keepassxc
1/*2* Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>3*4* This program is free software: you can redistribute it and/or modify5* it under the terms of the GNU General Public License as published by6* the Free Software Foundation, either version 2 or (at your option)7* version 3 of the License.8*9* This program is distributed in the hope that it will be useful,10* but WITHOUT ANY WARRANTY; without even the implied warranty of11* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the12* GNU General Public License for more details.13*14* You should have received a copy of the GNU General Public License15* along with this program. If not, see <http://www.gnu.org/licenses/>.16*/17// MSYS2 does not define these macros24// So set them to the value used by pcsc-lite25#ifndef MAX_ATR_SIZE26#define MAX_ATR_SIZE 3327#endif28#ifndef MAX_READERNAME29#define MAX_READERNAME 12830#endif31// PCSC framework on OSX uses unsigned int33// Windows winscard and Linux pcsc-lite use unsigned long34#ifdef Q_OS_MACOS35typedef uint32_t SCUINT;36typedef uint32_t RETVAL;37#else38typedef unsigned long SCUINT;39typedef long RETVAL;40#endif41// This namescape contains static wrappers for the smart card API43// Which enable the communication with a Yubikey via PCSC ADPUs44namespace45{46* @brief Check if a smartcard API context is valid and reopen it if it is not49*50* @param context Smartcard API context, valid or not51* @return SCARD_S_SUCCESS on success52*/53RETVAL ensureValidContext(SCARDCONTEXT& context)54{55// This check only tests if the handle pointer is valid in memory56// but it does not actually verify that it works57RETVAL rv = SCardIsValidContext(context);58* @brief return the names of all connected smartcard readers84*85* @param context A pre-established smartcard API context86* @return New list of smartcard readers87*/88QList<QString> getReaders(SCARDCONTEXT& context)89{90// Ensure the Smartcard API handle is still valid91ensureValidContext(context);92* @brief Reads the status of a smartcard handle125*126* This function does not actually transmit data,127* instead it only reads the OS API state128*129* @param handle Smartcard handle130* @param dwProt Protocol currently used131* @param pioSendPci Pointer to the PCI header used for sending132*133* @return SCARD_S_SUCCESS on success134*/135RETVAL getCardStatus(SCARDHANDLE handle, SCUINT& dwProt, const SCARD_IO_REQUEST*& pioSendPci)136{137char pbReader[MAX_READERNAME] = {0}; // Name of the reader the card is placed in138SCUINT dwReaderLen = sizeof(pbReader); // String length of the reader name139SCUINT dwState = 0; // Unused. Contents differ depending on API implementation.140uint8_t pbAtr[MAX_ATR_SIZE] = {0}; // ATR record141SCUINT dwAtrLen = sizeof(pbAtr); // ATR record size142* @brief Executes a sequence of transmissions, and retries it if the card is reset during transmission164*165* A card not opened in exclusive mode (like here) can be reset by another process.166* The application has to acknowledge the reset and retransmit the transaction.167*168* @param handle Smartcard handle169* @param atomic_action Lambda that contains the sequence to be executed as a transaction. Expected to return170* SCARD_S_SUCCESS on success.171*172* @return SCARD_S_SUCCESS on success173*/174RETVAL transactRetry(SCARDHANDLE handle, const std::function<RETVAL()>& atomic_action)175{176SCUINT dwProt = SCARD_PROTOCOL_UNDEFINED;177const SCARD_IO_REQUEST* pioSendPci = nullptr;178auto rv = getCardStatus(handle, dwProt, pioSendPci);179if (rv == SCARD_S_SUCCESS) {180// Begin a transaction. This locks out any other process from interfacing with the card181rv = SCardBeginTransaction(handle);182if (rv == SCARD_S_SUCCESS) {183int i;184for (i = 4; i > 0; i--) { // 3 tries for reconnecting after reset185// Run the lambda payload and store its return code186RETVAL rv_act = atomic_action();187if (rv_act == SCARD_W_RESET_CARD) {188// The card was reset during the transmission.189SCUINT dwProt_new = SCARD_PROTOCOL_UNDEFINED;190// Acknowledge the reset and reestablish the connection and handle191rv = SCardReconnect(handle, SCARD_SHARE_SHARED, dwProt, SCARD_LEAVE_CARD, &dwProt_new);192// On Windows, the transaction has to be re-started.193// On Linux and OSX (which use pcsc-lite), the transaction continues to be valid.194#ifdef Q_OS_WIN195if (rv == SCARD_S_SUCCESS) {196rv = SCardBeginTransaction(handle);197}198#endif199qDebug("Smartcard was reset and had to be reconnected");200} else {201// This does not mean that the payload