author | nicoo <nicoo@debian.org> | 2020-02-23 15:31:16 +0100 |
---|---|---|
committer | Nicolas Braud-Santoni <nicolas@braud-santoni.eu> | 2020-02-23 15:31:16 +0100 |
commit | c923f422b1e455bdd8ec3bdb10d005e3bfbacfe0 (patch) | |
tree | fdc9b1a9da716cf0ad70efbeafaf62151f997064 | |
parent | c79050aa44b8836d836c5dd22a383a073c28b74b (diff) |
New upstream version 1.3.1
33 files changed, 923 insertions, 813 deletions
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml new file mode 100644 index 0000000..eb953db --- /dev/null +++ b/.github/workflows/windows.yml | |||
@@ -0,0 +1,14 @@ | |||
1 | name: windows | ||
2 | |||
3 | on: [push] | ||
4 | |||
5 | jobs: | ||
6 | build: | ||
7 | |||
8 | runs-on: windows-latest | ||
9 | |||
10 | steps: | ||
11 | - uses: actions/checkout@v1 | ||
12 | - name: build | ||
13 | run: .\windows\build.ps1 | ||
14 | |||
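Review bot: The checkout step on line 11 references the mutable tag `actions/checkout@v1`, so each run executes whatever that tag resolves to at the time rather than the action revision that was reviewed. Pin it to the full commit SHA of the intended release, e.g. `- uses: actions/checkout@<full-commit-sha> # v1`, and bump the pin deliberately when updating.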
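--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+build/
+cscope.out
+fuzz/build/
+fuzz/obj/
+fuzz/*.so
+output/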
diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..5ddf36f --- /dev/null +++ b/.travis.yml | |||
@@ -0,0 +1,86 @@ | |||
1 | language: c | ||
2 | |||
3 | matrix: | ||
4 | include: | ||
5 | - os: linux | ||
6 | compiler: clang-7 | ||
7 | dist: xenial | ||
8 | sudo: required | ||
9 | addons: | ||
10 | apt: | ||
11 | sources: | ||
12 | - ubuntu-toolchain-r-test | ||
13 | - llvm-toolchain-xenial-7 | ||
14 | packages: | ||
15 | - clang-7 | ||
16 | - cmake | ||
17 | - libssl-dev | ||
18 | - libudev-dev | ||
19 | script: /bin/sh -eux .travis/build-linux-clang | ||
20 | - os: linux | ||
21 | compiler: gcc-7 | ||
22 | dist: xenial | ||
23 | sudo: required | ||
24 | addons: | ||
25 | apt: | ||
26 | sources: | ||
27 | - ubuntu-toolchain-r-test | ||
28 | packages: | ||
29 | - gcc-7 | ||
30 | - cmake | ||
31 | - libssl-dev | ||
32 | - libudev-dev | ||
33 | script: /bin/sh -eux .travis/build-linux-gcc | ||
34 | - os: linux | ||
35 | compiler: i686-w64-mingw32-gcc-4.8 | ||
36 | dist: xenial | ||
37 | sudo: required | ||
38 | addons: | ||
39 | apt: | ||
40 | sources: | ||
41 | - ubuntu-toolchain-r-test | ||
42 | packages: | ||
43 | - binutils-mingw-w64-i686 | ||
44 | - gcc-mingw-w64 | ||
45 | - g++-mingw-w64 | ||
46 | - mingw-w64-i686-dev | ||
47 | - cmake | ||
48 | script: /bin/sh -eux .travis/build-linux-mingw | ||
49 | - os: osx | ||
50 | osx_image: xcode10.2 | ||
51 | compiler: clang | ||
52 | sudo: required | ||
53 | script: /bin/sh -eux .travis/build-osx-clang | ||
54 | - os: linux | ||
55 | compiler: clang-7 | ||
56 | dist: xenial | ||
57 | sudo: required | ||
58 | addons: | ||
59 | apt: | ||
60 | sources: | ||
61 | - ubuntu-toolchain-r-test | ||
62 | - llvm-toolchain-xenial-7 | ||
63 | packages: | ||
64 | - clang-7 | ||
65 | - cmake | ||
66 | - libssl-dev | ||
67 | - libudev-dev | ||
68 | script: /bin/sh -eux .travis/fuzz-linux-asan | ||
69 | - os: linux | ||
70 | compiler: clang-7 | ||
71 | dist: xenial | ||
72 | sudo: required | ||
73 | addons: | ||
74 | apt: | ||
75 | sources: | ||
76 | - ubuntu-toolchain-r-test | ||
77 | - llvm-toolchain-xenial-7 | ||
78 | packages: | ||
79 | - clang-7 | ||
80 | - cmake | ||
81 | - libssl-dev | ||
82 | - libudev-dev | ||
83 | script: /bin/sh -eux .travis/fuzz-linux-msan | ||
84 | |||
85 | notifications: | ||
86 | email: false | ||
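--- /dev/null
+++ b/.travis/build-linux-clang
@@ -0,0 +1,22 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build, analyze, and install libfido2.
+mkdir build
+(cd build && scan-build cmake -DCMAKE_BUILD_TYPE=Debug ..)
+scan-build --status-bugs make -C build
+sudo make -C build install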
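Review bot: Line 9 fetches libcbor over the unauthenticated `git://` transport and line 11 checks out the mutable tag `v0.5.0`, after which line 15 installs the result with `sudo` and lines 20-22 build and install libfido2 against it; nothing verifies that the fetched tree is the one that was reviewed. Switch to `git clone https://github.com/pjk/libcbor` and pin the checkout to the tag's commit, `git checkout <libcbor-v0.5.0-commit-sha>`, or verify the tag signature before building. The same pattern appears in .travis/build-linux-gcc, .travis/build-osx-clang, .travis/build-linux-mingw (libcbor and openssl), .travis/fuzz-linux-asan and .travis/fuzz-linux-msan (libcbor and openssl).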
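--- /dev/null
+++ b/.travis/build-linux-gcc
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build and install libfido2.
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+sudo make -C build install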
diff --git a/.travis/build-linux-mingw b/.travis/build-linux-mingw new file mode 100644 index 0000000..c88ddca --- /dev/null +++ b/.travis/build-linux-mingw | |||
@@ -0,0 +1,47 @@ | |||
1 | #!/bin/sh -eux | ||
2 | |||
3 | # XXX defining CC and cross-compiling confuses OpenSSL's build. | ||
4 | unset CC | ||
5 | |||
6 | sudo mkdir /fakeroot | ||
7 | sudo chmod 755 /fakeroot | ||
8 | |||
9 | cat << EOF > /tmp/mingw.cmake | ||
10 | SET(CMAKE_SYSTEM_NAME Windows) | ||
11 | SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc) | ||
12 | SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++) | ||
13 | SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres) | ||
14 | SET(CMAKE_FIND_ROOT_PATH /fakeroot) | ||
15 | SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) | ||
16 | SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) | ||
17 | SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) | ||
18 | EOF | ||
19 | |||
20 | # Build and install libcbor. | ||
21 | git clone git://github.com/pjk/libcbor | ||
22 | cd libcbor | ||
23 | git checkout v0.5.0 | ||
24 | mkdir build | ||
25 | (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \ | ||
26 | -DCMAKE_INSTALL_PREFIX=/fakeroot ..) | ||
27 | make -C build | ||
28 | sudo make -C build install | ||
29 | cd .. | ||
30 | |||
31 | # Build and install OpenSSL 1.1.0j. | ||
32 | git clone git://github.com/openssl/openssl | ||
33 | cd openssl | ||
34 | git checkout OpenSSL_1_1_0j | ||
35 | ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \ | ||
36 | --cross-compile-prefix=i686-w64-mingw32- | ||
37 | make | ||
38 | sudo make install_sw | ||
39 | cd .. | ||
40 | |||
41 | # Build and install libfido2. | ||
42 | export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig | ||
43 | mkdir build | ||
44 | (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \ | ||
45 | -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..) | ||
46 | make -C build | ||
47 | sudo make -C build install | ||
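--- /dev/null
+++ b/.travis/build-osx-clang
@@ -0,0 +1,24 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Install mandoc from Homebrew.
+brew install mandoc
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+make -C build man_symlink_html
+sudo make -C build install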
diff --git a/.travis/fuzz-linux-asan b/.travis/fuzz-linux-asan new file mode 100644 index 0000000..0a0aebb --- /dev/null +++ b/.travis/fuzz-linux-asan | |||
@@ -0,0 +1,58 @@ | |||
1 | #!/bin/sh -eux | ||
2 | |||
3 | ${CC} --version | ||
4 | |||
5 | FAKEROOT=/fakeroot | ||
6 | sudo mkdir ${FAKEROOT} | ||
7 | sudo chmod 755 ${FAKEROOT} | ||
8 | |||
9 | # Build and install libcbor. | ||
10 | git clone git://github.com/pjk/libcbor | ||
11 | cd libcbor | ||
12 | patch -p0 < ../fuzz/README | ||
13 | mkdir build | ||
14 | cd build | ||
15 | cmake -DCMAKE_C_FLAGS_DEBUG="-g2 -fno-omit-frame-pointer" \ | ||
16 | -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \ | ||
17 | -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=ON \ | ||
18 | -DCMAKE_INSTALL_LIBDIR=lib .. | ||
19 | make | ||
20 | sudo make install | ||
21 | cd ../.. | ||
22 | |||
23 | # Build and install OpenSSL 1.1.1b. | ||
24 | git clone git://github.com/openssl/openssl | ||
25 | cd openssl | ||
26 | git checkout OpenSSL_1_1_1b | ||
27 | ./Configure linux-x86_64-clang enable-asan --prefix=${FAKEROOT} \ | ||
28 | --openssldir=${FAKEROOT}/openssl | ||
29 | make clean | ||
30 | make | ||
31 | sudo make install_sw | ||
32 | cd .. | ||
33 | |||
34 | # Build libfido2. | ||
35 | mkdir build | ||
36 | cd build | ||
37 | export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig | ||
38 | cmake -DFUZZ=1 -DLIBFUZZER=1 -DASAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \ | ||
39 | -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \ | ||
40 | -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \ | ||
41 | -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \ | ||
42 | -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \ | ||
43 | -DCMAKE_BUILD_TYPE=Debug .. | ||
44 | make | ||
45 | |||
46 | # Fuzz with ASAN. | ||
47 | mkdir corpus | ||
48 | tar -C corpus -zxf ../fuzz/corpus.tgz | ||
49 | fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
50 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred | ||
51 | fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
52 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert | ||
53 | fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
54 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman | ||
55 | fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
56 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt | ||
57 | fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
58 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio | ||
diff --git a/.travis/fuzz-linux-msan b/.travis/fuzz-linux-msan new file mode 100644 index 0000000..fd7b2ac --- /dev/null +++ b/.travis/fuzz-linux-msan | |||
@@ -0,0 +1,58 @@ | |||
1 | #!/bin/sh -eux | ||
2 | |||
3 | ${CC} --version | ||
4 | |||
5 | FAKEROOT=/fakeroot | ||
6 | sudo mkdir ${FAKEROOT} | ||
7 | sudo chmod 755 ${FAKEROOT} | ||
8 | |||
9 | # Build and install libcbor. | ||
10 | git clone git://github.com/pjk/libcbor | ||
11 | cd libcbor | ||
12 | patch -p0 < ../fuzz/README | ||
13 | mkdir build | ||
14 | cd build | ||
15 | cmake -DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer" \ | ||
16 | -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \ | ||
17 | -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=OFF \ | ||
18 | -DCMAKE_INSTALL_LIBDIR=lib .. | ||
19 | make | ||
20 | sudo make install | ||
21 | cd ../.. | ||
22 | |||
23 | # Build and install OpenSSL 1.1.1b. | ||
24 | git clone git://github.com/openssl/openssl | ||
25 | cd openssl | ||
26 | git checkout OpenSSL_1_1_1b | ||
27 | ./Configure linux-x86_64-clang enable-msan --prefix=${FAKEROOT} \ | ||
28 | --openssldir=${FAKEROOT}/openssl | ||
29 | make clean | ||
30 | make | ||
31 | sudo make install_sw | ||
32 | cd .. | ||
33 | |||
34 | # Build libfido2. | ||
35 | mkdir build | ||
36 | cd build | ||
37 | export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig | ||
38 | cmake -DFUZZ=1 -DLIBFUZZER=1 -DMSAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \ | ||
39 | -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \ | ||
40 | -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \ | ||
41 | -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \ | ||
42 | -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \ | ||
43 | -DCMAKE_BUILD_TYPE=Debug .. | ||
44 | make | ||
45 | |||
46 | # Fuzz with MSAN. | ||
47 | mkdir corpus | ||
48 | tar -C corpus -zxf ../fuzz/corpus.tgz | ||
49 | fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
50 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred | ||
51 | fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
52 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert | ||
53 | fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
54 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman | ||
55 | fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
56 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt | ||
57 | fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \ | ||
58 | -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio | ||
diff --git a/CMakeLists.txt b/CMakeLists.txt index c7c5991..9481c46 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt | |||
@@ -20,7 +20,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) | |||
20 | 20 | ||
21 | set(FIDO_MAJOR "1") | 21 | set(FIDO_MAJOR "1") |
22 | set(FIDO_MINOR "3") | 22 | set(FIDO_MINOR "3") |
23 | set(FIDO_PATCH "0") | 23 | set(FIDO_PATCH "1") |
24 | set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) | 24 | set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) |
25 | 25 | ||
26 | add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR}) | 26 | add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR}) |
@@ -322,7 +322,7 @@ elseif(NOT MSVC) | |||
322 | endif() | 322 | endif() |
323 | else() | 323 | else() |
324 | string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS} | 324 | string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS} |
325 | " /def:${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc") | 325 | " /def:\"${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc\"") |
326 | endif() | 326 | endif() |
327 | 327 | ||
328 | include_directories(${CMAKE_SOURCE_DIR}/src) | 328 | include_directories(${CMAKE_SOURCE_DIR}/src) |
@@ -1,3 +1,7 @@ | |||
1 | * Version 1.3.1 (2020-02-19) | ||
2 | ** fix zero-ing of le1 and le2 when talking to a U2F device. | ||
3 | ** dropping sk-libfido2 middleware, please find it in the openssh tree. | ||
4 | |||
1 | * Version 1.3.0 (2019-11-28) | 5 | * Version 1.3.0 (2019-11-28) |
2 | ** assert/hmac: encode public key as per spec, gh#60. | 6 | ** assert/hmac: encode public key as per spec, gh#60. |
3 | ** fido2-cred: fix creation of resident keys. | 7 | ** fido2-cred: fix creation of resident keys. |
diff --git a/README.adoc b/README.adoc index 8693417..ce8ac1e 100644 --- a/README.adoc +++ b/README.adoc | |||
@@ -31,7 +31,7 @@ is also available. | |||
31 | 31 | ||
32 | ==== Releases | 32 | ==== Releases |
33 | 33 | ||
34 | The current release of *libfido2* is 1.3.0. Please consult Yubico's | 34 | The current release of *libfido2* is 1.3.1. Please consult Yubico's |
35 | https://developers.yubico.com/libfido2/Releases[release page] for source | 35 | https://developers.yubico.com/libfido2/Releases[release page] for source |
36 | and binary releases. | 36 | and binary releases. |
37 | 37 | ||
@@ -71,18 +71,3 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \ | |||
71 | On Windows 1903 and newer versions, access to FIDO devices has been restricted | 71 | On Windows 1903 and newer versions, access to FIDO devices has been restricted |
72 | to applications using the operating system's native API. Use of *libfido2* | 72 | to applications using the operating system's native API. Use of *libfido2* |
73 | is still possible in privileged applications. | 73 | is still possible in privileged applications. |
74 | |||
75 | === OpenSSH Integration | ||
76 | |||
77 | *libfido2* includes middleware allowing https://www.openssh.com[OpenSSH] to | ||
78 | talk to U2F/FIDO2 devices. Note that server support is required for | ||
79 | authentication. In a nutshell: | ||
80 | |||
81 | ==== Key Generation | ||
82 | |||
83 | $ ssh-keygen -t [ecdsa-sk|ed25519-sk] -w /path/to/libsk-libfido2.so | ||
84 | |||
85 | ==== Authentication | ||
86 | |||
87 | $ ssh-agent -P /path/to/libsk-libfido2.so | ||
88 | $ ssh-add -S /path/to/libsk-libfido2.so | ||
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..7502d61 --- /dev/null +++ b/debian/changelog | |||
@@ -0,0 +1,80 @@ | |||
1 | libfido2 (1.2.0~ppa1~bionic1) bionic; urgency=low | ||
2 | |||
3 | * Credential management support. | ||
4 | * New API reflecting FIDO's 3-state booleans (true, false, absent): | ||
5 | - fido_assert_set_up; | ||
6 | - fido_assert_set_uv; | ||
7 | - fido_cred_set_rk; | ||
8 | - fido_cred_set_uv. | ||
9 | * Command-line tools for Windows. | ||
10 | * Documentation and reliability fixes. | ||
11 | * fido_{assert,cred}_set_options() are now marked as deprecated. | ||
12 | |||
13 | -- pedro martelletto <pedro@yubico.com> Fri, 23 Aug 2019 12:08:02 +0000 | ||
14 | |||
15 | libfido2 (1.1.0) bionic; urgency=low | ||
16 | |||
17 | * MacOS: fix IOKit crash on HID read. | ||
18 | * Windows: fix contents of release file. | ||
19 | * EdDSA (Ed25519) support. | ||
20 | * fido_dev_make_cred: fix order of CBOR map keys. | ||
21 | * fido_dev_get_assert: plug memory leak when operating on U2F devices. | ||
22 | |||
23 | -- pedro martelletto <pedro@yubico.com> Tue, 07 May 2019 08:03:21 +0000 | ||
24 | |||
25 | libfido2 (1.0.0) bionic; urgency=low | ||
26 | |||
27 | * Native HID support on Linux, MacOS, and Windows. | ||
28 | * fido2-{assert,cred}: new -u option to force U2F on dual authenticators. | ||
29 | * fido2-assert: support for multiple resident keys with the same RP. | ||
30 | * Strict checks for CTAP2 compliance on received CBOR payloads. | ||
31 | * Better fuzzing harnesses. | ||
32 | * Documentation and reliability fixes. | ||
33 | |||
34 | -- pedro martelletto <pedro@yubico.com> Tue, 19 Mar 2019 07:38:36 +0000 | ||
35 | |||
36 | libfido2 (0.4.0) bionic; urgency=low | ||
37 | |||
38 | * fido2-assert: print the user id for resident credentials. | ||
39 | * Fix encoding of COSE algorithms when making a credential. | ||
40 | * Rework purpose of fido_cred_set_type; no ABI change. | ||
41 | * Minor documentation and code fixes. | ||
42 | |||
43 | -- pedro martelletto <pedro@yubico.com> Mon, 07 Jan 2019 08:22:01 +0000 | ||
44 | |||
45 | libfido2 (0.3.0) bionic; urgency=low | ||
46 | |||
47 | * Various reliability fixes. | ||
48 | * Merged fuzzing instrumentation. | ||
49 | * Added regress tests. | ||
50 | * Added support for FIDO 2's hmac-secret extension. | ||
51 | * New API calls: | ||
52 | - fido_assert_hmac_secret_len; | ||
53 | - fido_assert_hmac_secret_ptr; | ||
54 | - fido_assert_set_extensions; | ||
55 | - fido_assert_set_hmac_salt; | ||
56 | - fido_cred_set_extensions; | ||
57 | - fido_dev_force_fido2. | ||
58 | * Support for native builds with Microsoft Visual Studio 17. | ||
59 | |||
60 | -- pedro martelletto <pedro@yubico.com> Tue, 11 Sep 2018 09:05:32 +0000 | ||
61 | |||
62 | libfido2 (0.2.0) bionic; urgency=low | ||
63 | |||
64 | * Added command-line tools. | ||
65 | * Added a couple of missing get functions. | ||
66 | |||
67 | -- pedro martelletto <pedro@yubico.com> Mon, 18 Jun 2018 10:44:11 +0000 | ||
68 | |||
69 | libfido2 (0.1.1~dev) bionic; urgency=low | ||
70 | |||
71 | * Added documentation. | ||
72 | * Minor fixes. | ||
73 | |||
74 | -- pedro martelletto <pedro@yubico.com> Wed, 30 May 2018 13:16:28 +0000 | ||
75 | |||
76 | libfido2 (0.1.0~dev) bionic; urgency=low | ||
77 | |||
78 | * Initial release. | ||
79 | |||
80 | -- pedro martelletto <pedro@yubico.com> Fri, 18 May 2018 08:47:01 +0000 | ||
diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat | |||
@@ -0,0 +1 @@ | |||
9 | |||
diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..50b9482 --- /dev/null +++ b/debian/control | |||
@@ -0,0 +1,53 @@ | |||
1 | Source: libfido2 | ||
2 | Priority: optional | ||
3 | Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com> | ||
4 | Uploaders: pedro martelletto <pedro@yubico.com> | ||
5 | Standards-Version: 4.1.2 | ||
6 | Section: libs | ||
7 | Homepage: https://github.com/yubico/libfido2 | ||
8 | Build-Depends: debhelper (>= 9), | ||
9 | pkg-config, | ||
10 | cmake, | ||
11 | mandoc, | ||
12 | libcbor-dev, | ||
13 | libssl-dev, | ||
14 | libudev-dev | ||
15 | |||
16 | Package: libfido2-1 | ||
17 | Architecture: any | ||
18 | Multi-Arch: same | ||
19 | Depends: libcbor0, libssl1.1, libudev1, ${shlibs:Depends}, ${misc:Depends} | ||
20 | Description: library for generating and verifying FIDO 2.0 objects | ||
21 | A library for communicating with a FIDO device over USB, and for verifying | ||
22 | attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) | ||
23 | are supported. This package contains the runtime library. | ||
24 | |||
25 | Package: libfido2-dev | ||
26 | Section: libdevel | ||
27 | Architecture: any | ||
28 | Multi-Arch: same | ||
29 | Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends} | ||
30 | Suggests: libssl-dev | ||
31 | Description: library for generating and verifying FIDO 2.0 objects (development headers) | ||
32 | A library for communicating with a FIDO device over USB, and for verifying | ||
33 | attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) | ||
34 | are supported. This package contains the development headers. | ||
35 | |||
36 | Package: fido2-tools | ||
37 | Section: utils | ||
38 | Architecture: any | ||
39 | Multi-Arch: foreign | ||
40 | Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} | ||
41 | Description: command-line tools to configure and use a FIDO 2 token | ||
42 | A set of tools to manage a FIDO 2 token, generate credentials and | ||
43 | assertions, and verify them. | ||
44 | |||
45 | Package: libfido2-udev | ||
46 | Section: libs | ||
47 | Architecture: all | ||
48 | Multi-Arch: foreign | ||
49 | Depends: ${misc:Depends} | ||
50 | Conflicts: libu2f-udev | ||
51 | Description: udev rules for access to U2F and FIDO2 devices | ||
52 | A set of udev rules allowing unprivileged system-level access | ||
53 | to U2F and FIDO2 USB devices for logged-on users. | ||
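Review bot: The `Depends:` field of libfido2-1 on line 19 hard-codes `libcbor0, libssl1.1, libudev1` next to `${shlibs:Depends}`, which already derives those packages from the linked SONAMEs at build time; the literal names will go stale or conflict as soon as one of those libraries changes SONAME. Keep `Depends: ${shlibs:Depends}, ${misc:Depends}` and let dh_shlibdeps compute the runtime library dependencies.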
diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..3ba51ef --- /dev/null +++ b/debian/copyright | |||
@@ -0,0 +1,85 @@ | |||
1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ | ||
2 | Upstream-Name: libfido2 | ||
3 | Source: https://github.com/yubico/libfido2 | ||
4 | |||
5 | Files: * | ||
6 | Copyright: Copyright (c) 2018 Yubico AB. All rights reserved. | ||
7 | License: BSD-2-clause | ||
8 | |||
9 | Files: openbsd-compat/strlcpy.c openbsd-compat/strlcat.c | ||
10 | Copyright: Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> | ||
11 | License: ISC | ||
12 | |||
13 | Files: src/compat/timingsafe_bcmp.c | ||
14 | Copyright: Copyright (c) 2010 Damien Miller. All rights reserved. | ||
15 | License: ISC | ||
16 | |||
17 | Files: | ||
18 | openbsd-compat/bsd-getpagesize.c | ||
19 | openbsd-compat/err.h | ||
20 | openbsd-compat/explicit_bzero.c | ||
21 | openbsd-compat/explicit_bzero_win32.c | ||
22 | openbsd-compat/types.h | ||
23 | Copyright: Public domain | ||
24 | License: public-domain | ||
25 | |||
26 | Files: openbsd-compat/recallocarray.c | ||
27 | Copyright: Copyright (c) 2008, 2017 Otto Moerbeek <otto@drijf.net> | ||
28 | License: ISC | ||
29 | |||
30 | Files: openbsd-compat/readpassphrase.h | ||
31 | Copyright: Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com> | ||
32 | License: ISC | ||
33 | |||
34 | Files: openbsd-compat/readpassphrase.c | ||
35 | Copyright: Copyright (c) 2000-2002, 2007, 2010 Todd C. Miller <Todd.Miller@courtesan.com> | ||
36 | License: ISC | ||
37 | |||
38 | Files: openbsd-compat/getopt.h | ||
39 | Copyright: Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved. | ||
40 | License: BSD-2-clause | ||
41 | |||
42 | Files: openbsd-compat/getopt_long.c | ||
43 | Copyright: Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com> | ||
44 | Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved. | ||
45 | License: ISC and BSD-2-clause | ||
46 | |||
47 | License: BSD-2-clause | ||
48 | Redistribution and use in source and binary forms, with or without | ||
49 | modification, are permitted provided that the following conditions are | ||
50 | met: | ||
51 | . | ||
52 | 1. Redistributions of source code must retain the above copyright | ||
53 | notice, this list of conditions and the following disclaimer. | ||
54 | 2. Redistributions in binary form must reproduce the above copyright | ||
55 | notice, this list of conditions and the following disclaimer in | ||
56 | the documentation and/or other materials provided with the | ||
57 | distribution. | ||
58 | . | ||
59 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
60 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
61 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
62 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
63 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
64 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
65 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
66 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
67 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
68 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
69 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
70 | |||
71 | License: public-domain | ||
72 | Public domain. | ||
73 | |||
74 | License: ISC | ||
75 | Permission to use, copy, modify, and distribute this software for any | ||
76 | purpose with or without fee is hereby granted, provided that the above | ||
77 | copyright notice and this permission notice appear in all copies. | ||
78 | . | ||
79 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
80 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
81 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
82 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
83 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
84 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
85 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
diff --git a/debian/fido2-tools.install b/debian/fido2-tools.install new file mode 100644 index 0000000..e772481 --- /dev/null +++ b/debian/fido2-tools.install | |||
@@ -0,0 +1 @@ | |||
usr/bin | |||
diff --git a/debian/fido2-tools.manpages b/debian/fido2-tools.manpages new file mode 100644 index 0000000..fc19867 --- /dev/null +++ b/debian/fido2-tools.manpages | |||
@@ -0,0 +1,3 @@ | |||
1 | man/fido2-assert.1 | ||
2 | man/fido2-cred.1 | ||
3 | man/fido2-token.1 | ||
diff --git a/debian/libfido2-1.install b/debian/libfido2-1.install new file mode 100644 index 0000000..a080fbe --- /dev/null +++ b/debian/libfido2-1.install | |||
@@ -0,0 +1 @@ | |||
usr/lib/*/libfido2.so.* | |||
diff --git a/debian/libfido2-1.symbols b/debian/libfido2-1.symbols new file mode 100644 index 0000000..afbf449 --- /dev/null +++ b/debian/libfido2-1.symbols | |||
@@ -0,0 +1,148 @@ | |||
1 | libfido2.so.1 libfido2-1 #MINVER# | ||
2 | eddsa_pk_free@Base 1.1.0 | ||
3 | eddsa_pk_from_EVP_PKEY@Base 1.1.0 | ||
4 | eddsa_pk_from_ptr@Base 1.1.0 | ||
5 | eddsa_pk_new@Base 1.1.0 | ||
6 | eddsa_pk_to_EVP_PKEY@Base 1.1.0 | ||
7 | es256_pk_free@Base 1.1.0 | ||
8 | es256_pk_from_EC_KEY@Base 1.1.0 | ||
9 | es256_pk_from_ptr@Base 1.1.0 | ||
10 | es256_pk_new@Base 1.1.0 | ||
11 | es256_pk_to_EVP_PKEY@Base 1.1.0 | ||
12 | fido_assert_allow_cred@Base 1.1.0 | ||
13 | fido_assert_authdata_len@Base 1.1.0 | ||
14 | fido_assert_authdata_ptr@Base 1.1.0 | ||
15 | fido_assert_clientdata_hash_len@Base 1.1.0 | ||
16 | fido_assert_clientdata_hash_ptr@Base 1.1.0 | ||
17 | fido_assert_count@Base 1.1.0 | ||
18 | fido_assert_flags@Base 1.1.0 | ||
19 | fido_assert_free@Base 1.1.0 | ||
20 | fido_assert_hmac_secret_len@Base 1.1.0 | ||
21 | fido_assert_hmac_secret_ptr@Base 1.1.0 | ||
22 | fido_assert_id_len@Base 1.1.0 | ||
23 | fido_assert_id_ptr@Base 1.1.0 | ||
24 | fido_assert_new@Base 1.1.0 | ||
25 | fido_assert_rp_id@Base 1.1.0 | ||
26 | fido_assert_set_authdata@Base 1.1.0 | ||
27 | fido_assert_set_clientdata_hash@Base 1.1.0 | ||
28 | fido_assert_set_count@Base 1.1.0 | ||
29 | fido_assert_set_extensions@Base 1.1.0 | ||
30 | fido_assert_set_hmac_salt@Base 1.1.0 | ||
31 | fido_assert_set_options@Base 1.1.0 | ||
32 | fido_assert_set_rp@Base 1.1.0 | ||
33 | fido_assert_set_sig@Base 1.1.0 | ||
34 | fido_assert_set_up@Base 1.2.0 | ||
35 | fido_assert_set_uv@Base 1.2.0 | ||
36 | fido_assert_sig_len@Base 1.1.0 | ||
37 | fido_assert_sig_ptr@Base 1.1.0 | ||
38 | fido_assert_user_display_name@Base 1.1.0 | ||
39 | fido_assert_user_icon@Base 1.1.0 | ||
40 | fido_assert_user_id_len@Base 1.1.0 | ||
41 | fido_assert_user_id_ptr@Base 1.1.0 | ||
42 | fido_assert_user_name@Base 1.1.0 | ||
43 | fido_assert_verify@Base 1.1.0 | ||
44 | fido_cbor_info_aaguid_len@Base 1.1.0 | ||
45 | fido_cbor_info_aaguid_ptr@Base 1.1.0 | ||
46 | fido_cbor_info_extensions_len@Base 1.1.0 | ||
47 | fido_cbor_info_extensions_ptr@Base 1.1.0 | ||
48 | fido_cbor_info_free@Base 1.1.0 | ||
49 | fido_cbor_info_maxmsgsiz@Base 1.1.0 | ||
50 | fido_cbor_info_new@Base 1.1.0 | ||
51 | fido_cbor_info_options_len@Base 1.1.0 | ||
52 | fido_cbor_info_options_name_ptr@Base 1.1.0 | ||
53 | fido_cbor_info_options_value_ptr@Base 1.1.0 | ||
54 | fido_cbor_info_protocols_len@Base 1.1.0 | ||
55 | fido_cbor_info_protocols_ptr@Base 1.1.0 | ||
56 | fido_cbor_info_versions_len@Base 1.1.0 | ||
57 | fido_cbor_info_versions_ptr@Base 1.1.0 | ||
58 | fido_cred_authdata_len@Base 1.1.0 | ||
59 | fido_cred_authdata_ptr@Base 1.1.0 | ||
60 | fido_cred_clientdata_hash_len@Base 1.1.0 | ||
61 | fido_cred_clientdata_hash_ptr@Base 1.1.0 | ||
62 | fido_cred_display_name@Base 1.2.0 | ||
63 | fido_cred_exclude@Base 1.1.0 | ||
64 | fido_cred_flags@Base 1.1.0 | ||
65 | fido_cred_fmt@Base 1.1.0 | ||
66 | fido_cred_free@Base 1.1.0 | ||
67 | fido_cred_id_len@Base 1.1.0 | ||
68 | fido_cred_id_ptr@Base 1.1.0 | ||
69 | fido_cred_new@Base 1.1.0 | ||
70 | fido_cred_pubkey_len@Base 1.1.0 | ||
71 | fido_cred_pubkey_ptr@Base 1.1.0 | ||
72 | fido_cred_rp_id@Base 1.1.0 | ||
73 | fido_cred_rp_name@Base 1.1.0 | ||
74 | fido_cred_set_authdata@Base 1.1.0 | ||
75 | fido_cred_set_clientdata_hash@Base 1.1.0 | ||
76 | fido_cred_set_extensions@Base 1.1.0 | ||
77 | fido_cred_set_fmt@Base 1.1.0 | ||
78 | fido_cred_set_options@Base 1.1.0 | ||
79 | fido_cred_set_rk@Base 1.2.0 | ||
80 | fido_cred_set_rp@Base 1.1.0 | ||
81 | fido_cred_set_sig@Base 1.1.0 | ||
82 | fido_cred_set_type@Base 1.1.0 | ||
83 | fido_cred_set_user@Base 1.1.0 | ||
84 | fido_cred_set_uv@Base 1.2.0 | ||
85 | fido_cred_set_x509@Base 1.1.0 | ||
86 | fido_cred_sig_len@Base 1.1.0 | ||
87 | fido_cred_sig_ptr@Base 1.1.0 | ||
88 | fido_cred_type@Base 1.2.0 | ||
89 | fido_cred_user_id_len@Base 1.2.0 | ||
90 | fido_cred_user_id_ptr@Base 1.2.0 | ||
91 | fido_cred_user_name@Base 1.2.0 | ||
92 | fido_cred_verify@Base 1.1.0 | ||
93 | fido_cred_x5c_len@Base 1.1.0 | ||
94 | fido_cred_x5c_ptr@Base 1.1.0 | ||
95 | fido_credman_del_dev_rk@Base 1.2.0 | ||
96 | fido_credman_get_dev_metadata@Base 1.2.0 | ||
97 | fido_credman_get_dev_rk@Base 1.2.0 | ||
98 | fido_credman_get_dev_rp@Base 1.2.0 | ||
99 | fido_credman_metadata_free@Base 1.2.0 | ||
100 | fido_credman_metadata_new@Base 1.2.0 | ||
101 | fido_credman_rk@Base 1.2.0 | ||
102 | fido_credman_rk_count@Base 1.2.0 | ||
103 | fido_credman_rk_existing@Base 1.2.0 | ||
104 | fido_credman_rk_free@Base 1.2.0 | ||
105 | fido_credman_rk_new@Base 1.2.0 | ||
106 | fido_credman_rk_remaining@Base 1.2.0 | ||
107 | fido_credman_rp_count@Base 1.2.0 | ||
108 | fido_credman_rp_free@Base 1.2.0 | ||
109 | fido_credman_rp_id@Base 1.2.0 | ||
110 | fido_credman_rp_id_hash_len@Base 1.2.0 | ||
111 | fido_credman_rp_id_hash_ptr@Base 1.2.0 | ||
112 | fido_credman_rp_name@Base 1.2.0 | ||
113 | fido_credman_rp_new@Base 1.2.0 | ||
114 | fido_dev_build@Base 1.1.0 | ||
115 | fido_dev_close@Base 1.1.0 | ||
116 | fido_dev_flags@Base 1.1.0 | ||
117 | fido_dev_force_fido2@Base 1.1.0 | ||
118 | fido_dev_force_u2f@Base 1.1.0 | ||
119 | fido_dev_free@Base 1.1.0 | ||
120 | fido_dev_get_assert@Base 1.1.0 | ||
121 | fido_dev_get_cbor_info@Base 1.1.0 | ||
122 | fido_dev_get_retry_count@Base 1.1.0 | ||
123 | fido_dev_info_free@Base 1.1.0 | ||
124 | fido_dev_info_manifest@Base 1.1.0 | ||
125 | fido_dev_info_manufacturer_string@Base 1.1.0 | ||
126 | fido_dev_info_new@Base 1.1.0 | ||
127 | fido_dev_info_path@Base 1.1.0 | ||
128 | fido_dev_info_product@Base 1.1.0 | ||
129 | fido_dev_info_product_string@Base 1.1.0 | ||
130 | fido_dev_info_ptr@Base 1.1.0 | ||
131 | fido_dev_info_vendor@Base 1.1.0 | ||
132 | fido_dev_is_fido2@Base 1.1.0 | ||
133 | fido_dev_major@Base 1.1.0 | ||
134 | fido_dev_make_cred@Base 1.1.0 | ||
135 | fido_dev_minor@Base 1.1.0 | ||
136 | fido_dev_new@Base 1.1.0 | ||
137 | fido_dev_open@Base 1.1.0 | ||
138 | fido_dev_protocol@Base 1.1.0 | ||
139 | fido_dev_reset@Base 1.1.0 | ||
140 | fido_dev_set_io_functions@Base 1.1.0 | ||
141 | fido_dev_set_pin@Base 1.1.0 | ||
142 | fido_init@Base 1.1.0 | ||
143 | fido_strerr@Base 1.1.0 | ||
144 | rs256_pk_free@Base 1.1.0 | ||
145 | rs256_pk_from_RSA@Base 1.1.0 | ||
146 | rs256_pk_from_ptr@Base 1.1.0 | ||
147 | rs256_pk_new@Base 1.1.0 | ||
148 | rs256_pk_to_EVP_PKEY@Base 1.1.0 | ||
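--- /dev/null
+++ b/debian/libfido2-dev.install
@@ -0,0 +1,23 @@
+usr/include
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*.pc
+usr/share/doc/libfido2/es256_pk.html
+usr/share/doc/libfido2/fido.html
+usr/share/doc/libfido2/fido_assert.html
+usr/share/doc/libfido2/fido_assert_allow_cred.html
+usr/share/doc/libfido2/fido_assert_set.html
+usr/share/doc/libfido2/fido_assert_verify.html
+usr/share/doc/libfido2/fido_cbor_info.html
+usr/share/doc/libfido2/fido_cred.html
+usr/share/doc/libfido2/fido_cred_exclude.html
+usr/share/doc/libfido2/fido_cred_set.html
+usr/share/doc/libfido2/fido_cred_verify.html
+usr/share/doc/libfido2/fido_dev_get_assert.html
+usr/share/doc/libfido2/fido_dev_info_manifest.html
+usr/share/doc/libfido2/fido_dev_make_cred.html
+usr/share/doc/libfido2/fido_dev_open.html
+usr/share/doc/libfido2/fido_dev_set_io_functions.html
+usr/share/doc/libfido2/fido_dev_set_pin.html
+usr/share/doc/libfido2/fido_strerr.html
+usr/share/doc/libfido2/rs256_pk.html
+usr/share/doc/libfido2/style.css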
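--- /dev/null
+++ b/debian/libfido2-dev.links
@@ -0,0 +1,148 @@
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_new.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_free.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_EC_KEY.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_ptr.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_to_EVP_PKEY.3
+/usr/share/man/man3/fido.3 /usr/share/man/man3/fido_init.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_new.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_free.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_count.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_display_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_icon.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_len.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_authdata.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_clientdata_hash.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_count.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_options.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_rp.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_sig.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_new.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_free.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_fmt.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_len.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_authdata.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_x509.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_sig.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_clientdata_hash.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_rp.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_user.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_options.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_fmt.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_type.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_new.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_free.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_ptr.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_path.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_vendor.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_manufacturer_string.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product_string.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_close.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_new.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_free.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_is_fido2.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_protocol.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_build.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_flags.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_major.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_minor.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_get_retry_count.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_reset.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_new.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_free.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_RSA.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_ptr.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_to_EVP_PKEY.3
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_new.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_free.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_EC_KEY.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_ptr.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_to_EVP_PKEY.html
+/usr/share/doc/libfido2/fido.html /usr/share/doc/libfido2/fido_init.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_new.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_free.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_count.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_display_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_icon.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_len.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_authdata.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_count.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_options.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_rp.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_sig.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_new.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_free.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_fmt.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_len.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_authdata.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_x509.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_sig.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_rp.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_user.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_options.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_fmt.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_type.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_new.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_free.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_ptr.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_path.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_vendor.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_docufacturer_string.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product_string.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_close.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_new.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_free.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_is_fido2.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_protocol.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_build.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_flags.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_major.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_minor.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_get_retry_count.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_reset.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_new.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_free.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_RSA.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_ptr.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_to_EVP_PKEY.html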
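Review bot: Line 131 creates the link `fido_dev_info_docufacturer_string.html`, a misspelling that does not match the man-page alias on line 57 (`fido_dev_info_manufacturer_string.3`) or the exported symbol `fido_dev_info_manufacturer_string` listed earlier in this commit, so the package would ship a symlink under a wrong name and no `manufacturer` alias for the HTML docs. The entry should read `/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_manufacturer_string.html`. Since the man and HTML halves of this file mirror each other one-to-one, a quick diff of the two halves after stripping the directory and suffix would catch drift like this in future updates.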
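--- /dev/null
+++ b/debian/libfido2-dev.manpages
@@ -0,0 +1,19 @@
+man/es256_pk.3
+man/fido.3
+man/fido_assert.3
+man/fido_assert_allow_cred.3
+man/fido_assert_set.3
+man/fido_assert_verify.3
+man/fido_cbor_info.3
+man/fido_cred.3
+man/fido_cred_exclude.3
+man/fido_cred_set.3
+man/fido_cred_verify.3
+man/fido_dev_get_assert.3
+man/fido_dev_info_manifest.3
+man/fido_dev_make_cred.3
+man/fido_dev_open.3
+man/fido_dev_set_io_functions.3
+man/fido_dev_set_pin.3
+man/fido_strerr.3
+man/rs256_pk.3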
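--- /dev/null
+++ b/debian/libfido2-udev.install
@@ -0,0 +1 @@
+lib/udev/rules.d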
diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..bb7acbc --- /dev/null +++ b/debian/rules | |||
@@ -0,0 +1,9 @@ | |||
1 | #!/usr/bin/make -f | ||
2 | |||
3 | DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) | ||
4 | |||
5 | %: | ||
6 | dh $@ | ||
7 | |||
8 | override_dh_auto_configure: | ||
9 | dh_auto_configure -- -DUDEV_RULES_DIR=/lib/udev/rules.d | ||
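Review bot: `DEB_HOST_MULTIARCH` is assigned on line 3 but not referenced anywhere in the visible rules, so the `dpkg-architecture` shell-out is dead work; either drop the line or use the variable where it was meant to go. The `override_dh_auto_configure` target hardcodes `-DUDEV_RULES_DIR=/lib/udev/rules.d`, which has to agree with the path in `debian/libfido2-udev.install` added in this same commit; a comment on line 9 such as `# must match debian/libfido2-udev.install` would make that coupling visible to the next packager.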
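--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)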
diff --git a/fuzz/report.html.gz b/fuzz/report.html.gz new file mode 100644 index 0000000..9f07223 --- /dev/null +++ b/fuzz/report.html.gz | |||
Binary files differ | |||
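--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -18,6 +18,7 @@
 #if defined(__APPLE__) && !defined(HAVE_ENDIAN_H)
 #include <libkern/OSByteOrder.h>
 #define be16toh(x) OSSwapBigToHostInt16((x))
+#define htobe16(x) OSSwapHostToBigInt16((x))
 #define be32toh(x) OSSwapBigToHostInt32((x))
 #endif /* __APPLE__ && !HAVE_ENDIAN_H */
 
@@ -27,6 +28,7 @@
 #include <sys/param.h>
 #endif
 #define be16toh(x) ntohs((x))
+#define htobe16(x) htons((x))
 #define be32toh(x) ntohl((x))
 #endif /* _WIN32 && !HAVE_ENDIAN_H */
 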
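Review bot: The new `htobe16` definitions cover only the `__APPLE__` and `_WIN32` fallback branches visible in these two hunks, while `src/iso7816.c` in this same commit now calls `htobe16()` unconditionally; if the header carries any other `!HAVE_ENDIAN_H` branch outside these hunks, it needs a matching definition or that platform will no longer build. A one-line comment next to each new macro, e.g. `/* htobe16() is used by iso7816.c; keep paired with be16toh() */`, would make the dependency explicit so the macro is not dropped when the fallback list is next trimmed.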
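--- a/src/iso7816.c
+++ b/src/iso7816.c
@@ -13,7 +13,7 @@ iso7816_new(uint8_t ins, uint8_t p1, uint16_t payload_len)
 iso7816_apdu_t *apdu;
 size_t alloc_len;
 
-alloc_len = sizeof(iso7816_apdu_t) + payload_len;
+alloc_len = sizeof(iso7816_apdu_t) + payload_len + 2; /* le1 le2 */
 
 if ((apdu = calloc(1, alloc_len)) == NULL)
 return (NULL);
@@ -439,7 +439,7 @@ encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
 authdata.sigcount = 0;
 
 memset(&attcred_raw.aaguid, 0, sizeof(attcred_raw.aaguid));
-attcred_raw.id_len = (uint16_t)(kh_len << 8); /* XXX */
+attcred_raw.id_len = htobe16(kh_len);
 
 len = authdata_blob.len = sizeof(authdata) + sizeof(attcred_raw) +
 kh_len + pk_blob.len;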
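Review bot: The `+ 2` added to `alloc_len` on line 16 sizes the buffer for the trailing Le bytes with a bare literal, but the code that later writes those two bytes lies outside this hunk, so nothing ties the allocation to the writer. A shared named constant, something like `#define ISO7816_LE_LEN 2` used both here and at the write site, would keep the two in step and make a future change to the Le encoding harder to get wrong; the `/* le1 le2 */` comment could then be dropped. In the second hunk, `htobe16(kh_len)` relies on integer promotion of the `uint8_t` argument; `htobe16((uint16_t)kh_len)` states the intended width and stays quiet under `-Wconversion`. Both `iso7816_new` and `encode_cred_authdata` continue outside their hunks.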
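--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -49,17 +49,10 @@ add_executable(fido2-token
 ${COMPAT_SOURCES}
 )
 
-add_library(sk-libfido2 MODULE sk-libfido2.c)
-set_target_properties(sk-libfido2 PROPERTIES
-COMPILE_FLAGS "-DSK_STANDALONE -DWITH_OPENSSL"
-OUTPUT_NAME sk-libfido2
-)
 
 target_link_libraries(fido2-cred ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-assert ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-token ${CRYPTO_LIBRARIES} fido2_shared)
-target_link_libraries(sk-libfido2 ${CRYPTO_LIBRARIES} fido2_shared)
 
 install(TARGETS fido2-cred fido2-assert fido2-token
 DESTINATION ${CMAKE_INSTALL_BINDIR})
-install(TARGETS sk-libfido2 DESTINATION ${CMAKE_INSTALL_LIBDIR})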
diff --git a/tools/sk-libfido2.c b/tools/sk-libfido2.c deleted file mode 100644 index 15aa813..0000000 --- a/tools/sk-libfido2.c +++ /dev/null | |||
@@ -1,784 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2019 Markus Friedl | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include <fcntl.h> | ||
18 | #include <stdint.h> | ||
19 | #include <stdlib.h> | ||
20 | #include <string.h> | ||
21 | #include <stdio.h> | ||
22 | #include <stddef.h> | ||
23 | #include <stdarg.h> | ||
24 | #ifdef HAVE_UNISTD_H | ||
25 | #include <unistd.h> | ||
26 | #endif | ||
27 | |||
28 | #ifdef WITH_OPENSSL | ||
29 | #include <openssl/opensslv.h> | ||
30 | #include <openssl/crypto.h> | ||
31 | #include <openssl/bn.h> | ||
32 | #include <openssl/ec.h> | ||
33 | #include <openssl/ecdsa.h> | ||
34 | #endif /* WITH_OPENSSL */ | ||
35 | |||
36 | #include <fido.h> | ||
37 | |||
38 | #ifndef SK_STANDALONE | ||
39 | #include "log.h" | ||
40 | #include "xmalloc.h" | ||
41 | #endif | ||
42 | |||
43 | /* #define SK_DEBUG 1 */ | ||
44 | |||
45 | #if defined(_WIN32) | ||
46 | #include <windows.h> | ||
47 | #include <winternl.h> | ||
48 | #include <winerror.h> | ||
49 | #include <bcrypt.h> | ||
50 | #include <sal.h> | ||
51 | #endif | ||
52 | |||
53 | #define MAX_FIDO_DEVICES 256 | ||
54 | |||
55 | /* Compatibility with OpenSSL 1.0.x */ | ||
56 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) | ||
57 | #define ECDSA_SIG_get0(sig, pr, ps) \ | ||
58 | do { \ | ||
59 | (*pr) = sig->r; \ | ||
60 | (*ps) = sig->s; \ | ||
61 | } while (0) | ||
62 | #endif | ||
63 | |||
64 | #define SK_VERSION_MAJOR 0x00020000 /* current API version */ | ||
65 | |||
66 | /* Flags */ | ||
67 | #define SK_USER_PRESENCE_REQD 0x01 | ||
68 | |||
69 | /* Algs */ | ||
70 | #define SK_ECDSA 0x00 | ||
71 | #define SK_ED25519 0x01 | ||
72 | |||
73 | struct sk_enroll_response { | ||
74 | uint8_t *public_key; | ||
75 | size_t public_key_len; | ||
76 | uint8_t *key_handle; | ||
77 | size_t key_handle_len; | ||
78 | uint8_t *signature; | ||
79 | size_t signature_len; | ||
80 | uint8_t *attestation_cert; | ||
81 | size_t attestation_cert_len; | ||
82 | }; | ||
83 | |||
84 | struct sk_sign_response { | ||
85 | uint8_t flags; | ||
86 | uint32_t counter; | ||
87 | uint8_t *sig_r; | ||
88 | size_t sig_r_len; | ||
89 | uint8_t *sig_s; | ||
90 | size_t sig_s_len; | ||
91 | }; | ||
92 | |||
93 | /* If building as part of OpenSSH, then rename exported functions */ | ||
94 | #if !defined(SK_STANDALONE) | ||
95 | #define sk_api_version ssh_sk_api_version | ||
96 | #define sk_enroll ssh_sk_enroll | ||
97 | #define sk_sign ssh_sk_sign | ||
98 | #endif | ||
99 | |||
100 | /* Return the version of the middleware API */ | ||
101 | uint32_t sk_api_version(void); | ||
102 | |||
103 | /* Enroll a U2F key (private key generation) */ | ||
104 | int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, | ||
105 | const char *application, uint8_t flags, | ||
106 | struct sk_enroll_response **enroll_response); | ||
107 | |||
108 | /* Sign a challenge */ | ||
109 | int sk_sign(int alg, const uint8_t *message, size_t message_len, | ||
110 | const char *application, const uint8_t *key_handle, size_t key_handle_len, | ||
111 | uint8_t flags, struct sk_sign_response **sign_response); | ||
112 | |||
113 | #ifdef SK_DEBUG | ||
114 | static void skdebug(const char *func, const char *fmt, ...) | ||
115 | __attribute__((__format__ (printf, 2, 3))); | ||
116 | |||
117 | static void | ||
118 | skdebug(const char *func, const char *fmt, ...) | ||
119 | { | ||
120 | #if !defined(SK_STANDALONE) | ||
121 | char *msg; | ||
122 | va_list ap; | ||
123 | |||
124 | va_start(ap, fmt); | ||
125 | xvasprintf(&msg, fmt, ap); | ||
126 | va_end(ap); | ||
127 | debug("%s: %s", func, msg); | ||
128 | free(msg); | ||
129 | #else | ||
130 | va_list ap; | ||
131 | |||
132 | va_start(ap, fmt); | ||
133 | fprintf(stderr, "%s: ", func); | ||
134 | vfprintf(stderr, fmt, ap); | ||
135 | fputc('\n', stderr); | ||
136 | va_end(ap); | ||
137 | #endif /* !SK_STANDALONE */ | ||
138 | } | ||
139 | #else | ||
140 | #define skdebug(...) do { /* nothing */ } while (0) | ||
141 | #endif /* SK_DEBUG */ | ||
142 | |||
143 | uint32_t | ||
144 | sk_api_version(void) | ||
145 | { | ||
146 | return SK_VERSION_MAJOR; | ||
147 | } | ||
148 | |||
149 | /* Select the first identified FIDO device attached to the system */ | ||
150 | static char * | ||
151 | pick_first_device(void) | ||
152 | { | ||
153 | char *ret = NULL; | ||
154 | fido_dev_info_t *devlist = NULL; | ||
155 | size_t olen = 0; | ||
156 | int r; | ||
157 | const fido_dev_info_t *di; | ||
158 | |||
159 | if ((devlist = fido_dev_info_new(1)) == NULL) { | ||
160 | skdebug(__func__, "fido_dev_info_new failed"); | ||
161 | goto out; | ||
162 | } | ||
163 | if ((r = fido_dev_info_manifest(devlist, 1, &olen)) != FIDO_OK) { | ||
164 | skdebug(__func__, "fido_dev_info_manifest failed: %s", | ||
165 | fido_strerr(r)); | ||
166 | goto out; | ||
167 | } | ||
168 | if (olen != 1) { | ||
169 | skdebug(__func__, "fido_dev_info_manifest bad len %zu", olen); | ||
170 | goto out; | ||
171 | } | ||
172 | di = fido_dev_info_ptr(devlist, 0); | ||
173 | if ((ret = strdup(fido_dev_info_path(di))) == NULL) { | ||
174 | skdebug(__func__, "fido_dev_info_path failed"); | ||
175 | goto out; | ||
176 | } | ||
177 | out: | ||
178 | fido_dev_info_free(&devlist, 1); | ||
179 | return ret; | ||
180 | } | ||
181 | |||
182 | #if defined(HAVE_ARC4RANDOM_BUF) | ||
183 | static int | ||
184 | get_random_challenge(uint8_t *ptr, size_t len) | ||
185 | { | ||
186 | arc4random_buf(ptr, len); | ||
187 | |||
188 | return 0; | ||
189 | } | ||
190 | #elif defined(HAVE_GETENTROPY) | ||
191 | static int | ||
192 | get_random_challenge(uint8_t *ptr, size_t len) | ||
193 | { | ||
194 | if (getentropy(ptr, len) == -1) { | ||
195 | skdebug(__func__, "getentropy failed"); | ||
196 | return -1; | ||
197 | } | ||
198 | |||
199 | return 0; | ||
200 | } | ||
201 | #elif defined(HAS_DEV_URANDOM) | ||
202 | static int | ||
203 | get_random_challenge(uint8_t *ptr, size_t len) | ||
204 | { | ||
205 | int fd; | ||
206 | ssize_t n; | ||
207 | |||
208 | if ((fd = open(FIDO_RANDOM_DEV, O_RDONLY)) < 0) { | ||
209 | skdebug(__func__, "open %s failed", FIDO_RANDOM_DEV); | ||
210 | return -1; | ||
211 | } | ||
212 | |||
213 | n = read(fd, ptr, len); | ||
214 | close(fd); | ||
215 | |||
216 | if (n < 0 || (size_t)n != len) { | ||
217 | skdebug(__func__, "read from %s failed", FIDO_RANDOM_DEV); | ||
218 | return -1; | ||
219 | } | ||
220 | |||
221 | return 0; | ||
222 | } | ||
223 | #elif defined(_WIN32) | ||
224 | static int | ||
225 | get_random_challenge(uint8_t *ptr, size_t len) | ||
226 | { | ||
227 | NTSTATUS status; | ||
228 | |||
229 | status = BCryptGenRandom(NULL, ptr, len, | ||
230 | BCRYPT_USE_SYSTEM_PREFERRED_RNG); | ||
231 | if (!NT_SUCCESS(status)) | ||
232 | return -1; | ||
233 | |||
234 | return 0; | ||
235 | } | ||
236 | #else | ||
237 | #error "please provide an implementation of get_random_challenge() for your platform" | ||
238 | #endif | ||
239 | |||
240 | /* Check if the specified key handle exists on a given device. */ | ||
241 | static int | ||
242 | try_device(fido_dev_t *dev, const char *application, | ||
243 | const uint8_t *key_handle, size_t key_handle_len) | ||
244 | { | ||
245 | fido_assert_t *assert = NULL; | ||
246 | uint8_t challenge[32]; | ||
247 | int r = FIDO_ERR_INTERNAL; | ||
248 | |||
249 | if (get_random_challenge(challenge, sizeof(challenge)) == -1) { | ||
250 | skdebug(__func__, "get_random_challenge failed"); | ||
251 | goto out; | ||
252 | } | ||
253 | |||
254 | if ((assert = fido_assert_new()) == NULL) { | ||
255 | skdebug(__func__, "fido_assert_new failed"); | ||
256 | goto out; | ||
257 | } | ||
258 | if ((r = fido_assert_set_clientdata_hash(assert, challenge, | ||
259 | sizeof(challenge))) != FIDO_OK) { | ||
260 | skdebug(__func__, "fido_assert_set_clientdata_hash: %s", | ||
261 | fido_strerr(r)); | ||
262 | goto out; | ||
263 | } | ||
264 | if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) { | ||
265 | skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r)); | ||
266 | goto out; | ||
267 | } | ||
268 | if ((r = fido_assert_allow_cred(assert, key_handle, | ||
269 | key_handle_len)) != FIDO_OK) { | ||
270 | skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r)); | ||
271 | goto out; | ||
272 | } | ||
273 | if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) { | ||
274 | skdebug(__func__, "fido_assert_up: %s", fido_strerr(r)); | ||
275 | goto out; | ||
276 | } | ||
277 | r = fido_dev_get_assert(dev, assert, NULL); | ||
278 | skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r)); | ||
279 | if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) { | ||
280 | /* U2F tokens may return this */ | ||
281 | r = FIDO_OK; | ||
282 | } | ||
283 | out: | ||
284 | fido_assert_free(&assert); | ||
285 | |||
286 | return r != FIDO_OK ? -1 : 0; | ||
287 | } | ||
288 | |||
289 | /* Iterate over configured devices looking for a specific key handle */ | ||
290 | static fido_dev_t * | ||
291 | find_device(const char *application, const uint8_t *key_handle, | ||
292 | size_t key_handle_len) | ||
293 | { | ||
294 | fido_dev_info_t *devlist = NULL; | ||
295 | fido_dev_t *dev = NULL; | ||
296 | size_t devlist_len = 0, i; | ||
297 | const char *path; | ||
298 | int r; | ||
299 | |||
300 | if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) { | ||
301 | skdebug(__func__, "fido_dev_info_new failed"); | ||
302 | goto out; | ||
303 | } | ||
304 | if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES, | ||
305 | &devlist_len)) != FIDO_OK) { | ||
306 | skdebug(__func__, "fido_dev_info_manifest: %s", fido_strerr(r)); | ||
307 | goto out; | ||
308 | } | ||
309 | |||
310 | skdebug(__func__, "found %zu device(s)", devlist_len); | ||
311 | |||
312 | for (i = 0; i < devlist_len; i++) { | ||
313 | const fido_dev_info_t *di = fido_dev_info_ptr(devlist, i); | ||
314 | |||
315 | if (di == NULL) { | ||
316 | skdebug(__func__, "fido_dev_info_ptr %zu failed", i); | ||
317 | continue; | ||
318 | } | ||
319 | if ((path = fido_dev_info_path(di)) == NULL) { | ||
320 | skdebug(__func__, "fido_dev_info_path %zu failed", i); | ||
321 | continue; | ||
322 | } | ||
323 | skdebug(__func__, "trying device %zu: %s", i, path); | ||
324 | if ((dev = fido_dev_new()) == NULL) { | ||
325 | skdebug(__func__, "fido_dev_new failed"); | ||
326 | continue; | ||
327 | } | ||
328 | if ((r = fido_dev_open(dev, path)) != FIDO_OK) { | ||
329 | skdebug(__func__, "fido_dev_open failed"); | ||
330 | fido_dev_free(&dev); | ||
331 | continue; | ||
332 | } | ||
333 | if (try_device(dev, application, key_handle, | ||
334 | key_handle_len) == 0) { | ||
335 | skdebug(__func__, "found key"); | ||
336 | break; | ||
337 | } | ||
338 | fido_dev_close(dev); | ||
339 | fido_dev_free(&dev); | ||
340 | } | ||
341 | |||
342 | out: | ||
343 | if (devlist != NULL) | ||
344 | fido_dev_info_free(&devlist, MAX_FIDO_DEVICES); | ||
345 | |||
346 | return dev; | ||
347 | } | ||
348 | |||
349 | #ifdef WITH_OPENSSL | ||
350 | /* | ||
351 | * The key returned via fido_cred_pubkey_ptr() is in affine coordinates, | ||
352 | * but the API expects a SEC1 octet string. | ||
353 | */ | ||
354 | static int | ||
355 | pack_public_key_ecdsa(fido_cred_t *cred, struct sk_enroll_response *response) | ||
356 | { | ||
357 | const uint8_t *ptr; | ||
358 | BIGNUM *x = NULL, *y = NULL; | ||
359 | EC_POINT *q = NULL; | ||
360 | EC_GROUP *g = NULL; | ||
361 | int ret = -1; | ||
362 | |||
363 | response->public_key = NULL; | ||
364 | response->public_key_len = 0; | ||
365 | |||
366 | if ((x = BN_new()) == NULL || | ||
367 | (y = BN_new()) == NULL || | ||
368 | (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL || | ||
369 | (q = EC_POINT_new(g)) == NULL) { | ||
370 | skdebug(__func__, "libcrypto setup failed"); | ||
371 | goto out; | ||
372 | } | ||
373 | if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) { | ||
374 | skdebug(__func__, "fido_cred_pubkey_ptr failed"); | ||
375 | goto out; | ||
376 | } | ||
377 | if (fido_cred_pubkey_len(cred) != 64) { | ||
378 | skdebug(__func__, "bad fido_cred_pubkey_len %zu", | ||
379 | fido_cred_pubkey_len(cred)); | ||
380 | goto out; | ||
381 | } | ||
382 | |||
383 | if (BN_bin2bn(ptr, 32, x) == NULL || | ||
384 | BN_bin2bn(ptr + 32, 32, y) == NULL) { | ||
385 | skdebug(__func__, "BN_bin2bn failed"); | ||
386 | goto out; | ||
387 | } | ||
388 | if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, NULL) != 1) { | ||
389 | skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed"); | ||
390 | goto out; | ||
391 | } | ||
392 | response->public_key_len = EC_POINT_point2oct(g, q, | ||
393 | POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); | ||
394 | if (response->public_key_len == 0 || response->public_key_len > 2048) { | ||
395 | skdebug(__func__, "bad pubkey length %zu", | ||
396 | response->public_key_len); | ||
397 | goto out; | ||
398 | } | ||
399 | if ((response->public_key = malloc(response->public_key_len)) == NULL) { | ||
400 | skdebug(__func__, "malloc pubkey failed"); | ||
401 | goto out; | ||
402 | } | ||
403 | if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED, | ||
404 | response->public_key, response->public_key_len, NULL) == 0) { | ||
405 | skdebug(__func__, "EC_POINT_point2oct failed"); | ||
406 | goto out; | ||
407 | } | ||
408 | /* success */ | ||
409 | ret = 0; | ||
410 | out: | ||
411 | if (ret != 0 && response->public_key != NULL) { | ||
412 | memset(response->public_key, 0, response->public_key_len); | ||
413 | free(response->public_key); | ||
414 | response->public_key = NULL; | ||
415 | } | ||
416 | EC_POINT_free(q); | ||
417 | EC_GROUP_free(g); | ||
418 | BN_clear_free(x); | ||
419 | BN_clear_free(y); | ||
420 | return ret; | ||
421 | } | ||
422 | #endif /* WITH_OPENSSL */ | ||
423 | |||
424 | static int | ||
425 | pack_public_key_ed25519(fido_cred_t *cred, struct sk_enroll_response *response) | ||
426 | { | ||
427 | const uint8_t *ptr; | ||
428 | size_t len; | ||
429 | int ret = -1; | ||
430 | |||
431 | response->public_key = NULL; | ||
432 | response->public_key_len = 0; | ||
433 | |||
434 | if ((len = fido_cred_pubkey_len(cred)) != 32) { | ||
435 | skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len); | ||
436 | goto out; | ||
437 | } | ||
438 | if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) { | ||
439 | skdebug(__func__, "fido_cred_pubkey_ptr failed"); | ||
440 | goto out; | ||
441 | } | ||
442 | response->public_key_len = len; | ||
443 | if ((response->public_key = malloc(response->public_key_len)) == NULL) { | ||
444 | skdebug(__func__, "malloc pubkey failed"); | ||
445 | goto out; | ||
446 | } | ||
447 | memcpy(response->public_key, ptr, len); | ||
448 | ret = 0; | ||
449 | out: | ||
450 | if (ret != 0) | ||
451 | free(response->public_key); | ||
452 | return ret; | ||
453 | } | ||
454 | |||
455 | static int | ||
456 | pack_public_key(int alg, fido_cred_t *cred, struct sk_enroll_response *response) | ||
457 | { | ||
458 | switch(alg) { | ||
459 | #ifdef WITH_OPENSSL | ||
460 | case SK_ECDSA: | ||
461 | return pack_public_key_ecdsa(cred, response); | ||
462 | #endif /* WITH_OPENSSL */ | ||
463 | case SK_ED25519: | ||
464 | return pack_public_key_ed25519(cred, response); | ||
465 | default: | ||
466 | return -1; | ||
467 | } | ||
468 | } | ||
469 | |||
470 | int | ||
471 | sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, | ||
472 | const char *application, uint8_t flags, | ||
473 | struct sk_enroll_response **enroll_response) | ||
474 | { | ||
475 | fido_cred_t *cred = NULL; | ||
476 | fido_dev_t *dev = NULL; | ||
477 | const uint8_t *ptr; | ||
478 | uint8_t user_id[32]; | ||
479 | struct sk_enroll_response *response = NULL; | ||
480 | size_t len; | ||
481 | int cose_alg; | ||
482 | int ret = -1; | ||
483 | int r; | ||
484 | char *device = NULL; | ||
485 | |||
486 | (void)flags; /* XXX; unused */ | ||
487 | #ifdef SK_DEBUG | ||
488 | fido_init(FIDO_DEBUG); | ||
489 | #endif | ||
490 | if (enroll_response == NULL) { | ||
491 | skdebug(__func__, "enroll_response == NULL"); | ||
492 | goto out; | ||
493 | } | ||
494 | *enroll_response = NULL; | ||
495 | switch(alg) { | ||
496 | #ifdef WITH_OPENSSL | ||
497 | case SK_ECDSA: | ||
498 | cose_alg = COSE_ES256; | ||
499 | break; | ||
500 | #endif /* WITH_OPENSSL */ | ||
501 | case SK_ED25519: | ||
502 | cose_alg = COSE_EDDSA; | ||
503 | break; | ||
504 | default: | ||
505 | skdebug(__func__, "unsupported key type %d", alg); | ||
506 | goto out; | ||
507 | } | ||
508 | if ((device = pick_first_device()) == NULL) { | ||
509 | skdebug(__func__, "pick_first_device failed"); | ||
510 | goto out; | ||
511 | } | ||
512 | skdebug(__func__, "using device %s", device); | ||
513 | if ((cred = fido_cred_new()) == NULL) { | ||
514 | skdebug(__func__, "fido_cred_new failed"); | ||
515 | goto out; | ||
516 | } | ||
517 | memset(user_id, 0, sizeof(user_id)); | ||
518 | if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) { | ||
519 | skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r)); | ||
520 | goto out; | ||
521 | } | ||
522 | if ((r = fido_cred_set_clientdata_hash(cred, challenge, | ||
523 | challenge_len)) != FIDO_OK) { | ||
524 | skdebug(__func__, "fido_cred_set_clientdata_hash: %s", | ||
525 | fido_strerr(r)); | ||
526 | goto out; | ||
527 | } | ||
528 | if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id), | ||
529 | "openssh", "openssh", NULL)) != FIDO_OK) { | ||
530 | skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r)); | ||
531 | goto out; | ||
532 | } | ||
533 | if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) { | ||
534 | skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r)); | ||
535 | goto out; | ||
536 | } | ||
537 | if ((dev = fido_dev_new()) == NULL) { | ||
538 | skdebug(__func__, "fido_dev_new failed"); | ||
539 | goto out; | ||
540 | } | ||
541 | if ((r = fido_dev_open(dev, device)) != FIDO_OK) { | ||
542 | skdebug(__func__, "fido_dev_open: %s", fido_strerr(r)); | ||
543 | goto out; | ||
544 | } | ||
545 | if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) { | ||
546 | skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r)); | ||
547 | goto out; | ||
548 | } | ||
549 | if (fido_cred_x5c_ptr(cred) != NULL) { | ||
550 | if ((r = fido_cred_verify(cred)) != FIDO_OK) { | ||
551 | skdebug(__func__, "fido_cred_verify: %s", | ||
552 | fido_strerr(r)); | ||
553 | goto out; | ||
554 | } | ||
555 | } else { | ||
556 | skdebug(__func__, "self-attested credential"); | ||
557 | if ((r = fido_cred_verify_self(cred)) != FIDO_OK) { | ||
558 | skdebug(__func__, "fido_cred_verify_self: %s", | ||
559 | fido_strerr(r)); | ||
560 | goto out; | ||
561 | } | ||
562 | } | ||
563 | if ((response = calloc(1, sizeof(*response))) == NULL) { | ||
564 | skdebug(__func__, "calloc response failed"); | ||
565 | goto out; | ||
566 | } | ||
567 | if (pack_public_key(alg, cred, response) != 0) { | ||
568 | skdebug(__func__, "pack_public_key failed"); | ||
569 | goto out; | ||
570 | } | ||
571 | if ((ptr = fido_cred_id_ptr(cred)) != NULL) { | ||
572 | len = fido_cred_id_len(cred); | ||
573 | if ((response->key_handle = calloc(1, len)) == NULL) { | ||
574 | skdebug(__func__, "calloc key handle failed"); | ||
575 | goto out; | ||
576 | } | ||
577 | memcpy(response->key_handle, ptr, len); | ||
578 | response->key_handle_len = len; | ||
579 | } | ||
580 | if ((ptr = fido_cred_sig_ptr(cred)) != NULL) { | ||
581 | len = fido_cred_sig_len(cred); | ||
582 | if ((response->signature = calloc(1, len)) == NULL) { | ||
583 | skdebug(__func__, "calloc signature failed"); | ||
584 | goto out; | ||
585 | } | ||
586 | memcpy(response->signature, ptr, len); | ||
587 | response->signature_len = len; | ||
588 | } | ||
589 | if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { | ||
590 | len = fido_cred_x5c_len(cred); | ||
591 | if ((response->attestation_cert = calloc(1, len)) == NULL) { | ||
592 | skdebug(__func__, "calloc attestation cert failed"); | ||
593 | goto out; | ||
594 | } | ||
595 | memcpy(response->attestation_cert, ptr, len); | ||
596 | response->attestation_cert_len = len; | ||
597 | } | ||
598 | *enroll_response = response; | ||
599 | response = NULL; | ||
600 | ret = 0; | ||
601 | out: | ||
602 | free(device); | ||
603 | if (response != NULL) { | ||
604 | free(response->public_key); | ||
605 | free(response->key_handle); | ||
606 | free(response->signature); | ||
607 | free(response->attestation_cert); | ||
608 | free(response); | ||
609 | } | ||
610 | if (dev != NULL) { | ||
611 | fido_dev_close(dev); | ||
612 | fido_dev_free(&dev); | ||
613 | } | ||
614 | if (cred != NULL) { | ||
615 | fido_cred_free(&cred); | ||
616 | } | ||
617 | return ret; | ||
618 | } | ||
619 | |||
620 | #ifdef WITH_OPENSSL | ||
621 | static int | ||
622 | pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response) | ||
623 | { | ||
624 | ECDSA_SIG *sig = NULL; | ||
625 | const BIGNUM *sig_r, *sig_s; | ||
626 | const unsigned char *cp; | ||
627 | size_t sig_len; | ||
628 | int ret = -1; | ||
629 | |||
630 | cp = fido_assert_sig_ptr(assert, 0); | ||
631 | sig_len = fido_assert_sig_len(assert, 0); | ||
632 | if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) { | ||
633 | skdebug(__func__, "d2i_ECDSA_SIG failed"); | ||
634 | goto out; | ||
635 | } | ||
636 | ECDSA_SIG_get0(sig, &sig_r, &sig_s); | ||
637 | response->sig_r_len = BN_num_bytes(sig_r); | ||
638 | response->sig_s_len = BN_num_bytes(sig_s); | ||
639 | if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL || | ||
640 | (response->sig_s = calloc(1, response->sig_s_len)) == NULL) { | ||
641 | skdebug(__func__, "calloc signature failed"); | ||
642 | goto out; | ||
643 | } | ||
644 | BN_bn2bin(sig_r, response->sig_r); | ||
645 | BN_bn2bin(sig_s, response->sig_s); | ||
646 | ret = 0; | ||
647 | out: | ||
648 | ECDSA_SIG_free(sig); | ||
649 | if (ret != 0) { | ||
650 | free(response->sig_r); | ||
651 | free(response->sig_s); | ||
652 | response->sig_r = NULL; | ||
653 | response->sig_s = NULL; | ||
654 | } | ||
655 | return ret; | ||
656 | } | ||
657 | #endif /* WITH_OPENSSL */ | ||
658 | |||
659 | static int | ||
660 | pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response) | ||
661 | { | ||
662 | const unsigned char *ptr; | ||
663 | size_t len; | ||
664 | int ret = -1; | ||
665 | |||
666 | ptr = fido_assert_sig_ptr(assert, 0); | ||
667 | len = fido_assert_sig_len(assert, 0); | ||
668 | if (len != 64) { | ||
669 | skdebug(__func__, "bad length %zu", len); | ||
670 | goto out; | ||
671 | } | ||
672 | response->sig_r_len = len; | ||
673 | if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) { | ||
674 | skdebug(__func__, "calloc signature failed"); | ||
675 | goto out; | ||
676 | } | ||
677 | memcpy(response->sig_r, ptr, len); | ||
678 | ret = 0; | ||
679 | out: | ||
680 | if (ret != 0) { | ||
681 | free(response->sig_r); | ||
682 | response->sig_r = NULL; | ||
683 | } | ||
684 | return ret; | ||
685 | } | ||
686 | |||
687 | static int | ||
688 | pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response) | ||
689 | { | ||
690 | switch(alg) { | ||
691 | #ifdef WITH_OPENSSL | ||
692 | case SK_ECDSA: | ||
693 | return pack_sig_ecdsa(assert, response); | ||
694 | #endif /* WITH_OPENSSL */ | ||
695 | case SK_ED25519: | ||
696 | return pack_sig_ed25519(assert, response); | ||
697 | default: | ||
698 | return -1; | ||
699 | } | ||
700 | } | ||
701 | |||
702 | int | ||
703 | sk_sign(int alg, const uint8_t *message, size_t message_len, | ||
704 | const char *application, | ||
705 | const uint8_t *key_handle, size_t key_handle_len, | ||
706 | uint8_t flags, struct sk_sign_response **sign_response) | ||
707 | { | ||
708 | fido_assert_t *assert = NULL; | ||
709 | fido_dev_t *dev = NULL; | ||
710 | struct sk_sign_response *response = NULL; | ||
711 | int ret = -1; | ||
712 | int r; | ||
713 | |||
714 | #ifdef SK_DEBUG | ||
715 | fido_init(FIDO_DEBUG); | ||
716 | #endif | ||
717 | |||
718 | if (sign_response == NULL) { | ||
719 | skdebug(__func__, "sign_response == NULL"); | ||
720 | goto out; | ||
721 | } | ||
722 | *sign_response = NULL; | ||
723 | if ((dev = find_device(application, key_handle, | ||
724 | key_handle_len)) == NULL) { | ||
725 | skdebug(__func__, "couldn't find device for key handle"); | ||
726 | goto out; | ||
727 | } | ||
728 | if ((assert = fido_assert_new()) == NULL) { | ||
729 | skdebug(__func__, "fido_assert_new failed"); | ||
730 | goto out; | ||
731 | } | ||
732 | if ((r = fido_assert_set_clientdata_hash(assert, message, | ||
733 | message_len)) != FIDO_OK) { | ||
734 | skdebug(__func__, "fido_assert_set_clientdata_hash: %s", | ||
735 | fido_strerr(r)); | ||
736 | goto out; | ||
737 | } | ||
738 | if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) { | ||
739 | skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r)); | ||
740 | goto out; | ||
741 | } | ||
742 | if ((r = fido_assert_allow_cred(assert, key_handle, | ||
743 | key_handle_len)) != FIDO_OK) { | ||
744 | skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r)); | ||
745 | goto out; | ||
746 | } | ||
747 | if ((r = fido_assert_set_up(assert, | ||
748 | (flags & SK_USER_PRESENCE_REQD) ? | ||
749 | FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) { | ||
750 | skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r)); | ||
751 | goto out; | ||
752 | } | ||
753 | if ((r = fido_dev_get_assert(dev, assert, NULL)) != FIDO_OK) { | ||
754 | skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r)); | ||
755 | goto out; | ||
756 | } | ||
757 | if ((response = calloc(1, sizeof(*response))) == NULL) { | ||
758 | skdebug(__func__, "calloc response failed"); | ||
759 | goto out; | ||
760 | } | ||
761 | response->flags = fido_assert_flags(assert, 0); | ||
762 | response->counter = fido_assert_sigcount(assert, 0); | ||
763 | if (pack_sig(alg, assert, response) != 0) { | ||
764 | skdebug(__func__, "pack_sig failed"); | ||
765 | goto out; | ||
766 | } | ||
767 | *sign_response = response; | ||
768 | response = NULL; | ||
769 | ret = 0; | ||
770 | out: | ||
771 | if (response != NULL) { | ||
772 | free(response->sig_r); | ||
773 | free(response->sig_s); | ||
774 | free(response); | ||
775 | } | ||
776 | if (dev != NULL) { | ||
777 | fido_dev_close(dev); | ||
778 | fido_dev_free(&dev); | ||
779 | } | ||
780 | if (assert != NULL) { | ||
781 | fido_assert_free(&assert); | ||
782 | } | ||
783 | return ret; | ||
784 | } | ||
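--- a/udev/70-u2f.rules
+++ b/udev/70-u2f.rules
@@ -35,8 +35,11 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct
 # Thetis Key
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
-# Nitrokey FIDO U2F
-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+# Nitrokey FIDO U2F, Nitrokey FIDO2
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287|42b1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Safetech SafeKey
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b3", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
 # Google Titan U2F
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"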