From 173bfbf7886608a4a7abbfac6a42ac4bf4a3432d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 20 Sep 2020 16:14:20 +0100 Subject: New upstream version 1.5.0 --- tools/CMakeLists.txt | 7 ++++ tools/assert_get.c | 94 ++++++++++++++++++++++++++++++++++++++++++-------- tools/assert_verify.c | 12 ++----- tools/base64.c | 5 ++- tools/cred_make.c | 26 ++++++++------ tools/cred_verify.c | 26 ++++++++------ tools/credman.c | 21 +++-------- tools/extern.h | 6 +++- tools/fido2-assert.c | 6 ++-- tools/fido2-attach.sh | 14 ++++++++ tools/fido2-cred.c | 6 ++-- tools/fido2-detach.sh | 12 +++++++ tools/fido2-token.c | 6 ++-- tools/fido2-unprot.sh | 75 ++++++++++++++++++++++++++++++++++++++++ tools/include_check.sh | 8 ++--- tools/macos_pkg.sh | 44 ----------------------- tools/token.c | 18 ++++++++++ tools/util.c | 68 ++++++++++++++++++++++++++++++++++++ 18 files changed, 331 insertions(+), 123 deletions(-) create mode 100755 tools/fido2-attach.sh create mode 100755 tools/fido2-detach.sh create mode 100755 tools/fido2-unprot.sh delete mode 100755 tools/macos_pkg.sh (limited to 'tools') diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 274a799..4d08be9 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -20,6 +20,13 @@ else() list(APPEND COMPAT_SOURCES ../openbsd-compat/readpassphrase.c) endif() +if(NOT MSVC) + set_source_files_properties(assert_get.c assert_verify.c base64.c bio.c + cred_make.c cred_verify.c credman.c fido2-assert.c fido2-cred.c + fido2-token.c pin.c token.c util.c PROPERTIES COMPILE_FLAGS + "-Wconversion -Wsign-conversion") +endif() + add_executable(fido2-cred fido2-cred.c cred_make.c diff --git a/tools/assert_get.c b/tools/assert_get.c index 5e209cd..d52cd06 100644 --- a/tools/assert_get.c +++ b/tools/assert_get.c 
@@ -15,8 +15,67 @@ #include "../openbsd-compat/openbsd-compat.h" #include "extern.h" +struct toggle { + fido_opt_t up; + fido_opt_t uv; + fido_opt_t pin; +}; + +static const char * +opt2str(fido_opt_t v) +{ + switch (v) { + case FIDO_OPT_OMIT: + return "omit"; + case FIDO_OPT_TRUE: + return "true"; + case FIDO_OPT_FALSE: + return "false"; + default: + return "unknown"; + } +} + +static void +parse_toggle(const char *str, struct toggle *opt) +{ + fido_opt_t *k; + fido_opt_t v; + char *assignment; + char *key; + char *val; + + if ((assignment = strdup(str)) == NULL) + err(1, "strdup"); + if ((val = strchr(assignment, '=')) == NULL) + errx(1, "invalid assignment '%s'", assignment); + + key = assignment; + *val++ = '\0'; + + if (!strcmp(val, "true")) + v = FIDO_OPT_TRUE; + else if (!strcmp(val, "false")) + v = FIDO_OPT_FALSE; + else + errx(1, "unknown value '%s'", val); + + if (!strcmp(key, "up")) + k = &opt->up; + else if (!strcmp(key, "uv")) + k = &opt->uv; + else if (!strcmp(key, "pin")) + k = &opt->pin; + else + errx(1, "unknown key '%s'", key); + + free(assignment); + + *k = v; +} + static fido_assert_t * -prepare_assert(FILE *in_f, int flags) +prepare_assert(FILE *in_f, int flags, const struct toggle *opt) { fido_assert_t *assert = NULL; struct blob cdh; @@ -46,6 +105,9 @@ prepare_assert(FILE *in_f, int flags) fprintf(stderr, "credential id:\n"); xxd(id.ptr, id.len); } + fprintf(stderr, "up=%s\n", opt2str(opt->up)); + fprintf(stderr, "uv=%s\n", opt2str(opt->uv)); + fprintf(stderr, "pin=%s\n", opt2str(opt->pin)); } if ((assert = fido_assert_new()) == NULL) 
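Review bot: parse_toggle carries no comment describing the grammar it accepts, and nothing else in the diff states it either, so a reader has to work out from the strcmp chain that the argument is `key=value` with key one of up, uv, pin and value exactly true or false, and from the caller that repeated -t options (and -p/-v) apply in command-line order with the last assignment winning. A header comment would close that gap: `/* Parse one "-t key=value" toggle: key is up, uv or pin, value is true or false. Later toggles override earlier ones (including -p/-v); any parse error is fatal. */`. The strdup'd `assignment` is leaked on the errx paths, which is harmless only because errx exits — worth a one-word note if anyone later turns these into non-fatal returns. prepare_assert, whose signature changes here, continues outside the hunk.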
@@ -55,15 +117,11 @@ prepare_assert(FILE *in_f, int flags) cdh.len)) != FIDO_OK || (r = fido_assert_set_rp(assert, rpid)) != FIDO_OK) errx(1, "fido_assert_set: %s", fido_strerr(r)); + if ((r = fido_assert_set_up(assert, opt->up)) != FIDO_OK) + errx(1, "fido_assert_set_up: %s", fido_strerr(r)); + if ((r = fido_assert_set_uv(assert, opt->uv)) != FIDO_OK) + errx(1, "fido_assert_set_uv: %s", fido_strerr(r)); - if (flags & FLAG_UP) { - if ((r = fido_assert_set_up(assert, FIDO_OPT_TRUE)) != FIDO_OK) - errx(1, "fido_assert_set_up: %s", fido_strerr(r)); - } - if (flags & FLAG_UV) { - if ((r = fido_assert_set_uv(assert, FIDO_OPT_TRUE)) != FIDO_OK) - errx(1, "fido_assert_set_uv: %s", fido_strerr(r)); - } if (flags & FLAG_HMAC) { if ((r = fido_assert_set_extensions(assert, FIDO_EXT_HMAC_SECRET)) != FIDO_OK) @@ -136,6 +194,7 @@ assert_get(int argc, char **argv) { fido_dev_t *dev = NULL; fido_assert_t *assert = NULL; + struct toggle opt; char pin[1024]; char prompt[1024]; char *in_path = NULL; @@ -146,7 +205,9 @@ assert_get(int argc, char **argv) int ch; int r; - while ((ch = getopt(argc, argv, "dhi:o:pruv")) != -1) { + opt.up = opt.uv = opt.pin = FIDO_OPT_OMIT; + + while ((ch = getopt(argc, argv, "dhi:o:prt:uv")) != -1) { switch (ch) { case 'd': flags |= FLAG_DEBUG; @@ -161,16 +222,21 @@ assert_get(int argc, char **argv) out_path = optarg; break; case 'p': - flags |= FLAG_UP; + opt.up = FIDO_OPT_TRUE; break; case 'r': flags |= FLAG_RK; break; + case 't' : + parse_toggle(optarg, &opt); + break; case 'u': flags |= FLAG_U2F; break; case 'v': - flags |= FLAG_UV; + /* -v implies both pin and uv for historical reasons */ + opt.pin = FIDO_OPT_TRUE; + opt.uv = FIDO_OPT_TRUE; break; default: usage(); 
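Review bot: The `-v` case sets both `opt.pin` and `opt.uv` while `-t` flips one key, so the outcome depends on argument order: `-v -t pin=false` leaves uv=true with no PIN prompt (built-in user verification is requested from the token), whereas `-t pin=false -v` ends with both true. That is a reasonable design, but the only hint is the "historical reasons" comment; extend it to `/* -v implies both pin and uv for historical reasons; a later -t pin=false or -t uv=false overrides just that one. */`. Separately, `case 't' :` has a stray space before the colon that the neighbouring labels do not, and assert_get's body continues outside this hunk.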
@@ -188,13 +254,13 @@ assert_get(int argc, char **argv) fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); - assert = prepare_assert(in_f, flags); + assert = prepare_assert(in_f, flags, &opt); dev = open_dev(argv[0]); if (flags & FLAG_U2F) fido_dev_force_u2f(dev); - if (flags & FLAG_UV) { + if (opt.pin == FIDO_OPT_TRUE) { r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", argv[0]); if (r < 0 || (size_t)r >= sizeof(prompt)) diff --git a/tools/assert_verify.c b/tools/assert_verify.c index ccff57a..fb96b65 100644 --- a/tools/assert_verify.c +++ b/tools/assert_verify.c @@ -175,16 +175,8 @@ assert_verify(int argc, char **argv) in_f = open_read(in_path); - if (argc > 1) { - if (strcmp(argv[1], "es256") == 0) - type = COSE_ES256; - else if (strcmp(argv[1], "rs256") == 0) - type = COSE_RS256; - else if (strcmp(argv[1], "eddsa") == 0) - type = COSE_EDDSA; - else - errx(1, "unknown type %s", argv[1]); - } + if (argc > 1 && cose_type(argv[1], &type) < 0) + errx(1, "unknown type %s", argv[1]); fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); diff --git a/tools/base64.c b/tools/base64.c index 9f31def..e131198 100644 --- a/tools/base64.c +++ b/tools/base64.c @@ -7,7 +7,6 @@ #include #include -#include #include #include #include @@ -62,7 +61,7 @@ fail: } int -base64_decode(char *in, void **ptr, size_t *len) +base64_decode(const char *in, void **ptr, size_t *len) { BIO *bio_mem = NULL; BIO *bio_b64 = NULL; @@ -78,7 +77,7 @@ base64_decode(char *in, void **ptr, size_t *len) if ((bio_b64 = BIO_new(BIO_f_base64())) == NULL) goto fail; - if ((bio_mem = BIO_new_mem_buf((void *)in, -1)) == NULL) + if ((bio_mem = BIO_new_mem_buf((const void *)in, -1)) == NULL) goto fail; BIO_set_flags(bio_b64, BIO_FLAGS_BASE64_NO_NL); diff --git a/tools/cred_make.c b/tools/cred_make.c index 380c67a..255a488 100644 --- a/tools/cred_make.c +++ b/tools/cred_make.c 
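Review bot: The PIN prompt is now gated on `opt.pin == FIDO_OPT_TRUE`, so `-t uv=true` on its own sends uv=true with no PIN to the device; that is the right call for tokens with built-in user verification, but on a PIN-only token it presumably fails with a PIN-required error rather than prompting as `-v` used to, and that difference deserves a line in the man page. assert_get continues past the hunk: `pin[1024]` from the earlier hunk is filled here, and whether it is still wiped (`explicit_bzero(pin, sizeof(pin))`) on every path after `fido_dev_get_assert` is not visible in this diff — worth confirming now that the prompt condition changed.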
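Review bot: `BIO_new_mem_buf((const void *)in, -1)` matches the OpenSSL 1.1.0+ prototype, which takes `const void *`; if the tools are still expected to build against 1.0.2, whose `BIO_new_mem_buf` took a plain `void *` if I remember correctly, the call now discards a qualifier and compilers will say so, so the change implicitly raises the minimum OpenSSL unless the compat layer covers it. The `-1` length also means the BIO will `strlen()` the input, so `base64_decode` still requires a NUL-terminated string; now that the parameter is `const char *` a one-line contract comment would help callers: `/* in must be NUL-terminated: length -1 makes the BIO strlen() it */`.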
@@ -130,11 +130,16 @@ cred_make(int argc, char **argv) FILE *out_f = NULL; int type = COSE_ES256; int flags = 0; + int cred_protect = -1; int ch; int r; - while ((ch = getopt(argc, argv, "dhi:o:qruv")) != -1) { + while ((ch = getopt(argc, argv, "c:dhi:o:qruv")) != -1) { switch (ch) { + case 'c': + if ((cred_protect = base10(optarg)) < 0) + errx(1, "-c: invalid argument '%s'", optarg); + break; case 'd': flags |= FLAG_DEBUG; break; @@ -173,16 +178,8 @@ cred_make(int argc, char **argv) in_f = open_read(in_path); out_f = open_write(out_path); - if (argc > 1) { - if (strcmp(argv[1], "es256") == 0) - type = COSE_ES256; - else if (strcmp(argv[1], "rs256") == 0) - type = COSE_RS256; - else if (strcmp(argv[1], "eddsa") == 0) - type = COSE_EDDSA; - else - errx(1, "unknown type %s", argv[1]); - } + if (argc > 1 && cose_type(argv[1], &type) < 0) + errx(1, "unknown type %s", argv[1]); fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); @@ -192,6 +189,13 @@ cred_make(int argc, char **argv) if (flags & FLAG_U2F) fido_dev_force_u2f(dev); + if (cred_protect > 0) { + r = fido_cred_set_prot(cred, cred_protect); + if (r != FIDO_OK) { + errx(1, "fido_cred_set_prot: %s", fido_strerr(r)); + } + } + r = fido_dev_make_cred(dev, cred, NULL); if (r == FIDO_ERR_PIN_REQUIRED && !(flags & FLAG_QUIET)) { r = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", diff --git a/tools/cred_verify.c b/tools/cred_verify.c index 3f7a400..d622ed7 100644 --- a/tools/cred_verify.c +++ b/tools/cred_verify.c @@ -109,11 +109,16 @@ cred_verify(int argc, char **argv) FILE *out_f = NULL; int type = COSE_ES256; int flags = 0; + int cred_prot = -1; int ch; int r; - while ((ch = getopt(argc, argv, "dhi:o:v")) != -1) { + while ((ch = getopt(argc, argv, "c:dhi:o:v")) != -1) { switch (ch) { + case 'c': + if ((cred_prot = base10(optarg)) < 0) + errx(1, "-c: invalid argument '%s'", optarg); + break; case 'd': flags |= FLAG_DEBUG; break; 
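Review bot: `-c 0` survives `base10()`, which only rejects negatives and non-digits, and is then silently dropped by `if (cred_protect > 0)`, so a typo or a user who thinks 0 means "none" gets a credential under the token's default policy with no message; since CTAP credProtect only defines 1, 2 and 3, reject it at the option instead: `if ((cred_protect = base10(optarg)) < 1) errx(1, "-c: invalid argument '%s'", optarg);` (values above 3 presumably bounce off `fido_cred_set_prot` already). The `fido_cred_set_prot` call could also state what happens when the authenticator lacks the extension — whether `fido_dev_make_cred` then fails or the request is sent without credProtect is not visible from the tools side, and for a protection policy a silent fallback is the outcome an operator most needs to know about. Minor style: the braced single-statement `if (r != FIDO_OK) { errx(...); }` differs from the unbraced two-line form used everywhere else in these files, and cred_make continues outside the hunk.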
@@ -143,20 +148,19 @@ cred_verify(int argc, char **argv) in_f = open_read(in_path); out_f = open_write(out_path); - if (argc > 0) { - if (strcmp(argv[0], "es256") == 0) - type = COSE_ES256; - else if (strcmp(argv[0], "rs256") == 0) - type = COSE_RS256; - else if (strcmp(argv[0], "eddsa") == 0) - type = COSE_EDDSA; - else - errx(1, "unknown type %s", argv[0]); - } + if (argc > 0 && cose_type(argv[0], &type) < 0) + errx(1, "unknown type %s", argv[0]); fido_init((flags & FLAG_DEBUG) ? FIDO_DEBUG : 0); cred = prepare_cred(in_f, type, flags); + if (cred_prot > 0) { + r = fido_cred_set_prot(cred, cred_prot); + if (r != FIDO_OK) { + errx(1, "fido_cred_set_prot: %s", fido_strerr(r)); + } + } + if (fido_cred_x5c_ptr(cred) == NULL) { if ((r = fido_cred_verify_self(cred)) != FIDO_OK) errx(1, "fido_cred_verify_self: %s", fido_strerr(r)); diff --git a/tools/credman.c b/tools/credman.c index 6eda245..ea913bb 100644 --- a/tools/credman.c +++ b/tools/credman.c @@ -101,6 +101,7 @@ print_rk(const fido_credman_rk_t *rk, size_t idx) char *id = NULL; char *user_id = NULL; const char *type; + const char *prot; if ((cred = fido_credman_rk(rk, idx)) == NULL) errx(1, "fido_credman_rk"); @@ -109,23 +110,11 @@ print_rk(const fido_credman_rk_t *rk, size_t idx) fido_cred_user_id_len(cred), &user_id) < 0) errx(1, "output error"); - switch (fido_cred_type(cred)) { - case COSE_EDDSA: - type = "eddsa"; - break; - case COSE_ES256: - type = "es256"; - break; - case COSE_RS256: - type = "rs256"; - break; - default: - type = "unknown"; - break; - } + type = cose_string(fido_cred_type(cred)); + prot = prot_string(fido_cred_prot(cred)); - printf("%02u: %s %s (%s) %s\n", (unsigned)idx, id, - fido_cred_display_name(cred), user_id, type); + printf("%02u: %s %s %s %s %s\n", (unsigned)idx, id, + fido_cred_display_name(cred), user_id, type, prot); free(user_id); free(id); diff --git a/tools/extern.h b/tools/extern.h index be01046..df5fcd8 100644 --- a/tools/extern.h +++ b/tools/extern.h 
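Review bot: On the verify side `-c` means something different from the make side — it declares the credProtect policy the caller expected, which `fido_cred_verify`/`fido_cred_verify_self` presumably compare against the extension carried in the attested authenticator data — and neither the hunk nor the usage text says so. As far as the visible code goes the attested policy is not checked at all when `-c` is absent, so a relying party that demanded uvreq has to pass `-c 3` here or a credential minted with a weaker policy verifies cleanly; a comment at the call makes that explicit: `/* -c: policy the RP requested; verification must fail if the attested credProtect differs */`. The same `-c 0` is accepted and then ignored by `cred_prot > 0` as in cred_make, and cred_verify continues outside the hunk.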
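Review bot: The rewritten `printf` hands `fido_cred_display_name(cred)` straight to `%s`; if that accessor can return NULL for a resident key whose authenticator stored no displayName (not determinable from the tools side), this is undefined behaviour that glibc masks as "(null)" and other libcs turn into a crash, so a `? : "(none)"` guard or a NULL check before the printf is cheap insurance. The line layout is also an interface: fido2-unprot.sh in this same commit parses it with `cut -d' ' -f2,3,4` and `grep ' uvopt$'`, and display names may contain spaces, so either document the field order here (`/* idx: cred_id display_name user_id type prot — consumed by fido2-unprot.sh */`) or move the free-form display name to the end. print_rk continues past the hunk.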
@@ -32,9 +32,11 @@ EC_KEY *read_ec_pubkey(const char *); fido_dev_t *open_dev(const char *); FILE *open_read(const char *); FILE *open_write(const char *); +const char *cose_string(int); +const char *prot_string(int); int assert_get(int, char **); int assert_verify(int, char **); -int base64_decode(char *, void **, size_t *); +int base64_decode(const char *, void **, size_t *); int base64_encode(const void *, size_t, char **); int base64_read(FILE *, struct blob *); int bio_delete(fido_dev_t *, char *, char *); @@ -42,6 +44,7 @@ int bio_enroll(char *); void bio_info(fido_dev_t *); int bio_list(char *); int bio_set_name(char *, char *, char *); +int cose_type(const char *, int *); int cred_make(int, char **); int cred_verify(int, char **); int credman_delete_rk(fido_dev_t *, const char *, char *); @@ -66,5 +69,6 @@ void print_cred(FILE *, int, const fido_cred_t *); void read_pin(const char *, char *, size_t); void usage(void); void xxd(const void *, size_t); +int base10(const char *); #endif /* _EXTERN_H_ */ diff --git a/tools/fido2-assert.c b/tools/fido2-assert.c index 9ce537a..7fd7632 100644 --- a/tools/fido2-assert.c +++ b/tools/fido2-assert.c @@ -11,10 +11,10 @@ * $ echo relying party >> assert_param * $ head -1 cred >> assert_param # credential id * $ tail -n +2 cred > pubkey # credential pubkey - * $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey rs256 + * $ fido2-assert -G -i assert_param /dev/hidraw5 | fido2-assert -V pubkey rs256 * * See blurb in fido2-cred.c on how to obtain cred. - */ + */ #include #include @@ -28,7 +28,7 @@ void usage(void) { fprintf(stderr, -"usage: fido2-assert -G [-dhpruv] [-i input_file] [-o output_file] device\n" +"usage: fido2-assert -G [-dhpruv] [-t option] [-i input_file] [-o output_file] device\n" " fido2-assert -V [-dhpv] [-i input_file] key_file [type]\n" ); diff --git a/tools/fido2-attach.sh b/tools/fido2-attach.sh new file mode 100755 index 0000000..d4bc449 --- /dev/null +++ b/tools/fido2-attach.sh 
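Review bot: `int base10(const char *);` is appended after `void xxd(...)`, while the rest of the list is kept grouped by return type and alphabetised — `cose_string`/`prot_string` are slotted among the `const char *` entries and `cose_type` among the `int` ones in this very hunk — so it belongs right after `int assert_verify(int, char **);`. Cosmetic, but this header is how the tools find each other and ordering is what makes it scannable.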
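Review bot: `[-t option]` in the usage string tells the user neither what `option` looks like nor that it may be repeated; assert_get.c shows it is `key=value` with key up, uv or pin and value true or false, applied in order. `[-t key=value]` (or `[-t up|uv|pin=true|false]`) in the usage line, with the order-dependence relative to `-p`/`-v` explained in the man page, would make the new option discoverable without reading the source.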
@@ -0,0 +1,14 @@ +#!/bin/sh + +# Copyright (c) 2020 Yubico AB. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +DEV="" + +while [ -z "${DEV}" ]; do + sleep .5 + DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" +done + +printf '%s\n' "${DEV}" diff --git a/tools/fido2-cred.c b/tools/fido2-cred.c index 45efca0..ce277f5 100644 --- a/tools/fido2-cred.c +++ b/tools/fido2-cred.c @@ -12,7 +12,7 @@ * $ echo user name >> cred_param * $ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param * $ fido2-cred -M -i cred_param /dev/hidraw5 | fido2-cred -V -o cred - */ + */ #include #include @@ -26,8 +26,8 @@ void usage(void) { fprintf(stderr, -"usage: fido2-cred -M [-dhqruv] [-i input_file] [-o output_file] device [type]\n" -" fido2-cred -V [-dhv] [-i input_file] [-o output_file] [type]\n" +"usage: fido2-cred -M [-dhqruv] [-c cred_protect] [-i input_file] [-o output_file] device [type]\n" +" fido2-cred -V [-dhv] [-c cred_protect] [-i input_file] [-o output_file] [type]\n" ); exit(1); diff --git a/tools/fido2-detach.sh b/tools/fido2-detach.sh new file mode 100755 index 0000000..9cd2e64 --- /dev/null +++ b/tools/fido2-detach.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +# Copyright (c) 2020 Yubico AB. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" + +while [ -n "${DEV}" ]; do + sleep .5 + DEV="$(fido2-token -L | sed 's/^\(.*\): .*$/\1/;q')" +done diff --git a/tools/fido2-token.c b/tools/fido2-token.c index 0b02fea..a1e6594 100644 --- a/tools/fido2-token.c +++ b/tools/fido2-token.c 
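Review bot: The polling loop has no failure path: if `fido2-token` is missing from `$PATH` or `-L` exits non-zero, the pipeline's status is sed's, `DEV` stays empty and the script spins forever, repeating the same stderr error every half second. A `command -v fido2-token >/dev/null 2>&1 || exit 1` before the loop, or a bounded retry count, turns that into a diagnosable failure; fido2-detach.sh has the same shape. The sed expression takes everything before the first `: ` as the device path, which assumes the `path: description` layout of `fido2-token -L` and that paths never contain a colon-space — true for the hidraw paths in the examples, but worth a comment: `# first device path in "path: description" output of fido2-token -L`.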
@@ -19,11 +19,11 @@ usage(void) { fprintf(stderr, "usage: fido2-token [-CR] [-d] device\n" -" fido2-token -D [-de] -i id device\n" +" fido2-token -D [-de] -i id device\n" " fido2-token -I [-cd] [-k rp_id -i cred_id] device\n" -" fido2-token -L [-der] [-k rp_id] [device]\n" +" fido2-token -L [-der] [-k rp_id] [device]\n" " fido2-token -S [-de] [-i template_id -n template_name] device\n" -" fido2-token -V\n" +" fido2-token -V\n" ); exit(1); diff --git a/tools/fido2-unprot.sh b/tools/fido2-unprot.sh new file mode 100755 index 0000000..44b28b8 --- /dev/null +++ b/tools/fido2-unprot.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh + +# Copyright (c) 2020 Fabian Henneke. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + + +if [ $(uname) != "Linux" ] ; then + echo "Can only run on Linux" + exit 1 +fi + +TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1) +if [ $? -ne 0 ] ; then + echo "Please install libfido2 1.5.0 or higher" + exit +fi + +TOKEN_VERSION_MAJOR=$(echo "$TOKEN_VERSION" | cut -d. -f1) +TOKEN_VERSION_MINOR=$(echo "$TOKEN_VERSION" | cut -d. -f2) +if [ $TOKEN_VERSION_MAJOR -eq 0 -o $TOKEN_VERSION_MAJOR -eq 1 -a $TOKEN_VERSION_MINOR -lt 5 ] ; then + echo "Please install libfido2 1.5.0 or higher (current version: $TOKEN_VERSION)" + exit 1 +fi + +set -e + +TOKEN_OUTPUT=$(${FIDO_TOOLS_PREFIX}fido2-token -L) +DEV_PATH_NAMES=$(echo "$TOKEN_OUTPUT" | sed -r 's/^(.*): .*\((.*)\)$/\1 \2/g') +DEV_COUNT=$(echo "$DEV_PATH_NAMES" | wc -l) + +for i in $(seq 1 $DEV_COUNT) +do + DEV_PATH_NAME=$(echo "$DEV_PATH_NAMES" | sed "${i}q;d") + DEV_PATH=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1) + DEV_NAME=$(echo "$DEV_PATH_NAME" | cut -d' ' -f1 --complement) + DEV_PRETTY=$(echo "$DEV_NAME (at '$DEV_PATH')") + if expr match "$(${FIDO_TOOLS_PREFIX}fido2-token -I $DEV_PATH)" ".* credMgmt.* clientPin.*\|.* clientPin.* credMgmt.*" > /dev/null ; then + printf "Enter PIN for $DEV_PRETTY once (ignore further prompts): " + stty -echo + read PIN + stty echo + printf "\n" + RESIDENT_RPS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r $DEV_PATH | cut -d' ' -f3) + printf "\n" + RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" | wc -l) + FOUND=0 + for j in $(seq 1 $DEV_RESIDENT_RPS_COUNT) + do + RESIDENT_RP=$(echo "$RESIDENT_RPS" | sed "${j}q;d") + UNPROT_CREDS=$(echo "${PIN}\n" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k $RESIDENT_RP $DEV_PATH | grep ' uvopt$' | cut -d' ' -f2,3,4) + printf "\n" + UNPROT_CREDS_COUNT=$(echo "$UNPROT_CREDS" | wc -l) + if [ $UNPROT_CREDS_COUNT -gt 0 ] ; then + FOUND=1 + echo 
"Unprotected credentials on $DEV_PRETTY for '$RESIDENT_RP':" + echo "$UNPROT_CREDS" + fi + done + if [ $FOUND -eq 0 ] ; then + echo "No unprotected credentials on $DEV_PRETTY" + fi + else + echo "$DEV_PRETTY cannot enumerate credentials" + echo "Discovering unprotected SSH credentials only..." + STUB_HASH=$(echo -n "" | openssl sha256 -binary | base64) + printf "$STUB_HASH\nssh:\n" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false $DEV_PATH 2> /dev/null || ASSERT_EXIT_CODE=$? + if [ $ASSERT_EXIT_CODE -eq 0 ] ; then + echo "Found an unprotected SSH credential on $DEV_PRETTY!" + else + echo "No unprotected SSH credentials (default settings) on $DEV_PRETTY" + fi + fi + printf "\n" +done diff --git a/tools/include_check.sh b/tools/include_check.sh index 9958c9a..e684d0b 100755 --- a/tools/include_check.sh +++ b/tools/include_check.sh @@ -1,5 +1,5 @@ -#!/bin/bash -# +#!/bin/sh + # Copyright (c) 2019 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. @@ -8,14 +8,14 @@ check() { for f in $(find $1 -maxdepth 1 -name '*.h'); do echo "#include \"$f\"" | \ cc $CFLAGS -Isrc -xc -c - -o /dev/null 2>&1 - echo $f $CFLAGS $? + echo "$f $CFLAGS $?" done } check examples check fuzz check openbsd-compat -CFLAGS=-D_FIDO_INTERNAL check src +CFLAGS="${CFLAGS} -D_FIDO_INTERNAL" check src check src/fido.h check src/fido check tools diff --git a/tools/macos_pkg.sh b/tools/macos_pkg.sh deleted file mode 100755 index 4313c27..0000000 --- a/tools/macos_pkg.sh +++ /dev/null 
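Review bot: The silent-assertion probe at the bottom cannot report a hit on the first device: `ASSERT_EXIT_CODE` is assigned only when `fido2-assert` fails, so on success it is unset, `[ $ASSERT_EXIT_CODE -eq 0 ]` becomes `[ -eq 0 ]`, the test errors and the else branch prints "No unprotected SSH credentials" — the one condition the script exists to detect is reported as clean (and on later devices the previous device's status is reused). The credMgmt path has two more defects: the inner loop runs `seq 1 $DEV_RESIDENT_RPS_COUNT`, a variable that is never assigned (the count is in `RESIDENT_RPS_COUNT`), so only the first RP is ever inspected; and `echo "$X" | wc -l` is 1 for an empty `X`, so `UNPROT_CREDS_COUNT -gt 0` is always true and every RP is announced with an empty list. The PIN handling is also shell-dependent: `echo "${PIN}\n"` expands `\n` under dash but not where /bin/sh is bash, in which case two literal characters are appended and a wrong PIN is sent to the token, burning one of its retries; use `printf '%s\n\n' "$PIN"` (same two newlines dash emitted), read with `read -r`, keep `$DEV_PRETTY` out of a printf format string, and `unset PIN` once done. An empty `RESIDENT_RP` also reaches `fido2-token -L -k $RESIDENT_RP $DEV_PATH` unquoted, so the device path is consumed as the `-k` argument. Finally, the first version check exits with status 0 after printing "Please install", so a missing fido2-token looks like success to a caller.
```shell
# … unchanged: Linux check …
TOKEN_VERSION=$(${FIDO_TOOLS_PREFIX}fido2-token -V 2>&1)
if [ $? -ne 0 ] ; then
  echo "Please install libfido2 1.5.0 or higher"
  exit 1
fi
# … unchanged: version comparison, device enumeration, capability check …
    printf 'Enter PIN for %s once (ignore further prompts): ' "$DEV_PRETTY"
    stty -echo
    read -r PIN
    stty echo
    printf '\n'
    RESIDENT_RPS=$(printf '%s\n\n' "$PIN" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -r "$DEV_PATH" | cut -d' ' -f3)
    printf '\n'
    RESIDENT_RPS_COUNT=$(echo "$RESIDENT_RPS" | wc -l)
    FOUND=0
    for j in $(seq 1 $RESIDENT_RPS_COUNT)
    do
      RESIDENT_RP=$(echo "$RESIDENT_RPS" | sed "${j}q;d")
      [ -n "$RESIDENT_RP" ] || continue
      UNPROT_CREDS=$(printf '%s\n\n' "$PIN" | setsid -w ${FIDO_TOOLS_PREFIX}fido2-token -L -k "$RESIDENT_RP" "$DEV_PATH" | grep ' uvopt$' | cut -d' ' -f2,3,4)
      printf '\n'
      if [ -n "$UNPROT_CREDS" ] ; then
        FOUND=1
        # … unchanged: credential listing …
      fi
    done
    unset PIN
    # … unchanged: "No unprotected credentials" report …
  else
    # … unchanged: SSH-only explanation, STUB_HASH …
    ASSERT_EXIT_CODE=0
    printf '%s\nssh:\n' "$STUB_HASH" | ${FIDO_TOOLS_PREFIX}fido2-assert -G -r -t up=false "$DEV_PATH" > /dev/null 2>&1 || ASSERT_EXIT_CODE=$?
    # … unchanged: result report …
  fi
```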
@@ -1,44 +0,0 @@ -#!/bin/bash -e -# Copyright (c) 2019 Yubico AB. All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - -if [[ "$#" -ne 2 ]]; then - echo usage: $0 version directory 1>&2 - exit 1 -fi - -V=$1 -D=$2 - -FIDO_PATH=$(realpath ${D}/lib/libfido2.${V}.dylib) -CBOR_PATH=$(otool -L "${FIDO_PATH}" | grep cbor | awk '{ print $1 }') -CRYPTO_PATH=$(otool -L "${FIDO_PATH}" | grep crypto | awk '{ print $1 }') - -cp -p "${CBOR_PATH}" "${CRYPTO_PATH}" "${D}/lib" -chmod 755 "${D}/lib/"*dylib -rm "${D}/lib/pkgconfig/libfido2.pc" -rmdir "${D}/lib/pkgconfig" - -CBOR_NAME=$(echo "${CBOR_PATH}" | grep -o 'libcbor.*dylib') -CRYPTO_NAME=$(echo "${CRYPTO_PATH}" | grep -o 'libcrypto.*dylib') -FIDO_NAME="libfido2.${V}.dylib" - -install_name_tool -id "@loader_path/${CBOR_NAME}" "${D}/lib/${CBOR_NAME}" -install_name_tool -id "@loader_path/${CRYPTO_NAME}" "${D}/lib/${CRYPTO_NAME}" -install_name_tool -id "@loader_path/libfido2.${V}.dylib" "${FIDO_PATH}" - -install_name_tool -change "${CBOR_PATH}" "@loader_path/${CBOR_NAME}" \ - "${FIDO_PATH}" -install_name_tool -change "${CRYPTO_PATH}" "@loader_path/${CRYPTO_NAME}" \ - "${FIDO_PATH}" - -for f in $(find "${D}/bin" -type f); do - FIDO_PATH=$(otool -L "${f}" | grep libfido2 | awk '{ print $1 }') - install_name_tool -change "${CBOR_PATH}" \ - "@executable_path/../lib/${CBOR_NAME}" "${f}" - install_name_tool -change "${CRYPTO_PATH}" \ - "@executable_path/../lib/${CRYPTO_NAME}" "${f}" - install_name_tool -change "${FIDO_PATH}" \ - "@executable_path/../lib/${FIDO_NAME}" "${f}" -done diff --git a/tools/token.c b/tools/token.c index e65f09f..28e4512 100644 --- a/tools/token.c +++ b/tools/token.c 
@@ -111,6 +111,18 @@ print_maxmsgsiz(uint64_t maxmsgsiz) printf("maxmsgsiz: %d\n", (int)maxmsgsiz); } +static void +print_maxcredcntlst(uint64_t maxcredcntlst) +{ + printf("maxcredcntlst: %d\n", (int)maxcredcntlst); +} + +static void +print_maxcredidlen(uint64_t maxcredidlen) +{ + printf("maxcredlen: %d\n", (int)maxcredidlen); +} + static void print_fwversion(uint64_t fwversion) { @@ -202,6 +214,12 @@ token_info(int argc, char **argv, char *path) /* print maximum message size */ print_maxmsgsiz(fido_cbor_info_maxmsgsiz(ci)); + /* print maximum number of credentials allowed in credential lists */ + print_maxcredcntlst(fido_cbor_info_maxcredcntlst(ci)); + + /* print maximum length of a credential ID */ + print_maxcredidlen(fido_cbor_info_maxcredidlen(ci)); + /* print firmware version */ print_fwversion(fido_cbor_info_fwversion(ci)); diff --git a/tools/util.c b/tools/util.c index de70388..7ed59e4 100644 --- a/tools/util.c +++ b/tools/util.c @@ -16,7 +16,9 @@ #include #include +#include #include +#include #include #include #include @@ -78,6 +80,25 @@ open_read(const char *file) return (f); } +int +base10(const char *str) +{ + char *ep; + long long ll; + + ll = strtoll(str, &ep, 10); + if (str == ep || *ep != '\0') + return (-1); + else if (ll == LLONG_MIN && errno == ERANGE) + return (-1); + else if (ll == LLONG_MAX && errno == ERANGE) + return (-1); + else if (ll < 0 || ll > INT_MAX) + return (-1); + + return ((int)ll); +} + void xxd(const void *buf, size_t count) { 
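Review bot: `print_maxcredidlen` prints under the label `maxcredlen:`, which matches neither the function name nor the `fido_cbor_info_maxcredidlen` accessor feeding it, so anyone grepping `fido2-token -I` output for the name they see in the library finds nothing; `printf("maxcredidlen: %d\n", (int)maxcredidlen);` keeps it consistent with the `maxcredcntlst:` line above it. The `(int)` narrowing of a `uint64_t` copies the neighbouring `print_maxmsgsiz`, so it is at least consistent, but with `-Wconversion` now switched on for token.c the cast is what silences the warning rather than a fix — `%" PRIu64 "` (if `<inttypes.h>` is available here) would print the value as the token reported it. token_info, which gains the two calls in the second hunk, continues outside it.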
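Review bot: `base10` inspects `errno` after `strtoll` without setting it to 0 first, which CERT ERR30-C calls out; here the omission is masked because any result equal to `LLONG_MIN`/`LLONG_MAX` is already outside `0..INT_MAX` and rejected by the last branch, so the two ERANGE checks are effectively dead code. Either add `errno = 0;` before the call so they mean something, or drop them and let the range check carry the weight — as written they look like protection they do not provide. Also note `strtoll` skips leading whitespace and accepts a sign, so `-c ' 2'` and `-c +2` are accepted; fine for this use, but the function is exported via extern.h, so a one-line header comment stating the contract (`/* Parse a base-10 integer in 0..INT_MAX; returns -1 on any other input. Leading blanks and a '+' sign are tolerated by strtoll. */`) would help.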
@@ -362,3 +383,50 @@ print_cred(FILE *out_f, int type, const fido_cred_t *cred) free(id); } + +int +cose_type(const char *str, int *type) +{ + if (strcmp(str, "es256") == 0) + *type = COSE_ES256; + else if (strcmp(str, "rs256") == 0) + *type = COSE_RS256; + else if (strcmp(str, "eddsa") == 0) + *type = COSE_EDDSA; + else { + *type = 0; + return (-1); + } + + return (0); +} + +const char * +cose_string(int type) +{ + switch (type) { + case COSE_EDDSA: + return ("eddsa"); + case COSE_ES256: + return ("es256"); + case COSE_RS256: + return ("rs256"); + default: + return ("unknown"); + } +} + +const char * +prot_string(int prot) +{ + switch (prot) { + case FIDO_CRED_PROT_UV_OPTIONAL: + return ("uvopt"); + case FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID: + return ("uvopt+id"); + case FIDO_CRED_PROT_UV_REQUIRED: + return ("uvreq"); + default: + return ("unknown"); + } +} -- cgit v1.2.3
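Review bot: `cose_type` overwrites `*type` with 0 before returning -1 on an unknown name; the three callers in this commit `errx` immediately so nothing observes it, but an out-parameter clobbered on failure is a trap for the next caller who wants to keep a default and only fall back on error. Leaving `*type` untouched on the failure path is the more usual contract, and a short header would pin it: `/* Map a COSE algorithm name (es256, rs256, eddsa) to its COSE_* constant. Returns 0 on success, -1 on an unknown name. */`; `cose_string`/`prot_string` could carry one line each saying the returned strings are static and the "unknown" fallback is deliberate for tokens that report algorithms or policies this build does not know.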