authtok: add support for decrypting an auth token

Makefile.am

@@ -26,6 +26,7 @@ libmodule_la_SOURCES += drop_privs.h
 libmodule_la_SOURCES += expand.c
 libmodule_la_SOURCES += explicit_bzero.c
 libmodule_la_SOURCES += util.c util.h
+libmodule_la_SOURCES += authtok.c authtok.h
 libmodule_la_LIBADD = -lpam $(LIBFIDO2_LIBS) $(LIBCRYPTO_LIBS)
 
 pampluginexecdir = $(PAMDIR)

authtok.c

@@ -0,0 +1,257 @@
+#include <string.h>
+#include <fido.h>
+#include <openssl/evp.h>
+
+#include "authtok.h"
+#include "b64.h"
+
+static int
+encrypt_authtok(const unsigned char *plaintext, size_t plaintext_len,
+                const unsigned char *key, /* 32 bytes */
+                unsigned char *tag,       /* 16 bytes */
+                unsigned char *ciphertext /* equal to plaintext_len */
+) {
+  EVP_CIPHER_CTX *ctx = NULL;
+  int len;
+  int retval = 0;
+  unsigned char iv[12] = {0};
+
+  if (!(ctx = EVP_CIPHER_CTX_new())) {
+    goto err;
+  }
+  if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv)) {
+    goto err;
+  }
+  if (plaintext_len > INT_MAX) {
+    goto err;
+  }
+  if (!EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext,
+                         (int) plaintext_len)) {
+    goto err;
+  }
+  if (!EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) {
+    goto err;
+  }
+  if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, (void *) tag)) {
+    goto err;
+  }
+  retval = 1;
+
+err:
+  EVP_CIPHER_CTX_free(ctx);
+  return retval;
+}
+
+static int
+decrypt_authtok(const unsigned char *ciphertext, size_t ciphertext_len,
+                const unsigned char *key, /* 32 bytes */
+                const unsigned char *tag, /* 16 bytes */
+                unsigned char *plaintext  /* equal to ciphertext_len */
+) {
+  EVP_CIPHER_CTX *ctx = NULL;
+  int len;
+  int retval = 0;
+  unsigned char iv[12] = {0};
+
+  if (!(ctx = EVP_CIPHER_CTX_new())) {
+    goto err;
+  }
+  if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv)) {
+    goto err;
+  }
+  if (ciphertext_len > INT_MAX) {
+    goto err;
+  }
+  if (!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext,
+                         (int) ciphertext_len)) {
+    goto err;
+  }
+  if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, (void *) tag)) {
+    goto err;
+  }
+  if (!EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) {
+    goto err;
+  }
+  retval = 1;
+
+err:
+  EVP_CIPHER_CTX_free(ctx);
+  return retval;
+}
+
+int get_authtok(const fido_assert_t *assert, const char *enc_authtok,
+                char **authtok, size_t *authtok_len) {
+  unsigned char *buf = NULL;
+  size_t buf_len;
+  const unsigned char *key;
+  int ok = 0;
+
+  *authtok = NULL;
+
+  if (!b64_decode(enc_authtok, (void **) &buf, &buf_len) ||
+      buf_len <= HMAC_SALT_SIZE + AEAD_TAG_SIZE) {
+    goto err;
+  }
+
+  if (fido_assert_count(assert) != 1) {
+    goto err;
+  }
+
+  if ((key = fido_assert_hmac_secret_ptr(assert, 0)) == NULL) {
+    goto err;
+  }
+  if (fido_assert_hmac_secret_len(assert, 0) != HMAC_SECRET_SIZE) {
+    goto err;
+  }
+
+  *authtok_len = buf_len - HMAC_SALT_SIZE - AEAD_TAG_SIZE;
+  if (!(*authtok = malloc(*authtok_len + 1))) {
+    goto err;
+  }
+  if (!decrypt_authtok(buf + HMAC_SALT_SIZE,
+                       buf_len - HMAC_SALT_SIZE - AEAD_TAG_SIZE, key,
+                       buf + buf_len - AEAD_TAG_SIZE,
+                       (unsigned char *) *authtok)) {
+    goto err;
+  }
+  (*authtok)[*authtok_len] = '\0';
+
+  ok = 1;
+
+err:
+  free(buf);
+  if (!ok) {
+    if (*authtok) {
+      explicit_bzero(*authtok, *authtok_len);
+      free(*authtok);
+      *authtok = NULL;
+      *authtok_len = 0;
+    }
+  }
+  return ok;
+}
+
+static int get_hmac_secret(fido_dev_t *dev, fido_cred_t *cred, fido_opt_t uv,
+                           const char *pin, const unsigned char *salt,
+                           unsigned char *secret) {
+  fido_assert_t *assert = NULL;
+  unsigned char cdh[32];
+  const unsigned char *kh = NULL;
+  const unsigned char *hmac_secret;
+  size_t kh_len;
+  size_t hmac_secret_len;
+  const char *id;
+  int retval = 0;
+
+  if (!random_bytes(cdh, sizeof(cdh))) {
+    goto err;
+  }
+
+  if ((assert = fido_assert_new()) == NULL) {
+    goto err;
+  }
+
+  if (!(id = fido_cred_rp_id(cred))) {
+    goto err;
+  }
+
+  if (fido_assert_set_rp(assert, id) != FIDO_OK) {
+    goto err;
+  }
+
+  if ((kh = fido_cred_id_ptr(cred)) == NULL) {
+    goto err;
+  }
+
+  if ((kh_len = fido_cred_id_len(cred)) == 0) {
+    goto err;
+  }
+
+  if (fido_assert_allow_cred(assert, kh, kh_len) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_assert_set_clientdata_hash(assert, cdh, 32) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_assert_set_uv(assert, uv) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_assert_set_extensions(assert, FIDO_EXT_HMAC_SECRET) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_assert_set_hmac_salt(assert, salt, HMAC_SALT_SIZE) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_dev_get_assert(dev, assert, pin) != FIDO_OK) {
+    goto err;
+  }
+
+  if (fido_assert_count(assert) != 1) {
+    goto err;
+  }
+
+  if (fido_assert_verify(assert, 0, fido_cred_type(cred),
+                         fido_cred_pubkey_ptr(cred)) != FIDO_OK) {
+    goto err;
+  }
+
+  if ((hmac_secret = fido_assert_hmac_secret_ptr(assert, 0)) == NULL) {
+    goto err;
+  }
+
+  if ((hmac_secret_len = fido_assert_hmac_secret_len(assert, 0)) !=
+      HMAC_SECRET_SIZE) {
+    goto err;
+  }
+
+  memcpy(secret, hmac_secret, hmac_secret_len);
+  retval = 1;
+
+err:
+  fido_assert_free(&assert);
+  return retval;
+}
+
+int generate_encrypted_authtok(fido_dev_t *dev, fido_cred_t *cred,
+                               const char *authtok, fido_opt_t uv,
+                               const char *pin, unsigned char **enc_authtok,
+                               size_t *enc_authtok_len) {
+  size_t authtok_len;
+  unsigned char key[32];
+  int ok = 0;
+
+  authtok_len = strlen(authtok);
+  *enc_authtok_len = HMAC_SALT_SIZE + authtok_len + AEAD_TAG_SIZE;
+  if ((*enc_authtok = malloc(*enc_authtok_len)) == NULL) {
+    goto err;
+  }
+  if (!random_bytes(*enc_authtok, HMAC_SALT_SIZE)) {
+    goto err;
+  }
+  if (!get_hmac_secret(dev, cred, uv, pin, *enc_authtok, key)) {
+    goto err;
+  }
+  if (!encrypt_authtok((unsigned char *) authtok, authtok_len, key,
+                       *enc_authtok + HMAC_SALT_SIZE + authtok_len,
+                       *enc_authtok + HMAC_SALT_SIZE)) {
+    goto err;
+  }
+  ok = 1;
+
+err:
+  explicit_bzero(key, sizeof(key));
+  if (!ok) {
+    if (*enc_authtok) {
+      explicit_bzero(*enc_authtok, *enc_authtok_len);
+      free(*enc_authtok);
+      *enc_authtok = NULL;
+      *enc_authtok_len = 0;
+    }
+  }
+  return ok;
+}

