Add NFC support

Author: Crote

Cargo.toml

@@ -16,6 +16,8 @@ maintenance = { status = "actively-developed" }
 [features]
 binding-recompile = ["bindgen"]
 
+nfc = ["pcsc"]
+
 [target.'cfg(target_os = "linux")'.dependencies]
 libudev = "^0.2"
 
@@ -44,6 +46,7 @@ log = "0.4"
 libc = "0.2"
 runloop = "0.1.0"
 bitflags = "1.0"
+pcsc = { version = "2", optional = true }
 
 [dev-dependencies]
 sha2 = "^0.8.2"

examples/main.rs

@@ -39,7 +39,9 @@ fn main() {
     let program = args[0].clone();
 
     let mut opts = Options::new();
-    opts.optflag("x", "no-u2f-usb-hid", "do not enable u2f-usb-hid platforms");
+    opts.optflag("u", "no-usb", "do not enable u2f-usb-hid platforms");
+    #[cfg(feature = "nfc")]
+    opts.optflag("n", "no-nfc", "do not enable u2f-nfc platform");
 
     opts.optflag("h", "help", "print this help menu");
     let matches = match opts.parse(&args[1..]) {
@@ -54,10 +56,15 @@ fn main() {
     let mut manager =
         AuthenticatorService::new().expect("The auth service should initialize safely");
 
-    if !matches.opt_present("no-u2f-usb-hid") {
+    if !matches.opt_present("no-usb") {
         manager.add_u2f_usb_hid_platform_transports();
     }
 
+    #[cfg(feature = "nfc")]
+    if !matches.opt_present("no-nfc") {
+        manager.add_u2f_nfc_transports();
+    }
+
     println!("Asking a security key to register now...");
     let challenge_str = format!(
         "{}{}",

src/authenticatorservice.rs

@@ -70,6 +70,9 @@ impl AuthenticatorService {
     /// Add any detected platform transports
     pub fn add_detected_transports(&mut self) {
         self.add_u2f_usb_hid_platform_transports();
+
+        #[cfg(feature = "nfc")]
+        self.add_u2f_nfc_transports();
     }
 
     fn add_transport(&mut self, boxed_token: Box<dyn AuthenticatorTransport + Send>) {
@@ -83,6 +86,11 @@ impl AuthenticatorService {
         }
     }
 
+    #[cfg(feature = "nfc")]
+    pub fn add_u2f_nfc_transports(&mut self) {
+        self.add_transport(Box::new(crate::NFCManager::new()));
+    }
+
     pub fn register(
         &mut self,
         flags: crate::RegisterFlags,

src/consts.rs

@@ -78,3 +78,12 @@ pub const SW_NO_ERROR: [u8; 2] = [0x90, 0x00];
 pub const SW_CONDITIONS_NOT_SATISFIED: [u8; 2] = [0x69, 0x85];
 pub const SW_WRONG_DATA: [u8; 2] = [0x6A, 0x80];
 pub const SW_WRONG_LENGTH: [u8; 2] = [0x67, 0x00];
+
+// U2F-over-NFC constants
+// TODO: naming, some are also ISO 7816-4 ??
+// The're mostly APDU-specific?
+pub const U2F_AID: [u8; 8] = [0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01];
+pub const U2F_SELECT_FILE: u8 = 0xA4;
+pub const U2F_SELECT_DIRECT: u8 = 0x04;
+pub const U2F_GET_RESPONSE: u8 = 0xC0;
+pub const U2F_MORE_DATA: u8 = 0x61;

src/lib.rs

@@ -52,6 +52,13 @@ pub mod platform;
 #[path = "stub/mod.rs"]
 pub mod platform;
 
+#[cfg(feature = "nfc")]
+extern crate pcsc;
+#[cfg(feature = "nfc")]
+mod nfc;
+#[cfg(feature = "nfc")]
+pub use crate::nfc::NFCManager;
+
 extern crate libc;
 #[macro_use]
 extern crate log;

