On Mon, 10 Aug 2020, Damien Miller wrote: > Hi, > > This syncs libfido2 with the current state of upstream. It includes > a few new APIs that I want to use in OpenSSH to improve FIDO token > support (require-PIN and fixing some corner-case bugs around multiple > inserted tokens). > > ok? > > (major crank for ABI change)
So I pounced on the new API a bit too soon and before it stabilised. There have been a couple more changes upstream that I need. Sorry for the unneccessary churn. ok? -d
Index: README.openbsd
===================================================================
RCS file: /cvs/src/lib/libfido2/README.openbsd,v
retrieving revision 1.3
diff -u -p -r1.3 README.openbsd
--- README.openbsd 11 Aug 2020 08:44:53 -0000 1.3
+++ README.openbsd 17 Aug 2020 06:13:36 -0000
@@ -1,4 +1,4 @@
-This is an import of https://github.com/Yubico/libfido2 2fa20b889 (20200810)
+This is an import of https://github.com/Yubico/libfido2 46710ac06 (20200810)
 
 Local changes:
 
Index: shlib_version
===================================================================
RCS file: /cvs/src/lib/libfido2/shlib_version,v
retrieving revision 1.4
diff -u -p -r1.4 shlib_version
--- shlib_version 11 Aug 2020 08:44:53 -0000 1.4
+++ shlib_version 17 Aug 2020 06:13:36 -0000
@@ -1,2 +1,2 @@
-major=3
+major=4
 minor=0
Index: man/fido_dev_get_touch_begin.3
===================================================================
RCS file: /cvs/src/lib/libfido2/man/fido_dev_get_touch_begin.3,v
retrieving revision 1.1
diff -u -p -r1.1 fido_dev_get_touch_begin.3
--- man/fido_dev_get_touch_begin.3 11 Aug 2020 08:44:53 -0000 1.1
+++ man/fido_dev_get_touch_begin.3 17 Aug 2020 06:13:36 -0000
@@ -14,7 +14,7 @@
 .Ft int
 .Fn fido_dev_get_touch_begin "fido_dev_t *dev"
 .Ft int
-.Fn fido_dev_get_touch_status "fido_dev_t *dev" "int *touched" "int *pin_set" "int ms"
+.Fn fido_dev_get_touch_status "fido_dev_t *dev" "int *touched" "int ms"
 .Sh DESCRIPTION
 The functions described in this page allow an application to asynchronously wait for touch on a FIDO authenticator.
Index: man/fido_dev_open.3
===================================================================
RCS file: /cvs/src/lib/libfido2/man/fido_dev_open.3,v
retrieving revision 1.4
diff -u -p -r1.4 fido_dev_open.3
--- man/fido_dev_open.3 11 Aug 2020 08:44:53 -0000 1.4
+++ man/fido_dev_open.3 17 Aug 2020 06:13:36 -0000
@@ -16,6 +16,7 @@
 .Nm fido_dev_is_fido2 ,
 .Nm fido_dev_supports_cred_prot ,
 .Nm fido_dev_supports_pin ,
+.Nm fido_dev_has_pin ,
 .Nm fido_dev_protocol ,
 .Nm fido_dev_build ,
 .Nm fido_dev_flags ,
@@ -44,6 +45,8 @@
 .Fn fido_dev_supports_cred_prot "const fido_dev_t *dev"
 .Ft bool
 .Fn fido_dev_supports_pin "const fido_dev_t *dev"
+.Ft bool
+.Fn fido_dev_has_pin "const fido_dev_t *dev"
 .Ft uint8_t
 .Fn fido_dev_protocol "const fido_dev_t *dev"
 .Ft uint8_t
@@ -137,6 +140,14 @@ function returns
 if
 .Fa dev
 supports FIDO 2.0 Client PINs.
+.Pp
+The
+.Fn fido_dev_has_pin
+function returns
+.Dv true
+if
+.Fa dev
+has a FIDO 2.0 Client PIN set.
 .Pp
 The
 .Fn fido_dev_protocol
Index: src/dev.c
===================================================================
RCS file: /cvs/src/lib/libfido2/src/dev.c,v
retrieving revision 1.3
diff -u -p -r1.3 dev.c
--- src/dev.c 11 Aug 2020 08:44:53 -0000 1.3
+++ src/dev.c 17 Aug 2020 06:13:36 -0000
@@ -123,30 +123,27 @@ static void
 fido_dev_set_flags(fido_dev_t *dev, const fido_cbor_info_t *info)
 {
 	char * const *ptr;
+	const bool *val;
 	size_t len;
 
 	ptr = fido_cbor_info_extensions_ptr(info);
 	len = fido_cbor_info_extensions_len(info);
 
-	for (size_t i = 0; i < len; i++) {
-		if (strcmp(ptr[i], "credProtect") == 0) {
-			dev->flags |= FIDO_DEV_SUPPORTS_CRED_PROT;
-		}
-	}
+	for (size_t i = 0; i < len; i++)
+		if (strcmp(ptr[i], "credProtect") == 0)
+			dev->flags |= FIDO_DEV_CRED_PROT;
 
 	ptr = fido_cbor_info_options_name_ptr(info);
+	val = fido_cbor_info_options_value_ptr(info);
 	len = fido_cbor_info_options_len(info);
 
-	for (size_t i = 0; i < len; i++) {
-		/*
-		 * clientPin: PIN supported and set;
-		 * noclientPin: PIN supported but not set.
-		 */
-		if (strcmp(ptr[i], "clientPin") == 0 ||
-		    strcmp(ptr[i], "noclientPin") == 0) {
-			dev->flags |= FIDO_DEV_SUPPORTS_PIN;
+	for (size_t i = 0; i < len; i++)
+		if (strcmp(ptr[i], "clientPin") == 0) {
+			if (val[i] == true)
+				dev->flags |= FIDO_DEV_PIN_SET;
+			else
+				dev->flags |= FIDO_DEV_PIN_UNSET;
 		}
-	}
 }
 
 static int
@@ -461,12 +458,11 @@ fail:
 }
 
 int
-fido_dev_get_touch_status(fido_dev_t *dev, int *touched, int *pin_set, int ms)
+fido_dev_get_touch_status(fido_dev_t *dev, int *touched, int ms)
 {
 	int r;
 
 	*touched = 0;
-	*pin_set = 0;
 
 	if (fido_dev_is_fido2(dev) == false)
 		return (u2f_get_touch_status(dev, touched, ms));
@@ -474,8 +470,6 @@ fido_dev_get_touch_status(fido_dev_t *de
 	switch ((r = fido_rx_cbor_status(dev, ms))) {
 	case FIDO_ERR_PIN_INVALID:
 	case FIDO_ERR_PIN_AUTH_INVALID:
-		*pin_set = 1;
-		/* FALLTHROUGH */
 	case FIDO_ERR_PIN_NOT_SET:
 		*touched = 1;
 		break;
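Review bot: The options loop in fido_dev_set_flags now dereferences `val[i]` in lockstep with `ptr[i]`, but nothing in the hunk checks that `fido_cbor_info_options_value_ptr(info)` returned a non-NULL array the same length as the names array; the removed code read only `ptr`, so this is a new dependency on the two accessors staying parallel. A guard before the second loop, `if (ptr == NULL || val == NULL) return;`, would keep a malformed or partially parsed getInfo response from turning into an out-of-bounds or NULL read while leaving both PIN flags clear. The removed comment also documented a `noclientPin` option as "PIN supported but not set", and the new code only matches `clientPin`, so a device that advertised that name would now report no PIN support at all — presumably intentional since CTAP2 conveys the same state via the option's boolean value, but it deserves a sentence in the commit message.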
@@ -632,13 +626,19 @@ fido_dev_is_fido2(const fido_dev_t *dev)
 bool
 fido_dev_supports_pin(const fido_dev_t *dev)
 {
-	return (dev->flags & FIDO_DEV_SUPPORTS_PIN);
+	return (dev->flags & (FIDO_DEV_PIN_SET|FIDO_DEV_PIN_UNSET));
+}
+
+bool
+fido_dev_has_pin(const fido_dev_t *dev)
+{
+	return (dev->flags & FIDO_DEV_PIN_SET);
 }
 
 bool
 fido_dev_supports_cred_prot(const fido_dev_t *dev)
 {
-	return (dev->flags & FIDO_DEV_SUPPORTS_CRED_PROT);
+	return (dev->flags & FIDO_DEV_CRED_PROT);
 }
 
 void
Index: src/export.llvm
===================================================================
RCS file: /cvs/src/lib/libfido2/src/export.llvm,v
retrieving revision 1.3
diff -u -p -r1.3 export.llvm
--- src/export.llvm 11 Aug 2020 08:44:53 -0000 1.3
+++ src/export.llvm 17 Aug 2020 06:13:36 -0000
@@ -159,6 +159,7 @@ _fido_dev_get_cbor_info
 _fido_dev_get_retry_count
 _fido_dev_get_touch_begin
 _fido_dev_get_touch_status
+_fido_dev_has_pin
 _fido_dev_info_free
 _fido_dev_info_manifest
 _fido_dev_info_manufacturer_string
Index: src/extern.h
===================================================================
RCS file: /cvs/src/lib/libfido2/src/extern.h,v
retrieving revision 1.3
diff -u -p -r1.3 extern.h
--- src/extern.h 11 Aug 2020 08:44:53 -0000 1.3
+++ src/extern.h 17 Aug 2020 06:13:36 -0000
@@ -159,8 +159,9 @@ uint32_t uniform_random(uint32_t);
 #endif
 
 /* internal device capability flags */
-#define FIDO_DEV_SUPPORTS_PIN 0x01
-#define FIDO_DEV_SUPPORTS_CRED_PROT 0x02
+#define FIDO_DEV_PIN_SET 0x01
+#define FIDO_DEV_PIN_UNSET 0x02
+#define FIDO_DEV_CRED_PROT 0x04
 
 /* miscellanea */
 #define FIDO_DUMMY_CLIENTDATA ""
Index: src/fido.h
===================================================================
RCS file: /cvs/src/lib/libfido2/src/fido.h,v
retrieving revision 1.4
diff -u -p -r1.4 fido.h
--- src/fido.h 11 Aug 2020 08:44:53 -0000 1.4
+++ src/fido.h 17 Aug 2020 06:13:36 -0000
@@ -140,7 +140,7 @@ int fido_dev_get_assert(fido_dev_t *, fi
 int fido_dev_get_cbor_info(fido_dev_t *, fido_cbor_info_t *);
 int fido_dev_get_retry_count(fido_dev_t *, int *);
 int fido_dev_get_touch_begin(fido_dev_t *);
-int fido_dev_get_touch_status(fido_dev_t *, int *, int *, int);
+int fido_dev_get_touch_status(fido_dev_t *, int *, int);
 int fido_dev_info_manifest(fido_dev_info_t *, size_t, size_t *);
 int fido_dev_make_cred(fido_dev_t *, fido_cred_t *, const char *);
 int fido_dev_open_with_info(fido_dev_t *);
@@ -182,10 +182,11 @@ uint8_t fido_dev_flags(const fido_dev_t
 int16_t fido_dev_info_vendor(const fido_dev_info_t *);
 int16_t fido_dev_info_product(const fido_dev_info_t *);
 uint64_t fido_cbor_info_maxmsgsiz(const fido_cbor_info_t *);
-uint64_t fido_cbor_info_maxcredcntlst(const fido_cbor_info_t *ci);
+uint64_t fido_cbor_info_maxcredcntlst(const fido_cbor_info_t *);
 uint64_t fido_cbor_info_maxcredidlen(const fido_cbor_info_t *);
 uint64_t fido_cbor_info_fwversion(const fido_cbor_info_t *);
 
+bool fido_dev_has_pin(const fido_dev_t *);
 bool fido_dev_is_fido2(const fido_dev_t *);
 bool fido_dev_supports_pin(const fido_dev_t *);
 bool fido_dev_supports_cred_prot(const fido_dev_t *);
Index: src/fido/param.h
===================================================================
RCS file: /cvs/src/lib/libfido2/src/fido/param.h,v
retrieving revision 1.3
diff -u -p -r1.3 param.h
--- src/fido/param.h 11 Aug 2020 08:44:53 -0000 1.3
+++ src/fido/param.h 17 Aug 2020 06:13:36 -0000
@@ -53,16 +53,10 @@
 #define CTAP_INIT_HEADER_LEN 7
 #define CTAP_CONT_HEADER_LEN 5
 
-/*
- * Maximal length of a CTAP HID report in bytes, excluding report ID (if
- * required on the given platform).
- */
+/* Maximum length of a CTAP HID report in bytes. */
 #define CTAP_MAX_REPORT_LEN 64
 
-/*
- * Minimal HID report length needed to transmit an INIT header + one byte of
- * payload data.
- */
+/* Minimum length of a CTAP HID report in bytes. */
 #define CTAP_MIN_REPORT_LEN (CTAP_INIT_HEADER_LEN + 1)
 
 /* Randomness device on UNIX-like platforms. */
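Review bot: The replacement comment on CTAP_MAX_REPORT_LEN drops the caveat from the removed text that the 64 bytes exclude the report ID byte some platforms prepend, which is exactly the detail a caller sizing a HID buffer needs, and the CTAP_MIN_REPORT_LEN comment no longer says what the minimum corresponds to even though the expression still encodes it. Suggested wording: `/* Maximum length of a CTAP HID report in bytes, excluding the report ID (where the platform requires one). */` and `/* Minimum report length: an INIT header plus one byte of payload. */`. Since this is an upstream sync, the wording presumably belongs in libfido2 rather than as a local change.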