/* * U2F USB Passthru device. * * Copyright (c) 2020 César Belley <cesar.belley@lse.epita.fr> * Written by César Belley <cesar.belley@lse.epita.fr> * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ #include "qemu/osdep.h" #include "qemu/module.h" #include "qemu/main-loop.h" #include "qemu/error-report.h" #include "qapi/error.h" #include "hw/qdev-properties.h" #include "hw/usb.h" #include "migration/vmstate.h" #include "u2f.h" #ifdef CONFIG_LIBUDEV #include <libudev.h> #endif #include <linux/hidraw.h> #include <sys/ioctl.h> #define NONCE_SIZE 8 #define BROADCAST_CID 0xFFFFFFFF #define TRANSACTION_TIMEOUT 120000 struct transaction { uint32_t cid; uint16_t resp_bcnt; uint16_t resp_size; /* Nonce for broadcast isolation */ uint8_t nonce[NONCE_SIZE]; }; typedef struct U2FPassthruState U2FPassthruState; #define CURRENT_TRANSACTIONS_NUM 4 struct U2FPassthruState { U2FKeyState base; /* Host device */ char *hidraw; int hidraw_fd; /* Current Transactions */ struct transaction current_transactions[CURRENT_TRANSACTIONS_NUM]; uint8_t current_transactions_start; uint8_t current_transactions_end; uint8_t current_transactions_num; /* Transaction time checking */ int64_t last_transaction_time; QEMUTimer timer; }; #define TYPE_U2F_PASSTHRU "u2f-passthru" #define PASSTHRU_U2F_KEY(obj) \ OBJECT_CHECK(U2FPassthruState, (obj), TYPE_U2F_PASSTHRU) /* Init packet sizes */ #define PACKET_INIT_HEADER_SIZE 7 #define PACKET_INIT_DATA_SIZE (U2FHID_PACKET_SIZE - PACKET_INIT_HEADER_SIZE) /* Cont packet sizes */ #define PACKET_CONT_HEADER_SIZE 5 #define PACKET_CONT_DATA_SIZE (U2FHID_PACKET_SIZE - PACKET_CONT_HEADER_SIZE) struct packet_init { uint32_t cid; uint8_t cmd; uint8_t bcnth; uint8_t bcntl; uint8_t data[PACKET_INIT_DATA_SIZE]; } QEMU_PACKED; static inline uint32_t packet_get_cid(const void *packet) { return *((uint32_t *)packet); } static inline bool packet_is_init(const void *packet) { return ((uint8_t *)packet)[4] & (1 << 7); } static inline uint16_t packet_init_get_bcnt( const struct packet_init *packet_init) { uint16_t bcnt = 0; bcnt |= packet_init->bcnth << 8; bcnt |= packet_init->bcntl; return bcnt; } static void u2f_passthru_reset(U2FPassthruState *key) { timer_del(&key->timer); qemu_set_fd_handler(key->hidraw_fd, NULL, NULL, key); key->last_transaction_time = 0; key->current_transactions_start = 0; key->current_transactions_end = 0; key->current_transactions_num = 0; } static void u2f_timeout_check(void *opaque) { U2FPassthruState *key = opaque; int64_t time = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); if (time > key->last_transaction_time + TRANSACTION_TIMEOUT) { u2f_passthru_reset(key); } else { timer_mod(&key->timer, time + TRANSACTION_TIMEOUT / 4); } } static int u2f_transaction_get_index(U2FPassthruState *key, uint32_t cid) { for (int i = 0; i < key->current_transactions_num; ++i) { int index = (key->current_transactions_start + i) % CURRENT_TRANSACTIONS_NUM; if (cid == key->current_transactions[index].cid) { return index; } } return -1; } static struct transaction *u2f_transaction_get(U2FPassthruState *key, uint32_t cid) { int index = u2f_transaction_get_index(key, cid); if (index < 0) { return NULL; } return &key->current_transactions[index]; } static struct transaction *u2f_transaction_get_from_nonce(U2FPassthruState *key, const uint8_t nonce[NONCE_SIZE]) { for (int i = 0; i < key->current_transactions_num; ++i) { int index = (key->current_transactions_start + i) % CURRENT_TRANSACTIONS_NUM; if (key->current_transactions[index].cid == BROADCAST_CID && memcmp(nonce, key->current_transactions[index].nonce, NONCE_SIZE) == 0) { return &key->current_transactions[index]; } } return NULL; } static void u2f_transaction_close(U2FPassthruState *key, uint32_t cid) { int index, next_index; index = u2f_transaction_get_index(key, cid); if (index < 0) { return; } next_index = (index + 1) % CURRENT_TRANSACTIONS_NUM; /* Rearrange to ensure the oldest is at the start position */ while (next_index != key->current_transactions_end) { memcpy(&key->current_transactions[index], &key->current_transactions[next_index], sizeof(struct transaction)); index = next_index; next_index = (index + 1) % CURRENT_TRANSACTIONS_NUM; } key->current_transactions_end = index; --key->current_transactions_num; if (key->current_transactions_num == 0) { u2f_passthru_reset(key); } } static void u2f_transaction_add(U2FPassthruState *key, uint32_t cid, const uint8_t nonce[NONCE_SIZE]) { uint8_t index; struct transaction *transaction; if (key->current_transactions_num >= CURRENT_TRANSACTIONS_NUM) { /* Close the oldest transaction */ index = key->current_transactions_start; transaction = &key->current_transactions[index]; u2f_transaction_close(key, transaction->cid); } /* Index */ index = key->current_transactions_end; key->current_transactions_end = (index + 1) % CURRENT_TRANSACTIONS_NUM; ++key->current_transactions_num; /* Transaction */ transaction = &key->current_transactions[index]; transaction->cid = cid; transaction->resp_bcnt = 0; transaction->resp_size = 0; /* Nonce */ if (nonce != NULL) { memcpy(transaction->nonce, nonce, NONCE_SIZE); } } static void u2f_passthru_read(void *opaque); static void u2f_transaction_start(U2FPassthruState *key, const struct packet_init *packet_init) { int64_t time; /* Transaction */ if (packet_init->cid == BROADCAST_CID) { u2f_transaction_add(key, packet_init->cid, packet_init->data); } else { u2f_transaction_add(key, packet_init->cid, NULL); } /* Time */ time = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); if (key->last_transaction_time == 0) { qemu_set_fd_handler(key->hidraw_fd, u2f_passthru_read, NULL, key); timer_init_ms(&key->timer, QEMU_CLOCK_VIRTUAL, u2f_timeout_check, key); timer_mod(&key->timer, time + TRANSACTION_TIMEOUT / 4); } key->last_transaction_time = time; } static void u2f_passthru_recv_from_host(U2FPassthruState *key, const uint8_t packet[U2FHID_PACKET_SIZE]) { struct transaction *transaction; uint32_t cid; /* Retrieve transaction */ cid = packet_get_cid(packet); if (cid == BROADCAST_CID) { struct packet_init *packet_init; if (!packet_is_init(packet)) { return; } packet_init = (struct packet_init *)packet; transaction = u2f_transaction_get_from_nonce(key, packet_init->data); } else { transaction = u2f_transaction_get(key, cid); } /* Ignore no started transaction */ if (transaction == NULL) { return; } if (packet_is_init(packet)) { struct packet_init *packet_init = (struct packet_init *)packet; transaction->resp_bcnt = packet_init_get_bcnt(packet_init); transaction->resp_size = PACKET_INIT_DATA_SIZE; if (packet_init->cid == BROADCAST_CID) { /* Nonce checking for legitimate response */ if (memcmp(transaction->nonce, packet_init->data, NONCE_SIZE) != 0) { return; } } } else { transaction->resp_size += PACKET_CONT_DATA_SIZE; } /* Transaction end check */ if (transaction->resp_size >= transaction->resp_bcnt) { u2f_transaction_close(key, cid); } u2f_send_to_guest(&key->base, packet); } static void u2f_passthru_read(void *opaque) { U2FPassthruState *key = opaque; U2FKeyState *base = &key->base; uint8_t packet[2 * U2FHID_PACKET_SIZE]; int ret; /* Full size base queue check */ if (base->pending_in_num >= U2FHID_PENDING_IN_NUM) { return; } ret = read(key->hidraw_fd, packet, sizeof(packet)); if (ret < 0) { /* Detach */ if (base->dev.attached) { usb_device_detach(&base->dev); u2f_passthru_reset(key); } return; } if (ret != U2FHID_PACKET_SIZE) { return; } u2f_passthru_recv_from_host(key, packet); } static void u2f_passthru_recv_from_guest(U2FKeyState *base, const uint8_t packet[U2FHID_PACKET_SIZE]) { U2FPassthruState *key = PASSTHRU_U2F_KEY(base); uint8_t host_packet[U2FHID_PACKET_SIZE + 1]; ssize_t written; if (packet_is_init(packet)) { u2f_transaction_start(key, (struct packet_init *)packet); } host_packet[0] = 0; memcpy(host_packet + 1, packet, U2FHID_PACKET_SIZE); written = write(key->hidraw_fd, host_packet, sizeof(host_packet)); if (written != sizeof(host_packet)) { error_report("%s: Bad written size (req 0x%zu, val 0x%zd)", TYPE_U2F_PASSTHRU, sizeof(host_packet), written); } } static bool u2f_passthru_is_u2f_device(int fd) { int ret, rdesc_size; struct hidraw_report_descriptor rdesc; const uint8_t u2f_hid_report_desc_header[] = { 0x06, 0xd0, 0xf1, /* Usage Page (FIDO) */ 0x09, 