returned SCARD_S_SUCCESS202// just that the card was not reset during communication.203// Return the return code of the payload function204rv = rv_act;205break;206}207}208if (i == 0) {209rv = SCARD_W_RESET_CARD;210qDebug("Smartcard was reset and failed to reconnect after 3 tries");211}212}213}214* @brief Transmits a buffer to the smartcard, and reads the response224*225* @param handle Smartcard handle226* @param pbSendBuffer Pointer to the data to be sent227* @param dwSendLength Size of the data to be sent in bytes228* @param pbRecvBuffer Pointer to the data to be received229* @param dwRecvLength Size of the data to be received in bytes230*231* @return SCARD_S_SUCCESS on success232*/233RETVAL transmit(SCARDHANDLE handle,234const uint8_t* pbSendBuffer,235SCUINT dwSendLength,236uint8_t* pbRecvBuffer,237SCUINT& dwRecvLength)238{239SCUINT dwProt = SCARD_PROTOCOL_UNDEFINED;240const SCARD_IO_REQUEST* pioSendPci = nullptr;241auto rv = getCardStatus(handle, dwProt, pioSendPci);242if (rv == SCARD_S_SUCCESS) {243// Write to and read from the card244// pioRecvPci is nullptr because we do not expect any PCI response header245const SCUINT dwRecvBufferSize = dwRecvLength;246rv = SCardTransmit(handle, pioSendPci, pbSendBuffer, dwSendLength, nullptr, pbRecvBuffer, &dwRecvLength);247* @brief Transmits an applet selection APDU to select the challenge-response applet321*322* @param handle Smartcard handle and applet ID bytestring pair323*324* @return SCARD_S_SUCCESS on success325*/326RETVAL selectApplet(const SCardAID& handle)327{328uint8_t pbSendBuffer_head[5] = {329CLA_ISO, INS_SELECT, SEL_APP_AID, 0, static_cast<uint8_t>(handle.second.size())};330auto pbSendBuffer = new uint8_t[5 + handle.second.size()];331memcpy(pbSendBuffer, pbSendBuffer_head, 5);332memcpy(pbSendBuffer + 5, handle.second.constData(), handle.second.size());333// Give it more space in case custom implementations have longer answer to select334uint8_t pbRecvBuffer[64] = {3350}; // 3 bytes version, 1 byte program counter, other stuff for various implementations, 2 bytes status336SCUINT dwRecvLength = sizeof pbRecvBuffer;337* @brief Finds the AID a card uses by checking a list of AIDs347*348* @param handle Smartcard handle349* @param aid Application identifier byte string350* @param result Smartcard handle and AID bytestring pair that will be populated on success351*352* @return true on success353*/354bool findAID(SCARDHANDLE handle, const QList<QByteArray>& aid_codes, SCardAID& result)355{356for (const auto& aid : aid_codes) {357// Ensure the transmission is retransmitted after card resets358auto rv = transactRetry(handle, [&handle, &aid]() {359// Try to select the card using the specified AID360return selectApplet({handle, aid});361});362if (rv == SCARD_S_SUCCESS) {363result.first = handle;364result.second = aid;365return true;366}367}368return false;369}370* @brief Reads the serial number of a key373*374* @param handle Smartcard handle and applet ID bytestring pair375* @param serial The serial number376*377* @return SCARD_S_SUCCESS on success378*/379RETVAL getSerial(const SCardAID& handle, unsigned int& serial)380{381// Ensure the transmission is retransmitted after card resets382return transactRetry(handle.first, [&handle, &serial]() {383// Ensure that the card is always selected before sending the command384auto rv = selectApplet(handle);385if (rv != SCARD_S_SUCCESS) {386return rv;387}388* @brief Creates a smartcard handle and applet select bytestring pair by looking up a serial key405*406* @param target_serial The serial number to search for407* @param context A pre-established smartcard API context408* @param aid_codes A list which contains the AIDs to scan for409* @param handle The created smartcard handle and applet select bytestring pair410*411* @return SCARD_S_SUCCESS on success412*/413RETVAL openKeySerial(const unsigned int target_serial,414SCARDCONTEXT& context,415const QList<QByteArray>& aid_codes,416SCardAID* handle)417{418// Ensure the Smartcard API handle is still valid419auto rv = ensureValidContext(context);420if (rv != SCARD_S_SUCCESS) {421return rv;422}423* @brief Performs a challenge-response transmission471*472* The card computes the SHA1-HMAC of the challenge473* using its pre-programmed secret key and return the response474*475* @param handle Smartcard handle and applet ID bytestring pair476* @param slot_cmd Either CMD_HMAC_1 for slot 1 or CMD_HMAC_2 for slot 2477* @param input Challenge byte buffer, exactly 64 bytes and padded using PKCS#7 or Yubikey