mirrors/libfprint
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/libfprint/libfprint.git synced 2025-11-15 07:38:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

sdcp: Make sure to always set error when failing and use UNTRUSTED error for SDCP failures

Browse Source
This commit is contained in:
Joshua Grisham
2025-08-31 22:17:52 +02:00
parent 05d0b13c28
commit e96f9c3618
4 changed files with 66 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libfprint/drivers/egismoc/egismoc.c
View File

@@ -831,7 +831,7 @@ egismoc_enroll_commit_cb (FpDevice *device,
rsp_commit_success_suffix,
rsp_commit_success_suffix_len))
{
g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_DATA_INVALID,
g_propagate_error (&error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Enrollment was rejected by the device"));
fpi_ssm_mark_failed (self->task_ssm, error);
fpi_sdcp_device_enroll_commit_complete (sdcp_device, error);

1
libfprint/fp-sdcp-device-private.h
View File

@@ -36,7 +36,6 @@ void fpi_sdcp_device_get_application_secret (FpSdcpDevice *self,
GBytes **application_secret);
void fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
GBytes *application_secret);
void fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self);
void fpi_sdcp_device_open (FpSdcpDevice *self);
void fpi_sdcp_device_connect (FpSdcpDevice *self);

25
libfprint/fpi-sdcp-device.c
View File

@@ -196,12 +196,6 @@ fpi_sdcp_device_set_application_secret (FpSdcpDevice *self,
g_object_set (G_OBJECT (self), "sdcp-data", data, NULL);
}
void
fpi_sdcp_device_unset_application_secret (FpSdcpDevice *self)
{
g_object_set (G_OBJECT (self), "sdcp-data", NULL);
}
void
fpi_sdcp_device_open (FpSdcpDevice *self)
{
@@ -562,7 +556,10 @@ fpi_sdcp_device_connect_complete (FpSdcpDevice *self,
&application_secret,
&error))
{
fpi_device_open_complete (FP_DEVICE (self), error);
fpi_device_open_complete (FP_DEVICE (self),
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP Connect verification failed: %s",
error->message));
return;
}
@@ -729,10 +726,6 @@ fpi_sdcp_device_enroll_commit (FpSdcpDevice *self,
if (!id || error)
{
fp_warn ("Could not generate SDCP enrollment ID");
/* clear potentially non-functioning application_secret */
fpi_sdcp_device_unset_application_secret (self);
fpi_device_enroll_complete (FP_DEVICE (self), NULL, error);
g_object_set (print, "fpi-data", NULL, NULL);
return;
@@ -875,15 +868,7 @@ fpi_sdcp_device_identify_complete (FpSdcpDevice *self,
if (!fpi_sdcp_verify_identify (application_secret, priv->identify_nonce, id, mac, &error))
{
g_clear_pointer (&priv->identify_nonce, g_bytes_unref);
/* clear potentially non-functioning application_secret */
fpi_sdcp_device_unset_application_secret (self);
fpi_device_action_error (FP_DEVICE (self),
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP AuthorizedIdentity verification "
"failed: %s",
error->message));
fpi_device_action_error (FP_DEVICE (self), error);
return;
}

