diff options
Diffstat (limited to 'tools')
-rw-r--r-- | tools/CMakeLists.txt | 7 | ||||
-rw-r--r-- | tools/assert_get.c | 94 | ||||
-rw-r--r-- | tools/assert_verify.c | 12 | ||||
-rw-r--r-- | tools/base64.c | 5 | ||||
-rw-r--r-- | tools/cred_make.c | 26 | ||||
-rw-r--r-- | tools/cred_verify.c | 26 | ||||
-rw-r--r-- | tools/credman.c | 21 | ||||
-rw-r--r-- | tools/extern.h | 6 | ||||
-rw-r--r-- | tools/fido2-assert.c | 6 | ||||
-rwxr-xr-x | tools/fido2-attach.sh | 14 | ||||
-rw-r--r-- | tools/fido2-cred.c | 6 | ||||
-rwxr-xr-x | tools/fido2-detach.sh | 12 | ||||
-rw-r--r-- | tools/fido2-token.c | 6 | ||||
-rwxr-xr-x | tools/fido2-unprot.sh | 75 | ||||
-rwxr-xr-x | tools/include_check.sh | 8 | ||||
-rwxr-xr-x | tools/macos_pkg.sh | 44 | ||||
-rw-r--r-- | tools/token.c | 18 | ||||
-rw-r--r-- | tools/util.c | 68 |
18 files changed, 331 insertions, 123 deletions
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 274a799..4d08be9 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt | |||
@@ -20,6 +20,13 @@ else() | |||
20 | list(APPEND COMPAT_SOURCES ../openbsd-compat/readpassphrase.c) | 20 | list(APPEND COMPAT_SOURCES ../openbsd-compat/readpassphrase.c) |
21 | endif() | 21 | endif() |
22 | 22 | ||
23 | if(NOT MSVC) | ||
24 | set_source_files_properties(assert_get.c assert_verify.c base64.c bio.c | ||
25 | cred_make.c cred_verify.c credman.c fido2-assert.c fido2-cred.c | ||
26 | fido2-token.c pin.c token.c util.c PROPERTIES COMPILE_FLAGS | ||
27 | "-Wconversion -Wsign-conversion") | ||
28 | endif() | ||
29 | |||
23 | add_executable(fido2-cred | 30 | add_executable(fido2-cred |
24 | fido2-cred.c | 31 | fido2-cred.c |
25 | cred_make.c | 32 | cred_make.c |
diff --git a/tools/assert_get.c b/tools/assert_get.c index 5e209cd..d52cd06 100644 --- a/tools/assert_get.c +++ b/tools/assert_get.c | |||
@@ -15,8 +15,67 @@ | |||
15 | #include "../openbsd-compat/openbsd-compat.h" | 15 | #include "../openbsd-compat/openbsd-compat.h" |
16 | #include "extern.h" | 16 | #include "extern.h" |
17 | 17 | ||
18 | struct toggle { | ||
19 | fido_opt_t up; | ||
20 | fido_opt_t uv; | ||
21 | fido_opt_t pin; | ||
22 | }; | ||
23 | |||
24 | static const char * | ||
25 | opt2str(fido_opt_t v) | ||
26 | { | ||
27 | switch (v) { | ||
28 | case FIDO_OPT_OMIT: | ||
29 | return "omit"; | ||
30 | case FIDO_OPT_TRUE: | ||
31 | return "true"; | ||
32 | case FIDO_OPT_FALSE: | ||
33 | return "false"; | ||
34 | default: | ||
35 | return "unknown"; | ||
36 | } | ||
37 | } | ||
38 | |||
39 | static void | ||
40 | parse_toggle(const char *str, struct toggle *opt) | ||
41 | { | ||
42 | fido_opt_t *k; | ||
43 | fido_opt_t v; | ||
44 | char *assignment; | ||
45 | char *key; | ||
46 | char *val; | ||
47 | |||
48 | if ((assignment = strdup(str)) == NULL) | ||
49 | err(1, "strdup"); | ||
50 | if ((val = strchr(assignment, '=')) == NULL) | ||
51 | errx(1, "invalid assignment '%s'", assignment); | ||
52 | |||
53 | key = assignment; | ||
54 | *val++ = '\0'; | ||
55 | |||
56 | if (!strcmp(val, "true")) | ||
57 | v = FIDO_OPT_TRUE; | ||
58 | else if (!strcmp(val, "false")) | ||
59 | v = FIDO_OPT_FALSE; | ||
60 | else | ||
61 | errx(1, "unknown value '%s'", val); | ||
62 | |||
63 | if (!strcmp(key, "up")) | ||
64 | k = &opt->up; | ||
65 | else if (!strcmp(key, "uv")) | ||
66 | k = &opt->uv; | ||
67 | else if (!strcmp(key, "pin")) | ||
68 | k = &opt->pin; | ||
69 | else | ||
70 | errx(1, "unknown key '%s'", key); | ||
71 | |||
72 | free(assignment); | ||
73 | |||
74 | *k = v; | ||
75 | } | ||
76 | |||
18 | static fido_assert_t * | 77 | static fido_assert_t * |
19 | prepare_assert(FILE *in_f, int flags) | 78 | prepare_assert(FILE *in_f, int flags, const struct toggle *opt) |
20 | { | 79 | { |
21 | fido_assert_t *assert = NULL; | 80 | fido_assert_t *assert = NULL; |
22 | struct blob cdh; | 81 | struct blob cdh; |
@@ -46,6 +105,9 @@ prepare_assert(FILE *in_f, int flags) | |||
46 | fprintf(stderr, "credential id:\n"); | 105 | fprintf(stderr, "credential id:\n"); |
47 | xxd(id.ptr, id.len); | 106 | xxd(id.ptr, id.len); |
48 | } | 107 | } |
108 | fprintf(stderr, "up=%s\n", opt2str(opt->up)); | ||
109 | fprintf(stderr, "uv=%s\n", opt2str(opt->uv)); | ||
110 | fprintf(stderr, "pin=%s\n", opt2str(opt->pin)); | ||
49 | } | 111 | } |
50 | 112 | ||
51 | if ((assert = fido_assert_new()) == NULL) | 113 | if ((assert = fido_assert_new()) == NULL) |
