sdcp: Make sure to always set error when failing and use UNTRUSTED error for SDCP failures

libfprint/drivers/egismoc/egismoc.c

@@ -831,7 +831,7 @@ egismoc_enroll_commit_cb (FpDevice *device,
                                          rsp_commit_success_suffix,
                                          rsp_commit_success_suffix_len))
     {
-      g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_DATA_INVALID,
+      g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                            "Enrollment was rejected by the device"));
       fpi_ssm_mark_failed (self->task_ssm, error);
       fpi_sdcp_device_enroll_commit_complete (sdcp_device, error);

libfprint/fp-sdcp-device-private.h

@@ -36,7 +36,6 @@ void fpi_sdcp_device_get_application_secret (FpSdcpDevice *self,
                                              GBytes      **application_secret);
 void fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
                                              GBytes       *application_secret);
-void fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self);
 
 void fpi_sdcp_device_open (FpSdcpDevice *self);
 void fpi_sdcp_device_connect (FpSdcpDevice *self);

libfprint/fpi-sdcp-device.c

@@ -196,12 +196,6 @@ fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
   g_object_set (G_OBJECT (self), "sdcp-data", data, NULL);
 }
 
-void
-fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self)
-{
-  g_object_set (G_OBJECT (self), "sdcp-data", NULL);  
-}
-
 void
 fpi_sdcp_device_open (FpSdcpDevice *self)
 {
@@ -562,7 +556,10 @@ fpi_sdcp_device_connect_complete (FpSdcpDevice *self,
                                 &application_secret,
                                 &error))
     {
-      fpi_device_open_complete (FP_DEVICE (self), error);
+      fpi_device_open_complete (FP_DEVICE (self),
+                                fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                          "SDCP Connect verification failed: %s",
+                                                          error->message));
       return;
     }
 
@@ -729,10 +726,6 @@ fpi_sdcp_device_enroll_commit (FpSdcpDevice *self,
   if (!id || error)
     {
       fp_warn ("Could not generate SDCP enrollment ID");
-
-      /* clear potentially non-functioning application_secret */
-      fpi_sdcp_device_unset_application_secret (self);
-
       fpi_device_enroll_complete (FP_DEVICE (self), NULL, error);
       g_object_set (print, "fpi-data", NULL, NULL);
       return;
@@ -875,15 +868,7 @@ fpi_sdcp_device_identify_complete (FpSdcpDevice *self,
   if (!fpi_sdcp_verify_identify (application_secret, priv->identify_nonce, id, mac, &error))
     {
       g_clear_pointer (&priv->identify_nonce, g_bytes_unref);
-
-      /* clear potentially non-functioning application_secret */
-      fpi_sdcp_device_unset_application_secret (self);
-
-      fpi_device_action_error (FP_DEVICE (self),
-                               fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
-                                                         "SDCP AuthorizedIdentity verification "
-                                                         "failed: %s",
-                                                         error->message));
+      fpi_device_action_error (FP_DEVICE (self), error);
       return;
     }
 

libfprint/fpi-sdcp.c

@@ -113,7 +113,7 @@ fpi_sdcp_verify_signature (EVP_PKEY    *pkey,
 
 out_error:
   g_propagate_error (error,
-                     fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+                     fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                "OpenSSL error verifying signature for label '%s'",
                                                label));
   print_openssl_errors ();
@@ -143,8 +143,10 @@ fpi_sdcp_get_truststore (GError **error)
   truststore = X509_STORE_new ();
   if (!truststore)
     {
-      fp_dbg ("Failed initializing SDCP X509 certificate store");
-      goto out_error;
+      g_propagate_error (error,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                   "Failed initializing SDCP X509 certificate store"));
+      goto out;
     }
 