99
libfprint/fpi-sdcp.c
View File

@@ -113,7 +113,7 @@ fpi_sdcp_verify_signature (EVP_PKEY *pkey,
out_error:
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error verifying signature for label '%s'",
label));
print_openssl_errors ();
@@ -143,8 +143,10 @@ fpi_sdcp_get_truststore (GError **error)
truststore = X509_STORE_new ();
if (!truststore)
{
fp_dbg ("Failed initializing SDCP X509 certificate store");
goto out_error;
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Failed initializing SDCP X509 certificate store"));
goto out;
}
fpi_sdcp_truststore_register_resource ();
@@ -153,7 +155,10 @@ fpi_sdcp_get_truststore (GError **error)
G_RESOURCE_LOOKUP_FLAGS_NONE, error);
if (*error)
{
fp_dbg ("Error loading SDCP truststore certificates: %s", (*error)->message);
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Error loading SDCP truststore certificates: %s",
(*error)->message));
goto out;
}
for (int i = 0; trustcert_names[i]; i++)
@@ -163,8 +168,11 @@ fpi_sdcp_get_truststore (GError **error)
trustcert_gb = g_resource_lookup_data (truststore_resource, trustcert_path, 0, error);
if (*error)
{
fp_dbg ("Error loading SDCP truststore certificate '%s': %s",
trustcert_names[i], (*error)->message);
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Error loading SDCP truststore "
"certificate '%s': %s",
trustcert_names[i], (*error)->message));
goto out;
}
g_free (trustcert_path);
@@ -175,16 +183,22 @@ fpi_sdcp_get_truststore (GError **error)
bio = BIO_new (BIO_s_mem ());
if (BIO_write (bio, trustcert_ptr, trustcert_len) != trustcert_len)
{
fp_dbg ("Failed reading '%s' to buffer", trustcert_names[i]);
goto out_error;
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Failed reading '%s' to buffer",
trustcert_names[i]));
goto out;
}
g_bytes_unref (trustcert_gb);
trustcert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
//print_certificate (trustcert);
if (!X509_STORE_add_cert (truststore, trustcert))
{
fp_dbg ("Failed adding '%s' to X509 store", trustcert_names[i]);
goto out_error;
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Failed adding '%s' to X509 store",
trustcert_names[i]));
goto out;
}
BIO_free (bio);
X509_free (trustcert);
@@ -195,13 +209,8 @@ fpi_sdcp_get_truststore (GError **error)
return truststore;
out_error:
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
"OpenSSL error setting up certificate verification"));
print_openssl_errors ();
goto out;
out:
print_openssl_errors ();
g_clear_pointer (&trustcert_names, g_strfreev);
g_clear_pointer (&trustcert, X509_free);
return NULL;
@@ -258,16 +267,15 @@ fpi_sdcp_verify_certificate (X509 *certificate,
out_error:
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error setting up certificate verification"));
print_openssl_errors ();
goto out;
out_verify_error:
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
"OpenSSL error verifying model certificate"));
fp_dbg ("OpenSSL verification error: %s",
X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error verifying model certificate: %s",
X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx))));
out:
g_clear_pointer (&param, X509_VERIFY_PARAM_free);
g_clear_pointer (&ctx, X509_STORE_CTX_free);
@@ -323,7 +331,7 @@ fpi_sdcp_kdf (GBytes *key,
secret = g_malloc0 (length);
if (!EVP_KDF_derive (kdf_ctx, secret, length, params))
{
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error during key derivation "
"for label '%s'", label));
g_free (secret);
@@ -395,7 +403,7 @@ fpi_sdcp_mac (GBytes *application_secret,
return g_steal_pointer (&res);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error generating MAC for label '%s'",
label));
print_openssl_errors ();
@@ -434,7 +442,7 @@ fpi_sdcp_get_private_key (EVP_PKEY *pkey,
return g_steal_pointer (&res);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error getting private key bytes"));
print_openssl_errors ();
g_clear_pointer (&priv, g_free);
@@ -465,7 +473,7 @@ fpi_sdcp_get_public_key (EVP_PKEY *pkey,
return g_steal_pointer (&res);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error getting public key bytes"));
print_openssl_errors ();
g_clear_pointer (&pub, g_free);
@@ -533,7 +541,7 @@ fpi_sdcp_get_private_pkey (GBytes *private_key,
return g_steal_pointer (&key);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error getting private key"));
print_openssl_errors ();
g_clear_pointer (&key, EVP_PKEY_free);
@@ -577,7 +585,7 @@ fpi_sdcp_get_public_pkey (GBytes *public_key,
return g_steal_pointer (&key);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error getting public key"));
print_openssl_errors ();
g_clear_pointer (&key, EVP_PKEY_free);
@@ -641,7 +649,7 @@ fpi_sdcp_hash_claim (FpiSdcpClaim *claim,
return g_steal_pointer (&res);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error hashing the SDCP claim"));
print_openssl_errors ();
g_clear_pointer (&sh256_ctx, EVP_MD_CTX_free);
@@ -699,7 +707,7 @@ fpi_sdcp_key_agreement (GBytes *host_private_key,
return g_steal_pointer (&res);
out_error:
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
g_propagate_error (error, fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error deriving key agreement"));
print_openssl_errors ();
out:
@@ -750,7 +758,7 @@ fpi_sdcp_generate_random (GError **error)
if (!RAND_bytes (random, SDCP_RANDOM_SIZE))
{
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"OpenSSL error generating random"));
print_openssl_errors ();
g_free (random);
@@ -852,7 +860,9 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
}
else
{
fp_warn ("SDCP ConnectResponse claim validation failed");
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP ConnectResponse claim validation failed"));
goto out;
}
@@ -869,8 +879,8 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
if (!cert)
{
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
"Error parsing model certificate"));
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Error parsing model certificate"));
goto out;
}
@@ -894,8 +904,9 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
if (!cert_public_pkey)
{
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
"Error getting public key from model certificate"));
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"Error getting public key from "
"model certificate"));
goto out;
}
@@ -911,7 +922,10 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
claim->model_signature,
error))
{
fp_warn ("SDCP model signature verification failed");
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP model signature verification "
"failed"));
goto out_error;
}
@@ -940,7 +954,10 @@ fpi_sdcp_verify_connect (GBytes *host_private_key,
claim->model_signature,
error))
{
fp_warn ("SDCP device signature verification failed");
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP device signature verification "
"failed"));
goto out_error;
}
@@ -997,7 +1014,9 @@ fpi_sdcp_verify_reconnect (GBytes *application_secret,
}
else
{
fp_warn ("SDCP ReconnectResponse verification failed");
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP ReconnectResponse verification failed"));
return FALSE;
}
}
@@ -1030,7 +1049,9 @@ fpi_sdcp_verify_identify (GBytes *application_secret,
}
else
{
fp_warn ("SDCP AuthorizedIdentity verification failed");
g_propagate_error (error,
fpi_device_error_new_msg (FP_DEVICE_ERROR_UNTRUSTED,
"SDCP AuthorizedIdentity verification failed"));
return FALSE;
}
}