Extend FIDO2 BLE support also for Linux

For Windows it was already added via gh#336,
so let's also add it for Linux.
Unpaired devices are ignored, the user has to pair independently
of libfido use using the bluetooth manager provided by the desktop
environment.

.github/workflows/alpine_builds.yml

@@ -28,7 +28,7 @@ jobs:
         apk -q update
         apk add build-base clang clang-analyzer cmake coreutils eudev-dev
         apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev \
-          libcbor-dev
+          libcbor-dev elogind-dev
     - name: fix permissions on workdir
       run: chown root:wheel "${GITHUB_WORKSPACE}"
     - name: checkout libfido2

.github/workflows/codeql-analysis.yml

@@ -33,7 +33,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev original-awk \
-         libpcsclite-dev
+         libpcsclite-dev libsystemd-dev
         ./.actions/build-linux-gcc
     - name: perform codeql analysis
       uses: github/codeql-action/analyze@v2

.github/workflows/linux_builds.yml

@@ -38,7 +38,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev \
-          original-awk mandoc libpcsclite-dev
+          original-awk mandoc libpcsclite-dev libsystemd-dev
     - name: compiler
       env:
         CC: ${{ matrix.cc }}

.github/workflows/linux_fuzz.yml

@@ -28,7 +28,7 @@ jobs:
     - name: dependencies
       run: |
         sudo apt -q update
-        sudo apt install -q -y libudev-dev libpcsclite-dev
+        sudo apt install -q -y libudev-dev libpcsclite-dev libsystemd-dev
     - name: compiler
       env:
         CC: ${{ matrix.cc }}

.github/workflows/openssl3.yml

@@ -35,7 +35,7 @@ jobs:
       run: |
         sudo apt -q update
         sudo apt install -q -y libcbor-dev libudev-dev libz-dev \
-          original-awk mandoc libpcsclite-dev
+          original-awk mandoc libpcsclite-dev libsystemd-dev
         sudo apt remove -y libssl-dev
         if [ "${CC%-*}" == "clang" ]; then
           sudo ./.actions/setup_clang "${CC}"

CMakeLists.txt

@@ -44,6 +44,7 @@ option(USE_HIDAPI        "Use hidapi as the HID backend"           OFF)
 option(USE_PCSC          "Enable experimental PCSC support"        ON)
 option(USE_WINHELLO      "Abstract Windows Hello as a FIDO device" ON)
 option(NFC_LINUX         "Enable NFC support on Linux"             ON)
+option(BLE_LINUX         "Enable Bluetooth support on Linux"       ON)
 
 add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
 add_definitions(-D_FIDO_MINOR=${FIDO_MINOR})
@@ -216,6 +217,7 @@ if(MSVC)
 		add_definitions(-DUSE_WINHELLO)
 	endif()
 	set(NFC_LINUX OFF)
+	set(BLE_LINUX OFF)
 else()
 	include(FindPkgConfig)
 	pkg_search_module(CBOR libcbor)
@@ -255,6 +257,7 @@ else()
 		endif()
 	else()
 		set(NFC_LINUX OFF)
+		set(BLE_LINUX OFF)
 	endif()
 
 	if(MINGW)
@@ -285,6 +288,11 @@ else()
 		add_definitions(-DUSE_NFC)
 	endif()
 
+	if(BLE_LINUX)
+		add_definitions(-DUSE_BLE)
+		pkg_search_module(BLE libsystemd REQUIRED)
+	endif()
+
 	if(WIN32)
 		if(USE_WINHELLO)
 			add_definitions(-DUSE_WINHELLO)
@@ -392,13 +400,15 @@ include_directories(${PROJECT_SOURCE_DIR}/src)
 include_directories(${CBOR_INCLUDE_DIRS})
 include_directories(${CRYPTO_INCLUDE_DIRS})
 include_directories(${HIDAPI_INCLUDE_DIRS})
+include_directories(${BLE_INCLUDE_DIRS})
 include_directories(${PCSC_INCLUDE_DIRS})
 include_directories(${UDEV_INCLUDE_DIRS})
 include_directories(${ZLIB_INCLUDE_DIRS})
 
 link_directories(${CBOR_LIBRARY_DIRS})
 link_directories(${CRYPTO_LIBRARY_DIRS})
 link_directories(${HIDAPI_LIBRARY_DIRS})
+link_directories(${BLE_LIBRARY_DIRS})
 link_directories(${PCSC_LIBRARY_DIRS})
 link_directories(${UDEV_LIBRARY_DIRS})
 link_directories(${ZLIB_LIBRARY_DIRS})
@@ -468,6 +478,7 @@ message(STATUS "USE_HIDAPI: ${USE_HIDAPI}")
 message(STATUS "USE_PCSC: ${USE_PCSC}")
 message(STATUS "USE_WINHELLO: ${USE_WINHELLO}")
 message(STATUS "NFC_LINUX: ${NFC_LINUX}")
+message(STATUS "BLE_LINUX: ${BLE_LINUX}")
 
 if(BUILD_TESTS)
 	enable_testing()

src/CMakeLists.txt

@@ -51,6 +51,10 @@ if(FUZZ)
 	list(APPEND FIDO_SOURCES ../fuzz/wrap.c)
 endif()
 
