Extend FIDO2 BLE support also for Linux

For Windows it was already added via gh#336, so let's also add it for Linux. Unpaired devices are ignored, the user has to pair independently of libfido use using the bluetooth manager provided by the desktop environment.
Yubico · Jun 6, 2023 · be35428 · be35428
1 parent 854053f
commit be35428
Show file tree

Hide file tree

Showing 11 changed files with 927 additions and 5 deletions.
diff --git a/.github/workflows/alpine_builds.yml b/.github/workflows/alpine_builds.yml
@@ -28,7 +28,7 @@ jobs:
         apk -q update
         apk add build-base clang clang-analyzer cmake coreutils eudev-dev
         apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev \
-          libcbor-dev
+          libcbor-dev elogind-dev
     - name: fix permissions on workdir
       run: chown root:wheel "${GITHUB_WORKSPACE}"
     - name: checkout libfido2

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev original-awk \
-         libpcsclite-dev
+         libpcsclite-dev libsystemd-dev
         ./.actions/build-linux-gcc
     - name: perform codeql analysis
       uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/linux_builds.yml b/.github/workflows/linux_builds.yml
@@ -38,7 +38,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev \
-          original-awk mandoc libpcsclite-dev
+          original-awk mandoc libpcsclite-dev libsystemd-dev
     - name: compiler
       env:
         CC: ${{ matrix.cc }}

diff --git a/.github/workflows/linux_fuzz.yml b/.github/workflows/linux_fuzz.yml
@@ -28,7 +28,7 @@ jobs:
     - name: dependencies
       run: |
         sudo apt -q update
-        sudo apt install -q -y libudev-dev libpcsclite-dev
+        sudo apt install -q -y libudev-dev libpcsclite-dev libsystemd-dev
     - name: compiler
       env:
         CC: ${{ matrix.cc }}

diff --git a/.github/workflows/openssl3.yml b/.github/workflows/openssl3.yml
@@ -35,7 +35,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev \
-          original-awk mandoc libpcsclite-dev
+          original-awk mandoc libpcsclite-dev libsystemd-dev
         sudo apt remove -y libssl-dev
         if [ "${CC%-*}" == "clang" ]; then
           sudo ./.actions/setup_clang "${CC}"

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -44,6 +44,7 @@ option(USE_HIDAPI        "Use hidapi as the HID backend"           OFF)
 option(USE_PCSC          "Enable experimental PCSC support"        ON)
 option(USE_WINHELLO      "Abstract Windows Hello as a FIDO device" ON)
 option(NFC_LINUX         "Enable NFC support on Linux"             ON)
+option(BLUETOOTH_LINUX   "Enable Bluetooth support on Linux"       ON)
 
 add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
 add_definitions(-D_FIDO_MINOR=${FIDO_MINOR})
@@ -216,6 +217,7 @@ if(MSVC)
 		add_definitions(-DUSE_WINHELLO)
 	endif()
 	set(NFC_LINUX OFF)
+	set(BLUETOOTH_LINUX OFF)
 else()
 	include(FindPkgConfig)
 	pkg_search_module(CBOR libcbor)
@@ -255,6 +257,7 @@ else()
 		endif()
 	else()
 		set(NFC_LINUX OFF)
+		set(BLUETOOTH_LINUX OFF)
 	endif()
 
 	if(MINGW)
@@ -285,6 +288,12 @@ else()
 		add_definitions(-DUSE_NFC)
 	endif()
 
