kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

adds the PIN protocol trait (#292)

Browse Source 
* adds the PIN protocol trait

* improved documentation

* SharedSecret not mutable
This commit is contained in:
kaczmarczyck
2021-03-10 13:20:29 +01:00
committed by GitHub
parent 351e6c12c6
commit eb0a0770dd
7 changed files with 660 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

460
src/ctap/client_pin.rs
View File

@@ -14,17 +14,14 @@
use super::command::AuthenticatorClientPinParameters;
use super::data_formats::{ClientPinSubCommand, CoseKey, GetAssertionHmacSecretInput};
use super::pin_protocol::{verify_pin_uv_auth_token, PinProtocol, SharedSecret};
use super::response::{AuthenticatorClientPinResponse, ResponseData};
use super::status_code::Ctap2StatusCode;
use super::storage::PersistentStore;
use alloc::str;
use alloc::string::String;
use alloc::vec;
use alloc::vec::Vec;
use arrayref::array_ref;
use core::convert::TryInto;
use crypto::cbc::{cbc_decrypt, cbc_encrypt};
use crypto::hmac::{hmac_256, verify_hmac_256_first_128bits};
use crypto::hmac::hmac_256;
use crypto::rng256::Rng256;
use crypto::sha256::Sha256;
use crypto::Hash256;
@@ -32,123 +29,82 @@ use crypto::Hash256;
use enum_iterator::IntoEnumIterator;
use subtle::ConstantTimeEq;
// Those constants have to be multiples of 16, the AES block size.
/// The prefix length of the PIN hash that is stored and compared.
///
/// The code assumes that this value is a multiple of the AES block length, fits
/// an u8 and is at most as long as a SHA256. The value is fixed for all PIN
/// protocols.
pub const PIN_AUTH_LENGTH: usize = 16;
/// The length of the pinUvAuthToken used throughout PIN protocols.
///
/// The code assumes that this value is a multiple of the AES block length. It
/// is fixed since CTAP2.1.
pub const PIN_TOKEN_LENGTH: usize = 32;
/// The length of the encrypted PINs when received by SetPin or ChangePin.
///
/// The code assumes that this value is a multiple of the AES block length. It
/// is fixed since CTAP2.1.
const PIN_PADDED_LENGTH: usize = 64;
const PIN_TOKEN_LENGTH: usize = 32;
/// Checks the given pin_auth against the truncated output of HMAC-SHA256.
/// Returns LEFT(HMAC(hmac_key, hmac_contents), 16) == pin_auth).
fn verify_pin_auth(hmac_key: &[u8], hmac_contents: &[u8], pin_auth: &[u8]) -> bool {
if pin_auth.len() != PIN_AUTH_LENGTH {
return false;
}
verify_hmac_256_first_128bits::<Sha256>(
hmac_key,
hmac_contents,
array_ref![pin_auth, 0, PIN_AUTH_LENGTH],
)
}
/// Encrypts the HMAC-secret outputs. To compute them, we first have to
/// decrypt the HMAC secret salt(s) that were encrypted with the shared secret.
/// The credRandom is used as a secret to HMAC those salts.
/// Computes and encrypts the HMAC-secret outputs.
///
/// To compute them, we first have to decrypt the HMAC secret salt(s) that were
/// encrypted with the shared secret. The credRandom is used as a secret in HMAC
/// for those salts.
fn encrypt_hmac_secret_output(
shared_secret: &[u8; 32],
rng: &mut impl Rng256,
shared_secret: &dyn SharedSecret,
salt_enc: &[u8],
cred_random: &[u8; 32],
) -> Result<Vec<u8>, Ctap2StatusCode> {
if salt_enc.len() != 32 && salt_enc.len() != 64 {
let decrypted_salts = shared_secret.decrypt(salt_enc)?;
if decrypted_salts.len() != 32 && decrypted_salts.len() != 64 {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
// The specification specifically asks for a zero IV.
let iv = [0u8; 16];
// With the if clause restriction above, block_len can only be 2 or 4.
let block_len = salt_enc.len() / 16;
let mut blocks = vec![[0u8; 16]; block_len];
for i in 0..block_len {
blocks[i].copy_from_slice(&salt_enc[16 * i..16 * (i + 1)]);
let mut output = hmac_256::<Sha256>(&cred_random[..], &decrypted_salts[..32]).to_vec();
if decrypted_salts.len() == 64 {
let mut output2 = hmac_256::<Sha256>(&cred_random[..], &decrypted_salts[32..]).to_vec();
output.append(&mut output2);
}
