kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #200 from kaczmarczyck/empty-auth-up

Browse Source 
Adds a UP check for device identification
This commit is contained in:
Jean-Michel Picod
2020-11-24 18:48:38 +01:00
committed by GitHub
parent b0dc019b4e 65f4f2de25
commit 6a2a482b03
1 changed files with 29 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
src/ctap/mod.rs
View File

@@ -344,6 +344,33 @@ where
} }
} }
fn pin_uv_auth_precheck(
&mut self,
pin_uv_auth_param: &Option<Vec<u8>>,
pin_uv_auth_protocol: Option<u64>,
cid: ChannelID,
) -> Result<(), Ctap2StatusCode> {
if let Some(auth_param) = &pin_uv_auth_param {
// This case was added in FIDO 2.1.
if auth_param.is_empty() {
(self.check_user_presence)(cid)?;
if self.persistent_store.pin_hash()?.is_none() {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_NOT_SET);
} else {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID);
}
}
match pin_uv_auth_protocol {
Some(CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION) => Ok(()),
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID),
None => Err(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER),
}
} else {
Ok(())
}
}
fn process_make_credential( fn process_make_credential(
&mut self, &mut self,
make_credential_params: AuthenticatorMakeCredentialParameters, make_credential_params: AuthenticatorMakeCredentialParameters,
@@ -361,25 +388,7 @@ where
pin_uv_auth_protocol, pin_uv_auth_protocol,
} = make_credential_params; } = make_credential_params;
if let Some(auth_param) = &pin_uv_auth_param { self.pin_uv_auth_precheck(&pin_uv_auth_param, pin_uv_auth_protocol, cid)?;
// This case was added in FIDO 2.1.
if auth_param.is_empty() {
if self.persistent_store.pin_hash()?.is_none() {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_NOT_SET);
} else {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID);
}
}
match pin_uv_auth_protocol {
Some(protocol) => {
if protocol != CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
}
None => return Err(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER),
}
}
if !pub_key_cred_params.contains(&ES256_CRED_PARAM) { if !pub_key_cred_params.contains(&ES256_CRED_PARAM) {
return Err(Ctap2StatusCode::CTAP2_ERR_UNSUPPORTED_ALGORITHM); return Err(Ctap2StatusCode::CTAP2_ERR_UNSUPPORTED_ALGORITHM);
@@ -563,25 +572,7 @@ where
pin_uv_auth_protocol, pin_uv_auth_protocol,
} = get_assertion_params; } = get_assertion_params;
if let Some(auth_param) = &pin_uv_auth_param { self.pin_uv_auth_precheck(&pin_uv_auth_param, pin_uv_auth_protocol, cid)?;
// This case was added in FIDO 2.1.
if auth_param.is_empty() {
if self.persistent_store.pin_hash()?.is_none() {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_NOT_SET);
} else {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID);
}
}
match pin_uv_auth_protocol {
Some(protocol) => {
if protocol != CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
}
None => return Err(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER),
}
}
let hmac_secret_input = extensions.map(|e| e.hmac_secret).flatten(); let hmac_secret_input = extensions.map(|e| e.hmac_secret).flatten();
if hmac_secret_input.is_some() && !options.up { if hmac_secret_input.is_some() && !options.up {