@@ -55,15 +117,11 @@ prepare_assert(FILE *in_f, int flags) | |||
55 | cdh.len)) != FIDO_OK || | 117 | cdh.len)) != FIDO_OK || |
56 | (r = fido_assert_set_rp(assert, rpid)) != FIDO_OK) | 118 | (r = fido_assert_set_rp(assert, rpid)) != FIDO_OK) |
57 | errx(1, "fido_assert_set: %s", fido_strerr(r)); | 119 | errx(1, "fido_assert_set: %s", fido_strerr(r)); |
120 | if ((r = fido_assert_set_up(assert, opt->up)) != FIDO_OK) | ||
121 | errx(1, "fido_assert_set_up: %s", fido_strerr(r)); | ||
122 | if ((r = fido_assert_set_uv(assert, opt->uv)) != FIDO_OK) | ||
123 | errx(1, "fido_assert_set_uv: %s", fido_strerr(r)); | ||
58 | 124 | ||
59 | if (flags & FLAG_UP) { | ||
60 | if ((r = fido_assert_set_up(assert, FIDO_OPT_TRUE)) != FIDO_OK) | ||
61 | errx(1, "fido_assert_set_up: %s", fido_strerr(r)); | ||
62 | } | ||
63 | if (flags & FLAG_UV) { | ||
64 | if ((r = fido_assert_set_uv(assert, FIDO_OPT_TRUE)) != FIDO_OK) | ||
65 | errx(1, "fido_assert_set_uv: %s", fido_strerr(r)); | ||
66 | } | ||
67 | if (flags & FLAG_HMAC) { | 125 | if (flags & FLAG_HMAC) { |
68 | if ((r = fido_assert_set_extensions(assert, | 126 | if ((r = fido_assert_set_extensions(assert, |
69 | FIDO_EXT_HMAC_SECRET)) != FIDO_OK) | 127 | FIDO_EXT_HMAC_SECRET)) != FIDO_OK) |
@@ -136,6 +194,7 @@ assert_get(int argc, char **argv) | |||
136 | { | 194 | { |
137 | fido_dev_t *dev = NULL; | 195 | fido_dev_t *dev = NULL; |
138 | fido_assert_t *assert = NULL; | 196 | fido_assert_t *assert = NULL; |
197 | struct toggle opt; | ||
139 | char pin[1024]; | 198 | char pin[1024]; |
140 | char prompt[1024]; | 199 | char prompt[1024]; |
141 | char *in_path = NULL; | 200 | char *in_path = NULL; |
@@ -146,7 +205,9 @@ assert_get(int argc, char **argv) | |||
146 | int ch; | 205 | int ch; |
147 | int r; | 206 | int r; |
148 | 207 | ||
149 | while ((ch = getopt(argc, argv, "dhi:o:pruv")) != -1) { | 208 | opt.up = opt.uv = opt.pin = FIDO_OPT_OMIT; |
209 | |||
210 | while ((ch = getopt(argc, argv, "dhi:o:prt:uv")) != -1) { | ||
150 | switch (ch) { | 211 | switch (ch) { |
151 | case 'd': | 212 | case 'd': |
152 | flags |= FLAG_DEBUG; | 213 | flags |= FLAG_DEBUG; |
@@ -161,16 +222,21 @@ assert_get(int argc, char **argv) | |||
161 | out_path = optarg; | 222 | out_path = optarg; |
162 | break; | 223 | break; |
163 | case 'p': | 224 | case 'p': |
164 | flags |= FLAG_UP; | 225 | opt.up = FIDO_OPT_TRUE; |
165 | break; | 226 | break; |
166 | case 'r': | 227 | case 'r': |
167 | flags |= FLAG_RK; | 228 | flags |= FLAG_RK; |
168 | break; | 229 | break; |
230 | case 't' : | ||
231 | parse_toggle(optarg, &opt); | ||
232 | break; | ||
169 | case 'u': | 233 | case 'u': |
170 | flags |= FLAG_U2F; | 234 | flags |= FLAG_U2F; |
171 | break; | 235 | break; |
172 | case 'v': | 236 | case 'v': |
173 | flags |= FLAG_UV; | 237 | /* -v implies both pin and uv for historical reasons */ |
238 | opt.pin = FIDO_OPT_TRUE; | ||
239 | opt.uv = FIDO_OPT_TRUE; | ||
174 | break; | 240 | break; |
175 | default: | 241 | default: |
176 | usage(); | 242 | usage(); |
@@ -188,13 +254,13 @@ assert_get(int argc, char **argv) | |||
188 | 254 | ||
189 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); | 255 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); |
190 | 256 | ||
191 | assert = prepare_assert(in_f, flags); | 257 | assert = prepare_assert(in_f, flags, &opt); |
192 | 258 | ||
193 | dev = open_dev(argv[0]); | 259 | dev = open_dev(argv[0]); |
194 | if (flags & FLAG_U2F) | 260 | if (flags & FLAG_U2F) |
195 | fido_dev_force_u2f(dev); | 261 | fido_dev_force_u2f(dev); |
196 | 262 | ||
197 | if (flags & FLAG_UV) { | 263 | if (opt.pin == FIDO_OPT_TRUE) { |
198 | r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", | 264 | r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", |
199 | argv[0]); | 265 | argv[0]); |
200 | if (r < 0 || (size_t)r >= sizeof(prompt)) | 266 | if (r < 0 || (size_t)r >= sizeof(prompt)) |
diff --git a/tools/assert_verify.c b/tools/assert_verify.c index ccff57a..fb96b65 100644 --- a/tools/assert_verify.c +++ b/tools/assert_verify.c | |||
@@ -175,16 +175,8 @@ assert_verify(int argc, char **argv) | |||
175 | 175 | ||
176 | in_f = open_read(in_path); | 176 | in_f = open_read(in_path); |
177 | 177 | ||
178 | if (argc > 1) { | 178 | if (argc > 1 && cose_type(argv[1], &type) < 0) |
179 | if (strcmp(argv[1], "es256") == 0) | 179 | errx(1, "unknown type %s", argv[1]); |
180 | type = COSE_ES256; | ||
