Rename and use HARDWARE_FAILURE error
This commit is contained in:
Julien Cretin
@@ -81,17 +81,10 @@ pub enum Ctap2StatusCode {
|
|||||||
/// This type of error is unexpected and the current state is undefined.
|
/// This type of error is unexpected and the current state is undefined.
|
||||||
CTAP2_ERR_VENDOR_INTERNAL_ERROR = 0xF2,
|
CTAP2_ERR_VENDOR_INTERNAL_ERROR = 0xF2,
|
||||||
|
|
||||||
/// The persistent storage invariant is broken.
|
/// The hardware is malfunctioning.
|
||||||
///
|
///
|
||||||
/// There can be multiple reasons:
|
/// It may be possible that some of those errors are actually internal errors.
|
||||||
/// - The persistent storage has not been erased before its first usage.
|
CTAP2_ERR_VENDOR_HARDWARE_FAILURE = 0xF3,
|
||||||
/// - The persistent storage has been tempered with by a third party.
|
|
||||||
/// - The flash is malfunctioning (including the Tock driver).
|
|
||||||
///
|
|
||||||
/// In the first 2 cases the persistent storage should be completely erased. If the error
|
|
||||||
/// reproduces, it may indicate a software bug or a hardware deficiency. In both cases, the
|
|
||||||
/// error should be reported.
|
|
||||||
CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE = 0xF3,
|
|
||||||
|
|
||||||
CTAP2_ERR_VENDOR_LAST = 0xFF,
|
CTAP2_ERR_VENDOR_LAST = 0xFF,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -216,7 +216,7 @@ impl PersistentStore {
|
|||||||
&& credential.user_handle == new_credential.user_handle
|
&& credential.user_handle == new_credential.user_handle
|
||||||
{
|
{
|
||||||
if old_key.is_some() {
|
if old_key.is_some() {
|
||||||
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE);
|
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
|
||||||
}
|
}
|
||||||
old_key = Some(key);
|
old_key = Some(key);
|
||||||
}
|
}
|
||||||
@@ -231,7 +231,7 @@ impl PersistentStore {
|
|||||||
None => key::CREDENTIALS
|
None => key::CREDENTIALS
|
||||||
.take(MAX_SUPPORTED_RESIDENTIAL_KEYS)
|
.take(MAX_SUPPORTED_RESIDENTIAL_KEYS)
|
||||||
.find(|key| !keys.contains(key))
|
.find(|key| !keys.contains(key))
|
||||||
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE)?,
|
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?,
|
||||||
// This is an existing credential being updated, we reuse its key.
|
// This is an existing credential being updated, we reuse its key.
|
||||||
Some(x) => x,
|
Some(x) => x,
|
||||||
};
|
};
|
||||||
@@ -298,7 +298,7 @@ impl PersistentStore {
|
|||||||
match self.store.find(key::GLOBAL_SIGNATURE_COUNTER)? {
|
match self.store.find(key::GLOBAL_SIGNATURE_COUNTER)? {
|
||||||
None => Ok(INITIAL_SIGNATURE_COUNTER),
|
None => Ok(INITIAL_SIGNATURE_COUNTER),
|
||||||
Some(value) if value.len() == 4 => Ok(u32::from_ne_bytes(*array_ref!(&value, 0, 4))),
|
Some(value) if value.len() == 4 => Ok(u32::from_ne_bytes(*array_ref!(&value, 0, 4))),
|
||||||
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE),
|
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -317,9 +317,9 @@ impl PersistentStore {
|
|||||||
let master_keys = self
|
let master_keys = self
|
||||||
.store
|
.store
|
||||||
.find(key::MASTER_KEYS)?
|
.find(key::MASTER_KEYS)?
