]>
Commit | Line | Data |
---|---|---|
7b78db28 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
3 | #include <fido.h> | |
4 | ||
5 | #include "hexdecoct.h" | |
6 | #include "homework-fido2.h" | |
7 | #include "strv.h" | |
8 | ||
9 | static int fido2_use_specific_token( | |
10 | const char *path, | |
11 | UserRecord *h, | |
12 | UserRecord *secret, | |
13 | const Fido2HmacSalt *salt, | |
14 | char **ret) { | |
15 | ||
16 | _cleanup_(fido_cbor_info_free) fido_cbor_info_t *di = NULL; | |
17 | _cleanup_(fido_assert_free) fido_assert_t *a = NULL; | |
18 | _cleanup_(fido_dev_free) fido_dev_t *d = NULL; | |
19 | bool found_extension = false; | |
20 | size_t n, hmac_size; | |
21 | const void *hmac; | |
22 | char **e; | |
23 | int r; | |
24 | ||
25 | d = fido_dev_new(); | |
26 | if (!d) | |
27 | return log_oom(); | |
28 | ||
29 | r = fido_dev_open(d, path); | |
30 | if (r != FIDO_OK) | |
31 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
32 | "Failed to open FIDO2 device %s: %s", path, fido_strerr(r)); | |
33 | ||
34 | if (!fido_dev_is_fido2(d)) | |
35 | return log_error_errno(SYNTHETIC_ERRNO(ENODEV), | |
36 | "Specified device %s is not a FIDO2 device.", path); | |
37 | ||
38 | di = fido_cbor_info_new(); | |
39 | if (!di) | |
40 | return log_oom(); | |
41 | ||
42 | r = fido_dev_get_cbor_info(d, di); | |
43 | if (r != FIDO_OK) | |
44 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
45 | "Failed to get CBOR device info for %s: %s", path, fido_strerr(r)); | |
46 | ||
47 | e = fido_cbor_info_extensions_ptr(di); | |
48 | n = fido_cbor_info_extensions_len(di); | |
49 | ||
50 | for (size_t i = 0; i < n; i++) | |
51 | if (streq(e[i], "hmac-secret")) { | |
52 | found_extension = true; | |
53 | break; | |
54 | } | |
55 | ||
56 | if (!found_extension) | |
57 | return log_error_errno(SYNTHETIC_ERRNO(ENODEV), | |
58 | "Specified device %s is a FIDO2 device, but does not support the required HMAC-SECRET extension.", path); | |
59 | ||
60 | a = fido_assert_new(); | |
61 | if (!a) | |
62 | return log_oom(); | |
63 | ||
64 | r = fido_assert_set_extensions(a, FIDO_EXT_HMAC_SECRET); | |
65 | if (r != FIDO_OK) | |
66 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
67 | "Failed to enable HMAC-SECRET extension on FIDO2 assertion: %s", fido_strerr(r)); | |
68 | ||
69 | r = fido_assert_set_hmac_salt(a, salt->salt, salt->salt_size); | |
70 | if (r != FIDO_OK) | |
71 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
72 | "Failed to set salt on FIDO2 assertion: %s", fido_strerr(r)); | |
73 | ||
74 | r = fido_assert_set_rp(a, "io.systemd.home"); | |
75 | if (r != FIDO_OK) | |
76 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
77 | "Failed to set FIDO2 assertion ID: %s", fido_strerr(r)); | |
78 | ||
79 | r = fido_assert_set_clientdata_hash(a, (const unsigned char[32]) {}, 32); | |
80 | if (r != FIDO_OK) | |
81 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
82 | "Failed to set FIDO2 assertion client data hash: %s", fido_strerr(r)); | |
83 | ||
84 | r = fido_assert_allow_cred(a, salt->credential.id, salt->credential.size); | |
85 | if (r != FIDO_OK) | |
86 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
87 | "Failed to add FIDO2 assertion credential ID: %s", fido_strerr(r)); | |
88 | ||
89 | r = fido_assert_set_up(a, h->fido2_user_presence_permitted <= 0 ? FIDO_OPT_FALSE : FIDO_OPT_TRUE); | |
90 | if (r != FIDO_OK) | |
91 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
92 | "Failed to set FIDO2 assertion user presence: %s", fido_strerr(r)); | |
93 | ||
94 | log_info("Asking FIDO2 token for authentication."); | |
95 | ||
96 | r = fido_dev_get_assert(d, a, NULL); /* try without pin first */ | |
97 | if (r == FIDO_ERR_PIN_REQUIRED) { | |
98 | char **i; | |
