Add basic NFC support

Author: Crote

Cargo.toml

@@ -9,6 +9,8 @@ description = "Library for interacting with CTAP1/2 security keys for Web Authen
 [features]
 binding-recompile = ["bindgen"]
 
+nfc = ["pcsc"]
+
 [target.'cfg(target_os = "linux")'.dependencies]
 libudev = "^0.2"
 
@@ -38,6 +40,7 @@ libc = "0.2"
 boxfnonce = "0.0.3"
 runloop = "0.1.0"
 bitflags = "1.0"
+pcsc = { version = "2", optional = true }
 
 [dev-dependencies]
 sha2 = "^0.8"

src/consts.rs

@@ -76,3 +76,10 @@ pub const SW_NO_ERROR: [u8; 2] = [0x90, 0x00];
 pub const SW_CONDITIONS_NOT_SATISFIED: [u8; 2] = [0x69, 0x85];
 pub const SW_WRONG_DATA: [u8; 2] = [0x6A, 0x80];
 pub const SW_WRONG_LENGTH: [u8; 2] = [0x67, 0x00];
+
+// U2F-over-NFC constants
+pub const U2F_AID: [u8; 8] = [0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01];
+pub const U2F_SELECT_FILE: u8 = 0xA4;
+pub const U2F_SELECT_DIRECT: u8 = 0x04;
+pub const U2F_CONTINUE: u8 = 0xC0;
+pub const U2F_MORE_DATA: u8 = 0x61;

