From e96f9c36188008c7f3ab6062f7910514339cccc2 Mon Sep 17 00:00:00 2001
From: Joshua Grisham
Date: Sun, 31 Aug 2025 22:17:52 +0200
Subject: [PATCH] sdcp: Make sure to always set error when failing and use UNTRUSTED error for SDCP failures

---
 libfprint/drivers/egismoc/egismoc.c | 2 +-
 libfprint/fp-sdcp-device-private.h | 1 -
 libfprint/fpi-sdcp-device.c | 25 ++------
 libfprint/fpi-sdcp.c | 99 +++++++++++++++++------
 4 files changed, 66 insertions(+), 61 deletions(-)

diff --git a/libfprint/drivers/egismoc/egismoc.c b/libfprint/drivers/egismoc/egismoc.c
index 8af00ede..173e8a1f 100644
--- a/libfprint/drivers/egismoc/egismoc.c
+++ b/libfprint/drivers/egismoc/egismoc.c
@@ -831,7 +831,7 @@ egismoc_enroll_commit_cb (FpDevice *device,
 rsp_commit_success_suffix,
 rsp_commit_success_suffix_len))
 {
- g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_DATA_INVALID,
+ g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "Enrollment was rejected by the device"));
 fpi_ssm_mark_failed (self->task_ssm, error);
 fpi_sdcp_device_enroll_commit_complete (sdcp_device, error);
diff --git a/libfprint/fp-sdcp-device-private.h b/libfprint/fp-sdcp-device-private.h
index aa29445e..06cb4f0c 100644
--- a/libfprint/fp-sdcp-device-private.h
+++ b/libfprint/fp-sdcp-device-private.h
@@ -36,7 +36,6 @@ void fpi_sdcp_device_get_application_secret (FpSdcpDevice *self,
 GBytes **application_secret);
 void fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
 GBytes *application_secret);
-void fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self);
 
 void fpi_sdcp_device_open (FpSdcpDevice *self);
 void fpi_sdcp_device_connect (FpSdcpDevice *self);
diff --git a/libfprint/fpi-sdcp-device.c b/libfprint/fpi-sdcp-device.c
index 19683f09..e714f288 100644
--- a/libfprint/fpi-sdcp-device.c
+++ b/libfprint/fpi-sdcp-device.c
@@ -196,12 +196,6 @@ fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
 g_object_set (G_OBJECT (self), "sdcp-data", data, NULL);
 }
 
-void
-fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self)
-{
- g_object_set (G_OBJECT (self), "sdcp-data", NULL);
-}
-
 void
 fpi_sdcp_device_open (FpSdcpDevice *self)
 {
@@ -562,7 +556,10 @@ fpi_sdcp_device_connect_complete (FpSdcpDevice *self,
 &application_secret,
 &error))
 {
- fpi_device_open_complete (FP_DEVICE (self), error);
+ fpi_device_open_complete (FP_DEVICE (self),
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP Connect verification failed: %s",
+ error->message));
 return;
 }
 
@@ -729,10 +726,6 @@ fpi_sdcp_device_enroll_commit (FpSdcpDevice *self,
 if (!id || error)
 {
 fp_warn ("Could not generate SDCP enrollment ID");
-
- /* clear potentially non-functioning application_secret */
- fpi_sdcp_device_unset_application_secret (self);
-
 fpi_device_enroll_complete (FP_DEVICE (self), NULL, error);
 g_object_set (print, "fpi-data", NULL, NULL);
 return;
@@ -875,15 +868,7 @@ fpi_sdcp_device_identify_complete (FpSdcpDevice *self,
 if (!fpi_sdcp_verify_identify (application_secret, priv->identify_nonce, id, mac, &error))
 {
 g_clear_pointer (&priv->identify_nonce, g_bytes_unref);
-
- /* clear potentially non-functioning application_secret */
- fpi_sdcp_device_unset_application_secret (self);
-
- fpi_device_action_error (FP_DEVICE (self),
- fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
- "SDCP AuthorizedIdentity verification "
- "failed: %s",
- error->message));
+ fpi_device_action_error (FP_DEVICE (self), error);
 return;
 }
 
diff --git a/libfprint/fpi-sdcp.c b/libfprint/fpi-sdcp.c
index c3d8ef17..eb9f003b 100644
--- a/libfprint/fpi-sdcp.c
+++ b/libfprint/fpi-sdcp.c
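Review bot: The replacement error in the -562 hunk is built from `error->message` but `error` itself is not released on that path, whereas the -875 hunk below hands its `error` straight to fpi_device_action_error; libfprint's *_complete/action_error helpers take the GError transfer-full, so if `error` is a plain local the -562 site leaks it, and if it is a `g_autoptr(GError)` the -875 site double-frees it — one of the two needs `g_steal_pointer (&error)` (or a `g_clear_error (&error)` at -562). Also, fpi_sdcp_verify_connect now raises FP_DEVICE_ERROR_UNTRUSTED with a specific message on every failure path this commit touches (fpi-sdcp.c hunks -852 through -940), so the wrapper at -562 only repeats the domain and yields messages such as "SDCP Connect verification failed: SDCP model signature verification failed"; `g_prefix_error (&error, "SDCP Connect verification failed: ");` followed by passing `g_steal_pointer (&error)` keeps one message and one owner. The declaration of `error` is outside both hunks, so which of the two sites is wrong needs confirming against the function heads.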
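Review bot: Dropping the 'clear potentially non-functioning application_secret' step in the -875 hunk and in the -729 hunk changes recovery behaviour, and neither the commit message nor a comment explains it: previously a failed AuthorizedIdentity check discarded the stored secret so the next open would renegotiate with a fresh Connect, whereas now a stale or mismatched secret is kept and, as far as the hunk shows, later identify attempts keep failing with UNTRUSTED until the secret is replaced some other way. If the intent is that a MAC failure must not self-heal (a device that cannot prove possession of the secret should stay distrusted rather than be offered a new pairing), that is a defensible security choice, but it should be stated, e.g. `/* keep application_secret: a failed MAC is a trust failure, not a key-sync problem; re-pairing must be explicit */` above the fpi_device_action_error call. The enclosing functions continue outside the hunks.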
@@ -113,7 +113,7 @@ fpi_sdcp_verify_signature (EVP_PKEY *pkey,
 
 out_error:
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error verifying signature for label '%s'",
 label));
 print_openssl_errors ();
@@ -143,8 +143,10 @@ fpi_sdcp_get_truststore (GError **error)
 truststore = X509_STORE_new ();
 if (!truststore)
 {
- fp_dbg ("Failed initializing SDCP X509 certificate store");
- goto out_error;
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Failed initializing SDCP X509 certificate store"));
+ goto out;
 }
 
 fpi_sdcp_truststore_register_resource ();
@@ -153,7 +155,10 @@ fpi_sdcp_get_truststore (GError **error)
 G_RESOURCE_LOOKUP_FLAGS_NONE, error);
 if (*error)
 {
- fp_dbg ("Error loading SDCP truststore certificates: %s", (*error)->message);
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Error loading SDCP truststore certificates: %s",
+ (*error)->message));
 goto out;
 }
 for (int i = 0; trustcert_names[i]; i++)
@@ -163,8 +168,11 @@ fpi_sdcp_get_truststore (GError **error)
 trustcert_gb = g_resource_lookup_data (truststore_resource, trustcert_path, 0, error);
 if (*error)
 {
- fp_dbg ("Error loading SDCP truststore certificate '%s': %s",
- trustcert_names[i], (*error)->message);
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Error loading SDCP truststore "
+ "certificate '%s': %s",
+ trustcert_names[i], (*error)->message));
 goto out;
 }
 g_free (trustcert_path);
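Review bot: In the -153 hunk and the -163 one, `g_propagate_error (error, ...)` runs while `*error` is already set — the enclosing `if (*error)` guarantees it — and GLib's g_propagate_error does not replace a set GError: it logs 'GError set over the top of a previous GError', frees the new error and leaves the original in place, so the caller still gets the GResource lookup error instead of FP_DEVICE_ERROR_UNTRUSTED and the new message is lost. Move the inner error out first, e.g. `g_autoptr(GError) inner = g_steal_pointer (error);` and then `g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED, "Error loading SDCP truststore certificates: %s", inner->message));`, and the same for the per-certificate message. Both sites also dereference `*error` unconditionally, so fpi_sdcp_get_truststore only works with a non-NULL `error`; a `g_return_val_if_fail (error != NULL, NULL)` at the top of the function (outside the hunk) would make that contract explicit.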
@@ -175,16 +183,22 @@ fpi_sdcp_get_truststore (GError **error)
 bio = BIO_new (BIO_s_mem ());
 if (BIO_write (bio, trustcert_ptr, trustcert_len) != trustcert_len)
 {
- fp_dbg ("Failed reading '%s' to buffer", trustcert_names[i]);
- goto out_error;
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Failed reading '%s' to buffer",
+ trustcert_names[i]));
+ goto out;
 }
 g_bytes_unref (trustcert_gb);
 trustcert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
 //print_certificate (trustcert);
 if (!X509_STORE_add_cert (truststore, trustcert))
 {
- fp_dbg ("Failed adding '%s' to X509 store", trustcert_names[i]);
- goto out_error;
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Failed adding '%s' to X509 store",
+ trustcert_names[i]));
+ goto out;
 }
 BIO_free (bio);
 X509_free (trustcert);
@@ -195,13 +209,8 @@ fpi_sdcp_get_truststore (GError **error)
 
 return truststore;
 
-out_error:
- g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
- "OpenSSL error setting up certificate verification"));
- print_openssl_errors ();
- goto out;
 out:
+ print_openssl_errors ();
 g_clear_pointer (&trustcert_names, g_strfreev);
 g_clear_pointer (&trustcert, X509_free);
 return NULL;
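Review bot: The two `goto out` paths added in the -175 hunk jump to a label that, per the -195 hunk, releases only `trustcert_names` and `trustcert`, so `bio` (from `BIO_new`, freed only by the in-loop `BIO_free (bio)` on success) leaks on both, and on the BIO_write failure `trustcert_gb` leaks as well. Worse, `trustcert` is freed in-loop with a plain `X509_free (trustcert)` and is never visibly reset, so a failure on a later iteration — including the lookup failure in the -163 hunk — reaches `g_clear_pointer (&trustcert, X509_free)` at `out:` holding a pointer already freed on the previous iteration; this predates the commit, but the commit now routes every failure through that label. Suggest switching the in-loop frees to `g_clear_pointer (&bio, BIO_free);` / `g_clear_pointer (&trustcert, X509_free);` / `g_clear_pointer (&trustcert_gb, g_bytes_unref);` and clearing all three at `out:`, assuming they start as NULL (their declarations are outside the hunk). A NULL return from `PEM_read_bio_X509` is also passed straight to `X509_STORE_add_cert`; an explicit `if (!trustcert)` check with its own message would make a corrupt bundled PEM diagnosable rather than reported as 'Failed adding … to X509 store'.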
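Review bot: With the -195 hunk, `print_openssl_errors ()` now runs on every path into `out:`, including the GResource lookup failures of the -153/-163 hunks where the OpenSSL error queue is empty or holds stale entries from an earlier call, which makes the log misleading for those failures; keep it at the OpenSSL failure sites (X509_STORE_new, BIO_write, X509_STORE_add_cert) or guard it with `if (ERR_peek_error ())`. Separately, `truststore` from `X509_STORE_new` is not visibly released at `out:`; unless it is declared with a cleanup attribute outside the hunk, add `g_clear_pointer (&truststore, X509_STORE_free);` before `return NULL;` so a failed load does not leak the store.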
@@ -258,16 +267,15 @@ fpi_sdcp_verify_certificate (X509 *certificate,
 
 out_error:
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error setting up certificate verification"));
 print_openssl_errors ();
 goto out;
 out_verify_error:
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
- "OpenSSL error verifying model certificate"));
- fp_dbg ("OpenSSL verification error: %s",
- X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "OpenSSL error verifying model certificate: %s",
+ X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx))));
 out:
 g_clear_pointer (¶m, X509_VERIFY_PARAM_free);
 g_clear_pointer (&ctx, X509_STORE_CTX_free);
@@ -323,7 +331,7 @@ fpi_sdcp_kdf (GBytes *key,
 secret = g_malloc0 (length);
 if (!EVP_KDF_derive (kdf_ctx, secret, length, params))
 {
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error during key derivation "
 "for label '%s'", label));
 g_free (secret);
@@ -395,7 +403,7 @@ fpi_sdcp_mac (GBytes *application_secret,
 return g_steal_pointer (&res);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error generating MAC for label '%s'",
 label));
 print_openssl_errors ();
@@ -434,7 +442,7 @@ fpi_sdcp_get_private_key (EVP_PKEY *pkey,
 return g_steal_pointer (&res);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error getting private key bytes"));
 print_openssl_errors ();
 g_clear_pointer (&priv, g_free);
@@ -465,7 +473,7 @@ fpi_sdcp_get_public_key (EVP_PKEY *pkey,
 return g_steal_pointer (&res);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error getting public key bytes"));
 print_openssl_errors ();
 g_clear_pointer (&pub, g_free);
@@ -533,7 +541,7 @@ fpi_sdcp_get_private_pkey (GBytes *private_key,
 return g_steal_pointer (&key);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error getting private key"));
 print_openssl_errors ();
 g_clear_pointer (&key, EVP_PKEY_free);
@@ -577,7 +585,7 @@ fpi_sdcp_get_public_pkey (GBytes *public_key,
 return g_steal_pointer (&key);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error getting public key"));
 print_openssl_errors ();
 g_clear_pointer (&key, EVP_PKEY_free);
@@ -641,7 +649,7 @@ fpi_sdcp_hash_claim (FpiSdcpClaim *claim,
 return g_steal_pointer (&res);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error hashing the SDCP claim"));
 print_openssl_errors ();
 g_clear_pointer (&sh256_ctx, EVP_MD_CTX_free);
@@ -699,7 +707,7 @@ fpi_sdcp_key_agreement (GBytes *host_private_key,
 return g_steal_pointer (&res);
 
 out_error:
- g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error deriving key agreement"));
 print_openssl_errors ();
 out:
@@ -750,7 +758,7 @@ fpi_sdcp_generate_random (GError **error)
 if (!RAND_bytes (random, SDCP_RANDOM_SIZE))
 {
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
 "OpenSSL error generating random"));
 print_openssl_errors ();
 g_free (random);
@@ -852,7 +860,9 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
 }
 else
 {
- fp_warn ("SDCP ConnectResponse claim validation failed");
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP ConnectResponse claim validation failed"));
 goto out;
 }
 
@@ -869,8 +879,8 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
 if (!cert)
 {
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
- "Error parsing model certificate"));
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Error parsing model certificate"));
 goto out;
 }
 
@@ -894,8 +904,9 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
 if (!cert_public_pkey)
 {
 g_propagate_error (error,
- fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
- "Error getting public key from model certificate"));
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "Error getting public key from "
+ "model certificate"));
 goto out;
 }
 
@@ -911,7 +922,10 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
 claim->model_signature,
 error))
 {
- fp_warn ("SDCP model signature verification failed");
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP model signature verification "
+ "failed"));
 goto out_error;
 }
 
@@ -940,7 +954,10 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
 claim->model_signature,
 error))
 {
- fp_warn ("SDCP device signature verification failed");
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP device signature verification "
+ "failed"));
 goto out_error;
 }
 
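Review bot: In the -911 hunk `fpi_sdcp_verify_signature` receives `error` and, at least on its `out_error` path (-113 hunk), fills it in before returning FALSE, so the `g_propagate_error` added here — and the identical one in the -940 hunk — will often run with `*error` already set; GLib then logs 'GError set over the top of a previous GError', frees the new error and keeps the OpenSSL one, so the 'SDCP model signature verification failed' message never reaches the caller on that path. If `*error` can be either NULL or set at this point, use `if (error && *error) g_prefix_error (error, "SDCP model signature verification failed: "); else g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED, "SDCP model signature verification failed"));`, which keeps both pieces of information, and the same shape for the device-signature branch. `out_error` in this function is outside the hunk; if it propagates an error of its own as the `out_error` labels elsewhere in this file do, the same collision happens a third time.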
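Review bot: The device-signature check in the -940 hunk ends its argument list with `claim->model_signature, error))`, exactly like the model-signature check in the -911 hunk; if that parameter is the signature fpi_sdcp_verify_signature verifies (its declaration begins with `EVP_PKEY *pkey,` in the -113 hunk but the remaining parameters are not shown), the device signature is never checked and, since the model signature cannot verify under the device key, every genuine device would be rejected — so either the parameter order differs from what the context suggests or this is a copy-paste slip. The call's earlier arguments are outside the hunk, so this needs confirming against the parameter order; if it is a slip, the argument should be the claim's device-signature field, and a test feeding a claim with a tampered device signature would pin the check. The -911 hunk's note on g_propagate_error over an already-set error applies here too.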
@@ -997,7 +1014,9 @@ fpi_sdcp_verify_reconnect (GBytes *application_secret,
 }
 else
 {
- fp_warn ("SDCP ReconnectResponse verification failed");
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP ReconnectResponse verification failed"));
 return FALSE;
 }
 }
@@ -1030,7 +1049,9 @@ fpi_sdcp_verify_identify (GBytes *application_secret,
 }
 else
 {
- fp_warn ("SDCP AuthorizedIdentity verification failed");
+ g_propagate_error (error,
+ fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+ "SDCP AuthorizedIdentity verification failed"));
 return FALSE;
 }
 }