/libfido2/src/nfc_linux.c
1
/*
2
 * Copyright (c) 2020 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 */
6
7
#include <sys/types.h>
8
#include <sys/uio.h>
9
#include <sys/socket.h>
10
11
#include <linux/nfc.h>
12
13
#include <errno.h>
14
#include <libudev.h>
15
#include <signal.h>
16
#include <unistd.h>
17
18
#include "fido.h"
19
#include "fido/param.h"
20
#include "netlink.h"
21
#include "iso7816.h"
22
23
1.00k
/* Largest payload nfc_do_tx() places in one chained short APDU. */
#define TX_CHUNK_SIZE   240

/* Application identifier sent in the SELECT built for CTAP_CMD_INIT. */
static const uint8_t aid[] = {
	0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01
};

/*
 * Version strings rx_init() accepts in the SELECT response. They are byte
 * arrays without a terminating NUL; always compare with sizeof().
 */
static const uint8_t v_u2f[] = { 'U', '2', 'F', '_', 'V', '2' };
static const uint8_t v_fido[] = { 'F', 'I', 'D', 'O', '_', '2', '_', '0' };
28
29
/* Per-handle state returned by fido_nfc_open(). */
struct nfc_linux {
	int             fd;       /* AF_NFC socket; -1 while no socket is open */
	uint32_t        dev;      /* NFC device index passed to nfc_new() */
	uint32_t        target;   /* filled in by fido_nl_get_nfc_target() */
	sigset_t        sigmask;  /* copy of the mask given to fido_nfc_set_sigmask() */
	const sigset_t *sigmaskp; /* NULL until a mask is set, then &sigmask */
	struct fido_nl *nl;       /* netlink handle from fido_nl_new() */
};
37
38
/*
 * Transmit one short-form APDU: the four header bytes from h (class byte
 * OR'ed with cla_flags), Lc = payload_len, the payload, and one trailing
 * zero byte. When bit 0x10 of cla_flags is set, a two-byte status word is
 * read back and must equal SW_NO_ERROR.
 *
 * Returns 0 on success, -1 on failure. The local copy of the APDU is wiped
 * on every path.
 */
static int
tx_short_apdu(fido_dev_t *d, const iso7816_header_t *h, const uint8_t *payload,
    uint8_t payload_len, uint8_t cla_flags)
{
	/* 5 header bytes + at most UINT8_MAX payload bytes + 1 trailing byte */
	uint8_t frame[5 + UINT8_MAX + 1];
	uint8_t status[2];
	const size_t frame_len = (size_t)(5 + payload_len + 1);
	const int want_status = (cla_flags & 0x10) != 0;
	int rc = -1;

	memset(&frame, 0, sizeof(frame));
	frame[0] = h->cla | cla_flags;
	frame[1] = h->ins;
	frame[2] = h->p1;
	frame[3] = h->p2;
	frame[4] = payload_len;
	/* payload_len is a uint8_t, so the copy cannot run past frame[] */
	memcpy(&frame[5], payload, payload_len);

	if (d->io.write(d->io_handle, frame, frame_len) < 0) {
		fido_log_debug("%s: write", __func__);
		goto out;
	}

	if (want_status) {
		/*
		 * NOTE(review): the timeout argument here is -1 rather than a
		 * caller-supplied deadline; confirm how the io.read callback
		 * treats -1 (fido_nfc_read() forwards it to
		 * fido_hid_unix_wait()).
		 */
		if (d->io.read(d->io_handle, status, sizeof(status), -1) != 2) {
			fido_log_debug("%s: read", __func__);
			goto out;
		}
		if ((status[0] << 8 | status[1]) != SW_NO_ERROR) {
			fido_log_debug("%s: unexpected sw", __func__);
			goto out;
		}
	}

	rc = 0;
out:
	explicit_bzero(frame, sizeof(frame));

	return (rc);
}
78
79
/*
 * Send an APDU as a sequence of short APDUs. The header is read off the
 * front of the buffer, the last two bytes (le1 le2) are dropped, and the
 * remaining payload is sent in TX_CHUNK_SIZE pieces with cla flag 0x10,
 * followed by a final piece with no flag.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
nfc_do_tx(fido_dev_t *d, const uint8_t *apdu_ptr, size_t apdu_len)
{
	iso7816_header_t hdr;

	if (fido_buf_read(&apdu_ptr, &apdu_len, &hdr, sizeof(hdr)) < 0) {
		fido_log_debug("%s: header", __func__);
		return (-1);
	}
	/* reject inputs too short to carry le1 le2, so the subtraction below cannot wrap */
	if (apdu_len < 2) {
		fido_log_debug("%s: apdu_len %zu", __func__, apdu_len);
		return (-1);
	}

	apdu_len -= 2; /* trim le1 le2 */

	for (; apdu_len > TX_CHUNK_SIZE;
	    apdu_ptr += TX_CHUNK_SIZE, apdu_len -= TX_CHUNK_SIZE) {
		if (tx_short_apdu(d, &hdr, apdu_ptr, TX_CHUNK_SIZE, 0x10) < 0) {
			fido_log_debug("%s: chain", __func__);
			return (-1);
		}
	}

	/* apdu_len <= TX_CHUNK_SIZE here, so the narrowing cast is lossless */
	if (tx_short_apdu(d, &hdr, apdu_ptr, (uint8_t)apdu_len, 0) < 0) {
		fido_log_debug("%s: tx_short_apdu", __func__);
		return (-1);
	}

	return (0);
}
111
112
/*
 * Transmit a CTAP command over NFC.
 *
 *  CTAP_CMD_INIT  builds a SELECT (ins 0xa4, p1 0x04) carrying aid[];
 *  CTAP_CMD_CBOR  wraps buf in an APDU (cla 0x80, ins 0x10, p1 0x80);
 *                 count must not exceed UINT16_MAX;
 *  CTAP_CMD_MSG   sends buf as is, since it already is an APDU.
 *
 * Any other cmd is rejected. Returns 0 on success, -1 on failure.
 */
int
fido_nfc_tx(fido_dev_t *d, uint8_t cmd, const unsigned char *buf, size_t count)
{
	iso7816_apdu_t *apdu = NULL;
	const uint8_t *ptr;
	size_t len;
	int ok = -1;

	switch (cmd) {
	case CTAP_CMD_INIT: /* select */
		apdu = iso7816_new(0, 0xa4, 0x04, sizeof(aid));
		if (apdu == NULL || iso7816_add(apdu, aid, sizeof(aid)) < 0) {
			fido_log_debug("%s: iso7816", __func__);
			goto out;
		}
		break;
	case CTAP_CMD_CBOR: /* wrap cbor */
		/* the length is narrowed to 16 bits below; check it first */
		if (count <= UINT16_MAX)
			apdu = iso7816_new(0x80, 0x10, 0x80, (uint16_t)count);
		if (apdu == NULL || iso7816_add(apdu, buf, count) < 0) {
			fido_log_debug("%s: iso7816", __func__);
			goto out;
		}
		break;
	case CTAP_CMD_MSG: /* already an apdu */
		break;
	default:
		fido_log_debug("%s: cmd=%02x", __func__, cmd);
		goto out;
	}

	/* send the APDU built above, or the caller's buffer for CTAP_CMD_MSG */
	ptr = (apdu != NULL) ? iso7816_ptr(apdu) : buf;
	len = (apdu != NULL) ? iso7816_len(apdu) : count;

	if (nfc_do_tx(d, ptr, len) < 0) {
		fido_log_debug("%s: nfc_do_tx", __func__);
		goto out;
	}

	ok = 0;
out:
	iso7816_free(&apdu);

	return (ok);
}
162
163
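/*
 * Read the response to the SELECT sent for CTAP_CMD_INIT and fill in the
 * fido_ctap_info_t at buf.
 *
 * count must equal sizeof(fido_ctap_info_t). The response must end in
 * SW_NO_ERROR and, outside FIDO_FUZZ builds, its body must be one of the
 * two known version strings:
 *   v_u2f  -> FIDO_CAP_CBOR
 *   v_fido -> FIDO_CAP_CBOR | FIDO_CAP_NMSG
 *
 * Returns (int)count on success, -1 on failure.
 */
static int
rx_init(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
{
	fido_ctap_info_t *attr = (fido_ctap_info_t *)buf;
	uint8_t f[64];
	int n;

	if (count != sizeof(*attr)) {
		fido_log_debug("%s: count=%zu", __func__, count);
		return (-1);
	}

	memset(attr, 0, sizeof(*attr));

	/*
	 * n indexes f[] below. d->io.read is a function pointer, so do not
	 * rely on it honouring the length it was given: a return value
	 * larger than sizeof(f) is treated as a read failure rather than
	 * used as an index.
	 */
	n = d->io.read(d->io_handle, f, sizeof(f), ms);
	if (n < 2 || (size_t)n > sizeof(f) ||
	    (f[n - 2] << 8 | f[n - 1]) != SW_NO_ERROR) {
		fido_log_debug("%s: read", __func__);
		return (-1);
	}

	n -= 2; /* strip the status word; n is now the version string length */

	if (n == sizeof(v_u2f) && memcmp(f, v_u2f, sizeof(v_u2f)) == 0)
		attr->flags = FIDO_CAP_CBOR;
	else if (n == sizeof(v_fido) && memcmp(f, v_fido, sizeof(v_fido)) == 0)
		attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
	else {
		fido_log_debug("%s: unknown version string", __func__);
#ifdef FIDO_FUZZ
		/* fuzzing builds only: accept any version string */
		attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
#else
		return (-1);
#endif
	}

	/* the nonce is copied from the device handle, not taken from the token */
	memcpy(&attr->nonce, &d->nonce, sizeof(attr->nonce)); /* XXX */

	return ((int)count);
}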
202
203
/*
 * Send a five-byte GET RESPONSE APDU (ins 0xc0) asking for count bytes.
 * All other header bytes are zero. Returns 0 on success, -1 if the write
 * fails.
 */
static int
tx_get_response(fido_dev_t *d, uint8_t count)
{
	uint8_t req[5] = {
		[1] = 0xc0, /* GET_RESPONSE */
		[4] = count,
	};

	if (d->io.write(d->io_handle, req, sizeof(req)) >= 0)
		return (0);

	fido_log_debug("%s: write", __func__);

	return (-1);
}
219
220
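/*
 * Read one response APDU. The body (everything but the last two bytes) is
 * appended to *buf via fido_buf_write(), which is also handed *count; the
 * trailing status word is stored in sw.
 *
 * Returns 0 on success, -1 on failure. The receive buffer is wiped on
 * every path.
 */
static int
rx_apdu(fido_dev_t *d, uint8_t sw[2], unsigned char **buf, size_t *count, int ms)
{
	uint8_t f[256 + 2];
	int n, ok = -1;

	/*
	 * n is used below both as a copy length and as an offset into f[].
	 * d->io.read is a function pointer, so a return value larger than
	 * the buffer it was given is rejected here instead of being trusted.
	 */
	n = d->io.read(d->io_handle, f, sizeof(f), ms);
	if (n < 2 || (size_t)n > sizeof(f)) {
		fido_log_debug("%s: read", __func__);
		goto fail;
	}

	if (fido_buf_write(buf, count, f, (size_t)(n - 2)) < 0) {
		fido_log_debug("%s: fido_buf_write", __func__);
		goto fail;
	}

	memcpy(sw, f + n - 2, 2);

	ok = 0;
fail:
	explicit_bzero(f, sizeof(f));

	return (ok);
}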
244
245
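/*
 * Receive a complete response into buf, following SW1_MORE_DATA chaining:
 * while the status word's first byte is SW1_MORE_DATA, a GET RESPONSE for
 * sw[1] bytes is sent and the next APDU is appended. The final status word
 * is appended after the data.
 *
 * Returns the number of bytes placed in buf (data plus the two status
 * bytes), or -1 on failure.
 */
static int
rx_msg(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
{
	uint8_t sw[2];
	const size_t bufsiz = count;
	size_t before;

	if (rx_apdu(d, sw, &buf, &count, ms) < 0) {
		fido_log_debug("%s: preamble", __func__);
		return (-1);
	}

	while (sw[0] == SW1_MORE_DATA) {
		before = count;
		if (tx_get_response(d, sw[1]) < 0 ||
		    rx_apdu(d, sw, &buf, &count, ms) < 0) {
			fido_log_debug("%s: chain", __func__);
			return (-1);
		}
		/*
		 * The loop is driven entirely by what the token answers. A
		 * GET RESPONSE that delivered no data yet asks for another
		 * round makes no progress, so fail instead of continuing.
		 * This presumes fido_buf_write() accepts a zero-length write
		 * and that count shrinks by the bytes written (bufsiz - count
		 * is what is returned below) -- confirm against
		 * fido_buf_write().
		 */
		if (count == before && sw[0] == SW1_MORE_DATA) {
			fido_log_debug("%s: chain", __func__);
			return (-1);
		}
	}

	if (fido_buf_write(&buf, &count, sw, sizeof(sw)) < 0) {
		fido_log_debug("%s: sw", __func__);
		return (-1);
	}

	/* the byte count is returned as an int; refuse anything that will not fit */
	if (bufsiz - count > INT_MAX) {
		fido_log_debug("%s: bufsiz", __func__);
		return (-1);
	}

	return ((int)(bufsiz - count));
}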
275
276
/*
 * Receive a CBOR response: same as rx_msg(), minus the two trailing status
 * bytes in the returned length. Returns -1 if rx_msg() fails or yields
 * fewer than two bytes.
 */
static int
rx_cbor(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
{
	const int total = rx_msg(d, buf, count, ms);

	return (total < 2 ? -1 : total - 2);
}
286
287
/*
 * Receive the response to a CTAP command over NFC by dispatching on cmd to
 * rx_init(), rx_cbor() or rx_msg(). Any other cmd is logged and rejected
 * with -1.
 */
int
fido_nfc_rx(fido_dev_t *d, uint8_t cmd, unsigned char *buf, size_t count, int ms)
{
	if (cmd == CTAP_CMD_INIT)
		return (rx_init(d, buf, count, ms));
	if (cmd == CTAP_CMD_CBOR)
		return (rx_cbor(d, buf, count, ms));
	if (cmd == CTAP_CMD_MSG)
		return (rx_msg(d, buf, count, ms));

	fido_log_debug("%s: cmd=%02x", __func__, cmd);

	return (-1);
}
302
303
/*
 * Look up the parent of dev matching subsystem/devtype and return a
 * strdup()'d copy of its sysfs attribute attr. Returns NULL if there is no
 * such parent, no such attribute, or the copy fails. The caller frees the
 * result.
 */
static char *
get_parent_attr(struct udev_device *dev, const char *subsystem,
    const char *devtype, const char *attr)
{
	struct udev_device *parent;
	const char *value;

	parent = udev_device_get_parent_with_subsystem_devtype(dev, subsystem,
	    devtype);
	if (parent == NULL)
		return (NULL);

	value = udev_device_get_sysattr_value(parent, attr);
	if (value == NULL)
		return (NULL);

	return (strdup(value));
}
317
318
/*
 * Return a heap copy of attribute attr from dev's "usb"/"usb_device"
 * parent, or NULL. The caller frees the result.
 */
static char *
get_usb_attr(struct udev_device *dev, const char *attr)
{
	char *copy;

	copy = get_parent_attr(dev, "usb", "usb_device", attr);

	return (copy);
}
323
324
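/*
 * Parse str as a non-negative integer in the given base.
 *
 * The whole string must be consumed. Returns the value on success, or -1 if
 * str is empty, has trailing characters, is negative, or does not fit in an
 * int. Note that -1 is therefore never a valid result.
 */
static int
to_int(const char *str, int base)
{
	char *ep;
	long long ll;

	/*
	 * strtoll() only sets errno on failure, so clear it first; otherwise
	 * the ERANGE test below could be looking at a value left behind by
	 * an earlier call.
	 */
	errno = 0;
	ll = strtoll(str, &ep, base);
	if (str == ep || *ep != '\0')
		return (-1);
	if (errno == ERANGE && (ll == LLONG_MIN || ll == LLONG_MAX))
		return (-1);
	if (ll < 0 || ll > INT_MAX)
		return (-1);

	return ((int)ll);
}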
342
343
/*
 * Fill di from the udev entry udev_entry.
 *
 * path, manufacturer and product are heap copies and are mandatory; vendor
 * and product ids are optional and are only set when the sysfs value parses
 * as hex in the range 1..UINT16_MAX.
 *
 * Returns 0 on success. On failure returns -1 with every string freed and
 * *di zeroed.
 */
static int
copy_info(fido_dev_info_t *di, struct udev *udev,
    struct udev_list_entry *udev_entry)
{
	const char *syspath;
	char *hex;
	struct udev_device *dev = NULL;
	int id, ok = -1;

	memset(di, 0, sizeof(*di));

	syspath = udev_list_entry_get_name(udev_entry);
	if (syspath == NULL)
		goto out;
	dev = udev_device_new_from_syspath(udev, syspath);
	if (dev == NULL)
		goto out;

	if ((di->path = strdup(syspath)) == NULL)
		goto out;
	if ((di->manufacturer = get_usb_attr(dev, "manufacturer")) == NULL)
		goto out;
	if ((di->product = get_usb_attr(dev, "product")) == NULL)
		goto out;

	/* XXX assumes USB for vendor/product info */
	hex = get_usb_attr(dev, "idVendor");
	if (hex != NULL) {
		id = to_int(hex, 16);
		/* values above INT16_MAX are narrowed by the cast */
		if (id > 0 && id <= UINT16_MAX)
			di->vendor_id = (int16_t)id;
	}
	free(hex);

	hex = get_usb_attr(dev, "idProduct");
	if (hex != NULL) {
		id = to_int(hex, 16);
		if (id > 0 && id <= UINT16_MAX)
			di->product_id = (int16_t)id;
	}
	free(hex);

	ok = 0;
out:
	if (dev != NULL)
		udev_device_unref(dev);

	if (ok < 0) {
		/* di was zeroed on entry, so unset members are NULL here */
		free(di->path);
		free(di->manufacturer);
		free(di->product);
		explicit_bzero(di, sizeof(*di));
	}

	return (ok);
}
388
389
/*
 * Return the udev sysnum of the device at syspath path, parsed as a decimal
 * integer, or -1 if the device cannot be opened, has no sysnum, or the
 * sysnum does not parse.
 */
static int
sysnum_from_syspath(const char *path)
{
	struct udev *udev;
	struct udev_device *dev;
	const char *sysnum;
	int idx = -1;

	if ((udev = udev_new()) == NULL)
		return (idx);

	if ((dev = udev_device_new_from_syspath(udev, path)) != NULL) {
		if ((sysnum = udev_device_get_sysnum(dev)) != NULL)
			idx = to_int(sysnum, 10);
		udev_device_unref(dev);
	}
	udev_unref(udev);

	return (idx);
}
411
412
/*
 * Enumerate devices in the udev "nfc" subsystem into devlist, which has
 * room for ilen entries. *olen receives the number of entries filled in.
 *
 * Entries for which copy_info() fails are skipped. Each filled entry gets
 * the NFC io and transport function tables. The path, manufacturer and
 * product strings in each entry are heap-allocated by copy_info().
 *
 * Returns FIDO_OK (also when ilen is 0 or no NFC device exists),
 * FIDO_ERR_INVALID_ARGUMENT if devlist is NULL, or FIDO_ERR_INTERNAL if
 * udev setup or scanning fails.
 */
int
fido_nfc_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen)
{
	struct udev *udev = NULL;
	struct udev_enumerate *udev_enum = NULL;
	struct udev_list_entry *udev_list;
	struct udev_list_entry *udev_entry;
	fido_dev_info_t *di;
	int r = FIDO_ERR_INTERNAL;

	*olen = 0;

	if (ilen == 0)
		return (FIDO_OK);
	if (devlist == NULL)
		return (FIDO_ERR_INVALID_ARGUMENT);

	if ((udev = udev_new()) == NULL)
		goto out;
	if ((udev_enum = udev_enumerate_new(udev)) == NULL)
		goto out;
	if (udev_enumerate_add_match_subsystem(udev_enum, "nfc") < 0)
		goto out;
	if (udev_enumerate_scan_devices(udev_enum) < 0)
		goto out;

	udev_list = udev_enumerate_get_list_entry(udev_enum);
	if (udev_list == NULL) {
		r = FIDO_OK; /* zero nfc devices */
		goto out;
	}

	udev_list_entry_foreach(udev_entry, udev_list) {
		di = &devlist[*olen];
		if (copy_info(di, udev, udev_entry) != 0)
			continue;
		di->io = (fido_dev_io_t) {
			fido_nfc_open,
			fido_nfc_close,
			fido_nfc_read,
			fido_nfc_write,
		};
		di->transport = (fido_dev_transport_t) {
			fido_nfc_rx,
			fido_nfc_tx,
		};
		/* stop once the caller's array is full */
		*olen += 1;
		if (*olen == ilen)
			break;
	}

	r = FIDO_OK;
out:
	if (udev_enum != NULL)
		udev_enumerate_unref(udev_enum);
	if (udev != NULL)
		udev_unref(udev);

	return (r);
}
468
469
/*
 * Open a raw AF_NFC seqpacket socket (close-on-exec) and connect it to the
 * ISO 14443 target ctx->target on device ctx->dev. The descriptor is stored
 * in ctx->fd; if connect() fails the socket is closed and ctx->fd is reset
 * to -1.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
nfc_target_connect(struct nfc_linux *ctx)
{
	struct sockaddr_nfc addr;
	int s;

	memset(&addr, 0, sizeof(addr));
	addr.sa_family = AF_NFC;
	addr.dev_idx = ctx->dev;
	addr.target_idx = ctx->target;
	addr.nfc_protocol = NFC_PROTO_ISO14443;

	s = socket(AF_NFC, SOCK_SEQPACKET | SOCK_CLOEXEC, NFC_SOCKPROTO_RAW);
	ctx->fd = s;
	if (s == -1) {
		fido_log_error(errno, "%s: socket", __func__);
		return (-1);
	}

	if (connect(ctx->fd, (struct sockaddr *)&addr, sizeof(addr)) != -1)
		return (0);

	fido_log_error(errno, "%s: connect", __func__);
	if (close(ctx->fd) == -1)
		fido_log_error(errno, "%s: close", __func__);
	/* never leave a closed descriptor number behind in the context */
	ctx->fd = -1;

	return (-1);
}
495
496
/*
 * Release *ctx_p: close the socket if fd is not -1, free the netlink
 * handle if present, free the context and set *ctx_p to NULL. A NULL ctx_p
 * or NULL *ctx_p is a no-op.
 */
static void
nfc_free(struct nfc_linux **ctx_p)
{
	struct nfc_linux *c;

	if (ctx_p == NULL)
		return;
	if ((c = *ctx_p) == NULL)
		return;

	/* fd == -1 is the "no socket" marker; any other value gets closed */
	if (c->fd != -1) {
		if (close(c->fd) == -1)
			fido_log_error(errno, "%s: close", __func__);
	}
	if (c->nl != NULL)
		fido_nl_free(&c->nl);

	free(c);
	*ctx_p = NULL;
}
511
512
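/*
 * Allocate a context for NFC device index dev, with a fresh netlink handle
 * and no socket (fd == -1). Returns NULL on allocation failure.
 */
static struct nfc_linux *
nfc_new(uint32_t dev)
{
	struct nfc_linux *ctx;

	if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
		return (NULL);

	/*
	 * calloc() leaves fd at 0, and nfc_free() closes any fd other than
	 * -1. Mark the context as having no socket before anything can fail,
	 * so the error path below does not close descriptor 0.
	 */
	ctx->fd = -1;
	ctx->dev = dev;

	if ((ctx->nl = fido_nl_new()) == NULL) {
		nfc_free(&ctx);
		return (NULL);
	}

	return (ctx);
}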
528
529
/*
 * Open the NFC device at udev syspath path: derive the device index from
 * its sysnum, allocate a context, power the device and look up a target
 * over netlink, then connect a socket to that target.
 *
 * Returns an opaque handle for the other fido_nfc_* calls, or NULL on
 * failure, in which case everything acquired so far is released.
 */
void *
fido_nfc_open(const char *path)
{
	struct nfc_linux *ctx = NULL;
	int idx;

	idx = sysnum_from_syspath(path);
	/* idx is cast to unsigned below; negative means lookup failure */
	if (idx < 0 || (ctx = nfc_new((uint32_t)idx)) == NULL) {
		fido_log_debug("%s: nfc_new", __func__);
		nfc_free(&ctx);
		return (NULL);
	}

	if (fido_nl_power_nfc(ctx->nl, ctx->dev) >= 0 &&
	    fido_nl_get_nfc_target(ctx->nl, ctx->dev, &ctx->target) >= 0 &&
	    nfc_target_connect(ctx) >= 0)
		return (ctx);

	fido_log_debug("%s: netlink", __func__);
	nfc_free(&ctx);

	return (NULL);
}
552
553
/*
 * Release a handle returned by fido_nfc_open(). Only the local copy of the
 * pointer is cleared by nfc_free(); the caller's handle is dangling
 * afterwards and must not be used again.
 */
void
fido_nfc_close(void *handle)
{
	struct nfc_linux *ctx;

	ctx = handle;
	nfc_free(&ctx);
}
560
561
/*
 * Store a copy of *sigmask in the handle and point sigmaskp at that copy,
 * so fido_nfc_read() passes it to fido_hid_unix_wait(). Neither handle nor
 * sigmask is checked for NULL. Always returns FIDO_OK.
 */
int
fido_nfc_set_sigmask(void *handle, const fido_sigset_t *sigmask)
{
	struct nfc_linux *nfc = handle;

	/* keep a private copy; the caller's set need not outlive this call */
	nfc->sigmask = *sigmask;
	nfc->sigmaskp = &nfc->sigmask;

	return (FIDO_OK);
}
571
572
/*
 * Read one packet from the NFC socket. The first byte is a preamble that
 * must be 0x00; the rest is stored in buf (at most len bytes).
 *
 * Waits up to ms via fido_hid_unix_wait(), using the signal mask set with
 * fido_nfc_set_sigmask() if any. Returns the number of bytes stored in buf
 * (preamble excluded), or -1 on failure.
 */
int
fido_nfc_read(void *handle, unsigned char *buf, size_t len, int ms)
{
	struct nfc_linux *ctx = handle;
	uint8_t preamble;
	/* scatter the packet: one preamble byte, then the caller's buffer */
	struct iovec iov[2] = {
		{ .iov_base = &preamble, .iov_len = sizeof(preamble) },
		{ .iov_base = buf, .iov_len = len },
	};
	ssize_t nread;

	if (fido_hid_unix_wait(ctx->fd, ms, ctx->sigmaskp) < 0) {
		fido_log_debug("%s: fido_hid_unix_wait", __func__);
		return (-1);
	}

	nread = readv(ctx->fd, iov, nitems(iov));
	if (nread == -1) {
		fido_log_error(errno, "%s: read", __func__);
		return (-1);
	}
	/* preamble is only initialised once at least one byte was read */
	if (nread < 1) {
		fido_log_debug("%s: %zd < 1", __func__, nread);
		return (-1);
	}
	if (preamble != 0x00) {
		fido_log_debug("%s: preamble", __func__);
		return (-1);
	}

	nread--;
	/*
	 * NOTE(review): the received bytes are handed to fido_log_xxd();
	 * presumably this dumps them when debug logging is on, so such logs
	 * hold raw authenticator traffic -- confirm and handle accordingly.
	 */
	fido_log_xxd(buf, (size_t)nread, "%s", __func__);

	return ((int)nread);
}
608
609
/*
 * Write len bytes from buf to the NFC socket in a single write(). A short
 * write is treated as failure. len must not exceed INT_MAX because the
 * count is returned as an int.
 *
 * Returns len on success, -1 on failure.
 */
int
fido_nfc_write(void *handle, const unsigned char *buf, size_t len)
{
	struct nfc_linux *ctx = handle;
	ssize_t nwritten;

	/*
	 * NOTE(review): the outgoing bytes are handed to fido_log_xxd() before
	 * the length check; presumably a debug-only hex dump -- confirm.
	 */
	fido_log_xxd(buf, len, "%s", __func__);

	if (len > INT_MAX) {
		fido_log_debug("%s: len", __func__);
		return (-1);
	}

	nwritten = write(ctx->fd, buf, len);
	if (nwritten == -1) {
		fido_log_error(errno, "%s: write", __func__);
		return (-1);
	}
	if (nwritten < 0 || (size_t)nwritten != len) {
		fido_log_debug("%s: %zd != %zu", __func__, nwritten, len);
		return (-1);
	}

	return ((int)nwritten);
}