181 | else if (strcmp(argv[1], "rs256") == 0) | ||
182 | type = COSE_RS256; | ||
183 | else if (strcmp(argv[1], "eddsa") == 0) | ||
184 | type = COSE_EDDSA; | ||
185 | else | ||
186 | errx(1, "unknown type %s", argv[1]); | ||
187 | } | ||
188 | 180 | ||
189 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); | 181 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); |
190 | 182 | ||
diff --git a/tools/base64.c b/tools/base64.c index 9f31def..e131198 100644 --- a/tools/base64.c +++ b/tools/base64.c | |||
@@ -7,7 +7,6 @@ | |||
7 | #include <openssl/bio.h> | 7 | #include <openssl/bio.h> |
8 | #include <openssl/evp.h> | 8 | #include <openssl/evp.h> |
9 | 9 | ||
10 | #include <fido.h> | ||
11 | #include <limits.h> | 10 | #include <limits.h> |
12 | #include <stdint.h> | 11 | #include <stdint.h> |
13 | #include <string.h> | 12 | #include <string.h> |
@@ -62,7 +61,7 @@ fail: | |||
62 | } | 61 | } |
63 | 62 | ||
64 | int | 63 | int |
65 | base64_decode(char *in, void **ptr, size_t *len) | 64 | base64_decode(const char *in, void **ptr, size_t *len) |
66 | { | 65 | { |
67 | BIO *bio_mem = NULL; | 66 | BIO *bio_mem = NULL; |
68 | BIO *bio_b64 = NULL; | 67 | BIO *bio_b64 = NULL; |
@@ -78,7 +77,7 @@ base64_decode(char *in, void **ptr, size_t *len) | |||
78 | 77 | ||
79 | if ((bio_b64 = BIO_new(BIO_f_base64())) == NULL) | 78 | if ((bio_b64 = BIO_new(BIO_f_base64())) == NULL) |
80 | goto fail; | 79 | goto fail; |
81 | if ((bio_mem = BIO_new_mem_buf((void *)in, -1)) == NULL) | 80 | if ((bio_mem = BIO_new_mem_buf((const void *)in, -1)) == NULL) |
82 | goto fail; | 81 | goto fail; |
83 | 82 | ||
84 | BIO_set_flags(bio_b64, BIO_FLAGS_BASE64_NO_NL); | 83 | BIO_set_flags(bio_b64, BIO_FLAGS_BASE64_NO_NL); |
diff --git a/tools/cred_make.c b/tools/cred_make.c index 380c67a..255a488 100644 --- a/tools/cred_make.c +++ b/tools/cred_make.c | |||
@@ -130,11 +130,16 @@ cred_make(int argc, char **argv) | |||
130 | FILE *out_f = NULL; | 130 | FILE *out_f = NULL; |
131 | int type = COSE_ES256; | 131 | int type = COSE_ES256; |
132 | int flags = 0; | 132 | int flags = 0; |
133 | int cred_protect = -1; | ||
133 | int ch; | 134 | int ch; |
134 | int r; | 135 | int r; |
135 | 136 | ||
136 | while ((ch = getopt(argc, argv, "dhi:o:qruv")) != -1) { | 137 | while ((ch = getopt(argc, argv, "c:dhi:o:qruv")) != -1) { |
137 | switch (ch) { | 138 | switch (ch) { |
139 | case 'c': | ||
140 | if ((cred_protect = base10(optarg)) < 0) | ||
141 | errx(1, "-c: invalid argument '%s'", optarg); | ||
142 | break; | ||
138 | case 'd': | 143 | case 'd': |
139 | flags |= FLAG_DEBUG; | 144 | flags |= FLAG_DEBUG; |
140 | break; | 145 | break; |
@@ -173,16 +178,8 @@ cred_make(int argc, char **argv) | |||
173 | in_f = open_read(in_path); | 178 | in_f = open_read(in_path); |
174 | out_f = open_write(out_path); | 179 | out_f = open_write(out_path); |
175 | 180 | ||
176 | if (argc > 1) { | 181 | if (argc > 1 && cose_type(argv[1], &type) < 0) |
177 | if (strcmp(argv[1], "es256") == 0) | 182 | errx(1, "unknown type %s", argv[1]); |
178 | type = COSE_ES256; | ||
179 | else if (strcmp(argv[1], "rs256") == 0) | ||
180 | type = COSE_RS256; | ||
181 | else if (strcmp(argv[1], "eddsa") == 0) | ||
182 | type = COSE_EDDSA; | ||
183 | else | ||
184 | errx(1, "unknown type %s", argv[1]); | ||
185 | } | ||
186 | 183 | ||
187 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); | 184 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); |
188 | 185 | ||
@@ -192,6 +189,13 @@ cred_make(int argc, char **argv) | |||
192 | if (flags & FLAG_U2F) | 189 | if (flags & FLAG_U2F) |
193 | fido_dev_force_u2f(dev); | 190 | fido_dev_force_u2f(dev); |
194 | 191 | ||
192 | if (cred_protect > 0) { | ||
193 | r = fido_cred_set_prot(cred, cred_protect); | ||
194 | if (r != FIDO_OK) { | ||
195 | errx(1, "fido_cred_set_prot: %s", fido_strerr(r)); | ||
196 | } | ||
197 | } | ||
198 | |||
195 | r = fido_dev_make_cred(dev, cred, NULL); | 199 | r = fido_dev_make_cred(dev, cred, NULL); |
196 | if (r == FIDO_ERR_PIN_REQUIRED && !(flags & FLAG_QUIET)) { | 200 | if (r == FIDO_ERR_PIN_REQUIRED && !(flags & FLAG_QUIET)) { |
197 | r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", | 201 | r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", |
diff --git a/tools/cred_verify.c b/tools/cred_verify.c index 3f7a400..d622ed7 100644 --- a/tools/cred_verify.c +++ b/tools/cred_verify.c | |||
