From c923f422b1e455bdd8ec3bdb10d005e3bfbacfe0 Mon Sep 17 00:00:00 2001 
From: nicoo Date: Sun, 23 Feb 2020 15:31:16 +0100 Subject: New upstream version 1.3.1 --- .github/workflows/windows.yml | 14 + .gitignore | 6 + .travis.yml | 86 +++++ .travis/build-linux-clang | 22 ++ .travis/build-linux-gcc | 19 + .travis/build-linux-mingw | 47 +++ .travis/build-osx-clang | 24 ++ .travis/fuzz-linux-asan | 58 +++ .travis/fuzz-linux-msan | 58 +++ CMakeLists.txt | 4 +- NEWS | 4 + README.adoc | 17 +- debian/changelog | 80 ++++ debian/compat | 1 + debian/control | 53 +++ debian/copyright | 85 +++++ debian/fido2-tools.install | 1 + debian/fido2-tools.manpages | 3 + debian/libfido2-1.install | 1 + debian/libfido2-1.symbols | 148 ++++++++ debian/libfido2-dev.install | 23 ++ debian/libfido2-dev.links | 148 ++++++++ debian/libfido2-dev.manpages | 19 + debian/libfido2-udev.install | 1 + debian/rules | 9 + debian/source/format | 1 + fuzz/report.html.gz | Bin 0 -> 206440 bytes openbsd-compat/openbsd-compat.h | 2 + src/iso7816.c | 2 +- src/u2f.c | 2 +- tools/CMakeLists.txt | 7 - tools/sk-libfido2.c | 784 ---------------------------------------- udev/70-u2f.rules | 7 +- 33 files changed, 923 insertions(+), 813 deletions(-) create mode 100644 .github/workflows/windows.yml create mode 100644 .gitignore create mode 100644 .travis.yml create mode 100644 .travis/build-linux-clang create mode 100644 .travis/build-linux-gcc create mode 100644 .travis/build-linux-mingw create mode 100644 .travis/build-osx-clang create mode 100644 .travis/fuzz-linux-asan create mode 100644 .travis/fuzz-linux-msan create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/fido2-tools.install create mode 100644 debian/fido2-tools.manpages create mode 100644 debian/libfido2-1.install create mode 100644 debian/libfido2-1.symbols create mode 100644 debian/libfido2-dev.install create mode 100644 debian/libfido2-dev.links create mode 100644 debian/libfido2-dev.manpages create mode 100644 
debian/libfido2-udev.install create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 fuzz/report.html.gz delete mode 100644 tools/sk-libfido2.c
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
new file mode 100644
index 0000000..eb953db
--- /dev/null
+++ b/.github/workflows/windows.yml
@@ -0,0 +1,14 @@
+name: windows
+
+on: [push]
+
+jobs:
+ build:
+
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v1
+ - name: build
+ run: .\windows\build.ps1
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..329c184
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+build/
+cscope.out
+fuzz/build/
+fuzz/obj/
+fuzz/*.so
+output/
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..5ddf36f
--- /dev/null
+++ b/.travis.yml
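Review bot: `- uses: actions/checkout@v1` in the `steps:` list references a mutable major-version tag, so the checkout code executed by this workflow can change without any change to this repository; for a security library's CI the action should be pinned to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha>  # v1`, and bumped deliberately. The `run: .\windows\build.ps1` step executes a script that is not part of this diff, so what it does with the checked-out tree cannot be reviewed here.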
@@ -0,0 +1,86 @@
+language: c
+
+matrix:
+ include:
+ - os: linux
+ compiler: clang-7
+ dist: xenial
+ sudo: required
+ addons:
+ apt:
+ sources:
+ - ubuntu-toolchain-r-test
+ - llvm-toolchain-xenial-7
+ packages:
+ - clang-7
+ - cmake
+ - libssl-dev
+ - libudev-dev
+ script: /bin/sh -eux .travis/build-linux-clang
+ - os: linux
+ compiler: gcc-7
+ dist: xenial
+ sudo: required
+ addons:
+ apt:
+ sources:
+ - ubuntu-toolchain-r-test
+ packages:
+ - gcc-7
+ - cmake
+ - libssl-dev
+ - libudev-dev
+ script: /bin/sh -eux .travis/build-linux-gcc
+ - os: linux
+ compiler: i686-w64-mingw32-gcc-4.8
+ dist: xenial
+ sudo: required
+ addons:
+ apt:
+ sources:
+ - ubuntu-toolchain-r-test
+ packages:
+ - binutils-mingw-w64-i686
+ - gcc-mingw-w64
+ - g++-mingw-w64
+ - mingw-w64-i686-dev
+ - cmake
+ script: /bin/sh -eux .travis/build-linux-mingw
+ - os: osx
+ osx_image: xcode10.2
+ compiler: clang
+ sudo: required
+ script: /bin/sh -eux .travis/build-osx-clang
+ - os: linux
+ compiler: clang-7
+ dist: xenial
+ sudo: required
+ addons:
+ apt:
+ sources:
+ - ubuntu-toolchain-r-test
+ - llvm-toolchain-xenial-7
+ packages:
+ - clang-7
+ - cmake
+ - libssl-dev
+ - libudev-dev
+ script: /bin/sh -eux .travis/fuzz-linux-asan
+ - os: linux
+ compiler: clang-7
+ dist: xenial
+ sudo: required
+ addons:
+ apt:
+ sources:
+ - ubuntu-toolchain-r-test
+ - llvm-toolchain-xenial-7
+ packages:
+ - clang-7
+ - cmake
+ - libssl-dev
+ - libudev-dev
+ script: /bin/sh -eux .travis/fuzz-linux-msan
+
+notifications:
+ email: false
diff --git a/.travis/build-linux-clang b/.travis/build-linux-clang
new file mode 100644
index 0000000..8938461
--- /dev/null
+++ b/.travis/build-linux-clang
@@ -0,0 +1,22 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build, analyze, and install libfido2.
+mkdir build
+(cd build && scan-build cmake -DCMAKE_BUILD_TYPE=Debug ..)
+scan-build --status-bugs make -C build
+sudo make -C build install
diff --git a/.travis/build-linux-gcc b/.travis/build-linux-gcc
new file mode 100644
index 0000000..be1e0a9
--- /dev/null
+++ b/.travis/build-linux-gcc
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build and install libfido2.
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+sudo make -C build install
diff --git a/.travis/build-linux-mingw b/.travis/build-linux-mingw
new file mode 100644
index 0000000..c88ddca
--- /dev/null
+++ b/.travis/build-linux-mingw
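Review bot: `git clone git://github.com/pjk/libcbor` fetches the dependency over the unauthenticated, unencrypted git protocol and `git checkout v0.5.0` then trusts a mutable tag, yet the result is installed system-wide by `sudo make -C build install` and linked into the libfido2 build that follows, so whatever the network hands back becomes part of the tested binary. Cloning over HTTPS, `git clone https://github.com/pjk/libcbor`, and checking out the commit id that the v0.5.0 tag resolves to (or verifying the tag signature, if upstream signs tags) would make the CI build reproducible and independent of the transport. The same clone-and-checkout lines appear in the other .travis scripts added by this commit.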
@@ -0,0 +1,47 @@
+#!/bin/sh -eux
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 1.1.0j.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_0j
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+ --cross-compile-prefix=i686-w64-mingw32-
+make
+sudo make install_sw
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build
+sudo make -C build install
diff --git a/.travis/build-osx-clang b/.travis/build-osx-clang
new file mode 100644
index 0000000..69a784c
--- /dev/null
+++ b/.travis/build-osx-clang
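Review bot: The MinGW job pins `git checkout OpenSSL_1_1_0j` under `# Build and install OpenSSL 1.1.0j.`, while the two sanitizer jobs added by this same commit check out OpenSSL_1_1_1b, so the Windows cross-build is exercised against a different and older OpenSSL branch than the Linux builds; as far as I recall the 1.1.0 series had reached end of life before this commit's date, so either this job should move to the 1.1.1 tag the others use or a comment should state why 1.1.0j is deliberately kept for the cross-build. The OpenSSL clone also goes over the unauthenticated `git://` protocol, as the libcbor clone above it does, and the checkout trusts a mutable tag rather than a commit id.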
@@ -0,0 +1,24 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Install mandoc from Homebrew.
+brew install mandoc
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+make -C build man_symlink_html
+sudo make -C build install
diff --git a/.travis/fuzz-linux-asan b/.travis/fuzz-linux-asan
new file mode 100644
index 0000000..0a0aebb
--- /dev/null
+++ b/.travis/fuzz-linux-asan
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+FAKEROOT=/fakeroot
+sudo mkdir ${FAKEROOT}
+sudo chmod 755 ${FAKEROOT}
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+patch -p0 < ../fuzz/README
+mkdir build
+cd build
+cmake -DCMAKE_C_FLAGS_DEBUG="-g2 -fno-omit-frame-pointer" \
+ -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=ON \
+ -DCMAKE_INSTALL_LIBDIR=lib ..
+make
+sudo make install
+cd ../..
+
+# Build and install OpenSSL 1.1.1b.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_1b
+./Configure linux-x86_64-clang enable-asan --prefix=${FAKEROOT} \
+ --openssldir=${FAKEROOT}/openssl
+make clean
+make
+sudo make install_sw
+cd ..
+
+# Build libfido2.
+mkdir build
+cd build
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+cmake -DFUZZ=1 -DLIBFUZZER=1 -DASAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+ -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+ -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+ -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+ -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+ -DCMAKE_BUILD_TYPE=Debug ..
+make
+
+# Fuzz with ASAN.
+mkdir corpus
+tar -C corpus -zxf ../fuzz/corpus.tgz
+fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred
+fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert
+fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman
+fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt
+fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio
diff --git a/.travis/fuzz-linux-msan b/.travis/fuzz-linux-msan
new file mode 100644
index 0000000..fd7b2ac
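Review bot: Every harness invocation under `# Fuzz with ASAN.` passes `-runs=1`, which, as far as libFuzzer's run counting goes, replays the seed corpus unpacked from `../fuzz/corpus.tgz` and then stops almost at once, so this job is a sanitizer-instrumented corpus regression check rather than a fuzzing session; the comment should say what the job actually does, e.g. `# Replay the seed corpus under ASAN/UBSAN (regression check, not a fuzzing run).`, or the invocations should be given a budget such as `-max_total_time=...` if real fuzzing in CI is the intent. `patch -p0 < ../fuzz/README` would also benefit from a one-line comment saying that fuzz/README carries the libcbor patch being applied, since a README is not where a reader expects a patch to live.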
--- /dev/null
+++ b/.travis/fuzz-linux-msan
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+FAKEROOT=/fakeroot
+sudo mkdir ${FAKEROOT}
+sudo chmod 755 ${FAKEROOT}
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+patch -p0 < ../fuzz/README
+mkdir build
+cd build
+cmake -DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer" \
+ -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=OFF \
+ -DCMAKE_INSTALL_LIBDIR=lib ..
+make
+sudo make install
+cd ../..
+
+# Build and install OpenSSL 1.1.1b.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_1b
+./Configure linux-x86_64-clang enable-msan --prefix=${FAKEROOT} \
+ --openssldir=${FAKEROOT}/openssl
+make clean
+make
+sudo make install_sw
+cd ..
+
+# Build libfido2.
+mkdir build
+cd build
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+cmake -DFUZZ=1 -DLIBFUZZER=1 -DMSAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+ -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+ -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+ -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+ -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+ -DCMAKE_BUILD_TYPE=Debug ..
+make
+
+# Fuzz with MSAN.
+mkdir corpus
+tar -C corpus -zxf ../fuzz/corpus.tgz
+fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred
+fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert
+fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman
+fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt
+fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio
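Review bot: libcbor is configured with `-DSANITIZE=OFF` here but with `-DSANITIZE=ON` in the ASAN sibling script, and the memory sanitizer is instead injected through `-DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer"`; presumably libcbor's SANITIZE option only knows about ASAN, but nothing in the script says so, and since MSan generally reports spurious uninitialized reads whenever a linked object is not instrumented, the asymmetry is load-bearing rather than a typo. A one-line comment above the cmake call, e.g. `# libcbor's SANITIZE option does not cover MSan; pass the flags explicitly so every linked object stays instrumented.`, would keep the next editor from "harmonising" it with the ASAN script.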
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c7c5991..9481c46 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) set(FIDO_MAJOR "1") set(FIDO_MINOR "3")
-set(FIDO_PATCH "0")
+set(FIDO_PATCH "1") set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
@@ -322,7 +322,7 @@ elseif(NOT MSVC) endif() else() string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
- " /def:${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc")
+ " /def:\"${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc\"") endif() include_directories(${CMAKE_SOURCE_DIR}/src)
diff --git a/NEWS b/NEWS
index 1b78c7c..8b96d39 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+* Version 1.3.1 (2020-02-19)
+ ** fix zero-ing of le1 and le2 when talking to a U2F device.
+ ** dropping sk-libfido2 middleware, please find it in the openssh tree.
+ * Version 1.3.0 (2019-11-28) ** assert/hmac: encode public key as per spec, gh#60. ** fido2-cred: fix creation of resident keys.
diff --git a/README.adoc b/README.adoc
index 8693417..ce8ac1e 100644
--- a/README.adoc
+++ b/README.adoc
@@ -31,7 +31,7 @@ is also available. ==== Releases
-The current release of *libfido2* is 1.3.0. Please consult Yubico's
+The current release of *libfido2* is 1.3.1. Please consult Yubico's https://developers.yubico.com/libfido2/Releases[release page] for source and binary releases.
@@ -71,18 +71,3 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \ On Windows 1903 and newer versions, access to FIDO devices has been restricted to applications using the operating system's native API. Use of *libfido2* is still possible in privileged applications.
-
-=== OpenSSH Integration
-
-*libfido2* includes middleware allowing https://www.openssh.com[OpenSSH] to
-talk to U2F/FIDO2 devices. Note that server support is required for
-authentication. In a nutshell:
-
-==== Key Generation
-
- $ ssh-keygen -t [ecdsa-sk|ed25519-sk] -w /path/to/libsk-libfido2.so
-
-==== Authentication
-
- $ ssh-agent -P /path/to/libsk-libfido2.so
- $ ssh-add -S /path/to/libsk-libfido2.so
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..7502d61
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,80 @@
+libfido2 (1.2.0~ppa1~bionic1) bionic; urgency=low
+
+ * Credential management support.
+ * New API reflecting FIDO's 3-state booleans (true, false, absent):
+ - fido_assert_set_up;
+ - fido_assert_set_uv;
+ - fido_cred_set_rk;
+ - fido_cred_set_uv.
+ * Command-line tools for Windows.
+ * Documentation and reliability fixes.
+ * fido_{assert,cred}_set_options() are now marked as deprecated.
+
+ -- pedro martelletto Fri, 23 Aug 2019 12:08:02 +0000
+
+libfido2 (1.1.0) bionic; urgency=low
+
+ * MacOS: fix IOKit crash on HID read.
+ * Windows: fix contents of release file.
+ * EdDSA (Ed25519) support.
+ * fido_dev_make_cred: fix order of CBOR map keys.
+ * fido_dev_get_assert: plug memory leak when operating on U2F devices.
+
+ -- pedro martelletto Tue, 07 May 2019 08:03:21 +0000
+
+libfido2 (1.0.0) bionic; urgency=low
+
+ * Native HID support on Linux, MacOS, and Windows.
+ * fido2-{assert,cred}: new -u option to force U2F on dual authenticators.
+ * fido2-assert: support for multiple resident keys with the same RP.
+ * Strict checks for CTAP2 compliance on received CBOR payloads.
+ * Better fuzzing harnesses.
+ * Documentation and reliability fixes.
+
+ -- pedro martelletto Tue, 19 Mar 2019 07:38:36 +0000
+
+libfido2 (0.4.0) bionic; urgency=low
+
+ * fido2-assert: print the user id for resident credentials.
+ * Fix encoding of COSE algorithms when making a credential.
+ * Rework purpose of fido_cred_set_type; no ABI change.
+ * Minor documentation and code fixes.
+
+ -- pedro martelletto Mon, 07 Jan 2019 08:22:01 +0000
+
+libfido2 (0.3.0) bionic; urgency=low
+
+ * Various reliability fixes.
+ * Merged fuzzing instrumentation.
+ * Added regress tests.
+ * Added support for FIDO 2's hmac-secret extension.
+ * New API calls:
+ - fido_assert_hmac_secret_len;
+ - fido_assert_hmac_secret_ptr;
+ - fido_assert_set_extensions;
+ - fido_assert_set_hmac_salt;
+ - fido_cred_set_extensions;
+ - fido_dev_force_fido2.
+ * Support for native builds with Microsoft Visual Studio 17.
+
+ -- pedro martelletto Tue, 11 Sep 2018 09:05:32 +0000
+
+libfido2 (0.2.0) bionic; urgency=low
+
+ * Added command-line tools.
+ * Added a couple of missing get functions.
+
+ -- pedro martelletto Mon, 18 Jun 2018 10:44:11 +0000
+
+libfido2 (0.1.1~dev) bionic; urgency=low
+
+ * Added documentation.
+ * Minor fixes.
+
+ -- pedro martelletto Wed, 30 May 2018 13:16:28 +0000
+
+libfido2 (0.1.0~dev) bionic; urgency=low
+
+ * Initial release.
+
+ -- pedro martelletto Fri, 18 May 2018 08:47:01 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..50b9482
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,53 @@
+Source: libfido2
+Priority: optional
+Maintainer: Yubico Open Source Maintainers
+Uploaders: pedro martelletto
+Standards-Version: 4.1.2
+Section: libs
+Homepage: https://github.com/yubico/libfido2
+Build-Depends: debhelper (>= 9),
+ pkg-config,
+ cmake,
+ mandoc,
+ libcbor-dev,
+ libssl-dev,
+ libudev-dev
+
+Package: libfido2-1
+Architecture: any
+Multi-Arch: same
+Depends: libcbor0, libssl1.1, libudev1, ${shlibs:Depends}, ${misc:Depends}
+Description: library for generating and verifying FIDO 2.0 objects
+ A library for communicating with a FIDO device over USB, and for verifying
+ attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2)
+ are supported. This package contains the runtime library.
+
+Package: libfido2-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends}
+Suggests: libssl-dev
+Description: library for generating and verifying FIDO 2.0 objects (development headers)
+ A library for communicating with a FIDO device over USB, and for verifying
+ attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2)
+ are supported. This package contains the development headers.
+
+Package: fido2-tools
+Section: utils
+Architecture: any
+Multi-Arch: foreign
+Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: command-line tools to configure and use a FIDO 2 token
+ A set of tools to manage a FIDO 2 token, generate credentials and
+ assertions, and verify them.
+
+Package: libfido2-udev
+Section: libs
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}
+Conflicts: libu2f-udev
+Description: udev rules for access to U2F and FIDO2 devices
+ A set of udev rules allowing unprivileged system-level access
+ to U2F and FIDO2 USB devices for logged-on users.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..3ba51ef
--- /dev/null
+++ b/debian/copyright
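Review bot: `Depends: libcbor0, libssl1.1, libudev1, ${shlibs:Depends}, ${misc:Depends}` in the libfido2-1 stanza hard-codes soname-specific package names next to the `${shlibs:Depends}` substitution that dpkg-shlibdeps fills in from what the built library actually links against, normally with versioned constraints; the literal names add nothing when they agree with the substitution and silently pin the package to the 1.1 OpenSSL ABI and these exact libcbor/libudev sonames when they do not, which is the case the substitution exists to handle. Dropping the three literal names, `Depends: ${shlibs:Depends}, ${misc:Depends}`, keeps the runtime dependencies derived from the binary rather than from a list that has to be hand-maintained across library transitions.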
@@ -0,0 +1,85 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libfido2
+Source: https://github.com/yubico/libfido2
+
+Files: *
+Copyright: Copyright (c) 2018 Yubico AB. All rights reserved.
+License: BSD-2-clause
+
+Files: openbsd-compat/strlcpy.c openbsd-compat/strlcat.c
+Copyright: Copyright (c) 1998 Todd C. Miller
+License: ISC
+
+Files: src/compat/timingsafe_bcmp.c
+Copyright: Copyright (c) 2010 Damien Miller. All rights reserved.
+License: ISC
+
+Files:
+ openbsd-compat/bsd-getpagesize.c
+ openbsd-compat/err.h
+ openbsd-compat/explicit_bzero.c
+ openbsd-compat/explicit_bzero_win32.c
+ openbsd-compat/types.h
+Copyright: Public domain
+License: public-domain
+
+Files: openbsd-compat/recallocarray.c
+Copyright: Copyright (c) 2008, 2017 Otto Moerbeek
+License: ISC
+
+Files: openbsd-compat/readpassphrase.h
+Copyright: Copyright (c) 2000, 2002 Todd C. Miller
+License: ISC
+
+Files: openbsd-compat/readpassphrase.c
+Copyright: Copyright (c) 2000-2002, 2007, 2010 Todd C. Miller
+License: ISC
+
+Files: openbsd-compat/getopt.h
+Copyright: Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved.
+License: BSD-2-clause
+
+Files: openbsd-compat/getopt_long.c
+Copyright: Copyright (c) 2002 Todd C. Miller
+ Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved.
+License: ISC and BSD-2-clause
+
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: public-domain
+ Public domain.
+
+License: ISC
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/debian/fido2-tools.install b/debian/fido2-tools.install
new file mode 100644
index 0000000..e772481
--- /dev/null
+++ b/debian/fido2-tools.install
@@ -0,0 +1 @@
+usr/bin
diff --git a/debian/fido2-tools.manpages b/debian/fido2-tools.manpages
new file mode 100644
index 0000000..fc19867
--- /dev/null
+++ b/debian/fido2-tools.manpages
@@ -0,0 +1,3 @@
+man/fido2-assert.1
+man/fido2-cred.1
+man/fido2-token.1
diff --git a/debian/libfido2-1.install b/debian/libfido2-1.install
new file mode 100644
index 0000000..a080fbe
--- /dev/null
+++ b/debian/libfido2-1.install
@@ -0,0 +1 @@
+usr/lib/*/libfido2.so.*
diff --git a/debian/libfido2-1.symbols b/debian/libfido2-1.symbols
new file mode 100644
index 0000000..afbf449
--- /dev/null
+++ b/debian/libfido2-1.symbols
@@ -0,0 +1,148 @@
+libfido2.so.1 libfido2-1 #MINVER#
+ eddsa_pk_free@Base 1.1.0
+ eddsa_pk_from_EVP_PKEY@Base 1.1.0
+ eddsa_pk_from_ptr@Base 1.1.0
+ eddsa_pk_new@Base 1.1.0
+ eddsa_pk_to_EVP_PKEY@Base 1.1.0
+ es256_pk_free@Base 1.1.0
+ es256_pk_from_EC_KEY@Base 1.1.0
+ es256_pk_from_ptr@Base 1.1.0
+ es256_pk_new@Base 1.1.0
+ es256_pk_to_EVP_PKEY@Base 1.1.0
+ fido_assert_allow_cred@Base 1.1.0
+ fido_assert_authdata_len@Base 1.1.0
+ fido_assert_authdata_ptr@Base 1.1.0
+ fido_assert_clientdata_hash_len@Base 1.1.0
+ fido_assert_clientdata_hash_ptr@Base 1.1.0
+ fido_assert_count@Base 1.1.0
+ fido_assert_flags@Base 1.1.0
+ fido_assert_free@Base 1.1.0
+ fido_assert_hmac_secret_len@Base 1.1.0
+ fido_assert_hmac_secret_ptr@Base 1.1.0
+ fido_assert_id_len@Base 1.1.0
+ fido_assert_id_ptr@Base 1.1.0
+ fido_assert_new@Base 1.1.0
+ fido_assert_rp_id@Base 1.1.0
+ fido_assert_set_authdata@Base 1.1.0
+ fido_assert_set_clientdata_hash@Base 1.1.0
+ fido_assert_set_count@Base 1.1.0
+ fido_assert_set_extensions@Base 1.1.0
+ fido_assert_set_hmac_salt@Base 1.1.0
+ fido_assert_set_options@Base 1.1.0
+ fido_assert_set_rp@Base 1.1.0
+ fido_assert_set_sig@Base 1.1.0
+ fido_assert_set_up@Base 1.2.0
+ fido_assert_set_uv@Base 1.2.0
+ fido_assert_sig_len@Base 1.1.0
+ fido_assert_sig_ptr@Base 1.1.0
+ fido_assert_user_display_name@Base 1.1.0
+ fido_assert_user_icon@Base 1.1.0
+ fido_assert_user_id_len@Base 1.1.0
+ fido_assert_user_id_ptr@Base 1.1.0
+ fido_assert_user_name@Base 1.1.0
+ fido_assert_verify@Base 1.1.0
+ fido_cbor_info_aaguid_len@Base 1.1.0
+ fido_cbor_info_aaguid_ptr@Base 1.1.0
+ fido_cbor_info_extensions_len@Base 1.1.0
+ fido_cbor_info_extensions_ptr@Base 1.1.0
+ fido_cbor_info_free@Base 1.1.0
+ fido_cbor_info_maxmsgsiz@Base 1.1.0
+ fido_cbor_info_new@Base 1.1.0
+ fido_cbor_info_options_len@Base 1.1.0
+ fido_cbor_info_options_name_ptr@Base 1.1.0
+ fido_cbor_info_options_value_ptr@Base 1.1.0
+ fido_cbor_info_protocols_len@Base 1.1.0
+ fido_cbor_info_protocols_ptr@Base 1.1.0
+ fido_cbor_info_versions_len@Base 1.1.0
+ fido_cbor_info_versions_ptr@Base 1.1.0
+ fido_cred_authdata_len@Base 1.1.0
+ fido_cred_authdata_ptr@Base 1.1.0
+ fido_cred_clientdata_hash_len@Base 1.1.0
+ fido_cred_clientdata_hash_ptr@Base 1.1.0
+ fido_cred_display_name@Base 1.2.0
+ fido_cred_exclude@Base 1.1.0
+ fido_cred_flags@Base 1.1.0
+ fido_cred_fmt@Base 1.1.0
+ fido_cred_free@Base 1.1.0
+ fido_cred_id_len@Base 1.1.0
+ fido_cred_id_ptr@Base 1.1.0
+ fido_cred_new@Base 1.1.0
+ fido_cred_pubkey_len@Base 1.1.0
+ fido_cred_pubkey_ptr@Base 1.1.0
+ fido_cred_rp_id@Base 1.1.0
+ fido_cred_rp_name@Base 1.1.0
+ fido_cred_set_authdata@Base 1.1.0
+ fido_cred_set_clientdata_hash@Base 1.1.0
+ fido_cred_set_extensions@Base 1.1.0
+ fido_cred_set_fmt@Base 1.1.0
+ fido_cred_set_options@Base 1.1.0
+ fido_cred_set_rk@Base 1.2.0
+ fido_cred_set_rp@Base 1.1.0
+ fido_cred_set_sig@Base 1.1.0
+ fido_cred_set_type@Base 1.1.0
+ fido_cred_set_user@Base 1.1.0
+ fido_cred_set_uv@Base 1.2.0
+ fido_cred_set_x509@Base 1.1.0
+ fido_cred_sig_len@Base 1.1.0
+ fido_cred_sig_ptr@Base 1.1.0
+ fido_cred_type@Base 1.2.0
+ fido_cred_user_id_len@Base 1.2.0
+ fido_cred_user_id_ptr@Base 1.2.0
+ fido_cred_user_name@Base 1.2.0
+ fido_cred_verify@Base 1.1.0
+ fido_cred_x5c_len@Base 1.1.0
+ fido_cred_x5c_ptr@Base 1.1.0
+ fido_credman_del_dev_rk@Base 1.2.0
+ fido_credman_get_dev_metadata@Base 1.2.0
+ fido_credman_get_dev_rk@Base 1.2.0
+ fido_credman_get_dev_rp@Base 1.2.0
+ fido_credman_metadata_free@Base 1.2.0
+ fido_credman_metadata_new@Base 1.2.0
+ fido_credman_rk@Base 1.2.0
+ fido_credman_rk_count@Base 1.2.0
+ fido_credman_rk_existing@Base 1.2.0
+ fido_credman_rk_free@Base 1.2.0
+ fido_credman_rk_new@Base 1.2.0
+ fido_credman_rk_remaining@Base 1.2.0
+ fido_credman_rp_count@Base 1.2.0
+ fido_credman_rp_free@Base 1.2.0
+ fido_credman_rp_id@Base 1.2.0
+ fido_credman_rp_id_hash_len@Base 1.2.0
+ fido_credman_rp_id_hash_ptr@Base 1.2.0
+ fido_credman_rp_name@Base 1.2.0
+ fido_credman_rp_new@Base 1.2.0
+ fido_dev_build@Base 1.1.0
+ fido_dev_close@Base 1.1.0
+ fido_dev_flags@Base 1.1.0
+ fido_dev_force_fido2@Base 1.1.0
+ fido_dev_force_u2f@Base 1.1.0
+ fido_dev_free@Base 1.1.0
+ fido_dev_get_assert@Base 1.1.0
+ fido_dev_get_cbor_info@Base 1.1.0
+ fido_dev_get_retry_count@Base 1.1.0
+ fido_dev_info_free@Base 1.1.0
+ fido_dev_info_manifest@Base 1.1.0
+ fido_dev_info_manufacturer_string@Base 1.1.0
+ fido_dev_info_new@Base 1.1.0
+ fido_dev_info_path@Base 1.1.0
+ fido_dev_info_product@Base 1.1.0
+ fido_dev_info_product_string@Base 1.1.0
+ fido_dev_info_ptr@Base 1.1.0
+ fido_dev_info_vendor@Base 1.1.0
+ fido_dev_is_fido2@Base 1.1.0
+ fido_dev_major@Base 1.1.0
+ fido_dev_make_cred@Base 1.1.0
+ fido_dev_minor@Base 1.1.0
+ fido_dev_new@Base 1.1.0
+ fido_dev_open@Base 1.1.0
+ fido_dev_protocol@Base 1.1.0
+ fido_dev_reset@Base 1.1.0
+ fido_dev_set_io_functions@Base 1.1.0
+ fido_dev_set_pin@Base 1.1.0
+ fido_init@Base 1.1.0
+ fido_strerr@Base 1.1.0
+ rs256_pk_free@Base 1.1.0
+ rs256_pk_from_RSA@Base 1.1.0
+ rs256_pk_from_ptr@Base 1.1.0
+ rs256_pk_new@Base 1.1.0
+ rs256_pk_to_EVP_PKEY@Base 1.1.0
diff --git a/debian/libfido2-dev.install b/debian/libfido2-dev.install
new file mode 100644
index 0000000..77fd2fb
--- /dev/null
+++ b/debian/libfido2-dev.install
@@ -0,0 +1,23 @@
+usr/include
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*.pc
+usr/share/doc/libfido2/es256_pk.html
+usr/share/doc/libfido2/fido.html
+usr/share/doc/libfido2/fido_assert.html
+usr/share/doc/libfido2/fido_assert_allow_cred.html
+usr/share/doc/libfido2/fido_assert_set.html
+usr/share/doc/libfido2/fido_assert_verify.html
+usr/share/doc/libfido2/fido_cbor_info.html
+usr/share/doc/libfido2/fido_cred.html
+usr/share/doc/libfido2/fido_cred_exclude.html
+usr/share/doc/libfido2/fido_cred_set.html
+usr/share/doc/libfido2/fido_cred_verify.html
+usr/share/doc/libfido2/fido_dev_get_assert.html
+usr/share/doc/libfido2/fido_dev_info_manifest.html
+usr/share/doc/libfido2/fido_dev_make_cred.html
+usr/share/doc/libfido2/fido_dev_open.html
+usr/share/doc/libfido2/fido_dev_set_io_functions.html
+usr/share/doc/libfido2/fido_dev_set_pin.html
+usr/share/doc/libfido2/fido_strerr.html
+usr/share/doc/libfido2/rs256_pk.html
+usr/share/doc/libfido2/style.css
diff --git a/debian/libfido2-dev.links b/debian/libfido2-dev.links
new file mode 100644
index 0000000..6fd8356
--- /dev/null
+++ b/debian/libfido2-dev.links
@@ -0,0 +1,148 @@
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_new.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_free.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_EC_KEY.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_ptr.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_to_EVP_PKEY.3
+/usr/share/man/man3/fido.3 /usr/share/man/man3/fido_init.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_new.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_free.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_count.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_display_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_icon.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_len.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_authdata.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_clientdata_hash.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_count.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_options.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_rp.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_sig.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_new.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_free.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_fmt.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_len.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_authdata.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_x509.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_sig.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_clientdata_hash.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_rp.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_user.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_options.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_fmt.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_type.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_new.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_free.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_ptr.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_path.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_vendor.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_manufacturer_string.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product_string.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_close.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_new.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_free.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_is_fido2.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_protocol.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_build.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_flags.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_major.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_minor.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_get_retry_count.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_reset.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_new.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_free.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_RSA.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_ptr.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_to_EVP_PKEY.3
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_new.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_free.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_EC_KEY.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_ptr.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_to_EVP_PKEY.html
+/usr/share/doc/libfido2/fido.html /usr/share/doc/libfido2/fido_init.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_new.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_free.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_count.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_display_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_icon.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_len.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_authdata.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_count.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_options.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_rp.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_sig.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_new.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_free.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_fmt.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_len.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_authdata.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_x509.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_sig.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_rp.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_user.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_options.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_fmt.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_type.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_new.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_free.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_ptr.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_path.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_vendor.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_docufacturer_string.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product_string.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_close.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_new.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_free.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_is_fido2.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_protocol.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_build.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_flags.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_major.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_minor.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_get_retry_count.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_reset.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_new.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_free.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_RSA.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_ptr.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_to_EVP_PKEY.html
diff --git a/debian/libfido2-dev.manpages b/debian/libfido2-dev.manpages
new file mode 100644
index 0000000..1dab8b8
--- /dev/null
+++ b/debian/libfido2-dev.manpages
@@ -0,0 +1,19 @@
+man/es256_pk.3
+man/fido.3
+man/fido_assert.3
+man/fido_assert_allow_cred.3
+man/fido_assert_set.3
+man/fido_assert_verify.3
+man/fido_cbor_info.3
+man/fido_cred.3
+man/fido_cred_exclude.3
+man/fido_cred_set.3
+man/fido_cred_verify.3
+man/fido_dev_get_assert.3
+man/fido_dev_info_manifest.3
+man/fido_dev_make_cred.3
+man/fido_dev_open.3
+man/fido_dev_set_io_functions.3
+man/fido_dev_set_pin.3
+man/fido_strerr.3
+man/rs256_pk.3
diff --git a/debian/libfido2-udev.install b/debian/libfido2-udev.install
new file mode 100644
index 0000000..528cb53
--- /dev/null
+++ b/debian/libfido2-udev.install
@@ -0,0 +1 @@
+lib/udev/rules.d
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..bb7acbc
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+
+DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ dh_auto_configure -- -DUDEV_RULES_DIR=/lib/udev/rules.d
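Review bot: The entry `/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_docufacturer_string.html` has a typo in the link name; the man-page half of the same file links `fido_dev_info_manufacturer_string.3`, so this line should read `/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_manufacturer_string.html`. It looks as though the HTML block was derived from the man3 block by a blanket man-to-doc substitution that also rewrote the "man" inside "manufacturer"; if the list is regenerated that way again, the substitution needs to be anchored to the path prefix. As written, dpkg installs a symlink under a name nothing refers to and the intended `fido_dev_info_manufacturer_string.html` link is missing.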
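Review bot: `DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)` is assigned but never referenced anywhere in the nine-line file, so its only effect is a `dpkg-architecture` fork on every make invocation. Either drop the line or, if a later rule will need it, replace it with `include /usr/share/dpkg/architecture.mk`, which defines the variable and its siblings from dpkg-dev. The hard-coded `-DUDEV_RULES_DIR=/lib/udev/rules.d` has to agree with the `lib/udev/rules.d` path in `debian/libfido2-udev.install`; a one-line comment above the override naming that file would make the coupling visible to whoever changes one without the other.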
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/fuzz/report.html.gz b/fuzz/report.html.gz
new file mode 100644
index 0000000..9f07223
Binary files /dev/null and b/fuzz/report.html.gz differ
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index d1d8652..bee126c 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -18,6 +18,7 @@
 #if defined(__APPLE__) && !defined(HAVE_ENDIAN_H)
 #include
 #define be16toh(x) OSSwapBigToHostInt16((x))
+#define htobe16(x) OSSwapHostToBigInt16((x))
 #define be32toh(x) OSSwapBigToHostInt32((x))
 #endif /* __APPLE__ && !HAVE_ENDIAN_H */
@@ -27,6 +28,7 @@
 #include
 #endif
 #define be16toh(x) ntohs((x))
+#define htobe16(x) htons((x))
 #define be32toh(x) ntohl((x))
 #endif /* _WIN32 && !HAVE_EN

DIAN_H */
diff --git a/src/iso7816.c b/src/iso7816.c
index e2ea281..a3fd280 100644
--- a/src/iso7816.c
+++ b/src/iso7816.c
@@ -13,7 +13,7 @@ iso7816_new(uint8_t ins, uint8_t p1, uint16_t payload_len)
 iso7816_apdu_t *apdu;
 size_t alloc_len;
- alloc_len = sizeof(iso7816_apdu_t) + payload_len;
+ alloc_len = sizeof(iso7816_apdu_t) + payload_len + 2; /* le1 le2 */
 if ((apdu = calloc(1, alloc_len)) == NULL)
 return (NULL);
diff --git a/src/u2f.c b/src/u2f.c
index 3f2d9aa..82b289f 100644
--- a/src/u2f.c
+++ b/src/u2f.c
@@ -439,7 +439,7 @@ encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
 authdata.sigcount = 0;
 memset(&attcred_raw.aaguid, 0, sizeof(attcred_raw.aaguid));
- attcred_raw.id_len = (uint16_t)(kh_len << 8); /* XXX */
+ attcred_raw.id_len = htobe16(kh_len);
 len = authdata_blob.len = sizeof(authdata) + sizeof(attcred_raw) + kh_len + pk_blob.len;
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index 5f27e88..4b8ef32 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
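Review bot: The new `alloc_len = sizeof(iso7816_apdu_t) + payload_len + 2; /* le1 le2 */` in the src/iso7816.c hunk records the size of the trailing Le field only in a comment, so any other code that derives the APDU's wire length from the same pieces has to repeat the bare literal; a named constant, for example `#define ISO7816_LE_LEN 2` with `alloc_len = sizeof(iso7816_apdu_t) + payload_len + ISO7816_LE_LEN;`, keeps the allocation and the length computation in step. Because `payload_len` is a `uint16_t` (visible in the hunk header) the sum cannot overflow `size_t`, so no additional range check is warranted here. The remainder of `iso7816_new` lies outside the hunk.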
@@ -49,17 +49,10 @@ add_executable(fido2-token
 ${COMPAT_SOURCES}
 )
-add_library(sk-libfido2 MODULE sk-libfido2.c)
-set_target_properties(sk-libfido2 PROPERTIES
- COMPILE_FLAGS "-DSK_STANDALONE -DWITH_OPENSSL"
- OUTPUT_NAME sk-libfido2
-)
 target_link_libraries(fido2-cred ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-assert ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-token ${CRYPTO_LIBRARIES} fido2_shared)
-target_link_libraries(sk-libfido2 ${CRYPTO_LIBRARIES} fido2_shared)
 install(TARGETS fido2-cred fido2-assert fido2-token DESTINATION ${CMAKE_INSTALL_BINDIR})
-install(TARGETS sk-libfido2 DESTINATION ${CMAKE_INSTALL_LIBDIR})
diff --git a/tools/sk-libfido2.c b/tools/sk-libfido2.c
deleted file mode 100644
index 15aa813..0000000
--- a/tools/sk-libfido2.c
+++ /dev/null
@@ -1,784 +0,0 @@
-/*
- * Copyright (c) 2019 Markus Friedl
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-#ifdef WITH_OPENSSL
-#include
-#include
-#include
-#include
-#include
-#endif /* WITH_OPENSSL */
-
-#include
-
-#ifndef SK_STANDALONE
-#include "log.h"
-#include "xmalloc.h"
-#endif
-
-/* #define SK_DEBUG 1 */
-
-#if defined(_WIN32)
-#include
-#include
-#include
-#include
-#include
-#endif
-
-#define MAX_FIDO_DEVICES 256
-
-/* Compatibility with OpenSSL 1.0.x */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#define ECDSA_SIG_get0(sig, pr, ps) \
- do { \
- (*pr) = sig->r; \
- (*ps) = sig->s; \
- } while (0)
-#endif
-
-#define SK_VERSION_MAJOR 0x00020000 /* current API version */
-
-/* Flags */
-#define SK_USER_PRESENCE_REQD 0x01
-
-/* Algs */
-#define SK_ECDSA 0x00
-#define SK_ED25519 0x01
-
-struct sk_enroll_response {
- uint8_t *public_key;
- size_t public_key_len;
- uint8_t *key_handle;
- size_t key_handle_len;
- uint8_t *signature;
- size_t signature_len;
- uint8_t *attestation_cert;
- size_t attestation_cert_len;
-};
-
-struct sk_sign_response {
- uint8_t flags;
- uint32_t counter;
- uint8_t *sig_r;
- size_t sig_r_len;
- uint8_t *sig_s;
- size_t sig_s_len;
-};
-
-/* If building as part of OpenSSH, then rename exported functions */
-#if !defined(SK_STANDALONE)
-#define sk_api_version ssh_sk_api_version
-#define sk_enroll ssh_sk_enroll
-#define sk_sign ssh_sk_sign
-#endif
-
-/* Return the version of the middleware API */
-uint32_t sk_api_version(void);
-
-/* Enroll a U2F key (private key generation) */
-int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
- const char *application, uint8_t flags,
- struct sk_enroll_response **enroll_response);
-
-/* Sign a challenge */
-int sk_sign(int alg, const uint8_t *message, size_t message_len,
- const char *application, const uint8_t *key_handle, size_t key_handle_len,
- uint8_t flags, struct sk_sign_response **sign_response);
-
-#ifdef SK_DEBUG
-static void skdebug(const char *func, const char *fmt, ...)
- __attribute__((__format__ (printf, 2, 3)));
-
-static void
-skdebug(const char *func, const char *fmt, ...)
-{
-#if !defined(SK_STANDALONE)
- char *msg;
- va_list ap;
-
- va_start(ap, fmt);
- xvasprintf(&msg, fmt, ap);
- va_end(ap);
- debug("%s: %s", func, msg);
- free(msg);
-#else
- va_list ap;
-
- va_start(ap, fmt);
- fprintf(stderr, "%s: ", func);
- vfprintf(stderr, fmt, ap);
- fputc('\n', stderr);
- va_end(ap);
-#endif /* !SK_STANDALONE */
-}
-#else
-#define skdebug(...) do { /* nothing */ } while (0)
-#endif /* SK_DEBUG */
-
-uint32_t
-sk_api_version(void)
-{
- return SK_VERSION_MAJOR;
-}
-
-/* Select the first identified FIDO device attached to the system */
-static char *
-pick_first_device(void)
-{
- char *ret = NULL;
- fido_dev_info_t *devlist = NULL;
- size_t olen = 0;
- int r;
- const fido_dev_info_t *di;
-
- if ((devlist = fido_dev_info_new(1)) == NULL) {
- skdebug(__func__, "fido_dev_info_new failed");
- goto out;
- }
- if ((r = fido_dev_info_manifest(devlist, 1, &olen)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_info_manifest failed: %s",
- fido_strerr(r));
- goto out;
- }
- if (olen != 1) {
- skdebug(__func__, "fido_dev_info_manifest bad len %zu", olen);
- goto out;
- }
- di = fido_dev_info_ptr(devlist, 0);
- if ((ret = strdup(fido_dev_info_path(di))) == NULL) {
- skdebug(__func__, "fido_dev_info_path failed");
- goto out;
- }
- out:
- fido_dev_info_free(&devlist, 1);
- return ret;
-}
-
-#if defined(HAVE_ARC4RANDOM_BUF)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
- arc4random_buf(ptr, len);
-
- return 0;
-}
-#elif defined(HAVE_GETENTROPY)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
- if (getentropy(ptr, len) == -1) {
- skdebug(__func__, "getentropy failed");
- return -1;
- }
-
- return 0;
-}
-#elif defined(HAS_DEV_URANDOM)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
- int fd;
- ssize_t n;
-
- if ((fd = open(FIDO_RANDOM_DEV, O_RDONLY)) < 0) {
- skdebug(__func__, "open %s failed", FIDO_RANDOM_DEV);
- return -1;
- }
-
- n = read(fd, ptr, len);
- close(fd);
-
- if (n < 0 || (size_t)n != len) {
- skdebug(__func__, "read from %s failed", FIDO_RANDOM_DEV);
- return -1;
- }
-
- return 0;
-}
-#elif defined(_WIN32)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
- NTSTATUS status;
-
- status = BCryptGenRandom(NULL, ptr, len,
- BCRYPT_USE_SYSTEM_PREFERRED_RNG);
- if (!NT_SUCCESS(status))
- return -1;
-
- return 0;
-}
-#else
-#error "please provide an implementation of get_random_challenge() for your platform"
-#endif
-
-/* Check if the specified key handle exists on a given device. */
-static int
-try_device(fido_dev_t *dev, const char *application,
- const uint8_t *key_handle, size_t key_handle_len)
-{
- fido_assert_t *assert = NULL;
- uint8_t challenge[32];
- int r = FIDO_ERR_INTERNAL;
-
- if (get_random_challenge(challenge, sizeof(challenge)) == -1) {
- skdebug(__func__, "get_random_challenge failed");
- goto out;
- }
-
- if ((assert = fido_assert_new()) == NULL) {
- skdebug(__func__, "fido_assert_new failed");
- goto out;
- }
- if ((r = fido_assert_set_clientdata_hash(assert, challenge,
- sizeof(challenge))) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
- fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_allow_cred(assert, key_handle,
- key_handle_len)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
- goto out;
- }
- r = fido_dev_get_assert(dev, assert, NULL);
- skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
- if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
- /* U2F tokens may return this */
- r = FIDO_OK;
- }
- out:
- fido_assert_free(&assert);
-
- return r != FIDO_OK ? -1 : 0;
-}
-
-/* Iterate over configured devices looking for a specific key handle */
-static fido_dev_t *
-find_device(const char *application, const uint8_t *key_handle,
- size_t key_handle_len)
-{
- fido_dev_info_t *devlist = NULL;
- fido_dev_t *dev = NULL;
- size_t devlist_len = 0, i;
- const char *path;
- int r;
-
- if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) {
- skdebug(__func__, "fido_dev_info_new failed");
- goto out;
- }
- if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES,
- &devlist_len)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_info_manifest: %s", fido_strerr(r));
- goto out;
- }
-
- skdebug(__func__, "found %zu device(s)", devlist_len);
-
- for (i = 0; i < devlist_len; i++) {
- const fido_dev_info_t *di = fido_dev_info_ptr(devlist, i);
-
- if (di == NULL) {
- skdebug(__func__, "fido_dev_info_ptr %zu failed", i);
- continue;
- }
- if ((path = fido_dev_info_path(di)) == NULL) {
- skdebug(__func__, "fido_dev_info_path %zu failed", i);
- continue;
- }
- skdebug(__func__, "trying device %zu: %s", i, path);
- if ((dev = fido_dev_new()) == NULL) {
- skdebug(__func__, "fido_dev_new failed");
- continue;
- }
- if ((r = fido_dev_open(dev, path)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_open failed");
- fido_dev_free(&dev);
- continue;
- }
- if (try_device(dev, application, key_handle,
- key_handle_len) == 0) {
- skdebug(__func__, "found key");
- break;
- }
- fido_dev_close(dev);
- fido_dev_free(&dev);
- }
-
- out:
- if (devlist != NULL)
- fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
-
- return dev;
-}
-
-#ifdef WITH_OPENSSL
-/*
- * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
- * but the API expects a SEC1 octet string.
- */
-static int
-pack_public_key_ecdsa(fido_cred_t *cred, struct sk_enroll_response *response)
-{
- const uint8_t *ptr;
- BIGNUM *x = NULL, *y = NULL;
- EC_POINT *q = NULL;
- EC_GROUP *g = NULL;
- int ret = -1;
-
- response->public_key = NULL;
- response->public_key_len = 0;
-
- if ((x = BN_new()) == NULL ||
- (y = BN_new()) == NULL ||
- (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL ||
- (q = EC_POINT_new(g)) == NULL) {
- skdebug(__func__, "libcrypto setup failed");
- goto out;
- }
- if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
- skdebug(__func__, "fido_cred_pubkey_ptr failed");
- goto out;
- }
- if (fido_cred_pubkey_len(cred) != 64) {
- skdebug(__func__, "bad fido_cred_pubkey_len %zu",
- fido_cred_pubkey_len(cred));
- goto out;
- }
-
- if (BN_bin2bn(ptr, 32, x) == NULL ||
- BN_bin2bn(ptr + 32, 32, y) == NULL) {
- skdebug(__func__, "BN_bin2bn failed");
- goto out;
- }
- if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, NULL) != 1) {
- skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed");
- goto out;
- }
- response->public_key_len = EC_POINT_point2oct(g, q,
- POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
- if (response->public_key_len == 0 || response->public_key_len > 2048) {
- skdebug(__func__, "bad pubkey length %zu",
- response->public_key_len);
- goto out;
- }
- if ((response->public_key = malloc(response->public_key_len)) == NULL) {
- skdebug(__func__, "malloc pubkey failed");
- goto out;
- }
- if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
- response->public_key, response->public_key_len, NULL) == 0) {
- skdebug(__func__, "EC_POINT_point2oct failed");
- goto out;
- }
- /* success */
- ret = 0;
- out:
- if (ret != 0 && response->public_key != NULL) {
- memset(response->public_key, 0, response->public_key_len);
- free(response->public_key);
- response->public_key = NULL;
- }
- EC_POINT_free(q);
- EC_GROUP_free(g);
- BN_clear_free(x);
- BN_clear_free(y);
- return ret;
-}
-#endif /* WITH_OPENSSL */
-
-static int
-pack_public_key_ed25519(fido_cred_t *cred, struct sk_enroll_response *response)
-{
- const uint8_t *ptr;
- size_t len;
- int ret = -1;
-
- response->public_key = NULL;
- response->public_key_len = 0;
-
- if ((len = fido_cred_pubkey_len(cred)) != 32) {
- skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len);
- goto out;
- }
- if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
- skdebug(__func__, "fido_cred_pubkey_ptr failed");
- goto out;
- }
- response->public_key_len = len;
- if ((response->public_key = malloc(response->public_key_len)) == NULL) {
- skdebug(__func__, "malloc pubkey failed");
- goto out;
- }
- memcpy(response->public_key, ptr, len);
- ret = 0;
- out:
- if (ret != 0)
- free(response->public_key);
- return ret;
-}
-
-static int
-pack_public_key(int alg, fido_cred_t *cred, struct sk_enroll_response *response)
-{
- switch(alg) {
-#ifdef WITH_OPENSSL
- case SK_ECDSA:
- return pack_public_key_ecdsa(cred, response);
-#endif /* WITH_OPENSSL */
- case SK_ED25519:
- return pack_public_key_ed25519(cred, response);
- default:
- return -1;
- }
-}
-
-int
-sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
- const char *application, uint8_t flags,
- struct sk_enroll_response **enroll_response)
-{
- fido_cred_t *cred = NULL;
- fido_dev_t *dev = NULL;
- const uint8_t *ptr;
- uint8_t user_id[32];
- struct sk_enroll_response *response = NULL;
- size_t len;
- int cose_alg;
- int ret = -1;
- int r;
- char *device = NULL;
-
- (void)flags; /* XXX; unused */
-#ifdef SK_DEBUG
- fido_init(FIDO_DEBUG);
-#endif
- if (enroll_response == NULL) {
- skdebug(__func__, "enroll_response == NULL");
- goto out;
- }
- *enroll_response = NULL;
- switch(alg) {
-#ifdef WITH_OPENSSL
- case SK_ECDSA:
- cose_alg = COSE_ES256;
- break;
-#endif /* WITH_OPENSSL */
- case SK_ED25519:
- cose_alg = COSE_EDDSA;
- break;
- default:
- skdebug(__func__, "unsupported key type %d", alg);
- goto out;
- }
- if ((device = pick_first_device()) == NULL) {
- skdebug(__func__, "pick_first_device failed");
- goto out;
- }
- skdebug(__func__, "using device %s", device);
- if ((cred = fido_cred_new()) == NULL) {
- skdebug(__func__, "fido_cred_new failed");
- goto out;
- }
- memset(user_id, 0, sizeof(user_id));
- if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_cred_set_clientdata_hash(cred, challenge,
- challenge_len)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
- fido_strerr(r));
- goto out;
- }
- if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
- "openssh", "openssh", NULL)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r));
- goto out;
- }
- if ((dev = fido_dev_new()) == NULL) {
- skdebug(__func__, "fido_dev_new failed");
- goto out;
- }
- if ((r = fido_dev_open(dev, device)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_open: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
- goto out;
- }
- if (fido_cred_x5c_ptr(cred) != NULL) {
- if ((r = fido_cred_verify(cred)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_verify: %s",
- fido_strerr(r));
- goto out;
- }
- } else {
- skdebug(__func__, "self-attested credential");
- if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
- skdebug(__func__, "fido_cred_verify_self: %s",
- fido_strerr(r));
- goto out;
- }
- }
- if ((response = calloc(1, sizeof(*response))) == NULL) {
- skdebug(__func__, "calloc response failed");
- goto out;
- }
- if (pack_public_key(alg, cred, response) != 0) {
- skdebug(__func__, "pack_public_key failed");
- goto out;
- }
- if ((ptr = fido_cred_id_ptr(cred)) != NULL) {
- len = fido_cred_id_len(cred);
- if ((response->key_handle = calloc(1, len)) == NULL) {
- skdebug(__func__, "calloc key handle failed");
- goto out;
- }
- memcpy(response->key_handle, ptr, len);
- response->key_handle_len = len;
- }
- if ((ptr = fido_cred_sig_ptr(cred)) != NULL) {
- len = fido_cred_sig_len(cred);
- if ((response->signature = calloc(1, len)) == NULL) {
- skdebug(__func__, "calloc signature failed");
- goto out;
- }
- memcpy(response->signature, ptr, len);
- response->signature_len = len;
- }
- if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
- len = fido_cred_x5c_len(cred);
- if ((response->attestation_cert = calloc(1, len)) == NULL) {
- skdebug(__func__, "calloc attestation cert failed");
- goto out;
- }
- memcpy(response->attestation_cert, ptr, len);
- response->attestation_cert_len = len;
- }
- *enroll_response = response;
- response = NULL;
- ret = 0;
- out:
- free(device);
- if (response != NULL) {
- free(response->public_key);
- free(response->key_handle);
- free(response->signature);
- free(response->attestation_cert);
- free(response);
- }
- if (dev != NULL) {
- fido_dev_close(dev);
- fido_dev_free(&dev);
- }
- if (cred != NULL) {
- fido_cred_free(&cred);
- }
- return ret;
-}
-
-#ifdef WITH_OPENSSL
-static int
-pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
-{
- ECDSA_SIG *sig = NULL;
- const BIGNUM *sig_r, *sig_s;
- const unsigned char *cp;
- size_t sig_len;
- int ret = -1;
-
- cp = fido_assert_sig_ptr(assert, 0);
- sig_len = fido_assert_sig_len(assert, 0);
- if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) {
- skdebug(__func__, "d2i_ECDSA_SIG failed");
- goto out;
- }
- ECDSA_SIG_get0(sig, &sig_r, &sig_s);
- response->sig_r_len = BN_num_bytes(sig_r);
- response->sig_s_len = BN_num_bytes(sig_s);
- if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
- (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
- skdebug(__func__, "calloc signature failed");
- goto out;
- }
- BN_bn2bin(sig_r, response->sig_r);
- BN_bn2bin(sig_s, response->sig_s);
- ret = 0;
- out:
- ECDSA_SIG_free(sig);
- if (ret != 0) {
- free(response->sig_r);
- free(response->sig_s);
- response->sig_r = NULL;
- response->sig_s = NULL;
- }
- return ret;
-}
-#endif /* WITH_OPENSSL */
-
-static int
-pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
-{
- const unsigned char *ptr;
- size_t len;
- int ret = -1;
-
- ptr = fido_assert_sig_ptr(assert, 0);
- len = fido_assert_sig_len(assert, 0);
- if (len != 64) {
- skdebug(__func__, "bad length %zu", len);
- goto out;
- }
- response->sig_r_len = len;
- if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
- skdebug(__func__, "calloc signature failed");
- goto out;
- }
- memcpy(response->sig_r, ptr, len);
- ret = 0;
- out:
- if (ret != 0) {
- free(response->sig_r);
- response->sig_r = NULL;
- }
- return ret;
-}
-
-static int
-pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response)
-{
- switch(alg) {
-#ifdef WITH_OPENSSL
- case SK_ECDSA:
- return pack_sig_ecdsa(assert, response);
-#endif /* WITH_OPENSSL */
- case SK_ED25519:
- return pack_sig_ed25519(assert, response);
- default:
- return -1;
- }
-}
-
-int
-sk_sign(int alg, const uint8_t *message, size_t message_len,
- const char *application,
- const uint8_t *key_handle, size_t key_handle_len,
- uint8_t flags, struct sk_sign_response **sign_response)
-{
- fido_assert_t *assert = NULL;
- fido_dev_t *dev = NULL;
- struct sk_sign_response *response = NULL;
- int ret = -1;
- int r;
-
-#ifdef SK_DEBUG
- fido_init(FIDO_DEBUG);
-#endif
-
- if (sign_response == NULL) {
- skdebug(__func__, "sign_response == NULL");
- goto out;
- }
- *sign_response = NULL;
- if ((dev = find_device(application, key_handle,
- key_handle_len)) == NULL) {
- skdebug(__func__, "couldn't find device for key handle");
- goto out;
- }
- if ((assert = fido_assert_new()) == NULL) {
- skdebug(__func__, "fido_assert_new failed");
- goto out;
- }
- if ((r = fido_assert_set_clientdata_hash(assert, message,
- message_len)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
- fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_allow_cred(assert, key_handle,
- key_handle_len)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_assert_set_up(assert,
- (flags & SK_USER_PRESENCE_REQD) ?
- FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
- goto out;
- }
- if ((r = fido_dev_get_assert(dev, assert, NULL)) != FIDO_OK) {
- skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
- goto out;
- }
- if ((response = calloc(1, sizeof(*response))) == NULL) {
- skdebug(__func__, "calloc response failed");
- goto out;
- }
- response->flags = fido_assert_flags(assert, 0);
- response->counter = fido_assert_sigcount(assert, 0);
- if (pack_sig(alg, assert, response) != 0) {
- skdebug(__func__, "pack_sig failed");
- goto out;
- }
- *sign_response = response;
- response = NULL;
- ret = 0;
- out:
- if (response != NULL) {
- free(response->sig_r);
- free(response->sig_s);
- free(response);
- }
- if (dev != NULL) {
- fido_dev_close(dev);
- fido_dev_free(&dev);
- }
- if (assert != NULL) {
- fido_assert_free(&assert);
- }
- return ret;
-}
diff --git a/udev/70-u2f.rules b/udev/70-u2f.rules
index 8dc20a1..3932270 100644
--- a/udev/70-u2f.rules
+++ b/udev/70-u2f.rules
@@ -35,8 +35,11 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct # Thetis Key KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660" -# Nitrokey FIDO U2F -KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess", GROUP="plugdev", MODE="0660" +# Nitrokey FIDO U2F, Nitrokey FIDO2 +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287|42b1", TAG+="uaccess", GROUP="plugdev", MODE="0660" + +# Safetech SafeKey +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b3", TAG+="uaccess", GROUP="plugdev", MODE="0660" # Google Titan U2F KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660" -- cgit v1.2.3 From 400533f0af0b8119c84e574387ed05e500f63861 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 23 Feb 2020 15:36:47 +0100 Subject: Prepare upload v1.3.1-1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index af5ccc1..d3ef6dd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libfido2 (1.3.1-0.1) UNRELEASED; urgency=medium +libfido2 (1.3.1-1) unstable; urgency=medium [ nicoo ] * New upstream version 1.3.1 (released 2020-02-19) @@ -12,7 +12,7 @@ libfido2 (1.3.1-0.1) UNRELEASED; urgency=medium * Fix pattern in debian/watch. * Only use -fstack-protector-all if it is supported - -- nicoo Sun, 23 Feb 2020 15:33:59 +0100 + -- nicoo Sun, 23 Feb 2020 15:36:41 +0100 libfido2 (1.3.0-1) unstable; urgency=low -- cgit v1.2.3
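Review bot: The new Safetech SafeKey rule and the widened Nitrokey rule both match `ATTRS{idVendor}=="20a0"`, so within this hunk one USB vendor id is shared by two different vendors (per the comments) and the exact `idProduct` value is the only thing that keeps these rules from granting `uaccess`/`plugdev` 0660 access to every hidraw node that reports that vendor id. Because a hidraw node gives the seat user raw HID report access to the device, any future loosening of the product match on either line (a `*` or a broad alternation) would expose non-FIDO devices, and nothing in the file says so. I would record that constraint on the rule: `# Note: idVendor 20a0 is shared by several vendors (Nitrokey, Safetech); keep idProduct exact, never wildcard it.` If the target udev/hwdb can identify tokens by the FIDO HID usage page instead of a growing vendor/product list, that would be a more robust match, but I cannot tell from this hunk whether that is available on the platforms the package targets.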