pamu2fcfg.c revision 1.1.1.2 1 1.1 christos /*
2 1.1.1.2 christos * Copyright (C) 2014-2021 Yubico AB - See COPYING
3 1.1 christos */
4 1.1 christos
5 1.1 christos #define BUFSIZE 1024
6 1.1 christos #define PAM_PREFIX "pam://"
7 1.1 christos #define TIMEOUT 15
8 1.1 christos #define FREQUENCY 1
9 1.1 christos
10 1.1 christos #include <fido.h>
11 1.1 christos
12 1.1 christos #include <stdio.h>
13 1.1 christos #include <stdlib.h>
14 1.1 christos #include <string.h>
15 1.1 christos #include <getopt.h>
16 1.1 christos #include <unistd.h>
17 1.1 christos #include <sys/types.h>
18 1.1 christos #include <pwd.h>
19 1.1 christos
20 1.1 christos #include "b64.h"
21 1.1 christos #include "cmdline.h"
22 1.1 christos #include "util.h"
23 1.1 christos
24 1.1.1.2 christos #include "openbsd-compat.h"
25 1.1.1.2 christos
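/*
 * Build the credential request described by the parsed command line.
 *
 * Sets the COSE type, a random client-data hash, the relying party
 * (origin and appid), a random 32-byte user id with the user name, and
 * the rk/uv options.  Nothing is sent to a device here; see make_cred().
 *
 * args: parsed options; must not be NULL.
 * Returns a fido_cred_t the caller owns (release with fido_cred_free()),
 * or NULL after a diagnostic has been written to stderr.
 */
static fido_cred_t *prepare_cred(const struct gengetopt_args_info *const args) {
  fido_cred_t *cred = NULL;
  fido_opt_t resident_key;
  char *appid = NULL;
  char *user = NULL;
  struct passwd *passwd = NULL;
  unsigned char userid[32];
  unsigned char cdh[32];
  char origin[BUFSIZE];
  int type;
  int ok = -1;
  size_t n;
  int r;

  if ((cred = fido_cred_new()) == NULL) {
    fprintf(stderr, "fido_cred_new failed\n");
    goto err;
  }

  /* COSE_ES256 unless the type option names another algorithm. */
  type = COSE_ES256; /* default */
  if (args->type_given) {
    if (!cose_type(args->type_arg, &type)) {
      fprintf(stderr, "Unknown COSE type '%s'.\n", args->type_arg);
      goto err;
    }
  }

  if ((r = fido_cred_set_type(cred, type)) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_type (%d): %s\n", r, fido_strerr(r));
    goto err;
  }

  /* The client-data hash is a fresh random value (random_bytes() from
   * util.h), not a hash of real client data. */
  if (!random_bytes(cdh, sizeof(cdh))) {
    fprintf(stderr, "random_bytes failed\n");
    goto err;
  }

  if ((r = fido_cred_set_clientdata_hash(cred, cdh, sizeof(cdh))) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_clientdata_hash (%d): %s\n", r,
            fido_strerr(r));
    goto err;
  }

  /* Origin: the origin option verbatim, else PAM_PREFIX + hostname. */
  if (args->origin_given) {
    if (strlcpy(origin, args->origin_arg, sizeof(origin)) >= sizeof(origin)) {
      fprintf(stderr, "error: strlcpy failed\n");
      goto err;
    }
  } else {
    if ((n = strlcpy(origin, PAM_PREFIX, sizeof(origin))) >= sizeof(origin)) {
      fprintf(stderr, "error: strlcpy failed\n");
      goto err;
    }
    if (gethostname(origin + n, sizeof(origin) - n) == -1) {
      perror("gethostname");
      goto err;
    }
    /* POSIX leaves it unspecified whether a truncated hostname is
     * NUL-terminated, so terminate explicitly: origin is used as a C
     * string (and as the relying party id) below. */
    origin[sizeof(origin) - 1] = '\0';
  }

  /* appid defaults to the origin. */
  appid = args->appid_given ? args->appid_arg : origin;

  if (args->verbose_given) {
    fprintf(stderr, "Setting origin to %s\n", origin);
    fprintf(stderr, "Setting appid to %s\n", appid);
  }

  if ((r = fido_cred_set_rp(cred, origin, appid)) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_rp (%d) %s\n", r, fido_strerr(r));
    goto err;
  }

  /* User name: the username option, else the passwd name of the real uid. */
  if (args->username_given) {
    user = args->username_arg;
  } else {
    if ((passwd = getpwuid(getuid())) == NULL) {
      perror("getpwuid");
      goto err;
    }
    user = passwd->pw_name;
  }

  /* The user id is a random 32-byte value; it is shown in verbose mode. */
  if (!random_bytes(userid, sizeof(userid))) {
    fprintf(stderr, "random_bytes failed\n");
    goto err;
  }

  if (args->verbose_given) {
    fprintf(stderr, "Setting user to %s\n", user);
    fprintf(stderr, "Setting user id to ");
    for (size_t i = 0; i < sizeof(userid); i++)
      fprintf(stderr, "%02x", userid[i]);
    fprintf(stderr, "\n");
  }

  /* Name and display name are both `user`; no icon. */
  if ((r = fido_cred_set_user(cred, userid, sizeof(userid), user, user,
                              NULL)) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_user (%d) %s\n", r, fido_strerr(r));
    goto err;
  }

  /* Ask for a resident key only when requested; otherwise leave the
   * option out of the request entirely. */
  resident_key = args->resident_given ? FIDO_OPT_TRUE : FIDO_OPT_OMIT;

  if ((r = fido_cred_set_rk(cred, resident_key)) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_rk (%d) %s\n", r, fido_strerr(r));
    goto err;
  }

  /* User verification is left omitted (not requested) here. */
  if ((r = fido_cred_set_uv(cred, FIDO_OPT_OMIT)) != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_set_uv (%d) %s\n", r, fido_strerr(r));
    goto err;
  }

  ok = 0;

err:
  /* On failure, relies on fido_cred_free() clearing cred to NULL. */
  if (ok != 0) {
    fido_cred_free(&cred);
  }

  return cred;
}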
155 1.1.1.2 christos
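/*
 * Ask the authenticator at `path` (already opened as `dev`) to create `cred`.
 *
 * The first attempt is made without a PIN; if the device answers
 * FIDO_ERR_PIN_REQUIRED, the PIN is read from the terminal with echo off
 * (readpassphrase() from openbsd-compat.h) and the request is retried once.
 * The PIN buffer is scrubbed with explicit_bzero() before returning.
 *
 * Returns 0 on success, -1 after a diagnostic on stderr.
 */
static int make_cred(const char *path, fido_dev_t *dev, fido_cred_t *cred) {
  char prompt[BUFSIZE];
  char pin[BUFSIZE];
  int n;
  int r;

  if (path == NULL || dev == NULL || cred == NULL) {
    fprintf(stderr, "%s: args\n", __func__);
    return -1;
  }

  r = fido_dev_make_cred(dev, cred, NULL);
  if (r == FIDO_ERR_PIN_REQUIRED) {
    n = snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", path);
    if (n < 0 || (size_t) n >= sizeof(prompt)) {
      /* pin has not been written yet; nothing to scrub. */
      fprintf(stderr, "error: snprintf prompt\n");
      return -1;
    }
    if (!readpassphrase(prompt, pin, sizeof(pin), RPP_ECHO_OFF)) {
      fprintf(stderr, "error: failed to read pin\n");
      explicit_bzero(pin, sizeof(pin));
      return -1;
    }
    r = fido_dev_make_cred(dev, cred, pin);
  }
  /* Scrub unconditionally: pin may hold the secret or be untouched. */
  explicit_bzero(pin, sizeof(pin));

  if (r != FIDO_OK) {
    fprintf(stderr, "error: fido_dev_make_cred (%d) %s\n", r, fido_strerr(r));
    return -1;
  }

  return 0;
}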
190 1.1.1.2 christos
/*
 * Check the attestation of a freshly created credential.
 *
 * With an x5c certificate chain present, fido_cred_verify() is used;
 * without one, fido_cred_verify_self() is used instead.
 *
 * Returns 0 when the credential verifies, -1 (with a message on stderr)
 * when cred is NULL or verification fails.
 */
static int verify_cred(const fido_cred_t *const cred) {
  int rc;

  if (cred == NULL) {
    fprintf(stderr, "%s: args\n", __func__);
    return -1;
  }

  /* A certificate chain is present: verify against it. */
  if (fido_cred_x5c_ptr(cred) != NULL) {
    rc = fido_cred_verify(cred);
    if (rc != FIDO_OK) {
      fprintf(stderr, "error: fido_cred_verify (%d) %s\n", rc, fido_strerr(rc));
      return -1;
    }
    return 0;
  }

  /* No chain: fall back to self verification. */
  rc = fido_cred_verify_self(cred);
  if (rc != FIDO_OK) {
    fprintf(stderr, "error: fido_cred_verify_self (%d) %s\n", rc,
            fido_strerr(rc));
    return -1;
  }

  return 0;
}
214 1.1.1.2 christos
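/*
 * Print one authfile (u2f_keys) entry for `cred` on stdout:
 *
 *   [user]:<keyhandle>,<pubkey>,<cose type>[+presence][+verification][+pin]
 *
 * `user` is omitted when the nouser option was given; the key handle is
 * replaced by "*" when the resident option was given.  Key handle and
 * public key are base64 (b64_encode() from b64.h).  No trailing newline
 * is written -- presumably so further entries can be appended to the same
 * line; callers must not rely on one.
 *
 * Returns 0 on success, -1 after a diagnostic on stderr (NULL arguments,
 * missing credential fields, encoding failure or a failed write).
 */
static int print_authfile_line(const struct gengetopt_args_info *const args,
                               const fido_cred_t *const cred) {
  const unsigned char *kh = NULL;
  const unsigned char *pk = NULL;
  const char *user = NULL;
  char *b64_kh = NULL;
  char *b64_pk = NULL;
  size_t kh_len;
  size_t pk_len;
  int ok = -1;

  /* Same argument check as make_cred() and verify_cred(). */
  if (args == NULL || cred == NULL) {
    fprintf(stderr, "%s: args\n", __func__);
    return -1;
  }

  if ((kh = fido_cred_id_ptr(cred)) == NULL) {
    fprintf(stderr, "error: fido_cred_id_ptr returned NULL\n");
    goto err;
  }

  if ((kh_len = fido_cred_id_len(cred)) == 0) {
    fprintf(stderr, "error: fido_cred_id_len returned 0\n");
    goto err;
  }

  if ((pk = fido_cred_pubkey_ptr(cred)) == NULL) {
    fprintf(stderr, "error: fido_cred_pubkey_ptr returned NULL\n");
    goto err;
  }

  if ((pk_len = fido_cred_pubkey_len(cred)) == 0) {
    fprintf(stderr, "error: fido_cred_pubkey_len returned 0\n");
    goto err;
  }

  if (!b64_encode(kh, kh_len, &b64_kh)) {
    fprintf(stderr, "error: failed to encode key handle\n");
    goto err;
  }

  if (!b64_encode(pk, pk_len, &b64_pk)) {
    fprintf(stderr, "error: failed to encode public key\n");
    goto err;
  }

  if (!args->nouser_given) {
    if ((user = fido_cred_user_name(cred)) == NULL) {
      fprintf(stderr, "error: fido_cred_user_name returned NULL\n");
      goto err;
    }
    printf("%s", user);
  }

  /* "+presence" is on unless explicitly disabled; the other two are opt-in. */
  printf(":%s,%s,%s,%s%s%s", args->resident_given ? "*" : b64_kh, b64_pk,
         cose_string(fido_cred_type(cred)),
         !args->no_user_presence_given ? "+presence" : "",
         args->user_verification_given ? "+verification" : "",
         args->pin_verification_given ? "+pin" : "");

  /* This line is the program's only output; a failed or short write (e.g.
   * stdout redirected to a full disk) must not be reported as success,
   * since a truncated entry would silently break the user's second factor. */
  if (fflush(stdout) != 0 || ferror(stdout)) {
    perror("error: writing authfile line");
    goto err;
  }

  ok = 0;

err:
  /* b64_encode() allocated these; free(NULL) is a no-op. */
  free(b64_kh);
  free(b64_pk);

  return ok;
}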
278 1.1.1.2 christos
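/*
 * Entry point: parse options, build a credential request, wait up to
 * TIMEOUT seconds for an authenticator to appear, create the credential on
 * the first device enumerated, verify it and print the authfile line.
 *
 * Exits EXIT_SUCCESS on success (or when help was requested) and
 * EXIT_FAILURE otherwise; every resource is released on the err: path.
 */
int main(int argc, char *argv[]) {
  /* Capacity of the device list handed to fido_dev_info_manifest(). */
  enum { DEVLIST_LEN = 64 };
  int exit_code = EXIT_FAILURE;
  struct gengetopt_args_info args_info;
  fido_cred_t *cred = NULL;
  fido_dev_info_t *devlist = NULL;
  fido_dev_t *dev = NULL;
  const fido_dev_info_t *di = NULL;
  const char *path = NULL;
  size_t ndevs = 0;
  int r;

  /* NOTE: initializes args_info. on error, frees args_info and calls exit() */
  if (cmdline_parser(argc, argv, &args_info) != 0)
    goto err;

  if (args_info.help_given) {
    cmdline_parser_print_help();
    printf("\nReport bugs at <https://github.com/Yubico/pam-u2f>.\n");
    exit_code = EXIT_SUCCESS;
    goto err;
  }

  fido_init(args_info.debug_flag ? FIDO_DEBUG : 0);

  if ((cred = prepare_cred(&args_info)) == NULL)
    goto err;

  devlist = fido_dev_info_new(DEVLIST_LEN);
  if (!devlist) {
    fprintf(stderr, "error: fido_dev_info_new failed\n");
    goto err;
  }

  r = fido_dev_info_manifest(devlist, DEVLIST_LEN, &ndevs);
  if (r != FIDO_OK) {
    fprintf(stderr, "Unable to discover device(s), %s (%d)\n", fido_strerr(r),
            r);
    goto err;
  }

  /* No device yet: re-enumerate every FREQUENCY seconds for up to TIMEOUT
   * seconds, showing a countdown on stderr. */
  if (ndevs == 0) {
    for (int i = 0; i < TIMEOUT; i += FREQUENCY) {
      fprintf(stderr,
              "\rNo U2F device available, please insert one now, you "
              "have %2d seconds",
              TIMEOUT - i);
      fflush(stderr);
      sleep(FREQUENCY);

      r = fido_dev_info_manifest(devlist, DEVLIST_LEN, &ndevs);
      if (r != FIDO_OK) {
        fprintf(stderr, "\nUnable to discover device(s), %s (%d)",
                fido_strerr(r), r);
        goto err;
      }

      if (ndevs != 0) {
        fprintf(stderr, "\nDevice found!\n");
        break;
      }
    }
  }

  if (ndevs == 0) {
    fprintf(stderr, "\rNo device found. Aborting. "
                    "                          \n");
    goto err;
  }

  /* XXX loop over every device? Only the first enumerated device is used. */
  dev = fido_dev_new();
  if (!dev) {
    fprintf(stderr, "fido_dev_new failed\n");
    goto err;
  }

  di = fido_dev_info_ptr(devlist, 0);
  if (!di) {
    fprintf(stderr, "error: fido_dev_info_ptr returned NULL\n");
    goto err;
  }

  if ((path = fido_dev_info_path(di)) == NULL) {
    fprintf(stderr, "error: fido_dev_path returned NULL\n");
    goto err;
  }

  r = fido_dev_open(dev, path);
  if (r != FIDO_OK) {
    fprintf(stderr, "error: fido_dev_open (%d) %s\n", r, fido_strerr(r));
    goto err;
  }

  /* Each step reports its own error on stderr. */
  if (make_cred(path, dev, cred) != 0 || verify_cred(cred) != 0 ||
      print_authfile_line(&args_info, cred) != 0)
    goto err;

  exit_code = EXIT_SUCCESS;

err:
  /* dev may have been allocated but never opened; the close result is
   * deliberately ignored. */
  if (dev != NULL)
    fido_dev_close(dev);
  fido_dev_info_free(&devlist, ndevs);
  fido_cred_free(&cred);
  fido_dev_free(&dev);

  cmdline_parser_free(&args_info);

  exit(exit_code);
}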