Yubico/libfido2

Problems with Feitian MultiPass FIDO device

avzuquete opened this issue · 4 comments

What version of libfido2 are you using?

1.13.0

What operating system are you running?

Ubuntu 22.04.2 LTS, 5.15.0-67-generic kernel

What application are you using in conjunction with libfido2?

My own

How does the problem manifest itself?

Some fido_dev_supports_XXX functions give a wrong indication for a Feitian MultiPass FIDO device.
I checked the libfido2 code and I guess the source of the problem is the interpretation that is made of the flags/options reported by the device.
This device reports up=true (instead of uv=true), so the function fido_dev_supports_uv returns FALSE.
This device reports clientPin=false, so the flags field gets a FIDO_DEV_PIN_UNSET, which later makes fido_dev_supports_pin return TRUE.

Is the problem reproducible?

Yes.

What are the steps that lead to the problem?

Explained before.

Does the problem happen with different authenticators?

Could not check.

Please include the output of fido2-token -L.

$ fido2-token -L
/dev/hidraw1: vendor=0x096e, product=0x085a (FS ePass FIDO)

Please include the output of fido2-token -I.

$ fido2-token -I <device>
proto: 0x02
major: 0x01
minor: 0x00
build: 0x01
caps: 0x0f (wink, cbor, nomsg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: ble, nfc, usb
algorithms: es256 (public-key)
aaguid: 310b2830bd4a4da5832e9a0dfc90abf2
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1024
maxcredcntlst: 6
maxcredlen: 96
fwversion: 0x0
pin protocols: 1
pin retries: undefined
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

$ export FIDO_DEBUG=1
$  fido2-token -L
fido_hid_unix_open: open /dev/hidraw0: Permission denied
/dev/hidraw1: vendor=0x096e, product=0x085a (FS ePass FIDO)
$  fido2-token -I /dev/hidraw1
fido_tx: dev=0x556fc09222a0, cmd=0x06
fido_tx: buf=0x556fc09222a0, len=8
0000: 57 66 8a 35 d0 1e 60 4f
fido_rx: dev=0x556fc09222a0, cmd=0x06, ms=-1
rx_preamble: buf=0x7ffeba17a080, len=64
0000: ff ff ff ff 86 00 11 57 66 8a 35 d0 1e 60 4f 00
0016: 00 00 1b 02 01 00 01 0f 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=17
fido_rx: buf=0x556fc09222a8, len=17
0000: 57 66 8a 35 d0 1e 60 4f 00 00 00 1b 02 01 00 01
0016: 0f
fido_dev_get_cbor_info_tx: dev=0x556fc09222a0
fido_tx: dev=0x556fc09222a0, cmd=0x10
fido_tx: buf=0x7ffeba17a137, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x556fc09222a0, ci=0x556fc09223f0, ms=-1
fido_rx: dev=0x556fc09222a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffeba179840, len=64
0000: 00 00 00 1b 90 00 b1 00 aa 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=177
rx: buf=0x7ffeba179840, len=64
0000: 00 00 00 1b 00 65 74 03 50 31 0b 28 30 bd 4a 4d
0016: a5 83 2e 9a 0d fc 90 ab f2 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f4 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x7ffeba179840, len=64
0000: 00 00 00 1b 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 00 06 81 01 07 06 08 18 60 09 83 63 62
0032: 6c 65 63 6e 66 63 63 75 73 62 0a 81 a2 63 61 6c
0048: 67 26 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b
rx: buf=0x7ffeba179840, len=64
0000: 00 00 00 1b 02 65 79 00 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x7ffeba1798d0, len=177
0000: 00 aa 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 31 0b 28
0064: 30 bd 4a 4d a5 83 2e 9a 0d fc 90 ab f2 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f4 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 00 06 81 01 07 06 08 18 60 09 83 63 62 6c
0144: 65 63 6e 66 63 63 75 73 62 0a 81 a2 63 61 6c 67
0160: 26 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65
0176: 79
fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1024
proto: 0x02
major: 0x01
minor: 0x00
build: 0x01
caps: 0x0f (wink, cbor, nomsg)
fido_dev_get_cbor_info_tx: dev=0x556fc09222a0
fido_tx: dev=0x556fc09222a0, cmd=0x10
fido_tx: buf=0x7ffeba17a1a7, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x556fc09222a0, ci=0x556fc09228b0, ms=-1
fido_rx: dev=0x556fc09222a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffeba1798d0, len=64
0000: 00 00 00 1b 90 00 b1 00 aa 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=177
rx: buf=0x7ffeba1798d0, len=64
0000: 00 00 00 1b 00 65 74 03 50 31 0b 28 30 bd 4a 4d
0016: a5 83 2e 9a 0d fc 90 ab f2 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f4 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x7ffeba1798d0, len=64
0000: 00 00 00 1b 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 00 06 81 01 07 06 08 18 60 09 83 63 62
0032: 6c 65 63 6e 66 63 63 75 73 62 0a 81 a2 63 61 6c
0048: 67 26 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b
rx: buf=0x7ffeba1798d0, len=64
0000: 00 00 00 1b 02 65 79 00 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x7ffeba179960, len=177
0000: 00 aa 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 31 0b 28
0064: 30 bd 4a 4d a5 83 2e 9a 0d fc 90 ab f2 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f4 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 00 06 81 01 07 06 08 18 60 09 83 63 62 6c
0144: 65 63 6e 66 63 63 75 73 62 0a 81 a2 63 61 6c 67
0160: 26 64 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65
0176: 79
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: ble, nfc, usb
algorithms: es256 (public-key)
aaguid: 310b2830bd4a4da5832e9a0dfc90abf2
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1024
maxcredcntlst: 6
maxcredlen: 96
fwversion: 0x0
pin protocols: 1
fido_tx: dev=0x556fc09222a0, cmd=0x10
fido_tx: buf=0x556fc0922650, len=6
0000: 06 a2 01 01 02 01
fido_rx: dev=0x556fc09222a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffeba1798f0, len=64
0000: 00 00 00 1b 90 00 01 35 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x7ffeba179980, len=1
0000: 35
cbor_parse_reply: blob[0]=0x35
fido_dev_get_pin_retry_count_rx: parse_pin_retry_count
pin retries: undefined
fido_tx: dev=0x556fc09222a0, cmd=0x10
fido_tx: buf=0x556fc0922650, len=6
0000: 06 a2 01 01 02 07
fido_rx: dev=0x556fc09222a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffeba1798f0, len=64
0000: 00 00 00 1b 90 00 01 02 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x7ffeba179980, len=1
0000: 02
cbor_parse_reply: blob[0]=0x02
fido_dev_get_uv_retry_count_rx: parse_uv_retry_count
uv retries: undefined
fido_tx: dev=0x556fc09222a0, cmd=0x10
fido_tx: buf=0x556fc0922650, len=6
0000: 40 a2 01 01 02 07
fido_rx: dev=0x556fc09222a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7ffeba1798b0, len=64
0000: 00 00 00 1b 90 00 01 01 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x7ffeba179940, len=1
0000: 01
cbor_parse_reply: blob[0]=0x01
bio_rx_info: bio_parse_info
bio_get_info_wait: tx/rx

fido_dev_supports_uv() returns false because the authenticator does not support UV. Note that UP != UV. fido_dev_supports_pin() returns true because the authenticator supports a pin, although one isn't set. fido_dev_has_pin() can be used to distinguish between the two cases.

These functions are documented in https://developers.yubico.com/libfido2/Manuals/fido_dev_supports_uv.html. Please let us know if there's anything we can do to improve our documentation. Thank you!

Thank you for your response. What does UP mean? User Presence? Could you elaborate a bit?

In FIDO2, User Presence (UP) indicates that someone has interacted with the authenticator to authorise an operation, typically through touch. On the other hand, User Verification (UV) signifies that, to a reasonable degree of confidence, the person who authorised an operation was the same individual who previously enrolled a secret, such as a fingerprint or a PIN, on the device.

While a PIN can be used to achieve UV, the two terms are separate concepts in FIDO2, with UV being reserved for methods of user verification that are entirely built-in to the authenticator, such as facial recognition or fingerprint matching. In this sense, most FIDO2 authenticators support PIN but not UV.

So, when the device reports clientPin=false, that means that a PIN is supported but is not set? If the token does not support a PIN, the clientPin indication should not even exist?

Yes, that's correct.

Kind regards,

-p.
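To make the maintainer's two points concrete (UP is not UV, and a present-but-false clientPin means "PIN supported, none set"), here is an added example that is not part of the thread or of libfido2: it decodes the getInfo "options" map copied byte-for-byte from the FIDO_DEBUG dump above with a minimal CBOR decoder, then derives supports_pin / has_pin / supports_uv the way the thread describes. The FIDO_DEV_* flag names follow libfido2's naming as used in the thread; their bit values and the helper functions are assumptions made for this example.

```python
# Minimal CBOR decoder for the subset the CTAP2 getInfo "options" map uses
# (unsigned ints, text strings, maps, true/false), plus an interpretation of
# that map mirroring the flag semantics the maintainer describes in this thread.
def _decode(buf, i):
    """Decode one CBOR item at offset i; return (value, next_offset)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:                       # argument encoded in the initial byte
        arg = info
    elif info == 24:                    # one-byte argument follows
        arg, i = buf[i], i + 1
    elif info == 25:                    # two-byte big-endian argument follows
        arg, i = int.from_bytes(buf[i:i + 2], "big"), i + 2
    else:
        raise ValueError("unsupported CBOR argument encoding")
    if major == 0:                      # unsigned integer
        return arg, i
    if major == 3:                      # UTF-8 text string
        return buf[i:i + arg].decode(), i + arg
    if major == 5:                      # map: alternating key, value items
        m = {}
        for _ in range(arg):
            k, i = _decode(buf, i)
            m[k], i = _decode(buf, i)
        return m, i
    if major == 7 and arg in (20, 21):  # simple values false (0xf4) / true (0xf5)
        return arg == 21, i
    raise ValueError(f"unsupported CBOR major type {major}")

def decode_cbor(data):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value

# Flag names as used in the thread / libfido2; the bit values are chosen here (assumption).
FIDO_DEV_PIN_SET, FIDO_DEV_PIN_UNSET, FIDO_DEV_UV_SET, FIDO_DEV_UV_UNSET = 1, 2, 4, 8

def dev_flags(options):
    # Key absent => unsupported; false => supported but not configured; true => configured.
    flags = 0
    if "clientPin" in options:
        flags |= FIDO_DEV_PIN_SET if options["clientPin"] else FIDO_DEV_PIN_UNSET
    if "uv" in options:
        flags |= FIDO_DEV_UV_SET if options["uv"] else FIDO_DEV_UV_UNSET
    return flags

def supports_pin(flags): return bool(flags & (FIDO_DEV_PIN_SET | FIDO_DEV_PIN_UNSET))
def has_pin(flags): return bool(flags & FIDO_DEV_PIN_SET)
def supports_uv(flags): return bool(flags & (FIDO_DEV_UV_SET | FIDO_DEV_UV_UNSET))

# The "options" map (getInfo key 0x04) copied from the FIDO_DEBUG dump above.
OPTIONS_CBOR = bytes.fromhex("a5 62726b f5 627570 f5 64706c6174 f4 69636c69656e7450696e f4"
                             "75 63726564656e7469616c4d676d7450726576696577 f5")
```

Note that "up" being true has no bearing on supports_uv: only a "uv" key, present with either value, would make it true.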