99 | ||
100 | /* OK, we needed a pin, try with all pins in turn */ | |
101 | STRV_FOREACH(i, secret->token_pin) { | |
102 | r = fido_dev_get_assert(d, a, *i); | |
103 | if (r != FIDO_ERR_PIN_INVALID) | |
104 | break; | |
105 | } | |
106 | } | |
107 | ||
108 | switch (r) { | |
109 | case FIDO_OK: | |
110 | break; | |
111 | case FIDO_ERR_NO_CREDENTIALS: | |
112 | return log_error_errno(SYNTHETIC_ERRNO(EBADSLT), | |
113 | "Wrong security token; needed credentials not present on token."); | |
114 | case FIDO_ERR_PIN_REQUIRED: | |
115 | return log_error_errno(SYNTHETIC_ERRNO(ENOANO), | |
116 | "Security token requires PIN."); | |
117 | case FIDO_ERR_PIN_AUTH_BLOCKED: | |
118 | return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD), | |
119 | "PIN of security token is blocked, please remove/reinsert token."); | |
120 | case FIDO_ERR_PIN_INVALID: | |
121 | return log_error_errno(SYNTHETIC_ERRNO(ENOLCK), | |
122 | "PIN of security token incorrect."); | |
123 | case FIDO_ERR_UP_REQUIRED: | |
124 | return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), | |
125 | "User presence required."); | |
126 | case FIDO_ERR_ACTION_TIMEOUT: | |
127 | return log_error_errno(SYNTHETIC_ERRNO(ENOSTR), | |
128 | "Token action timeout. (User didn't interact with token quickly enough.)"); | |
129 | default: | |
130 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
131 | "Failed to ask token for assertion: %s", fido_strerr(r)); | |
132 | } | |
133 | ||
134 | hmac = fido_assert_hmac_secret_ptr(a, 0); | |
135 | if (!hmac) | |
136 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve HMAC secret."); | |
137 | ||
138 | hmac_size = fido_assert_hmac_secret_len(a, 0); | |
139 | ||
140 | r = base64mem(hmac, hmac_size, ret); | |
141 | if (r < 0) | |
142 | return log_error_errno(r, "Failed to base64 encode HMAC secret: %m"); | |
143 | ||
144 | return 0; | |
145 | } | |
146 | ||
147 | int fido2_use_token(UserRecord *h, UserRecord *secret, const Fido2HmacSalt *salt, char **ret) { | |
148 | size_t allocated = 64, found = 0; | |
149 | fido_dev_info_t *di = NULL; | |
150 | int r; | |
151 | ||
152 | di = fido_dev_info_new(allocated); | |
153 | if (!di) | |
154 | return log_oom(); | |
155 | ||
156 | r = fido_dev_info_manifest(di, allocated, &found); | |
157 | if (r == FIDO_ERR_INTERNAL) { | |
158 | /* The library returns FIDO_ERR_INTERNAL when no devices are found. I wish it wouldn't. */ | |
159 | r = log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "Got FIDO_ERR_INTERNAL, assuming no devices."); | |
160 | goto finish; | |
161 | } | |
162 | if (r != FIDO_OK) { | |
163 | r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to enumerate FIDO2 devices: %s", fido_strerr(r)); | |
164 | goto finish; | |
165 | } | |
166 | ||
167 | for (size_t i = 0; i < found; i++) { | |
168 | const fido_dev_info_t *entry; | |
169 | const char *path; | |
170 | ||
171 | entry = fido_dev_info_ptr(di, i); | |
172 | if (!entry) { | |
173 | r = log_error_errno(SYNTHETIC_ERRNO(EIO), | |
174 | "Failed to get device information for FIDO device %zu.", i); | |
175 | goto finish; | |
176 | } | |
177 | ||
178 | path = fido_dev_info_path(entry); | |
179 | if (!path) { | |
180 | r = log_error_errno(SYNTHETIC_ERRNO(EIO), | |
181 | "Failed to query FIDO device path."); | |
182 | goto finish; | |
183 | } | |
184 | ||
185 | r = fido2_use_specific_token(path, h, secret, salt, ret); | |
186 | if (!IN_SET(r, | |
187 | -EBADSLT, /* device doesn't understand our credential hash */ | |
188 | -ENODEV /* device is not a FIDO2 device with HMAC-SECRET */)) | |
189 | goto finish; | |
190 | } | |
191 | ||
192 | r = -EAGAIN; | |
193 | ||
194 | finish: | |
195 | fido_dev_info_free(&di, allocated); | |
196 | return r; | |
197 | } |