptr(di);
	48	n = fido_cbor_info_extensions_len(di);
	49
	50	for (size_t i = 0; i < n; i++)
	51	if (streq(e[i], "hmac-secret")) {
	52	found_extension = true;
	53	break;
	54	}
	55
	56	if (!found_extension)
	57	return log_error_errno(SYNTHETIC_ERRNO(ENODEV),
	58	"Specified device %s is a FIDO2 device, but does not support the required HMAC-SECRET extension.", path);
	59
	60	a = fido_assert_new();
	61	if (!a)
	62	return log_oom();
	63
	64	r = fido_assert_set_extensions(a, FIDO_EXT_HMAC_SECRET);
65	if (r != FIDO_OK)
66	return log_error_errno(SYNTHETIC_ERRNO(EIO),
67	"Failed to enable HMAC-SECRET extension on FIDO2 assertion: %s", fido_strerr(r));
68
69	r = fido_assert_set_hmac_salt(a, salt->salt, salt->salt_size);
70	if (r != FIDO_OK)
71	return log_error_errno(SYNTHETIC_ERRNO(EIO),
72	"Failed to set salt on FIDO2 assertion: %s", fido_strerr(r));
73
74	r = fido_assert_set_rp(a, "io.systemd.home");
75	if (r != FIDO_OK)
76	return log_error_errno(SYNTHETIC_ERRNO(EIO),
77	"Failed to set FIDO2 assertion ID: %s", fido_strerr(r));
78
79	r = fido_assert_set_clientdata_hash(a, (const unsigned char[32]) {}, 32);
80	if (r != FIDO_OK)
81	return log_error_errno(SYNTHETIC_ERRNO(EIO),
82	"Failed to set FIDO2 assertion client data hash: %s", fido_strerr(r));
83
84	r = fido_assert_allow_cred(a, salt->credential.id, salt->credential.size);
85	if (r != FIDO_OK)
86	return log_error_errno(SYNTHETIC_ERRNO(EIO),
87	"Failed to add FIDO2 assertion credential ID: %s", fido_strerr(r));
88
89	r = fido_assert_set_up(a, h->fido2_user_presence_permitted <= 0 ? FIDO_OPT_FALSE : FIDO_OPT_TRUE);
90	if (r != FIDO_OK)
91	return log_error_errno(SYNTHETIC_ERRNO(EIO),
92	"Failed to set FIDO2 assertion user presence: %s", fido_strerr(r));
93
94	log_info("Asking FIDO2 token for authentication.");
95
96	r = fido_dev_get_assert(d, a, NULL); /* try without pin first */
97	if (r == FIDO_ERR_PIN_REQUIRED) {
98	char **i;
99
100	/* OK, we needed a pin, try with all pins in turn */
101	STRV_FOREACH(i, secret->token_pin) {
102	r = fido_dev_get_assert(d, a, *i);
103	if (r != FIDO_ERR_PIN_INVALID)
104	break;
105	}
106	}
107
108	switch (r) {
109	case FIDO_OK:
110	break;
111	case FIDO_ERR_NO_CREDENTIALS:
112	return log_error_errno(SYNTHETIC_ERRNO(EBADSLT),
113	"Wrong security token; needed credentials not present on token.");
114	case FIDO_ERR_PIN_REQUIRED:
115	return log_error_errno(SYNTHETIC_ERRNO(ENOANO),
116	"Security token requires PIN.");
117	case FIDO_ERR_PIN_AUTH_BLOCKED:
118	return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD),
119	"PIN of security token is blocked, please remove/reinsert token.");
120	case FIDO_ERR_PIN_INVALID:
121	return log_error_errno(SYNTHETIC_ERRNO(ENOLCK),
122	"PIN of security token incorrect.");
123	case FIDO_ERR_UP_REQUIRED:
124	return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE),
125	"User presence required.");
126	case FIDO_ERR_ACTION_TIMEOUT:
127	return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),
128	"Token action timeout. (User didn't interact with token quickly enough.)");
129	default:
130	return log_error_errno(SYNTHETIC_ERRNO(EIO),
131	"Failed to ask token for assertion: %s", fido_strerr(r));
132	}
133
134	hmac = fido_assert_hmac_secret_ptr(a, 0);
135	if (!hmac)
136	return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve HMAC secret.");
137
138	hmac_size = fido_assert_hmac_secret_len(a, 0);
139
140	r = base64mem(hmac, hmac_size, ret);
141	if (r < 0)
142	return log_error_errno(r, "Failed to base64 encode HMAC secret: %m");
143
144	return 0;
145	}
146
147	int fido2_use_token(UserRecord h, UserRecord secret, const Fido2HmacSalt salt, char *ret) {
148	size_t allocated = 64, found = 0;
149	fido_dev_info_t *di = NULL;
150	int r;
151
152	di = fido_dev_info_new(allocated);
153	if (!di)
154	return log_oom();
155
156	r = fido_dev_info_manifest(di, allocated, &found);
157	if (r == FIDO_ERR_INTERNAL) {
158	/* The library returns FIDO_ERR_INTERNAL when no devices are found. I wish it wouldn't. */
159	r = log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "Got FIDO_ERR_INTERNAL, assuming no devices.");
160	goto finish;
161	}
162	if (r != FIDO_OK) {
163	r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to enumerate FIDO2 devices: %s", fido_strerr(r));
164	goto finish;
165	}
166
167	for (size_t i = 0; i < found; i++) {
168	const fido_dev_info_t *entry;
169	const char *path;
170
171	entry = fido_dev_info_ptr(di, i);
172	if (!entry) {
173	r = log_error_errno(SYNTHETIC_ERRNO(EIO),
174	"Failed to get device information for FIDO device %zu.", i);
175	goto finish;
176	}
177
178	path = fido_dev_info_path(entry);
179	if (!path) {
180	r = log_error_errno(SYNTHETIC_ERRNO(EIO),
181	"Failed to query FIDO device path.");
182	goto finish;
183	}
184
185	r = fido2_use_specific_token(path, h, secret, salt, ret);
186	if (!IN_SET(r,
187	-EBADSLT, /* device doesn't understand our credential hash */
188	-ENODEV /* device is not a FIDO2 device with HMAC-SECRET */))
189	goto finish;
190	}
191
192	r = -EAGAIN;
193
194	finish:
195	fido_dev_info_free(&di, allocated);
196	return r;
197	}