From b31e63960d90434725e088698f19e3dbac27546f Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo
Date: Wed, 11 Dec 2024 17:28:30 +0100
Subject: [PATCH] libfido2-util: show also verity features when listing FIDO2 devices

This way, users don't have to check those features using an external program, or wait for later failure when trying to enroll using an unsupported feature.
---
 src/shared/libfido2-util.c | 43 +++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 455696bb8e7..b518dec7fa8 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -4,6 +4,7 @@
 #if HAVE_LIBFIDO2
 #include "alloc-util.h"
+#include "ansi-color.h"
 #include "ask-password-api.h"
 #include "dlfcn-util.h"
 #include "format-table.h"
@@ -1074,7 +1075,13 @@ int fido2_generate_hmac_hash(
 #endif
 #if HAVE_LIBFIDO2
-static int check_device_is_fido2_with_hmac_secret(const char *path) {
+static int check_device_is_fido2_with_hmac_secret(
+ const char *path,
+ bool *ret_has_rk,
+ bool *ret_has_client_pin,
+ bool *ret_has_up,
+ bool *ret_has_uv) {
+
 _cleanup_(fido_dev_free_wrapper) fido_dev_t *d = NULL;
 int r;
@@ -1087,9 +1094,11 @@ static int check_device_is_fido2_with_hmac_secret(const char *path) {
 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to open FIDO2 device %s: %s",
 path, sym_fido_strerr(r));
- r = verify_features(d, path, LOG_DEBUG, NULL, NULL, NULL, NULL);
- if (r == -ENODEV) /* Not a FIDO2 device, or not implementing 'hmac-secret' */
+ r = verify_features(d, path, LOG_DEBUG, ret_has_rk, ret_has_client_pin, ret_has_up, ret_has_uv);
+ if (r == -ENODEV) { /* Not a FIDO2 device, or not implementing 'hmac-secret' */
+ *ret_has_rk = *ret_has_client_pin = *ret_has_up = *ret_has_uv = false;
 return false;
+ }
 if (r < 0)
 return r;
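Review bot: The new ENODEV branch in the `@@ -1087` hunk stores through all four `ret_has_*` pointers unconditionally, but the `@@ -1214` hunk in fido2_find_device_auto passes `/* ret_has_rk= */ NULL` for every one of them, so auto-detection now dereferences NULL as soon as it meets an attached device that is not FIDO2 or lacks hmac-secret. Before this change that call site reached verify_features with the same NULLs, so that helper presumably tolerates them; only the added assignment line does not. Each store should be guarded on its pointer, as below, so that the list and auto-detect callers can keep sharing the helper. check_device_is_fido2_with_hmac_secret continues past the end of the hunk.
```c
        if (r == -ENODEV) { /* Not a FIDO2 device, or not implementing 'hmac-secret' */
                /* Callers that only want the yes/no answer pass NULL for the feature flags. */
                if (ret_has_rk)
                        *ret_has_rk = false;
                if (ret_has_client_pin)
                        *ret_has_client_pin = false;
                if (ret_has_up)
                        *ret_has_up = false;
                if (ret_has_uv)
                        *ret_has_uv = false;
                return false;
        }
        /* … unchanged: r < 0 propagation … */
```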
@@ -1125,7 +1134,7 @@ int fido2_list_devices(void) {
 goto finish;
 }
- t = table_new("path", "manufacturer", "product", "compatible");
+ t = table_new("path", "manufacturer", "product", "compatible", "rk", "clientpin", "up", "uv");
 if (!t) {
 r = log_oom();
 goto finish;
@@ -1133,6 +1142,7 @@ int fido2_list_devices(void) {
 for (size_t i = 0; i < found; i++) {
 const fido_dev_info_t *entry;
+ bool has_rk, has_client_pin, has_up, has_uv;
 entry = sym_fido_dev_info_ptr(di, i);
 if (!entry) {
@@ -1141,7 +1151,7 @@ int fido2_list_devices(void) {
 goto finish;
 }
- r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
+ r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry), &has_rk, &has_client_pin, &has_up, &has_uv);
 if (r < 0)
 goto finish;
 bool compatible = r > 0;
@@ -1151,7 +1161,11 @@ int fido2_list_devices(void) {
 TABLE_PATH, sym_fido_dev_info_path(entry),
 TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
 TABLE_STRING, sym_fido_dev_info_product_string(entry),
- TABLE_BOOLEAN_CHECKMARK, compatible);
+ TABLE_BOOLEAN_CHECKMARK, compatible,
+ TABLE_BOOLEAN_CHECKMARK, has_rk,
+ TABLE_BOOLEAN_CHECKMARK, has_client_pin,
+ TABLE_BOOLEAN_CHECKMARK, has_up,
+ TABLE_BOOLEAN_CHECKMARK, has_uv);
 if (r < 0) {
 table_log_add_error(r);
 goto finish;
@@ -1164,6 +1178,16 @@ int fido2_list_devices(void) {
 goto finish;
 }
+ if (table_get_rows(t) > 1)
+ printf("\n"
+ "%1$sLegend: RK %2$s Resident key%3$s\n"
+ "%1$s CLIENTPIN %2$s PIN request%3$s\n"
+ "%1$s UP %2$s User presence%3$s\n"
+ "%1$s UV %2$s User verification%3$s\n",
+ ansi_grey(),
+ special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
+ ansi_normal());
+
 r = 0;
 finish:
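Review bot: `bool has_rk, has_client_pin, has_up, has_uv;` in the `@@ -1133` hunk is left uninitialized, and all four are read by table_add_many in the `@@ -1151` hunk whenever check_device_is_fido2_with_hmac_secret returns > 0; that is only well-defined if verify_features writes every flag on each success path, which cannot be confirmed from these hunks. Initialising them, `bool has_rk = false, has_client_pin = false, has_up = false, has_uv = false;`, makes the row deterministic regardless and matches the false-on-ENODEV default the helper now applies. fido2_list_devices begins before and ends after these hunks.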
@@ -1214,7 +1238,12 @@ int fido2_find_device_auto(char **ret) {
 goto finish;
 }
- r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
+ r = check_device_is_fido2_with_hmac_secret(
+ sym_fido_dev_info_path(entry),
+ /* ret_has_rk= */ NULL,
+ /* ret_has_client_pin= */ NULL,
+ /* ret_has_up= */ NULL,
+ /* ret_has_uv= */ NULL);
 if (r < 0)
 goto finish;
 if (!r) {
--
2.47.3