Yubico / libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.

Problems with Feitian MultiPass FIDO device #695

Closed avzuquete closed 1 year ago

avzuquete commented 1 year ago

What version of libfido2 are you using?

1.13.0

What operating system are you running?

Ubuntu 22.04.2 LTS, 5.15.0-67-generic kernel

What application are you using in conjunction with libfido2?

My own

How does the problem manifest itself?

Some fido_dev_supports_XXX functions give a wrong indication for a Feitian MultiPass FIDO device. I checked the libfido2 code and I guess the source of the problem is the interpretation that is made of the flags/options reported by the device. This device reports up=true (instead of uv=true), so the function fido_dev_supports_uv returns FALSE. This device reports clientPin=false, so the flags field gets a FIDO_DEV_PIN_UNSET, which later makes fido_dev_supports_pin return TRUE.

Is the problem reproducible?

Yes.

What are the steps that lead to the problem?

Explained before.

Does the problem happen with different authenticators?

Could not check.

Please include the output of fido2-token -L.

$ fido2-token -L
/dev/hidraw1: vendor=0x096e, product=0x085a (FS ePass FIDO)

Please include the output of fido2-token -I.

$ fido2-token -I <device>
proto: 0x02
major: 0x01
minor: 0x00
build: 0x01
caps: 0x0f (wink, cbor, nomsg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: ble, nfc, usb
algorithms: es256 (public-key)
aaguid: 310b2830bd4a4da5832e9a0dfc90abf2
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1024
maxcredcntlst: 6
maxcredlen: 96
fwversion: 0x0
pin protocols: 1
pin retries: undefined
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

$ export FIDO_DEBUG=1
$  fido2-token -L
fido_hid_unix_open: open /dev/hidraw0: Permission denied
/dev/hidraw1: vendor=0x096e, product=0x085a (FS ePass FIDO)
$  fido2-token -I /dev/hidraw1

martelletto commented 1 year ago

fido_dev_supports_uv() returns false because the authenticator does not support UV. Note that UP != UV. fido_dev_supports_pin() returns true because the authenticator supports a pin, although one isn't set. fido_dev_has_pin() can be used to distinguish between the two cases.

These functions are documented in https://developers.yubico.com/libfido2/Manuals/fido_dev_supports_uv.html. Please let us know if there's anything we can do to improve our documentation. Thank you!
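
The distinction drawn above (an option absent from getInfo, present with value false, or present with value true) as an added stand-alone C model of libfido2's flag logic; this is not the library's own code, the flag names mirror libfido2's but their bit values and the helper names are assumptions, and the options map is the one printed by fido2-token -I in the report:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flag names mirror libfido2's (only FIDO_DEV_PIN_UNSET is named in the
 * report); the bit values are assumptions for this stand-alone model. */
#define DEV_PIN_SET   0x01
#define DEV_PIN_UNSET 0x02
#define DEV_UV_SET    0x20
#define DEV_UV_UNSET  0x40

/* One entry of the CTAP2 getInfo "options" map: name plus boolean. */
struct option { const char *name; bool value; };

/* Derive device flags from the options map: an option that is absent
 * means "not supported"; present with value false means "supported but
 * not configured"; present with value true means "configured". */
int flags_from_options(const struct option *opts, size_t n)
{
	int flags = 0;
	for (size_t i = 0; i < n; i++) {
		if (strcmp(opts[i].name, "clientPin") == 0)
			flags |= opts[i].value ? DEV_PIN_SET : DEV_PIN_UNSET;
		else if (strcmp(opts[i].name, "uv") == 0)
			flags |= opts[i].value ? DEV_UV_SET : DEV_UV_UNSET;
		/* "up", "rk", "plat" and the rest do not affect PIN/UV support. */
	}
	return flags;
}

/* The three questions asked in the thread, answered from the flags. */
bool supports_pin(int flags) { return (flags & (DEV_PIN_SET | DEV_PIN_UNSET)) != 0; }
bool has_pin(int flags)      { return (flags & DEV_PIN_SET) != 0; }
bool supports_uv(int flags)  { return (flags & (DEV_UV_SET | DEV_UV_UNSET)) != 0; }

/* Options as printed for the Feitian device: "noclientPin" is
 * clientPin=false, "up" is up=true, and there is no "uv" entry at all. */
static const struct option feitian_opts[] = {
	{ "rk", true }, { "up", true }, { "plat", false },
	{ "clientPin", false }, { "credentialMgmtPreview", true },
};

int main(void)
{
	int f = flags_from_options(feitian_opts, sizeof(feitian_opts) / sizeof(feitian_opts[0]));
	/* prints: supports_pin=1 has_pin=0 supports_uv=0 */
	printf("supports_pin=%d has_pin=%d supports_uv=%d\n", supports_pin(f), has_pin(f), supports_uv(f));
	return 0;
}
```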

avzuquete commented 1 year ago

Thank you for your response.

What does UP mean? User Presence? Could you elaborate a bit?

So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN, the clientPin indication should not even exist?

Thank you.

Regards,


martelletto commented 1 year ago

Thank you for your response. What does UP mean? User Presence? Could you elaborate a bit?

In FIDO2, User Presence (UP) indicates that someone has interacted with the authenticator to authorise an operation, typically through touch. On the other hand, User Verification (UV) signifies that, to a reasonable degree of confidence, the person who authorised an operation was the same individual who previously enrolled a secret, such as a fingerprint or a PIN, on the device.

While a PIN can be used to achieve UV, the two terms are separate concepts in FIDO2, with UV being reserved for methods of user verification that are entirely built-in to the authenticator, such as facial recognition or fingerprint matching. In this sense, most FIDO2 authenticators support PIN but not UV.

So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN, the clientPin indication should not even exist?

Yes, that's correct.

Kind regards,

-p.

avzuquete commented 1 year ago

Dear Pedro,

Thank you for your prompt and clear explanation.

Sorry for the noise; I'm still trying to get acquainted with the intrinsics of FIDO2, and those simple explanations are not easy to find in the tons of marketing stuff.

Best regards,

    A. Zúquete