src/hid.rs

@@ -0,0 +1,232 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::io;
+use std::io::{Read, Write};
+use std::cmp;
+use rand::{thread_rng, RngCore};
+
+use platform::device::USBDevice;
+use u2ftypes::*;
+use consts::*;
+use util::{io_err, trace_hex};
+
+// Represents U2F HID Devices. Requires getters/setters for the
+// channel ID, created during device initialization.
+pub struct HIDDevice<'a> {
+    base: &'a mut USBDevice,
+    cid: [u8; 4],
+}
+
+impl<'a> HIDDevice<'a> {
+    pub fn new(base: &'a mut USBDevice) -> HIDDevice<'a> {
+        Self {
+            base,
+            cid: CID_BROADCAST,
+        }
+    }
+
+    pub fn get_cid(&self) -> &[u8; 4] {
+        &self.cid
+    }
+
+    pub fn set_cid(&mut self, cid: [u8; 4]) {
+        self.cid = cid;
+    }
+
+    fn sendrecv(&mut self, cmd: u8, send: &[u8]) -> io::Result<Vec<u8>>
+    {
+        // Send initialization packet.
+        let mut count = U2FHIDInit::write(self, cmd, send)?;
+
+        // Send continuation packets.
+        let mut sequence = 0u8;
+        while count < send.len() {
+            count += U2FHIDCont::write(self, sequence, &send[count..])?;
+            sequence += 1;
+        }
+
+        // Now we read. This happens in 2 chunks: The initial packet, which has the
+        // size we expect overall, then continuation packets, which will fill in
+        // data until we have everything.
+        let mut data = U2FHIDInit::read(self)?;
+
+        let mut sequence = 0u8;
+        while data.len() < data.capacity() {
+            let max = data.capacity() - data.len();
+            data.extend_from_slice(&U2FHIDCont::read(self, sequence, max)?);
+            sequence += 1;
+        }
+
+        Ok(data)
+    }
+}
+
+impl Read for HIDDevice<'_> {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        self.base.read(buf)
+    }
+}
+
+impl Write for HIDDevice<'_> {
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        self.base.write(buf)
+    }
+
+    // USB HID writes don't buffer, so this will be a nop.
+    fn flush(&mut self) -> io::Result<()> {
+        Ok(())
+    }
+}
+
+
+impl APDUDevice for HIDDevice<'_> {
+    fn init_apdu(&mut self) -> io::Result<()> {
+        self.base.initialize()?;
+
+        let mut nonce = [0u8; 8];
+        thread_rng().fill_bytes(&mut nonce);
+        assert_eq!(nonce.len(), INIT_NONCE_SIZE);
+        let raw = self.sendrecv(U2FHID_INIT, &nonce)?;
+        self.set_cid(U2FHIDInitResp::read(&raw, &nonce)?);
+
+        Ok(())
+    }
+
+    fn send_apdu(&mut self, cmd: u8, p1: u8, send: &[u8]) -> io::Result<(Vec<u8>, [u8; 2])> {
+        let out = APDU::serialize_long(cmd, p1, send)?;
+        trace_hex("USB send", &out);
+        let ret = self.sendrecv(U2FHID_MSG, &out)?;
+        trace_hex("USB recv", &ret);
+        APDU::deserialize(ret)
+    }
+}
+
+// Init structure for U2F Communications. Tells the receiver what channel
+// communication is happening on, what command is running, and how much data to
+// expect to receive over all.
+//
+// Spec at https://fidoalliance.org/specs/fido-u2f-v1.
+// 0-nfc-bt-amendment-20150514/fido-u2f-hid-protocol.html#message--and-packet-structure
+pub struct U2FHIDInit {}
+
+impl U2FHIDInit {
+    pub fn read(dev: &mut HIDDevice) -> io::Result<Vec<u8>>
+    {
+        let mut frame = [0u8; HID_RPT_SIZE];
+        let mut count = dev.read(&mut frame)?;
+
+        while dev.get_cid() != &frame[..4] {
+            count = dev.read(&mut frame)?;
+        }
+
+        if count != HID_RPT_SIZE {
+            return Err(io_err("invalid init packet"));
+        }
+
+        let cap = (frame[5] as usize) << 8 | (frame[6] as usize);
+        let mut data = Vec::with_capacity(cap);
+
+        let len = cmp::min(cap, INIT_DATA_SIZE);
+        data.extend_from_slice(&frame[7..7 + len]);
+
+        Ok(data)
+    }
+
+    pub fn write(dev: &mut HIDDevice, cmd: u8, data: &[u8]) -> io::Result<usize>
+    {
+        if data.len() > 0xffff {
+            return Err(io_err("payload length > 2^16"));
+        }
+
+        let mut frame = [0; HID_RPT_SIZE + 1];
+        frame[1..5].copy_from_slice(dev.get_cid());
+        frame[5] = cmd;
+        frame[6] = (data.len() >> 8) as u8;
+        frame[7] = data.len() as u8;
+
+        let count = cmp::min(data.len(), INIT_DATA_SIZE);
+        frame[8..8 + count].copy_from_slice(&data[..count]);
+
+        if dev.write(&frame)? != frame.len() {
+            return Err(io_err("device write failed"));
+        }
+
+        Ok(count)
+    }
+}
+
+// Continuation structure for U2F Communications. After an Init structure is
+// sent, continuation structures are used to transmit all extra data that
+// wouldn't fit in the initial packet. The sequence number increases with every
+// packet, until all data is received.
+//
+// https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-hid-protocol.
+// html#message--and-packet-structure
+pub struct U2FHIDCont {}
+
+impl U2FHIDCont {
+    pub fn read(dev: &mut HIDDevice, seq: u8, max: usize) -> io::Result<Vec<u8>>
+    {
+        let mut frame = [0u8; HID_RPT_SIZE];
+        let mut count = dev.read(&mut frame)?;
+
+        while dev.get_cid() != &frame[..4] {
+            count = dev.read(&mut frame)?;
+        }
+
+        if count != HID_RPT_SIZE {
+            return Err(io_err("invalid cont packet"));
+        }
+
+        if seq != frame[4] {
+            return Err(io_err("invalid sequence number"));
+        }
+
+        let max = cmp::min(max, CONT_DATA_SIZE);
+        Ok(frame[5..5 + max].to_vec())
+    }
+
+    pub fn write(dev: &mut HIDDevice, seq: u8, data: &[u8]) -> io::Result<usize>
+    {
+        let mut frame = [0; HID_RPT_SIZE + 1];
+        frame[1..5].copy_from_slice(dev.get_cid());
+        frame[5] = seq;
+
+        let count = cmp::min(data.len(), CONT_DATA_SIZE);
+        frame[6..6 + count].copy_from_slice(&data[..count]);
+
+        if dev.write(&frame)? != frame.len() {
+            return Err(io_err("device write failed"));
+        }
+
+        Ok(count)
+    }
+}
+
+// Reply sent after initialization command. Contains information about U2F USB
+// Key versioning, as well as the communication channel to be used for all
+// further requests.
+//
+// https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-hid-protocol.
+// html#u2fhid_init
+pub struct U2FHIDInitResp {}
+
+impl U2FHIDInitResp {
+    pub fn read(data: &[u8], nonce: &[u8]) -> io::Result<[u8; 4]> {
+        assert_eq!(nonce.len(), INIT_NONCE_SIZE);
+
+        if data.len() != INIT_NONCE_SIZE + 9 {
+            return Err(io_err("invalid init response"));
+        }
+
+        if nonce != &data[..INIT_NONCE_SIZE] {
+            return Err(io_err("invalid nonce"));
+        }
+
+        let mut cid = [0u8; 4];
+        cid.copy_from_slice(&data[INIT_NONCE_SIZE..INIT_NONCE_SIZE + 4]);
+        Ok(cid)
+    }
+}