@@ -109,11 +109,16 @@ cred_verify(int argc, char **argv) | |||
109 | FILE *out_f = NULL; | 109 | FILE *out_f = NULL; |
110 | int type = COSE_ES256; | 110 | int type = COSE_ES256; |
111 | int flags = 0; | 111 | int flags = 0; |
112 | int cred_prot = -1; | ||
112 | int ch; | 113 | int ch; |
113 | int r; | 114 | int r; |
114 | 115 | ||
115 | while ((ch = getopt(argc, argv, "dhi:o:v")) != -1) { | 116 | while ((ch = getopt(argc, argv, "c:dhi:o:v")) != -1) { |
116 | switch (ch) { | 117 | switch (ch) { |
118 | case 'c': | ||
119 | if ((cred_prot = base10(optarg)) < 0) | ||
120 | errx(1, "-c: invalid argument '%s'", optarg); | ||
121 | break; | ||
117 | case 'd': | 122 | case 'd': |
118 | flags |= FLAG_DEBUG; | 123 | flags |= FLAG_DEBUG; |
119 | break; | 124 | break; |
@@ -143,20 +148,19 @@ cred_verify(int argc, char **argv) | |||
143 | in_f = open_read(in_path); | 148 | in_f = open_read(in_path); |
144 | out_f = open_write(out_path); | 149 | out_f = open_write(out_path); |
145 | 150 | ||
146 | if (argc > 0) { | 151 | if (argc > 0 && cose_type(argv[0], &type) < 0) |
147 | if (strcmp(argv[0], "es256") == 0) | 152 | errx(1, "unknown type %s", argv[0]); |
148 | type = COSE_ES256; | ||
149 | else if (strcmp(argv[0], "rs256") == 0) | ||
150 | type = COSE_RS256; | ||
151 | else if (strcmp(argv[0], "eddsa") == 0) | ||
152 | type = COSE_EDDSA; | ||
153 | else | ||
154 | errx(1, "unknown type %s", argv[0]); | ||
155 | } | ||
156 | 153 | ||
157 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); | 154 | fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); |
158 | cred = prepare_cred(in_f, type, flags); | 155 | cred = prepare_cred(in_f, type, flags); |
159 | 156 | ||
157 | if (cred_prot > 0) { | ||
158 | r = fido_cred_set_prot(cred, cred_prot); | ||
159 | if (r != FIDO_OK) { | ||
160 | errx(1, "fido_cred_set_prot: %s", fido_strerr(r)); | ||
161 | } | ||
162 | } | ||
163 | |||
160 | if (fido_cred_x5c_ptr(cred) == NULL) { | 164 | if (fido_cred_x5c_ptr(cred) == NULL) { |
161 | if ((r = fido_cred_verify_self(cred)) != FIDO_OK) | 165 | if ((r = fido_cred_verify_self(cred)) != FIDO_OK) |
162 | errx(1, "fido_cred_verify_self: %s", fido_strerr(r)); | 166 | errx(1, "fido_cred_verify_self: %s", fido_strerr(r)); |
diff --git a/tools/credman.c b/tools/credman.c index 6eda245..ea913bb 100644 --- a/tools/credman.c +++ b/tools/credman.c | |||
@@ -101,6 +101,7 @@ print_rk(const fido_credman_rk_t *rk, size_t idx) | |||
101 | char *id = NULL; | 101 | char *id = NULL; |
102 | char *user_id = NULL; | 102 | char *user_id = NULL; |
103 | const char *type; | 103 | const char *type; |
104 | const char *prot; | ||
104 | 105 | ||
105 | if ((cred = fido_credman_rk(rk, idx)) == NULL) | 106 | if ((cred = fido_credman_rk(rk, idx)) == NULL) |
106 | errx(1, "fido_credman_rk"); | 107 | errx(1, "fido_credman_rk"); |
@@ -109,23 +110,11 @@ print_rk(const fido_credman_rk_t *rk, size_t idx) | |||
109 | fido_cred_user_id_len(cred), &user_id) < 0) | 110 | fido_cred_user_id_len(cred), &user_id) < 0) |
110 | errx(1, "output error"); | 111 | errx(1, "output error"); |
111 | 112 | ||
112 | switch (fido_cred_type(cred)) { | 113 | type = cose_string(fido_cred_type(cred)); |
113 | case COSE_EDDSA: | 114 | prot = prot_string(fido_cred_prot(cred)); |
114 | type = "eddsa"; | ||
115 | break; | ||
116 | case COSE_ES256: | ||
117 | type = "es256"; | ||
118 | break; | ||
119 | case COSE_RS256: | ||
120 | type = "rs256"; | ||
121 | break; | ||
122 | default: | ||
123 | type = "unknown"; | ||
124 | break; | ||
125 | } | ||
126 | 115 | ||
127 | printf("%02u: %s %s (%s) %s\n", (unsigned)idx, id, | 116 | printf("%02u: %s %s %s %s %s\n", (unsigned)idx, id, |
128 | fido_cred_display_name(cred), user_id, type); | 117 | fido_cred_display_name(cred), user_id, type, prot); |
129 | 118 | ||
130 | free(user_id); | 119 | free(user_id); |
131 | free(id); | 120 | free(id); |
diff --git a/tools/extern.h b/tools/extern.h index be01046..df5fcd8 100644 --- a/tools/extern.h +++ b/tools/extern.h | |||
@@ -32,9 +32,11 @@ EC_KEY *read_ec_pubkey(const char *); | |||
32 | fido_dev_t *open_dev(const char *); | 32 | fido_dev_t *open_dev(const char *); |
33 | FILE *open_read(const char *); | 33 | FILE *open_read(const char *); |
34 | FILE *open_write(const char *); | 34 | FILE *open_write(const char *); |
35 | const char *cose_string(int); | ||
36 | const char *prot_string(int); | ||
35 | int assert_get(int, char **); | 37 | int assert_get(int, char **); |
