kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into hid-init-sync

Browse Source
This commit is contained in:
kaczmarczyck
2020-11-20 14:42:02 +01:00
committed by GitHub
parent e1b419c104 8c60d4b97d
commit 9124de4ec6
3 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/crypto_test.yml vendored
View File

@@ -27,7 +27,7 @@ jobs:
- name: Set up OpenSK - name: Set up OpenSK
run: ./setup.sh run: ./setup.sh
- run: echo "::set-env name=RUSTFLAGS::-C target-feature=+aes" - run: echo "RUSTFLAGS=-C target-feature=+aes" >> $GITHUB_ENV
- name: Unit testing of crypto library (release mode) - name: Unit testing of crypto library (release mode)
uses: actions-rs/cargo@v1 uses: actions-rs/cargo@v1

25
src/ctap/hid/mod.rs
View File

@@ -298,7 +298,9 @@ impl CtapHid {
HidPacketIterator::none() HidPacketIterator::none()
} }
Err((cid, error)) => { Err((cid, error)) => {
if !self.is_allocated_channel(cid) { if !self.is_allocated_channel(cid)
&& error != receive::Error::UnexpectedContinuation
{
CtapHid::error_message(cid, CtapHid::ERR_INVALID_CHANNEL) CtapHid::error_message(cid, CtapHid::ERR_INVALID_CHANNEL)
} else { } else {
match error { match error {
@@ -514,6 +516,27 @@ mod test {
} }
} }
#[test]
fn test_spurious_continuation_packet() {
let mut rng = ThreadRng256 {};
let user_immediately_present = |_| Ok(());
let mut ctap_state = CtapState::new(&mut rng, user_immediately_present);
let mut ctap_hid = CtapHid::new();
let mut packet = [0x00; 64];
packet[0..7].copy_from_slice(&[0xC1, 0xC1, 0xC1, 0xC1, 0x00, 0x51, 0x51]);
let mut assembler_reply = MessageAssembler::new();
for pkt_reply in ctap_hid.process_hid_packet(&packet, DUMMY_CLOCK_VALUE, &mut ctap_state) {
// Continuation packets are silently ignored.
assert_eq!(
assembler_reply
.parse_packet(&pkt_reply, DUMMY_TIMESTAMP)
.unwrap(),
None
);
}
}
#[test] #[test]
fn test_command_init() { fn test_command_init() {
let mut rng = ThreadRng256 {}; let mut rng = ThreadRng256 {};

5
src/ctap/mod.rs
View File

@@ -392,12 +392,16 @@ where
let has_extension_output = use_hmac_extension || cred_protect_policy.is_some(); let has_extension_output = use_hmac_extension || cred_protect_policy.is_some();
let rp_id = rp.rp_id; let rp_id = rp.rp_id;
let rp_id_hash = Sha256::hash(rp_id.as_bytes());
if let Some(exclude_list) = exclude_list { if let Some(exclude_list) = exclude_list {
for cred_desc in exclude_list { for cred_desc in exclude_list {
if self if self
.persistent_store .persistent_store
.find_credential(&rp_id, &cred_desc.key_id, pin_uv_auth_param.is_none())? .find_credential(&rp_id, &cred_desc.key_id, pin_uv_auth_param.is_none())?
.is_some() .is_some()
|| self
.decrypt_credential_source(cred_desc.key_id, &rp_id_hash)?
.is_some()
{ {
// Perform this check, so bad actors can't brute force exclude_list // Perform this check, so bad actors can't brute force exclude_list
// without user interaction. // without user interaction.
@@ -446,7 +450,6 @@ where
let sk = crypto::ecdsa::SecKey::gensk(self.rng); let sk = crypto::ecdsa::SecKey::gensk(self.rng);
let pk = sk.genpk(); let pk = sk.genpk();
let rp_id_hash = Sha256::hash(rp_id.as_bytes());
let credential_id = if options.rk { let credential_id = if options.rk {
let random_id = self.rng.gen_uniform_u8x32().to_vec(); let random_id = self.rng.gen_uniform_u8x32().to_vec();
let credential_source = PublicKeyCredentialSource { let credential_source = PublicKeyCredentialSource {