src/lib.rs

@@ -11,10 +11,17 @@ pub mod hidproto;
 #[cfg(any(target_os = "linux"))]
 extern crate libudev;
 
-#[cfg(any(target_os = "linux"))]
+#[cfg(all(any(target_os = "linux"), not(feature = "nfc")))]
 #[path = "linux/mod.rs"]
 pub mod platform;
 
+#[cfg(feature = "nfc")]
+#[path = "nfc/mod.rs"]
+pub mod platform;
+
+#[cfg(feature = "nfc")]
+extern crate pcsc;
+
 #[cfg(any(target_os = "freebsd"))]
 extern crate devd_rs;
 
@@ -61,6 +68,8 @@ mod consts;
 mod statemachine;
 mod u2fprotocol;
 mod u2ftypes;
+#[cfg(not(feature = "nfc"))]
+mod hid;
 
 mod manager;
 pub use manager::U2FManager;

src/linux/device.rs

@@ -9,57 +9,58 @@ use std::io;
 use std::io::{Read, Write};
 use std::os::unix::prelude::*;
 
-use consts::CID_BROADCAST;
 use platform::hidraw;
-use u2ftypes::U2FDevice;
 use util::from_unix_result;
+use util::io_err;
 
 #[derive(Debug)]
-pub struct Device {
+pub struct USBDevice {
     path: OsString,
     fd: libc::c_int,
-    cid: [u8; 4],
 }
 
-impl Device {
+impl USBDevice {
     pub fn new(path: OsString) -> io::Result<Self> {
         let cstr = CString::new(path.as_bytes())?;
         let fd = unsafe { libc::open(cstr.as_ptr(), libc::O_RDWR) };
         let fd = from_unix_result(fd)?;
         Ok(Self {
             path,
             fd,
-            cid: CID_BROADCAST,
         })
     }
 
-    pub fn is_u2f(&self) -> bool {
-        hidraw::is_u2f_device(self.fd)
+    pub fn initialize(&self) -> io::Result<()> {
+        if hidraw::is_u2f_device(self.fd) {
+            Ok(())
+        } else {
+            Err(io_err("not a u2f device"))
+        }
     }
 }
 
-impl Drop for Device {
+impl Drop for USBDevice {
     fn drop(&mut self) {
         // Close the fd, ignore any errors.
         let _ = unsafe { libc::close(self.fd) };
     }
 }
 
-impl PartialEq for Device {
-    fn eq(&self, other: &Device) -> bool {
+impl PartialEq for USBDevice {
+    fn eq(&self, other: &USBDevice) -> bool {
         self.path == other.path
     }
 }
 
-impl Read for Device {
+impl Read for USBDevice {
     fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
         let bufp = buf.as_mut_ptr() as *mut libc::c_void;
         let rv = unsafe { libc::read(self.fd, bufp, buf.len()) };
         from_unix_result(rv as usize)
     }
 }
 
-impl Write for Device {
+impl Write for USBDevice {
     fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
         let bufp = buf.as_ptr() as *const libc::c_void;
         let rv = unsafe { libc::write(self.fd, bufp, buf.len()) };
@@ -71,13 +72,3 @@ impl Write for Device {
         Ok(())
     }
 }
-
-impl U2FDevice for Device {
-    fn get_cid(&self) -> &[u8; 4] {
-        &self.cid
-    }
-
-    fn set_cid(&mut self, cid: [u8; 4]) {
-        self.cid = cid;
-    }
-}