+	if(BLUETOOTH_LINUX)
+		add_definitions(-DUSE_BLUETOOTH)
+		pkg_search_module(SYSTEMD libsystemd REQUIRED)
+		set(BLUETOOTH_LIBRARIES ${SYSTEMD_LIBRARIES})
+	endif()
+
 	if(WIN32)
 		if(USE_WINHELLO)
 			add_definitions(-DUSE_WINHELLO)
@@ -399,6 +408,7 @@ include_directories(${ZLIB_INCLUDE_DIRS})
 link_directories(${CBOR_LIBRARY_DIRS})
 link_directories(${CRYPTO_LIBRARY_DIRS})
 link_directories(${HIDAPI_LIBRARY_DIRS})
+link_directories(${BLUETOOTH_LIBRARY_DIRS})
 link_directories(${PCSC_LIBRARY_DIRS})
 link_directories(${UDEV_LIBRARY_DIRS})
 link_directories(${ZLIB_LIBRARY_DIRS})
@@ -468,6 +478,7 @@ message(STATUS "USE_HIDAPI: ${USE_HIDAPI}")
 message(STATUS "USE_PCSC: ${USE_PCSC}")
 message(STATUS "USE_WINHELLO: ${USE_WINHELLO}")
 message(STATUS "NFC_LINUX: ${NFC_LINUX}")
+message(STATUS "BLUETOOTH_LINUX: ${BLUETOOTH_LINUX}")
 
 if(BUILD_TESTS)
 	enable_testing()

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -51,6 +51,10 @@ if(FUZZ)
 	list(APPEND FIDO_SOURCES ../fuzz/wrap.c)
 endif()
 
+if(BLUETOOTH_LINUX)
+	list(APPEND FIDO_SOURCES bluetooth.c bluetooth_linux.c)
+endif()
+
 if(NFC_LINUX)
 	list(APPEND FIDO_SOURCES netlink.c nfc.c nfc_linux.c)
 endif()
@@ -123,6 +127,7 @@ list(APPEND TARGET_LIBRARIES
 	${HIDAPI_LIBRARIES}
 	${ZLIB_LIBRARIES}
 	${PCSC_LIBRARIES}
+	${BLUETOOTH_LIBRARIES}
 )
 