36 | int assert_verify(int, char **); | 38 | int assert_verify(int, char **); |
37 | int base64_decode(char *, void **, size_t *); | 39 | int base64_decode(const char *, void **, size_t *); |
38 | int base64_encode(const void *, size_t, char **); | 40 | int base64_encode(const void *, size_t, char **); |
39 | int base64_read(FILE *, struct blob *); | 41 | int base64_read(FILE *, struct blob *); |
40 | int bio_delete(fido_dev_t *, char *, char *); | 42 | int bio_delete(fido_dev_t *, char *, char *); |
@@ -42,6 +44,7 @@ int bio_enroll(char *); | |||
42 | void bio_info(fido_dev_t *); | 44 | void bio_info(fido_dev_t *); |
43 | int bio_list(char *); | 45 | int bio_list(char *); |
44 | int bio_set_name(char *, char *, char *); | 46 | int bio_set_name(char *, char *, char *); |
47 | int cose_type(const char *, int *); | ||
45 | int cred_make(int, char **); | 48 | int cred_make(int, char **); |
46 | int cred_verify(int, char **); | 49 | int cred_verify(int, char **); |
47 | int credman_delete_rk(fido_dev_t *, const char *, char *); | 50 | int credman_delete_rk(fido_dev_t *, const char *, char *); |
@@ -66,5 +69,6 @@ void print_cred(FILE *, int, const fido_cred_t *); | |||
66 | void read_pin(const char *, char *, size_t); | 69 | void read_pin(const char *, char *, size_t); |
67 | void usage(void); | 70 | void usage(void); |
68 | void xxd(const void *, size_t); | 71 | void xxd(const void *, size_t); |
72 | int base10(const char *); | ||
69 | 73 | ||
70 | #endif /* _EXTERN_H_ */ | 74 | #endif /* _EXTERN_H_ */ |
diff --git a/tools/fido2-assert.c b/tools/fido2-assert.c index 9ce537a..7fd7632 100644 --- a/tools/fido2-assert.c +++ b/tools/fido2-assert.c | |||
@@ -11,10 +11,10 @@ | |||
11 | * $ echo relying party >> assert_param | 11 | * $ echo relying party >> assert_param |
12 | * $ head -1 cred >> assert_param # credential id | 12 | * $ head -1 cred >> assert_param # credential id |
13 | * $ tail -n +2 cred > pubkey # credential pubkey | 13 | * $ tail -n +2 cred > pubkey # credential pubkey |
14 | * $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey rs256 | 14 | * $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey rs256 |
15 | * | 15 | * |
16 | * See blurb in fido2-cred.c on how to obtain cred. | 16 | * See blurb in fido2-cred.c on how to obtain cred. |
17 | */ | 17 | */ |
18 | 18 | ||
19 | #include <fido.h> | 19 | #include <fido.h> |
20 | #include <stdio.h> | 20 | #include <stdio.h> |
@@ -28,7 +28,7 @@ void | |||
28 | usage(void) | 28 | usage(void) |
29 | { | 29 | { |
30 | fprintf(stderr, | 30 | fprintf(stderr, |
31 | "usage: fido2-assert -G [-dhpruv] [-i input_file] [-o output_file] device\n" | 31 | "usage: fido2-assert -G [-dhpruv] [-t option] [-i input_file] [-o output_file] device\n" |
32 | " fido2-assert -V [-dhpv] [-i input_file] key_file [type]\n" | 32 | " fido2-assert -V [-dhpv] [-i input_file] key_file [type]\n" |
33 | ); | 33 | ); |
34 | 34 | ||
diff --git a/tools/fido2-attach.sh b/tools/fido2-attach.sh new file mode 100755 index 0000000..d4bc449 --- /dev/null +++ b/tools/fido2-attach.sh | |||
@@ -0,0 +1,14 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | # Copyright (c) 2020 Yubico AB. All rights reserved. | ||
4 | # Use of this source code is governed by a BSD-style | ||
5 | # license that can be found in the LICENSE file. | ||
6 | |||
7 | DEV="" | ||
8 | |||
9 | while [ -z "${DEV}" ]; do | ||
10 | sleep .5 | ||
11 | DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" | ||
12 | done | ||
13 | |||
14 | printf '%s\n' "${DEV}" | ||
diff --git a/tools/fido2-cred.c b/tools/fido2-cred.c index 45efca0..ce277f5 100644 --- a/tools/fido2-cred.c +++ b/tools/fido2-cred.c | |||
@@ -12,7 +12,7 @@ | |||
12 | * $ echo user name >> cred_param | 12 | * $ echo user name >> cred_param |
13 | * $ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param | 13 | * $ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param |
14 | * $ fido2-cred -M -i cred_param /dev/hidraw5 | fido2-cred -V -o cred | 14 | * $ fido2-cred -M -i cred_param /dev/hidraw5 | fido2-cred -V -o cred |
15 | */ | 15 | */ |
16 | 16 | ||
17 | #include <fido.h> | 17 | #include <fido.h> |
18 | #include <stdio.h> | 18 | #include <stdio.h> |
@@ -26,8 +26,8 @@ void | |||
26 | usage(void) | 26 | usage(void) |
27 | { | 27 | { |
28 | fprintf(stderr, | 28 | fprintf(stderr, |