+if(BLE_LINUX)
+	list(APPEND FIDO_SOURCES ble.c ble_linux.c)
+endif()
+
 if(NFC_LINUX)
 	list(APPEND FIDO_SOURCES netlink.c nfc.c nfc_linux.c)
 endif()
@@ -123,6 +127,7 @@ list(APPEND TARGET_LIBRARIES
 	${HIDAPI_LIBRARIES}
 	${ZLIB_LIBRARIES}
 	${PCSC_LIBRARIES}
+	${BLE_LIBRARIES}
 )
 
 # static library

src/ble.c

@@ -0,0 +1,253 @@
+#include "fido.h"
+#include "fido/param.h"
+
+#define CTAPBLE_PING 0x81
+#define CTAPBLE_KEEPALIVE 0x82
+#define CTAPBLE_MSG 0x83
+#define CTAPBLE_CANCEL 0xBE
+#define CTAPBLE_ERROR 0xBF
+#define CTAPBLE_MAX_FRAME_LEN 512
+#define CTAPBLE_INIT_HEADER_LEN 3
+#define CTAPBLE_CONT_HEADER_LEN 1
+
+
+#ifndef MIN
+#define MIN(x, y) ((x) > (y) ? (y) : (x))
+#endif
+
+union frame {
+	struct {
+		uint8_t cmd;
+		uint8_t hlen;
+		uint8_t llen;
+		uint8_t data[CTAPBLE_MAX_FRAME_LEN - CTAPBLE_INIT_HEADER_LEN];
+	} init;
+	struct {
+		uint8_t seq;
+		uint8_t data[CTAPBLE_MAX_FRAME_LEN - CTAPBLE_CONT_HEADER_LEN];
+	} cont;
+};
+
+static size_t
+tx_preamble(fido_dev_t *d, uint8_t cmd, const u_char *buf, size_t count)
+{
+	union frame frag_buf;
+	size_t fragment_len = MIN(fido_ble_get_cp_size(d), CTAPBLE_MAX_FRAME_LEN);
+	int r;
+
+	if (fragment_len <= CTAPBLE_INIT_HEADER_LEN)
+		return 0;
+
+	frag_buf.init.cmd = cmd;
+	frag_buf.init.hlen = (count >> 8) & 0xff;
+	frag_buf.init.llen = count & 0xff;
+
+	count = MIN(count, fragment_len - CTAPBLE_INIT_HEADER_LEN);
+	memcpy(frag_buf.init.data, buf, count);
+
+	count += CTAPBLE_INIT_HEADER_LEN;
+	r = d->io.write(d->io_handle, (const u_char *)&frag_buf, count);
+	explicit_bzero(&frag_buf, sizeof(frag_buf));
+
+	if ((r < 0) || ((size_t)r != count))
+		return 0;
+
+	return count - CTAPBLE_INIT_HEADER_LEN;
+}
+
+static size_t
+tx_cont(fido_dev_t *d, uint8_t seq, const u_char *buf, size_t count)
+{
+	union frame frag_buf;
+	int r;
+	size_t fragment_len = MIN(fido_ble_get_cp_size(d), CTAPBLE_MAX_FRAME_LEN);
+
+	if (fragment_len <= CTAPBLE_CONT_HEADER_LEN)
+		return 0;
+
+	frag_buf.cont.seq = seq;
+	count = MIN(count, fragment_len - CTAPBLE_CONT_HEADER_LEN);
+	memcpy(frag_buf.cont.data, buf, count);
+
+	count += CTAPBLE_CONT_HEADER_LEN;
+	r = d->io.write(d->io_handle, (const u_char *)&frag_buf, count);
+	explicit_bzero(&frag_buf, sizeof(frag_buf));
+
+	if ((r < 0) || ((size_t)r != count))
+		return 0;
+
+	return count - CTAPBLE_CONT_HEADER_LEN;
+}
+
+static int
+fido_ble_fragment_tx(fido_dev_t *d, uint8_t cmd, const u_char *buf, size_t count)
+{
+	size_t n, sent;
+
+	if ((sent = tx_preamble(d, cmd, buf, count)) == 0) {
+		fido_log_debug("%s: tx_preamble", __func__);
+		return (-1);
+	}
+
+	for (uint8_t seq = 0; sent < count; sent += n) {
+		if ((n = tx_cont(d, seq++, buf + sent, count - sent)) == 0) {
+			fido_log_debug("%s: tx_frame", __func__);
+			return (-1);
+		}
+
+		seq &= 0x7f;
+	}
+
+	return 0;
+}
+
+int
+fido_ble_tx(fido_dev_t *d, uint8_t cmd, const u_char *buf, size_t count)
+{
+	switch(cmd) {
+		case CTAP_CMD_INIT:
+			return 0;
+		case CTAP_CMD_CBOR:
+		case CTAP_CMD_MSG:
+			return fido_ble_fragment_tx(d, CTAPBLE_MSG, buf, count);
