Coverage Report

Created: 2023-09-23 17:42

/libfido2/src/nfc.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2020-2022 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 * SPDX-License-Identifier: BSD-2-Clause
6
 */
7
8
#include <stdio.h>
9
#include <string.h>
10
11
#include "fido.h"
12
#include "fido/param.h"
13
#include "iso7816.h"
14
15
4.28k
#define TX_CHUNK_SIZE   240
16
17
static const uint8_t aid[] = { 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01 };
18
static const uint8_t v_u2f[] = { 'U', '2', 'F', '_', 'V', '2' };
19
static const uint8_t v_fido[] = { 'F', 'I', 'D', 'O', '_', '2', '_', '0' };
20
21
static int
22
tx_short_apdu(fido_dev_t *d, const iso7816_header_t *h, const uint8_t *payload,
23
    uint8_t payload_len, uint8_t cla_flags)
24
4.11k
{
25
4.11k
        uint8_t apdu[5 + UINT8_MAX + 1];
26
4.11k
        uint8_t sw[2];
27
4.11k
        size_t apdu_len;
28
4.11k
        int ok = -1;
29
30
4.11k
        memset(&apdu, 0, sizeof(apdu));
31
4.11k
        apdu[0] = h->cla | cla_flags;
32
4.11k
        apdu[1] = h->ins;
33
4.11k
        apdu[2] = h->p1;
34
4.11k
        apdu[3] = h->p2;
35
4.11k
        apdu[4] = payload_len;
36
4.11k
        memcpy(&apdu[5], payload, payload_len);
37
4.11k
        apdu_len = (size_t)(5 + payload_len + 1);
38
39
4.11k
        if (d->io.write(d->io_handle, apdu, apdu_len) < 0) {
40
60
                fido_log_debug("%s: write", __func__);
41
60
                goto fail;
42
60
        }
43
44
4.05k
        if (cla_flags & 0x10) {
45
156
                if (d->io.read(d->io_handle, sw, sizeof(sw), -1) != 2) {
46
72
                        fido_log_debug("%s: read", __func__);
47
72
                        goto fail;
48
72
                }
49
84
                if ((sw[0] << 8 | sw[1]) != SW_NO_ERROR) {
50
76
                        fido_log_debug("%s: unexpected sw", __func__);
51
76
                        goto fail;
52
76
                }
53
84
        }
54
55
3.90k
        ok = 0;
56
4.11k
fail:
57
4.11k
        explicit_bzero(apdu, sizeof(apdu));
58
59
4.11k
        return ok;
60
3.90k
}
61
62
static int
63
nfc_do_tx(fido_dev_t *d, const uint8_t *apdu_ptr, size_t apdu_len)
64
4.18k
{
65
4.18k
        iso7816_header_t h;
66
67
4.18k
        if (fido_buf_read(&apdu_ptr, &apdu_len, &h, sizeof(h)) < 0) {
68
79
                fido_log_debug("%s: header", __func__);
69
79
                return -1;
70
79
        }
71
4.10k
        if (apdu_len < 2) {
72
2
                fido_log_debug("%s: apdu_len %zu", __func__, apdu_len);
73
2
                return -1;
74
2
        }
75
76
4.10k
        apdu_len -= 2; /* trim le1 le2 */
77
78
4.11k
        while (apdu_len > TX_CHUNK_SIZE) {
79
156
                if (tx_short_apdu(d, &h, apdu_ptr, TX_CHUNK_SIZE, 0x10) < 0) {
80
148
                        fido_log_debug("%s: chain", __func__);
81
148
                        return -1;
82
148
                }
83
8
                apdu_ptr += TX_CHUNK_SIZE;
84
8
                apdu_len -= TX_CHUNK_SIZE;
85
8
        }
86
87
3.95k
        if (tx_short_apdu(d, &h, apdu_ptr, (uint8_t)apdu_len, 0) < 0) {
88
60
                fido_log_debug("%s: tx_short_apdu", __func__);
89
60
                return -1;
90
60
        }
91
92
3.89k
        return 0;
93
3.95k
}
94
95
int
96
fido_nfc_tx(fido_dev_t *d, uint8_t cmd, const unsigned char *buf, size_t count)
97
4.58k
{
98
4.58k
        iso7816_apdu_t *apdu = NULL;
99
4.58k
        const uint8_t *ptr;
100
4.58k
        size_t len;
101
4.58k
        int ok = -1;
102
103
4.58k
        switch (cmd) {
104
2.40k
        case CTAP_CMD_INIT: /* select */
105
2.40k
                if ((apdu = iso7816_new(0, 0xa4, 0x04, sizeof(aid))) == NULL ||
106
2.40k
                    iso7816_add(apdu, aid, sizeof(aid)) < 0) {
107
19
                        fido_log_debug("%s: iso7816", __func__);
108
19
                        goto fail;
109
19
                }
110
2.38k
                break;
111
2.38k
