From: Antonio Alvarez Feijoo Date: Wed, 11 Dec 2024 16:28:30 +0000 (+0100) Subject: libfido2-util: show also verity features when listing FIDO2 devices X-Git-Tag: v258-rc1~1902^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F35295%2Fhead;p=thirdparty%2Fsystemd.git libfido2-util: show also verity features when listing FIDO2 devices This way, users don't have to check those features using an external program, or wait for later failure when trying to enroll using an unsupported feature. --- diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index 455696bb8e7..b518dec7fa8 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -4,6 +4,7 @@ #if HAVE_LIBFIDO2 #include "alloc-util.h" +#include "ansi-color.h" #include "ask-password-api.h" #include "dlfcn-util.h" #include "format-table.h" @@ -1074,7 +1075,13 @@ int fido2_generate_hmac_hash( #endif #if HAVE_LIBFIDO2 -static int check_device_is_fido2_with_hmac_secret(const char *path) { +static int check_device_is_fido2_with_hmac_secret( + const char *path, + bool *ret_has_rk, + bool *ret_has_client_pin, + bool *ret_has_up, + bool *ret_has_uv) { + _cleanup_(fido_dev_free_wrapper) fido_dev_t *d = NULL; int r; @@ -1087,9 +1094,11 @@ static int check_device_is_fido2_with_hmac_secret(const char *path) { return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to open FIDO2 device %s: %s", path, sym_fido_strerr(r)); - r = verify_features(d, path, LOG_DEBUG, NULL, NULL, NULL, NULL); - if (r == -ENODEV) /* Not a FIDO2 device, or not implementing 'hmac-secret' */ + r = verify_features(d, path, LOG_DEBUG, ret_has_rk, ret_has_client_pin, ret_has_up, ret_has_uv); + if (r == -ENODEV) { /* Not a FIDO2 device, or not implementing 'hmac-secret' */ + *ret_has_rk = *ret_has_client_pin = *ret_has_up = *ret_has_uv = false; return false; + } if (r < 0) return r; @@ -1125,7 +1134,7 @@ int fido2_list_devices(void) { goto finish; } - t = table_new("path", "manufacturer", "product", "compatible"); + t = table_new("path", "manufacturer", "product", "compatible", "rk", "clientpin", "up", "uv"); if (!t) { r = log_oom(); goto finish; @@ -1133,6 +1142,7 @@ int fido2_list_devices(void) { for (size_t i = 0; i < found; i++) { const fido_dev_info_t *entry; + bool has_rk, has_client_pin, has_up, has_uv; entry = sym_fido_dev_info_ptr(di, i); if (!entry) { @@ -1141,7 +1151,7 @@ int fido2_list_devices(void) { goto finish; } - r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry)); + r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry), &has_rk, &has_client_pin, &has_up, &has_uv); if (r < 0) goto finish; bool compatible = r > 0; @@ -1151,7 +1161,11 @@ int fido2_list_devices(void) { TABLE_PATH, sym_fido_dev_info_path(entry), TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry), TABLE_STRING, sym_fido_dev_info_product_string(entry), - TABLE_BOOLEAN_CHECKMARK, compatible); + TABLE_BOOLEAN_CHECKMARK, compatible, + TABLE_BOOLEAN_CHECKMARK, has_rk, + TABLE_BOOLEAN_CHECKMARK, has_client_pin, + TABLE_BOOLEAN_CHECKMARK, has_up, + TABLE_BOOLEAN_CHECKMARK, has_uv); if (r < 0) { table_log_add_error(r); goto finish; @@ -1164,6 +1178,16 @@ int fido2_list_devices(void) { goto finish; } + if (table_get_rows(t) > 1) + printf("\n" + "%1$sLegend: RK %2$s Resident key%3$s\n" + "%1$s CLIENTPIN %2$s PIN request%3$s\n" + "%1$s UP %2$s User presence%3$s\n" + "%1$s UV %2$s User verification%3$s\n", + ansi_grey(), + special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), + ansi_normal()); + r = 0; finish: @@ -1214,7 +1238,12 @@ int fido2_find_device_auto(char **ret) { goto finish; } - r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry)); + r = check_device_is_fido2_with_hmac_secret( + sym_fido_dev_info_path(entry), + /* ret_has_rk= */ NULL, + /* ret_has_client_pin= */ NULL, + /* ret_has_up= */ NULL, + /* ret_has_uv= */ NULL); if (r < 0) goto finish; if (!r) {