 # static library

diff --git a/src/bluetooth.c b/src/bluetooth.c
@@ -0,0 +1,209 @@
+#include "fido.h"
+#include "fido/param.h"
+
+#define CTAPBLE_PING 0x81
+#define CTAPBLE_KEEPALIVE 0x82
+#define CTAPBLE_MSG 0x83
+#define CTAPBLE_CANCEL 0xBE
+#define CTAPBLE_ERROR 0xBF
+
+static int
+fido_bluetooth_fragment_tx(fido_dev_t *d, uint8_t cmd, const u_char *buf, size_t count)
+{
+	size_t fragment_len = fido_bluetooth_get_cp_size(d);
+	u_char *frag_buf;
+	size_t payload;
+	uint8_t seqnum;
+
+	if (fragment_len <= 3)
+		return -1;
+
+	payload = fragment_len - 3;
+	frag_buf = calloc(1, fragment_len);
+	if (!frag_buf)
+		return -1;
+
+	frag_buf[0] = cmd;
+	frag_buf[1] = (count >> 8) & 0xff;
+	frag_buf[2] = count & 0xff;
+	if (payload > count)
+		payload = count;
+
+	memcpy(frag_buf + 3, buf, payload);
+	d->io.write(d->io_handle, frag_buf, payload + 3);
+
+	count -= payload;
+	seqnum = 0;
+	buf += payload;
+	while (count > 0) {
+		payload = fragment_len - 1;
+		if (payload > count)
+			payload = count;
+
+		memcpy(frag_buf + 1, buf, payload);
+		frag_buf[0] = seqnum;
+		if (d->io.write(d->io_handle, frag_buf, payload + 1) < 0)
+			break;
+
+		count -= payload;
+		buf += payload;
+		seqnum++;
+		seqnum &= 0x7F;
+	}
+
+	free(frag_buf);
+
+	if (count > 0)
+		return -1;
+
+	return 0;
+}
+
+int
+fido_bluetooth_tx(fido_dev_t *d, uint8_t cmd, const u_char *buf, size_t count)
+{
+	switch(cmd) {
+		case CTAP_CMD_INIT:
+			return FIDO_OK;
+		case CTAP_CMD_CBOR:
+		case CTAP_CMD_MSG:
+			return fido_bluetooth_fragment_tx(d, CTAPBLE_MSG, buf, count);
+			break;
+	}
+	if (cmd == CTAP_CMD_INIT)
+		return FIDO_OK;
+
+
+	return FIDO_ERR_INTERNAL;
+}
+
+static int
+rx_init(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
+{
+	(void)ms;
+	fido_ctap_info_t *attr = (fido_ctap_info_t *)buf;
+	if (count != sizeof(*attr)) {
+		fido_log_debug("%s: count=%zu", __func__, count);
+		return -1;
+	}
+
+	memset(attr, 0, sizeof(*attr));
+
+	/* we allow only FIDO2 devices for now for simplicity */
+	attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
+	memcpy(&attr->nonce, &d->nonce, sizeof(attr->nonce));
+
+	return (int)count;
+}
+
+static int
+rx_fragments(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
+{
+	size_t fragment_len = fido_bluetooth_get_cp_size(d);
+	uint8_t *reply;
+	uint8_t seq;
+	size_t payload;
+	size_t reply_length;
+	int ret;
+	if (fragment_len <= 3) {
+		return -1;
+	}
+	reply = calloc(1, fragment_len);
+	payload = fragment_len - 3;
+	if (count < payload)
+		payload = count;
+
+	do {
+		ret = d->io.read(d->io_handle, reply, payload + 3, ms);
+		if (ret <= 0)
+			goto out;
+	} while (reply[0] == CTAPBLE_KEEPALIVE);
+
+	if ((reply[0] != CTAPBLE_MSG) || (ret <= 3)) {
+		ret = -1;
+		goto out;
+	}
+	ret -= 3;
+
+	reply_length = ((size_t)reply[1]) << 8 | reply[2];
+	if (reply_length > count)
+		reply_length = count;
+
+	if (reply_length < count)
+		count = reply_length;
+
+	memcpy(buf, reply + 3, (size_t)ret);
+	count -= (size_t)ret;
+	buf += ret;
+	seq = 0;
+
+	while(count > 0) {
+		payload = fragment_len - 1;
+		if (count < payload)
+			payload = count;
+
+		ret = d->io.read(d->io_handle, reply, payload + 1, ms);
+		if (ret <= 1) {
+			if (ret >= 0)
+				ret = -1;
+			goto out;
+		}
+		ret--;
+		if (reply[0] != seq) {
+			ret = -1;
+			goto out;
+		}
+		memcpy(buf, reply + 1, (size_t) ret);
+
+		seq++;
+		count -= (size_t) ret;
+		buf += ret;
+	}
+	ret = (int)reply_length;
+out:
+	explicit_bzero(reply, fragment_len);
+	free(reply);
+	return ret;
+}
+
+int 
+fido_bluetooth_rx(fido_dev_t *d, uint8_t cmd, u_char *buf, size_t count, int ms)
+{
+	switch(cmd) {
+		case CTAP_CMD_INIT:
+			return rx_init(d, buf, count, ms);
+		case CTAP_CMD_CBOR:
+			return rx_fragments(d, buf, count, ms);
+		default:
+			return FIDO_ERR_INTERNAL;
+	}
+}
+
+bool
+fido_is_bluetooth(const char *path)
+{
+	return !strncmp(path, FIDO_BLUETOOTH_PREFIX, strlen(FIDO_BLUETOOTH_PREFIX));
+}
+
+int
+fido_dev_set_bluetooth(fido_dev_t *d)
+{
+	if (d->io_handle != NULL) {
+		fido_log_debug("%s: device open", __func__);
+		return -1;
+	}
+	d->io_own = true;
+	d->io = (fido_dev_io_t) {
+		fido_bluetooth_open,
+		fido_bluetooth_close,
+		fido_bluetooth_read,
+		fido_bluetooth_write,
+	};
+	d->transport = (fido_dev_transport_t) {
+		fido_bluetooth_rx,
+		fido_bluetooth_tx,
+	};
+
+	return 0;
+}
+