        case CTAP_CMD_CBOR: /* wrap cbor */
112
1.21k
                if (count > UINT16_MAX || (apdu = iso7816_new(0x80, 0x10, 0x00,
113
1.20k
                    (uint16_t)count)) == NULL ||
114
1.21k
                    iso7816_add(apdu, buf, count) < 0) {
115
19
                        fido_log_debug("%s: iso7816", __func__);
116
19
                        goto fail;
117
19
                }
118
1.19k
                break;
119
1.19k
        case CTAP_CMD_MSG: /* already an apdu */
120
609
                break;
121
364
        default:
122
364
                fido_log_debug("%s: cmd=%02x", __func__, cmd);
123
364
                goto fail;
124
4.58k
        }
125
126
4.18k
        if (apdu != NULL) {
127
3.57k
                ptr = iso7816_ptr(apdu);
128
3.57k
                len = iso7816_len(apdu);
129
3.57k
        } else {
130
609
                ptr = buf;
131
609
                len = count;
132
609
        }
133
134
4.18k
        if (nfc_do_tx(d, ptr, len) < 0) {
135
289
                fido_log_debug("%s: nfc_do_tx", __func__);
136
289
                goto fail;
137
289
        }
138
139
3.89k
        ok = 0;
140
4.58k
fail:
141
4.58k
        iso7816_free(&apdu);
142
143
4.58k
        return ok;
144
3.89k
}
145
146
static int
147
rx_init(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
148
2.29k
{
149
2.29k
        fido_ctap_info_t *attr = (fido_ctap_info_t *)buf;
150
2.29k
        uint8_t f[64];
151
2.29k
        int n;
152
153
2.29k
        if (count != sizeof(*attr)) {
154
157
                fido_log_debug("%s: count=%zu", __func__, count);
155
157
                return -1;
156
157
        }
157
158
2.14k
        memset(attr, 0, sizeof(*attr));
159
160
2.14k
        if ((n = d->io.read(d->io_handle, f, sizeof(f), ms)) < 2 ||
161
2.14k
            (f[n - 2] << 8 | f[n - 1]) != SW_NO_ERROR) {
162
1.19k
                fido_log_debug("%s: read", __func__);
163
1.19k
                return -1;
164
1.19k
        }
165
166
943
        n -= 2;
167
168
943
        if (n == sizeof(v_u2f) && memcmp(f, v_u2f, sizeof(v_u2f)) == 0)
169
7
                attr->flags = FIDO_CAP_CBOR;
170
936
        else if (n == sizeof(v_fido) && memcmp(f, v_fido, sizeof(v_fido)) == 0)
171
7
                attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
172
929
        else {
173
929
                fido_log_debug("%s: unknown version string", __func__);
174
929
#ifdef FIDO_FUZZ
175
929
                attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
176
#else
177
                return -1;
178
#endif
179
929
        }
180
181
943
        memcpy(&attr->nonce, &d->nonce, sizeof(attr->nonce)); /* XXX */
182
183
943
        return (int)count;
184
2.14k
}
185
186
static int
187
tx_get_response(fido_dev_t *d, uint8_t count)
188
154
{
189
154
        uint8_t apdu[5];
190
191
154
        memset(apdu, 0, sizeof(apdu));
192
154
        apdu[1] = 0xc0; /* GET_RESPONSE */
193
154
        apdu[4] = count;
194
195
154
        if (d->io.write(d->io_handle, apdu, sizeof(apdu)) < 0) {
196
9
                fido_log_debug("%s: write", __func__);
197
9
                return -1;
198
9
        }
199
200
145
        return 0;
201
154
}
202
203
static int
204
rx_apdu(fido_dev_t *d, uint8_t sw[2], unsigned char **buf, size_t *count, int *ms)
205
1.84k
{
206
1.84k
        uint8_t f[256 + 2];
207
1.84k
        struct timespec ts;
208
1.84k
        int n, ok = -1;
209
210
1.84k
        if (fido_time_now(&ts) != 0)
211
24
                goto fail;
212
213
1.82k
        if ((n = d->io.read(d->io_handle, f, sizeof(f), *ms)) < 2) {
214
1.15k
                fido_log_debug("%s: read", __func__);
215
1.15k
                goto fail;
216
1.15k
        }
217
218
666
        if (fido_time_delta(&ts, ms) != 0)
219
19
                goto fail;
220
221
647
        if (fido_buf_write(buf, count, f, (size_t)(n - 2)) < 0) {
222
0
                fido_log_debug("%s: fido_buf_write", __func__);
223
0