src/nfc.rs

@@ -0,0 +1,276 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::io;
+use std::sync::mpsc::Sender;
+use pcsc::*;
+use std::ffi::CString;
+use runloop::RunLoop;
+use std::collections::HashMap;
+use std::option::Option;
+use std::thread;
+use std::time::Duration;
+use std::sync::{Mutex, Arc};
+
+use crate::consts::*;
+use crate::apdu::*;
+use crate::util::{io_err, trace_hex};
+
+use crate::authenticatorservice::AuthenticatorTransport;
+use crate::statecallback::StateCallback;
+use crate::statemachine::StateMachine;
+use crate::u2ftypes::{U2FInfoQueryable, U2FDeviceInfo};
+
+fn sendrecv(card: &mut Card, send: &[u8]) -> io::Result<Vec<u8>>
+{
+    trace_hex("NFC send", send);
+    let mut rapdu_buf = [0; MAX_BUFFER_SIZE];
+    match card.transmit(send, &mut rapdu_buf) {
+        Ok(rapdu) => {
+            trace_hex("NFC recv", rapdu);
+            Ok(rapdu.to_vec())
+        },
+        Err(err) => {
+            trace!("NFC error: {}", err);
+            let s = format!("{}", err);
+            Err(io_err(&s))
+        }
+    }
+}
+
+impl APDUDevice for Card {
+    fn init_apdu(&mut self) -> io::Result<()> {
+        let out = APDU::serialize_short(U2F_SELECT_FILE, U2F_SELECT_DIRECT, &U2F_AID)?;
+        let ret = sendrecv(self, &out)?;
+        let (_, status) = APDU::deserialize(ret)?;
+        apdu_status_to_result(status, ())
+    }
+
+    fn send_apdu(&mut self, cmd: u8, p1: u8, send: &[u8]) -> io::Result<(Vec<u8>, [u8; 2])> {
+        // Some devices, such as the Yubikey 4, freak out if an APDU which _would_ fit a short command
+        // is sent as an extended command. This means we must use short, even though that means chaining
+        // the responses together.
+        // The whole response would have fit in an extended reply, but it seems we can't have nice things.
+        let mut data: Vec<u8> = Vec::new();
+
+        let out = APDU::serialize_short(cmd, p1, send)?;
+        let ret = sendrecv(self, &out)?;
+        let (mut more, [s1, s2]) = APDU::deserialize(ret)?;
+        data.append(&mut more);
+
+        if s1 != U2F_MORE_DATA {
+            return Ok((data, [s1, s2]));
+        }
+
+        loop {
+            let out = APDU::serialize_short(U2F_GET_RESPONSE, 0x00, &[])?;
+            let ret = sendrecv(self, &out)?;
+            let (mut more, [s1, s2]) = APDU::deserialize(ret)?;
+            data.append(&mut more);
+            if s1 != U2F_MORE_DATA {
+                return Ok((data, [s1, s2]));
+            }
+        }
+    }
+}
+
+impl U2FInfoQueryable for Card {
+    fn get_device_info(&self) -> U2FDeviceInfo {
+        // TODO: actuall return something sane here!
+        let vendor = String::from("Unknown Vendor");
+        let product = String::from("Unknown Device");
+
+        U2FDeviceInfo {
+            vendor_name: vendor.as_bytes().to_vec(),
+            device_name: product.as_bytes().to_vec(),
+            version_interface: 0,
+            version_major: 0,
+            version_minor: 0,
+            version_build: 0,
+            cap_flags: 0,
+        }
+    }
+}
+
+pub struct NFCManager {
+    run_loop: Option<RunLoop>,
+}
+
+impl NFCManager {
+    fn run<E, F>(&mut self, timeout: u64, fatal_error: E, f: F) -> Result<(), crate::Error>
+    where
+        E: Fn() + Sync + Send + 'static,
+        F: Fn(&mut Card, &dyn Fn() -> bool) + Sync + Send + Clone + 'static,
+    {
+        if self.run_loop.is_some() {
+            return Err(crate::Error::NotAllowed);
+        }
+
+        let ctx = Context::establish(Scope::User)
+        .map_err(|_| crate::Error::Unknown)?;
+
+        let rl = RunLoop::new_with_timeout(move |alive| {
+            let mut child_loops: HashMap<CString, RunLoop> = HashMap::new();
+
+            let mut readers_buf = [0; 2048];
+            // We _could_ insert `ReaderState::new(PNP_NOTIFICATION(), State::UNAWARE)`
+            // to be reminded of reader insertion/removal,
+            // but this is not guaranteed to be supported
+            // and we need to poll anyways.
+            let mut reader_states: Vec<ReaderState> = Vec::new();
+
+            while alive() {
+                // Add new readers.
+                let names = match ctx.list_readers(&mut readers_buf) {
+                    Ok(n) => n,
+                    Err(_) => {
+                        fatal_error();
+                        break; },
+                };
+                for name in names {
+                    if !reader_states.iter().any(|reader| reader.name() == name) {
+                        debug!("Adding reader {:?}", name);
+                        reader_states.push(ReaderState::new(name, State::UNAWARE));
+                    }
+                }
+
+                // Remove dead readers.
+                fn is_dead(reader: &ReaderState) -> bool {
+                    reader.event_state().intersects(State::UNKNOWN | State::IGNORE)
+                }
+                for reader in &reader_states {
+                    if is_dead(reader) {
+                        debug!("Removing reader {:?}", reader.name());
+                    }
+                }