29 | "usage: fido2-cred -M [-dhqruv] [-i input_file] [-o output_file] device [type]\n" | 29 | "usage: fido2-cred -M [-dhqruv] [-c cred_protect] [-i input_file] [-o output_file] device [type]\n" |
30 | " fido2-cred -V [-dhv] [-i input_file] [-o output_file] [type]\n" | 30 | " fido2-cred -V [-dhv] [-c cred_protect] [-i input_file] [-o output_file] [type]\n" |
31 | ); | 31 | ); |
32 | 32 | ||
33 | exit(1); | 33 | exit(1); |
diff --git a/tools/fido2-detach.sh b/tools/fido2-detach.sh new file mode 100755 index 0000000..9cd2e64 --- /dev/null +++ b/tools/fido2-detach.sh | |||
@@ -0,0 +1,12 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | # Copyright (c) 2020 Yubico AB. All rights reserved. | ||
4 | # Use of this source code is governed by a BSD-style | ||
5 | # license that can be found in the LICENSE file. | ||
6 | |||
7 | DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" | ||
8 | |||
9 | while [ -n "${DEV}" ]; do | ||
10 | sleep .5 | ||
11 | DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" | ||
12 | done | ||
diff --git a/tools/fido2-token.c b/tools/fido2-token.c index 0b02fea..a1e6594 100644 --- a/tools/fido2-token.c +++ b/tools/fido2-token.c | |||
@@ -19,11 +19,11 @@ usage(void) | |||
19 | { | 19 | { |
20 | fprintf(stderr, | 20 | fprintf(stderr, |
21 | "usage: fido2-token [-CR] [-d] device\n" | 21 | "usage: fido2-token [-CR] [-d] device\n" |
22 | " fido2-token -D [-de] -i id device\n" | 22 | " fido2-token -D [-de] -i id device\n" |
23 | " fido2-token -I [-cd] [-k rp_id -i cred_id] device\n" | 23 | " fido2-token -I [-cd] [-k rp_id -i cred_id] device\n" |
24 | " fido2-token -L [-der] [-k rp_id] [device]\n" | 24 | " fido2-token -L [-der] [-k rp_id] [device]\n" |
25 | " fido2-token -S [-de] [-i template_id -n template_name] device\n" | 25 | " fido2-token -S [-de] [-i template_id -n template_name] device\n" |
26 | " fido2-token -V\n" | 26 | " fido2-token -V\n" |
27 | ); | 27 | ); |
28 | 28 | ||
29 | exit(1); | 29 | exit(1); |
diff --git a/tools/fido2-unprot.sh b/tools/fido2-unprot.sh new file mode 100755 index 0000000..44b28b8 --- /dev/null +++ b/tools/fido2-unprot.sh | |||
@@ -0,0 +1,75 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | # Copyright (c) 2020 Fabian Henneke. | ||
4 | # Use of this source code is governed by a BSD-style | ||
5 | # license that can be found in the LICENSE file. | ||
6 | |||
7 | |||
8 | if [ $(uname) != "Linux" ] ; then | ||
9 | echo "Can only run on Linux" | ||
10 | exit 1 | ||
11 | fi | ||
12 | |||
13 | TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1) | ||
14 | if [ $? -ne 0 ] ; then | ||
15 | echo "Please install libfido2 1.5.0 or higher" | ||
16 | exit | ||
17 | fi | ||
18 | |||
19 | TOKEN_VERSION_MAJOR=$(echo "$TOKEN_VERSION" | cut -d. -f1) | ||
20 | TOKEN_VERSION_MINOR=$(echo "$TOKEN_VERSION" | cut -d. -f2) | ||
21 | if [ $TOKEN_VERSION_MAJOR -eq 0 -o $TOKEN_VERSION_MAJOR -eq 1 -a $TOKEN_VERSION_MINOR -lt 5 ] ; then | ||
22 | echo "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)" | ||
23 | exit 1 | ||
24 | fi | ||
25 | |||
26 | set -e | ||
27 | |||
28 | TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L) | ||
29 | DEV_PATH_NAMES=$(echo "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g') | ||
30 | DEV_COUNT=$(echo "$DEV_PATH_NAMES" | wc -l) | ||
31 | |||
32 | for i in $(seq 1 $DEV_COUNT) | ||
33 | do | ||
34 | DEV_PATH_NAME=$(echo "$DEV_PATH_NAMES" | sed "${i}q;d") | ||
35 | DEV_PATH=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1) | ||
36 | DEV_NAME=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1 --complement) | ||
37 | DEV_PRETTY=$(echo "$DEV_NAME (at '$DEV_PATH')") | ||
38 | if expr match "$(${FIDO_TOOLS_PREFIX}fido2-token -I $DEV_PATH)" ".* credMgmt.* clientPin.*\|.* clientPin.* credMgmt.*" > /dev/null ; then | ||
39 | printf "Enter PIN for $DEV_PRETTY once (ignore further prompts): " | ||
40 | stty -echo | ||
41 | read PIN | ||
42 | stty echo | ||
43 | printf "\n" | ||
44 | RESIDENT_RPS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r $DEV_PATH | cut -d' ' -f3) | ||
45 | printf "\n" | ||
46 | RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" | wc -l) | ||
47 | FOUND=0 | ||
48 | for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT) | ||
49 | do | ||
50 | RESIDENT_RP=$(echo "$RESIDENT_RPS" | sed "${j}q;d") | ||
51 | UNPROT_CREDS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k $RESIDENT_RP $DEV_PATH | grep ' uvopt$' | cut -d' ' -f2,3,4) | ||