   fpi_sdcp_truststore_register_resource ();
@@ -153,7 +155,10 @@ fpi_sdcp_get_truststore (GError **error)
                                                     G_RESOURCE_LOOKUP_FLAGS_NONE, error);
   if (*error)
     {
-      fp_dbg ("Error loading SDCP truststore certificates: %s", (*error)->message);
+      g_propagate_error (error,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                   "Error loading SDCP truststore certificates: %s",
+                                                   (*error)->message));
       goto out;
     }
   for (int i = 0; trustcert_names[i]; i++)
@@ -163,8 +168,11 @@ fpi_sdcp_get_truststore (GError **error)
       trustcert_gb = g_resource_lookup_data (truststore_resource, trustcert_path, 0, error);
       if (*error)
         {
-          fp_dbg ("Error loading SDCP truststore certificate '%s': %s",
-                  trustcert_names[i], (*error)->message);
+          g_propagate_error (error,
+                             fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                       "Error loading SDCP truststore "
+                                                       "certificate '%s': %s",
+                                                       trustcert_names[i], (*error)->message));
           goto out;
         }
       g_free (trustcert_path);
@@ -175,16 +183,22 @@ fpi_sdcp_get_truststore (GError **error)
       bio = BIO_new (BIO_s_mem ());
       if (BIO_write (bio, trustcert_ptr, trustcert_len) != trustcert_len)
         {
-          fp_dbg ("Failed reading '%s' to buffer", trustcert_names[i]);
-          goto out_error;
+          g_propagate_error (error,
+                             fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                       "Failed reading '%s' to buffer",
+                                                       trustcert_names[i]));
+          goto out;
         }
       g_bytes_unref (trustcert_gb);
       trustcert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
       //print_certificate (trustcert);
       if (!X509_STORE_add_cert (truststore, trustcert))
         {
-          fp_dbg ("Failed adding '%s' to X509 store", trustcert_names[i]);
-          goto out_error;
+          g_propagate_error (error,
+                             fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                       "Failed adding '%s' to X509 store",
+                                                       trustcert_names[i]));
+          goto out;
         }
       BIO_free (bio);
       X509_free (trustcert);
@@ -195,13 +209,8 @@ fpi_sdcp_get_truststore (GError **error)
 
   return truststore;
 
-out_error:
-  g_propagate_error (error,
-                     fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
-                                               "OpenSSL error setting up certificate verification"));
-  print_openssl_errors ();
-  goto out;
 out:
+  print_openssl_errors ();
   g_clear_pointer (&trustcert_names, g_strfreev);
   g_clear_pointer (&trustcert, X509_free);
   return NULL;
@@ -258,16 +267,15 @@ fpi_sdcp_verify_certificate (X509 *certificate,
 
 out_error:
   g_propagate_error (error,
-                     fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+                     fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                "OpenSSL error setting up certificate verification"));
   print_openssl_errors ();
   goto out;
 out_verify_error:
   g_propagate_error (error,
-                     fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
-                                               "OpenSSL error verifying model certificate"));
-  fp_dbg ("OpenSSL verification error: %s",
-          X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));
+                     fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                               "OpenSSL error verifying model certificate: %s",
+                                               X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx))));
 out:
   g_clear_pointer (&param, X509_VERIFY_PARAM_free);
   g_clear_pointer (&ctx, X509_STORE_CTX_free);
@@ -323,7 +331,7 @@ fpi_sdcp_kdf (GBytes      *key,
   secret = g_malloc0 (length);
   if (!EVP_KDF_derive (kdf_ctx, secret, length, params))
     {
-      g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+      g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                           "OpenSSL error during key derivation "
                                                           "for label '%s'", label));
       g_free (secret);
@@ -395,7 +403,7 @@ fpi_sdcp_mac (GBytes      *application_secret,
   return g_steal_pointer (&res);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error generating MAC for label '%s'",
                                                       label));
   print_openssl_errors ();
@@ -434,7 +442,7 @@ fpi_sdcp_get_private_key (EVP_PKEY *pkey,
   return g_steal_pointer (&res);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error getting private key bytes"));
   print_openssl_errors ();
   g_clear_pointer (&priv, g_free);
@@ -465,7 +473,7 @@ fpi_sdcp_get_public_key (EVP_PKEY *pkey,
   return g_steal_pointer (&res);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error getting public key bytes"));
   print_openssl_errors ();
   g_clear_pointer (&pub, g_free);
@@ -533,7 +541,7 @@ fpi_sdcp_get_private_pkey (GBytes  *private_key,
   return g_steal_pointer (&key);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error getting private key"));
   print_openssl_errors ();
   g_clear_pointer (&key, EVP_PKEY_free);
@@ -577,7 +585,7 @@ fpi_sdcp_get_public_pkey (GBytes  *public_key,
   return g_steal_pointer (&key);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error getting public key"));
   print_openssl_errors ();
   g_clear_pointer (&key, EVP_PKEY_free);
@@ -641,7 +649,7 @@ fpi_sdcp_hash_claim (FpiSdcpClaim *claim,
   return g_steal_pointer (&res);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error hashing the SDCP claim"));
   print_openssl_errors ();
   g_clear_pointer (&sh256_ctx, EVP_MD_CTX_free);
@@ -699,7 +707,7 @@ fpi_sdcp_key_agreement (GBytes  *host_private_key,
   return g_steal_pointer (&res);
 