+                reader_states.retain(|reader| !is_dead(reader));
+
+                // Let backend know that we know about the reader state.
+                // Otherwise it will keep trying to update us.
+                for rs in &mut reader_states {
+                    rs.sync_current_state();
+                }
+
+                if reader_states.len() == 0 {
+                    // No readers available. This means that `get_status_change` will return
+                    // immediately without any work, causing a busy-loop.
+                    // Let's wait for a bit and look for a new reader.
+                    thread::sleep(Duration::from_millis(500));
+                    continue;
+                }
+
+                // This call is blocking, so we must give it _some_ timeout in order for
+                // the `alive()` check to work.
+                let timeout = Duration::from_millis(100);
+                if let Err(e) = ctx.get_status_change(timeout, &mut reader_states) {
+                    if e == Error::Timeout {
+                        continue;
+                    }
+                    fatal_error();
+                    break;
+                }
+
+                for reader in &mut reader_states {
+                    let state = reader.event_state();
+                    let name = CString::from(reader.name());
+
+                    trace!("Reader {:?}: state {:?}", name, state);
+
+                    // TODO: this will keep spamming yubikeys with usb auth attempts???
+                    // probably not harmful, but is there a way to avoid it?
+                    if state.contains(State::PRESENT) && !state.contains(State::EXCLUSIVE) {
+                        let mut card = match ctx.connect(&name, ShareMode::Shared, Protocols::ANY) {
+                            Ok(card) => card,
+                            _ => continue,
+                        };
+
+                        let my_f = f.clone();
+                        let cl = RunLoop::new(move |alive| {
+                            if alive() {
+                                my_f(&mut card, alive);
+                            }
+                        });
+
+                        if let Ok(x) = cl {
+                            child_loops.insert(name, x);
+                        }
+                    } else {
+                        if let Some(cl) = child_loops.remove(&name) {
+                            cl.cancel();
+                        }
+                    }
+                }
+            }
+
+            for (_, child) in child_loops {
+                child.cancel();
+            }
+        }, timeout)
+        .map_err(|_| crate::Error::Unknown)?;
+        self.run_loop = Some(rl);
+        Ok(())
+    }
+
+    pub fn new() -> Self {
+        Self {
+            run_loop: None,
+        }
+    }
+
+    fn stop(&mut self) {
+        if let Some(rl) = &self.run_loop {
+            rl.cancel();
+            self.run_loop = None;
+        }
+    }
+}
+
+impl Drop for NFCManager {
+    fn drop(&mut self) {
+        self.stop();
+    }
+}
+
+impl AuthenticatorTransport for NFCManager {
+    fn register(
+        &mut self,
+        flags: crate::RegisterFlags,
+        timeout: u64,
+        challenge: Vec<u8>,
+        application: crate::AppId,
+        key_handles: Vec<crate::KeyHandle>,
+        status: Sender<crate::StatusUpdate>,
+        callback: StateCallback<Result<crate::RegisterResult, crate::Error>>,
+    ) -> Result<(), crate::Error> {
+        let status_mutex = Arc::new(Mutex::new(status));
+        let cbc = callback.clone();
+        let err = move || { cbc.call(Err(crate::Error::Unknown)) };
+        self.run(timeout, err, move |card, alive| {
+            StateMachine::register(card, flags, &challenge, &application, &key_handles, &status_mutex, &callback, alive);
+        })
+    }
+
+    fn sign(
+        &mut self,
+        flags: crate::SignFlags,
+        timeout: u64,
+        challenge: Vec<u8>,
+        app_ids: Vec<crate::AppId>,
+        key_handles: Vec<crate::KeyHandle>,
+        status: Sender<crate::StatusUpdate>,
+        callback: StateCallback<Result<crate::SignResult, crate::Error>>,
+    ) -> Result<(), crate::Error> {
+        let status_mutex = Arc::new(Mutex::new(status));
+        let cbc = callback.clone();
+        let err = move || { cbc.call(Err(crate::Error::Unknown)) };
+        self.run(timeout, err, move |card, alive| {
+            StateMachine::sign(card, flags, &challenge, &app_ids, &key_handles, &status_mutex, &callback, alive);
+        })
+    }
+
+    fn cancel(&mut self) -> Result<(), crate::Error> {
+        self.stop();
+        Ok(())
+    }
+}

src/statemachine.rs

@@ -15,7 +15,7 @@ use std::thread;
 use std::time::Duration;
 
 fn is_valid_transport(transports: crate::AuthenticatorTransports) -> bool {
-    transports.is_empty() || transports.contains(crate::AuthenticatorTransports::USB)
+    transports.is_empty() || transports.intersects(crate::AuthenticatorTransports::USB | crate::AuthenticatorTransports::NFC)
 }
 
 fn find_valid_key_handles<'a, F>(