authtok.h

@@ -0,0 +1,20 @@
+#ifndef AUTHTOK_H
+#define AUTHTOK_H
+
+#include <fido.h>
+
+#include "util.h"
+
+#define HMAC_SALT_SIZE 32
+#define HMAC_SECRET_SIZE 32
+#define AEAD_TAG_SIZE 16
+
+int get_authtok(const fido_assert_t *assert, const char *enc_authtok,
+                char **authtok, size_t *authtok_len);
+
+int generate_encrypted_authtok(fido_dev_t *dev, fido_cred_t *cred,
+                               const char *authtok, fido_opt_t uv,
+                               const char *pin, unsigned char **enc_authtok,
+                               size_t *enc_authtok_len);
+
+#endif /* UTIL_H */

fuzz/fuzz_format_parsers.c

@@ -19,10 +19,12 @@ static void cleanup(device_t *devs, unsigned int n_devs) {
     free(devs[i].publicKey);
     free(devs[i].coseType);
     free(devs[i].attributes);
+    free(devs[i].enc_authtok);
     devs[i].keyHandle = NULL;
     devs[i].publicKey = NULL;
     devs[i].coseType = NULL;
     devs[i].attributes = NULL;
+    devs[i].enc_authtok = NULL;
   }
 }
 

pam-u2f.c

@@ -65,6 +65,8 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
       cfg->nodetect = 1;
     } else if (strcmp(argv[i], "expand") == 0) {
       cfg->expand = 1;
+    } else if (strcmp(argv[i], "allowauthtok") == 0) {
+      cfg->allowauthtok = 1;
     } else if (strncmp(argv[i], "userpresence=", 13) == 0) {
       sscanf(argv[i], "userpresence=%d", &cfg->userpresence);
     } else if (strncmp(argv[i], "userverification=", 17) == 0) {
@@ -111,6 +113,7 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
   debug_dbg(cfg, "alwaysok=%d", cfg->alwaysok);
   debug_dbg(cfg, "sshformat=%d", cfg->sshformat);
   debug_dbg(cfg, "expand=%d", cfg->expand);
+  debug_dbg(cfg, "allowauthtok=%d", cfg->allowauthtok);
   debug_dbg(cfg, "authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)");
   debug_dbg(cfg, "authpending_file=%s",
             cfg->authpending_file ? cfg->authpending_file : "(null)");

pamu2fcfg/Makefile.am

@@ -9,4 +9,5 @@ pamu2fcfg_SOURCES = pamu2fcfg.c
 pamu2fcfg_SOURCES += readpassphrase.c _readpassphrase.h
 pamu2fcfg_SOURCES += strlcpy.c openbsd-compat.h
 pamu2fcfg_SOURCES += ../util.c ../b64.c ../explicit_bzero.c
+pamu2fcfg_SOURCES += ../authtok.c ../authtok.h
 pamu2fcfg_LDADD = $(LIBFIDO2_LIBS) $(LIBCRYPTO_LIBS)