+	}
+	fido_log_debug("%s: unsupported command %02x", __func__, cmd);
+
+	return FIDO_ERR_INTERNAL;
+}
+
+static int
+rx_init(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
+{
+	(void)ms;
+	fido_ctap_info_t *attr = (fido_ctap_info_t *)buf;
+	if (count != sizeof(*attr)) {
+		fido_log_debug("%s: count=%zu", __func__, count);
+		return -1;
+	}
+
+	memset(attr, 0, sizeof(*attr));
+
+	/* we allow only FIDO2 devices for now for simplicity */
+	attr->flags = FIDO_CAP_CBOR | FIDO_CAP_NMSG;
+	memcpy(&attr->nonce, &d->nonce, sizeof(attr->nonce));
+
+	return (int)count;
+}
+
+static int
+rx_fragments(fido_dev_t *d, unsigned char *buf, size_t count, int ms)
+{
+	union frame reply;
+	size_t fragment_len = fido_ble_get_cp_size(d);
+	uint8_t seq;
+	size_t payload;
+	size_t reply_length;
+	int ret;
+	if (fragment_len <= CTAPBLE_INIT_HEADER_LEN) {
+		return -1;
+	}
+
+	payload = fragment_len - CTAPBLE_INIT_HEADER_LEN;
+	if (count < payload)
+		payload = count;
+
+	do {
+		ret = d->io.read(d->io_handle, (u_char *)&reply,
+		    payload + CTAPBLE_INIT_HEADER_LEN, ms);
+		if (ret <= 0) {
+			fido_log_debug("%s: read header", __func__);
+			goto out;
+		}
+	} while (reply.init.cmd == CTAPBLE_KEEPALIVE);
+
+	if ((reply.init.cmd != CTAPBLE_MSG) || (ret <= CTAPBLE_INIT_HEADER_LEN)) {
+		ret = -1;
+		goto out;
+	}
+	ret -= CTAPBLE_INIT_HEADER_LEN;
+
+	reply_length = ((size_t)reply.init.hlen) << 8 | reply.init.llen;
+	if (reply_length > count) {
+		fido_log_debug("%s: more data in reply than expected", __func__);
+		return -1;
+	}
+
+	count = MIN(reply_length, count);
+
+	if (fido_buf_write(&buf, &count, reply.init.data, (size_t)ret) < 0)
+		return -1;
+
+	seq = 0;
+
+	while(count > 0) {
+		payload = fragment_len - CTAPBLE_CONT_HEADER_LEN;
+		payload = MIN(count, payload);
+
+		ret = d->io.read(d->io_handle, (u_char *) &reply,
+		    payload + CTAPBLE_CONT_HEADER_LEN, ms);
+		if (ret <= 1) {
+			if (ret >= 0)
+				ret = -1;
+			fido_log_debug("%s: read cont", __func__);
+			goto out;
+		}
+		ret -= CTAPBLE_CONT_HEADER_LEN;
+		if (reply.cont.seq != seq) {
+			ret = -1;
+			goto out;
+		}
+
+		if (fido_buf_write(&buf, &count, reply.cont.data, (size_t)ret) < 0)
+			return -1;
+
+		seq++;
+		seq &= 0x7f;
+	}
+	ret = (int)reply_length;
+out:
+	explicit_bzero(&reply, sizeof(reply));
+	return ret;
+}
+
+int
+fido_ble_rx(fido_dev_t *d, uint8_t cmd, u_char *buf, size_t count, int ms)
+{
+	switch(cmd) {
+	case CTAP_CMD_INIT:
+		return rx_init(d, buf, count, ms);
+	case CTAP_CMD_CBOR:
+		return rx_fragments(d, buf, count, ms);
+	default:
+		return -1;
+	}
+}
+
+bool
+fido_is_ble(const char *path)
+{
+	return !strncmp(path, FIDO_BLE_PREFIX, strlen(FIDO_BLE_PREFIX));
+}
+
+int
+fido_dev_set_ble(fido_dev_t *d)
+{
+	if (d->io_handle != NULL) {
+		fido_log_debug("%s: device open", __func__);
+		return -1;
+	}
+	d->io_own = true;
+	d->io = (fido_dev_io_t) {
+		fido_ble_open,
+		fido_ble_close,
+		fido_ble_read,
+		fido_ble_write,
+	};
+	d->transport = (fido_dev_transport_t) {
+		fido_ble_rx,
+		fido_ble_tx,
+	};
+
+	return 0;
+}
+