52 | printf "\n" | ||
53 | UNPROT_CREDS_COUNT=$(echo "$UNPROT_CREDS" | wc -l) | ||
54 | if [ $UNPROT_CREDS_COUNT -gt 0 ] ; then | ||
55 | FOUND=1 | ||
56 | echo "Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':" | ||
57 | echo "$UNPROT_CREDS" | ||
58 | fi | ||
59 | done | ||
60 | if [ $FOUND -eq 0 ] ; then | ||
61 | echo "No unprotected credentials on $DEV_PRETTY" | ||
62 | fi | ||
63 | else | ||
64 | echo "$DEV_PRETTY cannot enumerate credentials" | ||
65 | echo "Discovering unprotected SSH credentials only..." | ||
66 | STUB_HASH=$(echo -n "" | openssl sha256 -binary | base64) | ||
67 | printf "$STUB_HASH\nssh:\n" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false $DEV_PATH 2> /dev/null || ASSERT_EXIT_CODE=$? | ||
68 | if [ $ASSERT_EXIT_CODE -eq 0 ] ; then | ||
69 | echo "Found an unprotected SSH credential on $DEV_PRETTY!" | ||
70 | else | ||
71 | echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY" | ||
72 | fi | ||
73 | fi | ||
74 | printf "\n" | ||
75 | done | ||
diff --git a/tools/include_check.sh b/tools/include_check.sh index 9958c9a..e684d0b 100755 --- a/tools/include_check.sh +++ b/tools/include_check.sh | |||
@@ -1,5 +1,5 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | # | 2 | |
3 | # Copyright (c) 2019 Yubico AB. All rights reserved. | 3 | # Copyright (c) 2019 Yubico AB. All rights reserved. |
4 | # Use of this source code is governed by a BSD-style | 4 | # Use of this source code is governed by a BSD-style |
5 | # license that can be found in the LICENSE file. | 5 | # license that can be found in the LICENSE file. |
@@ -8,14 +8,14 @@ check() { | |||
8 | for f in $(find $1 -maxdepth 1 -name '*.h'); do | 8 | for f in $(find $1 -maxdepth 1 -name '*.h'); do |
9 | echo "#include \"$f\"" | \ | 9 | echo "#include \"$f\"" | \ |
10 | cc $CFLAGS -Isrc -xc -c - -o /dev/null 2>&1 | 10 | cc $CFLAGS -Isrc -xc -c - -o /dev/null 2>&1 |
11 | echo $f $CFLAGS $? | 11 | echo "$f $CFLAGS $?" |
12 | done | 12 | done |
13 | } | 13 | } |
14 | 14 | ||
15 | check examples | 15 | check examples |
16 | check fuzz | 16 | check fuzz |
17 | check openbsd-compat | 17 | check openbsd-compat |
18 | CFLAGS=-D_FIDO_INTERNAL check src | 18 | CFLAGS="${CFLAGS} -D_FIDO_INTERNAL" check src |
19 | check src/fido.h | 19 | check src/fido.h |
20 | check src/fido | 20 | check src/fido |
21 | check tools | 21 | check tools |
diff --git a/tools/macos_pkg.sh b/tools/macos_pkg.sh deleted file mode 100755 index 4313c27..0000000 --- a/tools/macos_pkg.sh +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | #!/bin/bash -e | ||
2 | # Copyright (c) 2019 Yubico AB. All rights reserved. | ||
3 | # Use of this source code is governed by a BSD-style | ||
4 | # license that can be found in the LICENSE file. | ||
5 | |||
6 | if [[ "$#" -ne 2 ]]; then | ||
7 | echo usage: $0 version directory 1>&2 | ||
8 | exit 1 | ||
9 | fi | ||
10 | |||
11 | V=$1 | ||
12 | D=$2 | ||
13 | |||
14 | FIDO_PATH=$(realpath ${D}/lib/libfido2.${V}.dylib) | ||
15 | CBOR_PATH=$(otool -L "${FIDO_PATH}" | grep cbor | awk '{ print $1 }') | ||
16 | CRYPTO_PATH=$(otool -L "${FIDO_PATH}" | grep crypto | awk '{ print $1 }') | ||
17 | |||
18 | cp -p "${CBOR_PATH}" "${CRYPTO_PATH}" "${D}/lib" | ||
19 | chmod 755 "${D}/lib/"*dylib | ||
20 | rm "${D}/lib/pkgconfig/libfido2.pc" | ||
21 | rmdir "${D}/lib/pkgconfig" | ||
22 | |||
23 | CBOR_NAME=$(echo "${CBOR_PATH}" | grep -o 'libcbor.*dylib') | ||
24 | CRYPTO_NAME=$(echo "${CRYPTO_PATH}" | grep -o 'libcrypto.*dylib') | ||
25 | FIDO_NAME="libfido2.${V}.dylib" | ||
26 | |||
27 | install_name_tool -id "@loader_path/${CBOR_NAME}" "${D}/lib/${CBOR_NAME}" | ||
28 | install_name_tool -id "@loader_path/${CRYPTO_NAME}" "${D}/lib/${CRYPTO_NAME}" | ||
29 | install_name_tool -id "@loader_path/libfido2.${V}.dylib" "${FIDO_PATH}" | ||
30 | |||
31 | install_name_tool -change "${CBOR_PATH}" "@loader_path/${CBOR_NAME}" \ | ||
32 | "${FIDO_PATH}" | ||
33 | install_name_tool -change "${CRYPTO_PATH}" "@loader_path/${CRYPTO_NAME}" \ | ||
34 | "${FIDO_PATH}" | ||
35 | |||
36 | for f in $(find "${D}/bin" -type f); do | ||
37 | FIDO_PATH=$(otool -L "${f}" | grep libfido2 | awk '{ print $1 }') | ||
38 | install_name_tool -change "${CBOR_PATH}" \ | ||
39 | "@executable_path/../lib/${CBOR_NAME}" "${f}" | ||
40 | install_name_tool -change "${CRYPTO_PATH}" \ | ||
41 | "@executable_path/../lib/${CRYPTO_NAME}" "${f}" | ||