padding478* @param output Response byte buffer, exactly 20 bytes479*480* @return SCARD_S_SUCCESS on success481*/482RETVAL getHMAC(const SCardAID& handle, uint8_t slot_cmd, const uint8_t input[64], uint8_t output[20])483{484// Ensure the transmission is retransmitted after card resets485return transactRetry(handle.first, [&handle, &slot_cmd, &input, &output]() {486auto rv = selectApplet(handle);487{519if (ensureValidContext(m_sc_context) != SCARD_S_SUCCESS) {520qDebug("YubiKey: Failed to establish PCSC context.");521} else {522m_initialized = true;523}524}525{528if (m_initialized && SCardReleaseContext(m_sc_context) != SCARD_S_SUCCESS) {529qDebug("YubiKey: Failed to release PCSC context.");530}531}532{537if (!m_instance) {538m_instance = new YubiKeyInterfacePCSC();539}540}543{546m_error.clear();547if (!isInitialized()) {548return {};549}550Although this would not be a problem in itself,557we filter these connections because in USB mode,558the PCSC challenge-response interface is usually locked559Instead, the other USB (HID) interface should pick up and560interface the key.561For more info see the comment block further below. */562if (reader_name.contains("yubikey", Qt::CaseInsensitive)) {563continue;564}565When using the key via NFC, the user has to re-present the key to clear the timeout.609Also, the key can be programmatically reset (see below).610When using the key via USB (where the Yubikey presents as a PCSC reader in itself),611the non-HMAC-SHA1 slots (eg. OTP) are incorrectly recognized as locked HMAC-SHA1 slots.612Due to this conundrum, we exclude "locked" keys from the key enumeration,613but only if the reader is the "virtual yubikey reader device".614This also has the nice side effect of de-duplicating interfaces when a key615Is connected via USB and also accessible via PCSC */616bool wouldBlock = false;617/* When the key is used via NFC, the lock state / time-out is cleared when618the smartcard connection is re-established / the applet is selected619so the next call to performTestChallenge actually clears the lock.620Due to this the key is unlocked, and we display it as such.621When the key times out in the time between the key listing and622the database unlock /save, an interaction request will be displayed. */623for (int slot = 1; slot <= 2; ++slot) {624if (performTestChallenge(&satr, slot, &wouldBlock)) {625auto display =626tr("(NFC) %1 [%2] - Slot %3, %4", "YubiKey display fields")627.arg(name,628QString::number(serial),629QString::number(slot),630wouldBlock ? tr("Press", "USB Challenge-Response Key interaction request")631: tr("Passive", "USB Challenge-Response Key no interaction required"));632foundKeys.insert({serial, slot}, display);633}634}635}636}637}640{643bool ret = false;644SCardAID hCard;645}654{657// Array has to be at least one byte or else the yubikey would interpret everything as padding658auto chall = randomGen()->randomArray(1);659Botan::secure_vector<char> resp;660auto ret = performChallenge(static_cast<SCardAID*>(key), slot, false, chall, resp);661if (ret == YubiKey::ChallengeResult::YCR_SUCCESS || ret == YubiKey::ChallengeResult::YCR_WOULDBLOCK) {662if (wouldBlock) {663*wouldBlock = ret == YubiKey::ChallengeResult::YCR_WOULDBLOCK;664}665return true;666}667return false;668}669{673m_error.clear();674if (!m_initialized) {675m_error = tr("The YubiKey PCSC interface has not been initialized.");676return YubiKey::ChallengeResult::YCR_ERROR;677}678So we wait for the user to re-present it to clear the time-out693This condition usually only happens when the key times out after694the initial key listing, because performTestChallenge implicitly695resets the key (see comment above) */696if (ret == YubiKey::ChallengeResult::YCR_SUCCESS) {697emit challengeCompleted();698return ret;699}700}701}713{720// Always block (i.e. wait for the user to touch the key to the reader)721Q_UNUSED(mayBlock);722* The challenge sent to the Yubikey should always be 64 bytes for732* compatibility with all configurations. Follow PKCS7 padding.733*734* There is some question whether or not 64 bytes fixed length735* configurations even work, some docs say avoid it.736*737* In fact, the Yubikey always assumes the last byte (nr. 64)738* and all bytes of the same value preceding it to be padding.739* This does not conform fully to PKCS7, because the the actual value740* of the padding bytes is ignored.741*/742const int padLen = 64 - paddedChallenge.size();743if (padLen > 0) {744paddedChallenge.append(QByteArray(padLen, padLen));745}746}767