0x01, /* Usage (FIDO) */ }; /* Get report descriptor size */ ret = ioctl(fd, HIDIOCGRDESCSIZE, &rdesc_size); if (ret < 0 || rdesc_size < sizeof(u2f_hid_report_desc_header)) { return false; } /* Get report descriptor */ memset(&rdesc, 0x0, sizeof(rdesc)); rdesc.size = rdesc_size; ret = ioctl(fd, HIDIOCGRDESC, &rdesc); if (ret < 0) { return false; } /* Header bytes cover specific U2F rdesc values */ return memcmp(u2f_hid_report_desc_header, rdesc.value, sizeof(u2f_hid_report_desc_header)) == 0; } #ifdef CONFIG_LIBUDEV static int u2f_passthru_open_from_device(struct udev_device *device) { const char *devnode = udev_device_get_devnode(device); int fd = qemu_open_old(devnode, O_RDWR); if (fd < 0) { return -1; } else if (!u2f_passthru_is_u2f_device(fd)) { qemu_close(fd); return -1; } return fd; } static int u2f_passthru_open_from_enumerate(struct udev *udev, struct udev_enumerate *enumerate) { struct udev_list_entry *devices, *entry; int ret, fd; ret = udev_enumerate_scan_devices(enumerate); if (ret < 0) { return -1; } devices = udev_enumerate_get_list_entry(enumerate); udev_list_entry_foreach(entry, devices) { struct udev_device *device; const char *syspath = udev_list_entry_get_name(entry); if (syspath == NULL) { continue; } device = udev_device_new_from_syspath(udev, syspath); if (device == NULL) { continue; } fd = u2f_passthru_open_from_device(device); udev_device_unref(device); if (fd >= 0) { return fd; } } return -1; } static int u2f_passthru_open_from_scan(void) { struct udev *udev; struct udev_enumerate *enumerate; int ret, fd = -1; udev = udev_new(); if (udev == NULL) { return -1; } enumerate = udev_enumerate_new(udev); if (enumerate == NULL) { udev_unref(udev); return -1; } ret = udev_enumerate_add_match_subsystem(enumerate, "hidraw"); if (ret >= 0) { fd = u2f_passthru_open_from_enumerate(udev, enumerate); } udev_enumerate_unref(enumerate); udev_unref(udev); return fd; } #endif static void u2f_passthru_unrealize(U2FKeyState *base) { U2FPassthruState *key = PASSTHRU_U2F_KEY(base); u2f_passthru_reset(key); qemu_close(key->hidraw_fd); } static void u2f_passthru_realize(U2FKeyState *base, Error **errp) { U2FPassthruState *key = PASSTHRU_U2F_KEY(base); int fd; if (key->hidraw == NULL) { #ifdef CONFIG_LIBUDEV fd = u2f_passthru_open_from_scan(); if (fd < 0) { error_setg(errp, "%s: Failed to find a U2F USB device", TYPE_U2F_PASSTHRU); return; } #else error_setg(errp, "%s: Missing hidraw", TYPE_U2F_PASSTHRU); return; #endif } else { fd = qemu_open_old(key->hidraw, O_RDWR); if (fd < 0) { error_setg(errp, "%s: Failed to open %s", TYPE_U2F_PASSTHRU, key->hidraw); return; } if (!u2f_passthru_is_u2f_device(fd)) { qemu_close(fd); error_setg(errp, "%s: Passed hidraw does not represent " "a U2F HID device", TYPE_U2F_PASSTHRU); return; } } key->hidraw_fd = fd; u2f_passthru_reset(key); } static int u2f_passthru_post_load(void *opaque, int version_id) { U2FPassthruState *key = opaque; u2f_passthru_reset(key); return 0; } static const VMStateDescription u2f_passthru_vmstate = { .name = "u2f-key-passthru", .version_id = 1, .minimum_version_id = 1, .post_load = u2f_passthru_post_load, .fields = (const VMStateField[]) { VMSTATE_U2F_KEY(base, U2FPassthruState), VMSTATE_END_OF_LIST() } }; static Property u2f_passthru_properties[] = { DEFINE_PROP_STRING("hidraw", U2FPassthruState, hidraw), DEFINE_PROP_END_OF_LIST(), }; static void u2f_passthru_class_init(ObjectClass *klass, void *data) { DeviceClass *dc = DEVICE_CLASS(klass); U2FKeyClass *kc = U2F_KEY_CLASS(klass); kc->realize = u2f_passthru_realize; kc->unrealize = u2f_passthru_unrealize; kc->recv_from_guest = u2f_passthru_recv_from_guest; dc->desc = "QEMU U2F passthrough key"; dc->vmsd = &u2f_passthru_vmstate; device_class_set_props(dc, u2f_passthru_properties); set_bit(DEVICE_CATEGORY_MISC, dc->categories); } static const TypeInfo u2f_key_passthru_info = { .name = TYPE_U2F_PASSTHRU, .parent = TYPE_U2F_KEY, .instance_size = sizeof(U2FPassthruState), .class_init = u2f_passthru_class_init }; static void u2f_key_passthru_register_types(void) { type_register_static(&u2f_key_passthru_info); } type_init(u2f_key_passthru_register_types)