42 | install_name_tool -change "${FIDO_PATH}" \ | ||
43 | "@executable_path/../lib/${FIDO_NAME}" "${f}" | ||
44 | done | ||
diff --git a/tools/token.c b/tools/token.c index e65f09f..28e4512 100644 --- a/tools/token.c +++ b/tools/token.c | |||
@@ -112,6 +112,18 @@ print_maxmsgsiz(uint64_t maxmsgsiz) | |||
112 | } | 112 | } |
113 | 113 | ||
114 | static void | 114 | static void |
115 | print_maxcredcntlst(uint64_t maxcredcntlst) | ||
116 | { | ||
117 | printf("maxcredcntlst: %d\n", (int)maxcredcntlst); | ||
118 | } | ||
119 | |||
120 | static void | ||
121 | print_maxcredidlen(uint64_t maxcredidlen) | ||
122 | { | ||
123 | printf("maxcredlen: %d\n", (int)maxcredidlen); | ||
124 | } | ||
125 | |||
126 | static void | ||
115 | print_fwversion(uint64_t fwversion) | 127 | print_fwversion(uint64_t fwversion) |
116 | { | 128 | { |
117 | printf("fwversion: 0x%x\n", (int)fwversion); | 129 | printf("fwversion: 0x%x\n", (int)fwversion); |
@@ -202,6 +214,12 @@ token_info(int argc, char **argv, char *path) | |||
202 | /* print maximum message size */ | 214 | /* print maximum message size */ |
203 | print_maxmsgsiz(fido_cbor_info_maxmsgsiz(ci)); | 215 | print_maxmsgsiz(fido_cbor_info_maxmsgsiz(ci)); |
204 | 216 | ||
217 | /* print maximum number of credentials allowed in credential lists */ | ||
218 | print_maxcredcntlst(fido_cbor_info_maxcredcntlst(ci)); | ||
219 | |||
220 | /* print maximum length of a credential ID */ | ||
221 | print_maxcredidlen(fido_cbor_info_maxcredidlen(ci)); | ||
222 | |||
205 | /* print firmware version */ | 223 | /* print firmware version */ |
206 | print_fwversion(fido_cbor_info_fwversion(ci)); | 224 | print_fwversion(fido_cbor_info_fwversion(ci)); |
207 | 225 | ||
diff --git a/tools/util.c b/tools/util.c index de70388..7ed59e4 100644 --- a/tools/util.c +++ b/tools/util.c | |||
@@ -16,7 +16,9 @@ | |||
16 | #include <fido/rs256.h> | 16 | #include <fido/rs256.h> |
17 | #include <fido/eddsa.h> | 17 | #include <fido/eddsa.h> |
18 | 18 | ||
19 | #include <errno.h> | ||
19 | #include <fcntl.h> | 20 | #include <fcntl.h> |
21 | #include <limits.h> | ||
20 | #include <stdint.h> | 22 | #include <stdint.h> |
21 | #include <stdio.h> | 23 | #include <stdio.h> |
22 | #include <stdlib.h> | 24 | #include <stdlib.h> |
@@ -78,6 +80,25 @@ open_read(const char *file) | |||
78 | return (f); | 80 | return (f); |
79 | } | 81 | } |
80 | 82 | ||
83 | int | ||
84 | base10(const char *str) | ||
85 | { | ||
86 | char *ep; | ||
87 | long long ll; | ||
88 | |||
89 | ll = strtoll(str, &ep, 10); | ||
90 | if (str == ep || *ep != '\0') | ||
91 | return (-1); | ||
92 | else if (ll == LLONG_MIN && errno == ERANGE) | ||
93 | return (-1); | ||
94 | else if (ll == LLONG_MAX && errno == ERANGE) | ||
95 | return (-1); | ||
96 | else if (ll < 0 || ll > INT_MAX) | ||
97 | return (-1); | ||
98 | |||
99 | return ((int)ll); | ||
100 | } | ||
101 | |||
81 | void | 102 | void |
82 | xxd(const void *buf, size_t count) | 103 | xxd(const void *buf, size_t count) |
83 | { | 104 | { |
@@ -362,3 +383,50 @@ print_cred(FILE *out_f, int type, const fido_cred_t *cred) | |||
362 | 383 | ||
363 | free(id); | 384 | free(id); |
364 | } | 385 | } |
386 | |||
387 | int | ||
388 | cose_type(const char *str, int *type) | ||
389 | { | ||
390 | if (strcmp(str, "es256") == 0) | ||
391 | *type = COSE_ES256; | ||
392 | else if (strcmp(str, "rs256") == 0) | ||
393 | *type = COSE_RS256; | ||
394 | else if (strcmp(str, "eddsa") == 0) | ||
395 | *type = COSE_EDDSA; | ||
396 | else { | ||
397 | *type = 0; | ||
398 | return (-1); | ||
399 | } | ||
400 | |||
401 | return (0); | ||
402 | } | ||
403 | |||
404 | const char * | ||
405 | cose_string(int type) | ||
406 | { | ||
407 | switch (type) { | ||
408 | case COSE_EDDSA: | ||
409 | return ("eddsa"); | ||
410 | case COSE_ES256: | ||
411 | return ("es256"); | ||
412 | case COSE_RS256: | ||
413 | return ("rs256"); | ||
414 | default: | ||
415 | return ("unknown"); | ||
416 | } | ||
417 | } | ||
418 | |||
419 | const char * | ||
420 | prot_string(int prot) | ||
421 | { | ||
422 | switch (prot) { | ||
423 | case FIDO_CRED_PROT_UV_OPTIONAL: | ||
424 | return ("uvopt"); | ||
425 | case FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID: | ||
426 | return ("uvopt+id"); | ||
427 | case FIDO_CRED_PROT_UV_REQUIRED: | ||
428 | return ("uvreq"); | ||
429 | default: | ||
430 | return ("unknown"); | ||
431 | } | ||
432 | } | ||