                goto fail;
224
0
        }
225
226
647
        memcpy(sw, f + n - 2, 2);
227
228
647
        ok = 0;
229
1.84k
fail:
230
1.84k
        explicit_bzero(f, sizeof(f));
231
232
1.84k
        return ok;
233
647
}
234
235
static int
236
rx_msg(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
237
1.70k
{
238
1.70k
        uint8_t sw[2];
239
1.70k
        const size_t bufsiz = count;
240
241
1.70k
        if (rx_apdu(d, sw, &buf, &count, &ms) < 0) {
242
1.11k
                fido_log_debug("%s: preamble", __func__);
243
1.11k
                return -1;
244
1.11k
        }
245
246
647
        while (sw[0] == SW1_MORE_DATA)
247
154
                if (tx_get_response(d, sw[1]) < 0 ||
248
154
                    rx_apdu(d, sw, &buf, &count, &ms) < 0) {
249
89
                        fido_log_debug("%s: chain", __func__);
250
89
                        return -1;
251
89
                }
252
253
493
        if (fido_buf_write(&buf, &count, sw, sizeof(sw)) < 0) {
254
0
                fido_log_debug("%s: sw", __func__);
255
0
                return -1;
256
0
        }
257
258
493
        if (bufsiz - count > INT_MAX) {
259
0
                fido_log_debug("%s: bufsiz", __func__);
260
0
                return -1;
261
0
        }
262
263
493
        return (int)(bufsiz - count);
264
493
}
265
266
static int
267
rx_cbor(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
268
1.12k
{
269
1.12k
        int r;
270
271
1.12k
        if ((r = rx_msg(d, buf, count, ms)) < 2)
272
728
                return -1;
273
274
398
        return r - 2;
275
1.12k
}
276
277
int
278
fido_nfc_rx(fido_dev_t *d, uint8_t cmd, unsigned char *buf, size_t count, int ms)
279
4.18k
{
280
4.18k
        switch (cmd) {
281
2.29k
        case CTAP_CMD_INIT:
282
2.29k
                return rx_init(d, buf, count, ms);
283
1.12k
        case CTAP_CMD_CBOR:
284
1.12k
                return rx_cbor(d, buf, count, ms);
285
575
        case CTAP_CMD_MSG:
286
575
                return rx_msg(d, buf, count, ms);
287
189
        default:
288
189
                fido_log_debug("%s: cmd=%02x", __func__, cmd);
289
189
                return -1;
290
4.18k
        }
291
4.18k
}
292
293
bool
294
nfc_is_fido(const char *path)
295
554k
{
296
554k
        bool fido = false;
297
554k
        fido_dev_t *d;
298
554k
        int r;
299
300
554k
        if ((d = fido_dev_new()) == NULL) {
301
1.33k
                fido_log_debug("%s: fido_dev_new", __func__);
302
1.33k
                goto fail;
303
1.33k
        }
304
        /* fido_dev_open selects the fido applet */
305
552k
        if ((r = fido_dev_open(d, path)) != FIDO_OK) {
306
552k
                fido_log_debug("%s: fido_dev_open: 0x%x", __func__, r);
307
552k
                goto fail;
308
552k
        }
309
94
        if ((r = fido_dev_close(d)) != FIDO_OK) {
310
0
                fido_log_debug("%s: fido_dev_close: 0x%x", __func__, r);
311
0
                goto fail;
312
313
0
        }
314
315
94
        fido = true;
316
554k
fail:
317
554k
        fido_dev_free(&d);
318
319
554k
        return fido;
320
94
}
321
322
#ifdef USE_NFC
323
bool
324
fido_is_nfc(const char *path)
325
619k
{
326
619k
        return strncmp(path, FIDO_NFC_PREFIX, strlen(FIDO_NFC_PREFIX)) == 0;
327
619k
}
328
329
int
330
fido_dev_set_nfc(fido_dev_t *d)
331
551k
{
332
551k
        if (d->io_handle != NULL) {
333
0
                fido_log_debug("%s: device open", __func__);
334
0
                return -1;
335
0
        }
336
551k
        d->io_own = true;
337
551k
        d->io = (fido_dev_io_t) {
338
551k
                fido_nfc_open,
339
551k
                fido_nfc_close,
340
551k
                fido_nfc_read,
341
551k
                fido_nfc_write,
342
551k
        };
343
551k
        d->transport = (fido_dev_transport_t) {
344
551k
                fido_nfc_rx,
345
551k
                fido_nfc_tx,
346
551k
        };
347
348
551k
        return 0;
349
551k
}
350
#endif /* USE_NFC */