CTAP HID Lock (#605)

* Implements the CTAP HID Lock command This is a direct translation of our internal implementation. * adds more HID Lock tests
2023-03-17 17:22:36 +01:00
parent 2560b6661c
commit 6d5ea16f2d
7 changed files with 522 additions and 51 deletions
--- a/libraries/opensk/src/lib.rs
+++ b/libraries/opensk/src/lib.rs
@@ -96,13 +96,22 @@ impl<E: Env> Ctap<E> {
    ) -> HidPacketIterator {
        match transport {
            Transport::MainHid => {
+                #[cfg(not(feature = "vendor_hid"))]
+                let is_disabled = false;
+                #[cfg(feature = "vendor_hid")]
+                let is_disabled = self.vendor_hid.has_channel_lock(&mut self.env);
                self.hid
-                    .process_hid_packet(&mut self.env, packet, &mut self.state)
+                    .process_hid_packet(&mut self.env, packet, is_disabled, &mut self.state)
            }
            #[cfg(feature = "vendor_hid")]
            Transport::VendorHid => {
-                self.vendor_hid
-                    .process_hid_packet(&mut self.env, packet, &mut self.state)
+                let is_disabled = self.hid.has_channel_lock(&mut self.env);
+                self.vendor_hid.process_hid_packet(
+                    &mut self.env,
+                    packet,
+                    is_disabled,
+                    &mut self.state,
+                )
            }
        }
    }
@@ -121,3 +130,96 @@ impl<E: Env> Ctap<E> {
        self.state.u2f_needs_user_presence(&mut self.env)
    }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use crate::env::test::TestEnv;
+
+    /// Assembles a packet for a payload that fits into one packet.
+    fn assemble_packet(cid: &[u8; 4], cmd: u8, payload: &[u8]) -> HidPacket {
+        assert!(payload.len() <= 57);
+        let mut packet = [0x00; 64];
+        packet[..4].copy_from_slice(cid);
+        packet[4] = cmd | 0x80;
+        packet[6] = payload.len() as u8;
+        packet[7..][..payload.len()].copy_from_slice(payload);
+        packet
+    }
+
+    fn init_packet() -> HidPacket {
+        assemble_packet(&[0xFF; 4], 0x06, &[0x55; 8])
+    }
+
+    fn lock_packet(cid: &[u8; 4]) -> HidPacket {
+        assemble_packet(cid, 0x04, &[0x01; 1])
+    }
+
+    fn wink_packet(cid: &[u8; 4]) -> HidPacket {
+        assemble_packet(cid, 0x08, &[])
+    }
+
+    #[test]
+    fn test_wink() {
+        let env = TestEnv::default();
+        let mut ctap = Ctap::<TestEnv>::new(env);
+
+        // Send Init, receive Init response and check wink if disabled.
+        let mut init_response = ctap.process_hid_packet(&init_packet(), Transport::MainHid);
+        let response_packet = init_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x86);
+        let cid = *array_ref!(response_packet, 15, 4);
+        assert!(!ctap.should_wink());
+
+        // Send Wink, receive Wink response and check wink is enabled.
+        let mut lock_response = ctap.process_hid_packet(&wink_packet(&cid), Transport::MainHid);
+        let response_packet = lock_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x88);
+        assert!(ctap.should_wink());
+    }
+
+    #[test]
+    fn test_locked_channel_id() {
+        let env = TestEnv::default();
+        let mut ctap = Ctap::<TestEnv>::new(env);
+
+        // Send Init, receive Init response.
+        let mut init_response = ctap.process_hid_packet(&init_packet(), Transport::MainHid);
+        let response_packet = init_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x86);
+        let cid = *array_ref!(response_packet, 15, 4);
+
+        // Send Lock, receive Lock response.
+        let mut lock_response = ctap.process_hid_packet(&lock_packet(&cid), Transport::MainHid);
+        let response_packet = lock_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x84);
+
+        // Send another Init, receive Error.
+        let mut init_response = ctap.process_hid_packet(&init_packet(), Transport::MainHid);
+        let response_packet = init_response.next().unwrap();
+        assert_eq!(response_packet[4], 0xBF);
+    }
+
+    #[test]
+    #[cfg(feature = "vendor_hid")]
+    fn test_locked_transport() {
+        let env = TestEnv::default();
+        let mut ctap = Ctap::<TestEnv>::new(env);
+
+        // Send Init, receive Init response.
+        let mut init_response = ctap.process_hid_packet(&init_packet(), Transport::MainHid);
+        let response_packet = init_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x86);
+        let cid = *array_ref!(response_packet, 15, 4);
+
+        // Send Lock, receive Lock response.
+        let mut lock_response = ctap.process_hid_packet(&lock_packet(&cid), Transport::MainHid);
+        let response_packet = lock_response.next().unwrap();
+        assert_eq!(response_packet[4], 0x84);
+
+        // Send Init on other transport, receive Error.
+        let mut init_response = ctap.process_hid_packet(&init_packet(), Transport::VendorHid);
+        let response_packet = init_response.next().unwrap();
+        assert_eq!(response_packet[4], 0xBF);
+    }
+}