Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong usage page in descriptor #1

Open
szszszsz opened this issue Feb 13, 2023 · 2 comments
Open

Wrong usage page in descriptor #1

szszszsz opened this issue Feb 13, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@szszszsz
Copy link

szszszsz commented Feb 13, 2023
edited
Loading

The FIDO_USAGE_DATA_OUT constant is probably equal to 0x21, and not to 0x04. The exact value is not specified in the FIDO CTAPHID spec from the brief look. Because of the wrong value, the fido2luks application cannot find authenticator using this library (as it searches for 0x21 as the usage page).

Nitrokey FIDO2 has this set to 0x21 as well.

usbd-ctaphid/src/class.rs

Lines 157 to 158 in 2f29e01

0x09,
0x04, // Usage ID - vendor defined: FIDO_USAGE_DATA_OUT

Connected:
@szszszsz szszszsz added the bug Something isn't working label Feb 13, 2023
@robin-nitrokey
Copy link
Member

I would argue that this is a problem with the ctap crate. According to the spec, devices should be identified by the device usage page and usage:

A unique Usage Page is defined (0xF1D0) for the FIDO alliance and under this realm, a CTAPHID Usage is defined as well (0x01). During CTAPHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be CTAPHID devices.

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#usb-discovery

We correctly set these values:

usbd-ctaphid/src/class.rs

Lines 132 to 138 in 2f29e01

// Usage page (vendor defined): 0xF1D0 (FIDO_USAGE_PAGE)
0x06,
0xD0,
0xF1,
// Usage ID (vendor defined): 0x1 (FIDO_USAGE_CTAPHID)
0x09,
0x01,

It seems to me that the ctap crate reads the complete device descriptor and uses the last usage value.

https://github.com/ArdaXi/ctap/blob/0fa8d420c9e4e0714d1f29ef458101b5c83bf93a/src/hid_linux.rs#L27-L88

But this happens to be the endpoint usage, not the device usage. A better approach would be to use the first value. (This probably could still fail for composite devices, but let’s ignore that for the moment.)

So I think this should be fixed in ctap by a) checking for usage 0x01 instead of 0x21 and b) properly parsing the device usage (instead of the endpoint usage). The current implementation only works by accident with devices that set the last endpoint usage to 0x21. If we would change it here, we would just hide the actual problem.

This was referenced Feb 14, 2023
Open
Open
@robin-nitrokey
Copy link
Member

I’ve prepared a simple patch for ctap, at least for testing: ArdaXi/ctap#5

@robin-nitrokey robin-nitrokey mentioned this issue Feb 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@szszszsz @robin-nitrokey