|
||||||
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE)?;
|
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
|
||||||
if master_keys.len() != 64 {
|
if master_keys.len() != 64 {
|
||||||
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE);
|
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
|
||||||
}
|
}
|
||||||
Ok(MasterKeys {
|
Ok(MasterKeys {
|
||||||
encryption: *array_ref![master_keys, 0, 32],
|
encryption: *array_ref![master_keys, 0, 32],
|
||||||
@@ -334,7 +334,7 @@ impl PersistentStore {
|
|||||||
Some(pin_hash) => pin_hash,
|
Some(pin_hash) => pin_hash,
|
||||||
};
|
};
|
||||||
if pin_hash.len() != PIN_AUTH_LENGTH {
|
if pin_hash.len() != PIN_AUTH_LENGTH {
|
||||||
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE);
|
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
|
||||||
}
|
}
|
||||||
Ok(Some(*array_ref![pin_hash, 0, PIN_AUTH_LENGTH]))
|
Ok(Some(*array_ref![pin_hash, 0, PIN_AUTH_LENGTH]))
|
||||||
}
|
}
|
||||||
@@ -354,7 +354,7 @@ impl PersistentStore {
|
|||||||
match self.store.find(key::PIN_RETRIES)? {
|
match self.store.find(key::PIN_RETRIES)? {
|
||||||
None => Ok(MAX_PIN_RETRIES),
|
None => Ok(MAX_PIN_RETRIES),
|
||||||
Some(value) if value.len() == 1 => Ok(value[0]),
|
Some(value) if value.len() == 1 => Ok(value[0]),
|
||||||
_ => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE),
|
_ => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -379,7 +379,7 @@ impl PersistentStore {
|
|||||||
match self.store.find(key::MIN_PIN_LENGTH)? {
|
match self.store.find(key::MIN_PIN_LENGTH)? {
|
||||||
None => Ok(DEFAULT_MIN_PIN_LENGTH),
|
None => Ok(DEFAULT_MIN_PIN_LENGTH),
|
||||||
Some(value) if value.len() == 1 => Ok(value[0]),
|
Some(value) if value.len() == 1 => Ok(value[0]),
|
||||||
_ => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE),
|
_ => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -437,7 +437,7 @@ impl PersistentStore {
|
|||||||
key_material::ATTESTATION_PRIVATE_KEY_LENGTH
|
key_material::ATTESTATION_PRIVATE_KEY_LENGTH
|
||||||
]))
|
]))
|
||||||
}
|
}
|
||||||
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE),
|
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -481,9 +481,9 @@ impl PersistentStore {
|
|||||||
let aaguid = self
|
let aaguid = self
|
||||||
.store
|
.store
|
||||||
.find(key::AAGUID)?
|
.find(key::AAGUID)?
|
||||||
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE)?;
|
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
|
||||||
if aaguid.len() != key_material::AAGUID_LENGTH {
|
if aaguid.len() != key_material::AAGUID_LENGTH {
|
||||||
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE);
|
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
|
||||||
}
|
}
|
||||||
Ok(*array_ref![aaguid, 0, key_material::AAGUID_LENGTH])
|
Ok(*array_ref![aaguid, 0, key_material::AAGUID_LENGTH])
|
||||||
}
|
}
|
||||||
@@ -521,9 +521,7 @@ impl From<persistent_store::StoreError> for Ctap2StatusCode {
|
|||||||
StoreError::InvalidArgument => Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR,
|
StoreError::InvalidArgument => Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR,
|
||||||
// This error is not expected. The storage has been tempered with. We could erase the
|
// This error is not expected. The storage has been tempered with. We could erase the
|
||||||
// storage.
|
// storage.
|
||||||
StoreError::InvalidStorage => {
|
StoreError::InvalidStorage => Ctap2StatusCode::CTAP2_ERR_VENDOR_HARDWARE_FAILURE,
|
||||||
Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE
|
|
||||||
}
|
|
||||||
// This error is not expected. The kernel is failing our syscalls.
|
// This error is not expected. The kernel is failing our syscalls.
|
||||||
StoreError::StorageError => Ctap2StatusCode::CTAP1_ERR_OTHER,
|
StoreError::StorageError => Ctap2StatusCode::CTAP1_ERR_OTHER,
|
||||||
}
|
}
|
||||||
@@ -566,7 +564,7 @@ impl<'a> IterCredentials<'a> {
|
|||||||
/// instead of statements only.
|
/// instead of statements only.
|
||||||
fn unwrap<T>(&mut self, x: Option<T>) -> Option<T> {
|
fn unwrap<T>(&mut self, x: Option<T>) -> Option<T> {
|
||||||
if x.is_none() {
|
if x.is_none() {
|
||||||
*self.result = Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INVALID_PERSISTENT_STORAGE);
|
*self.result = Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
|
||||||
}
|
}
|
||||||
x
|
x
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user