 out_error:
-  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+  g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                       "OpenSSL error deriving key agreement"));
   print_openssl_errors ();
 out:
@@ -750,7 +758,7 @@ fpi_sdcp_generate_random (GError **error)
   if (!RAND_bytes (random, SDCP_RANDOM_SIZE))
     {
       g_propagate_error (error,
-                         fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                    "OpenSSL error generating random"));
       print_openssl_errors ();
       g_free (random);
@@ -852,7 +860,9 @@ fpi_sdcp_verify_connect (GBytes       *host_private_key,
     }
   else
     {
-      fp_warn ("SDCP ConnectResponse claim validation failed");
+      g_propagate_error (error,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                   "SDCP ConnectResponse claim validation failed"));
       goto out;
     }
 
@@ -869,7 +879,7 @@ fpi_sdcp_verify_connect (GBytes       *host_private_key,
       if (!cert)
         {
           g_propagate_error (error,
-                            fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+                             fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
                                                        "Error parsing model certificate"));
           goto out;
         }
@@ -894,8 +904,9 @@ fpi_sdcp_verify_connect (GBytes       *host_private_key,
           if (!cert_public_pkey)
             {
               g_propagate_error (error,
-                                fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
-                                                          "Error getting public key from model certificate"));
+                                 fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                           "Error getting public key from "
+                                                           "model certificate"));
               goto out;
             }
 
@@ -911,7 +922,10 @@ fpi_sdcp_verify_connect (GBytes       *host_private_key,
                                           claim->model_signature,
                                           error))
             {
-              fp_warn ("SDCP model signature verification failed");
+              g_propagate_error (error,
+                                 fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                           "SDCP model signature verification "
+                                                           "failed"));
               goto out_error;
             }
 
@@ -940,7 +954,10 @@ fpi_sdcp_verify_connect (GBytes       *host_private_key,
                                           claim->model_signature,
                                           error))
             {
-              fp_warn ("SDCP device signature verification failed");
+              g_propagate_error (error,
+                                 fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                           "SDCP device signature verification "
+                                                           "failed"));
               goto out_error;
             }
 
@@ -997,7 +1014,9 @@ fpi_sdcp_verify_reconnect (GBytes  *application_secret,
     }
   else
     {
-      fp_warn ("SDCP ReconnectResponse verification failed");
+      g_propagate_error (error,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                   "SDCP ReconnectResponse verification failed"));
       return FALSE;
     }
 }
@@ -1030,7 +1049,9 @@ fpi_sdcp_verify_identify (GBytes  *application_secret,
     }
   else
     {
-      fp_warn ("SDCP AuthorizedIdentity verification failed");
+      g_propagate_error (error,
+                         fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
+                                                   "SDCP AuthorizedIdentity verification failed"));
       return FALSE;
     }
 }