cbc_decrypt(&aes_dec_key, iv, &mut blocks[..block_len]);
let mut decrypted_salt1 = [0u8; 32];
decrypted_salt1[..16].copy_from_slice(&blocks[0]);
decrypted_salt1[16..].copy_from_slice(&blocks[1]);
let output1 = hmac_256::<Sha256>(&cred_random[..], &decrypted_salt1[..]);
for i in 0..2 {
blocks[i].copy_from_slice(&output1[16 * i..16 * (i + 1)]);
}
if block_len == 4 {
let mut decrypted_salt2 = [0u8; 32];
decrypted_salt2[..16].copy_from_slice(&blocks[2]);
decrypted_salt2[16..].copy_from_slice(&blocks[3]);
let output2 = hmac_256::<Sha256>(&cred_random[..], &decrypted_salt2[..]);
for i in 0..2 {
blocks[i + 2].copy_from_slice(&output2[16 * i..16 * (i + 1)]);
}
}
cbc_encrypt(&aes_enc_key, iv, &mut blocks[..block_len]);
let mut encrypted_output = Vec::with_capacity(salt_enc.len());
for b in &blocks[..block_len] {
encrypted_output.extend(b);
}
Ok(encrypted_output)
shared_secret.encrypt(rng, &output)
}
/// Decrypts the new_pin_enc and outputs the found PIN.
fn decrypt_pin(
aes_dec_key: &crypto::aes256::DecryptionKey,
shared_secret: &dyn SharedSecret,
new_pin_enc: Vec<u8>,
) -> Option<Vec<u8>> {
if new_pin_enc.len() != PIN_PADDED_LENGTH {
return None;
) -> Result<Vec<u8>, Ctap2StatusCode> {
let decrypted_pin = shared_secret.decrypt(&new_pin_enc)?;
if decrypted_pin.len() != PIN_PADDED_LENGTH {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
let iv = [0u8; 16];
// Assuming PIN_PADDED_LENGTH % block_size == 0 here.
const BLOCK_COUNT: usize = PIN_PADDED_LENGTH / 16;
let mut blocks = [[0u8; 16]; BLOCK_COUNT];
for i in 0..BLOCK_COUNT {
blocks[i].copy_from_slice(&new_pin_enc[i * 16..(i + 1) * 16]);
}
cbc_decrypt(aes_dec_key, iv, &mut blocks);
// In CTAP 2.1, the specification changed. The new wording might lead to
// different behavior when there are non-zero bytes after zero bytes.
// This implementation consistently ignores those degenerate cases.
Some(
blocks
.iter()
.flatten()
.cloned()
.take_while(|&c| c != 0)
.collect::<Vec<u8>>(),
)
Ok(decrypted_pin.into_iter().take_while(|&c| c != 0).collect())
}
/// Stores the encrypted new PIN in the persistent storage, if it satisfies the
/// PIN policy. The PIN is decrypted and stripped from its padding. Next, the
/// length of the PIN is checked to fulfill policy requirements. Last, the PIN
/// is hashed, truncated to 16 bytes and persistently stored.
/// Stores a hash prefix of the new PIN in the persistent storage, if correct.
///
/// The new PIN is passed encrypted, so it is first decrypted and stripped from
/// padding. Next, it is checked against the PIN policy. Last, it is hashed and
/// truncated for persistent storage.
fn check_and_store_new_pin(
persistent_store: &mut PersistentStore,
aes_dec_key: &crypto::aes256::DecryptionKey,
shared_secret: &dyn SharedSecret,
new_pin_enc: Vec<u8>,
) -> Result<(), Ctap2StatusCode> {
let pin = decrypt_pin(aes_dec_key, new_pin_enc)
.ok_or(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION)?;
let pin = decrypt_pin(shared_secret, new_pin_enc)?;
let min_pin_length = persistent_store.min_pin_length()? as usize;
let pin_length = str::from_utf8(&pin).unwrap_or("").chars().count();
if pin_length < min_pin_length || pin.len() == PIN_PADDED_LENGTH {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION);
}
let mut pin_hash = [0u8; 16];
pin_hash.copy_from_slice(&Sha256::hash(&pin[..])[..16]);
// The PIN length is always < 64.
let mut pin_hash = [0u8; PIN_AUTH_LENGTH];
pin_hash.copy_from_slice(&Sha256::hash(&pin[..])[..PIN_AUTH_LENGTH]);
// The PIN length is always < PIN_PADDED_LENGTH < 256.
persistent_store.set_pin(&pin_hash, pin_length as u8)?;
Ok(())
}
@@ -167,8 +123,7 @@ pub enum PinPermission {
}
pub struct ClientPin {
key_agreement_key: crypto::ecdh::SecKey,
pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH],
pin_protocol_v1: PinProtocol,
consecutive_pin_mismatches: u8,
permissions: u8,
permissions_rp_id: Option<String>,
@@ -176,17 +131,16 @@ pub struct ClientPin {
impl ClientPin {
pub fn new(rng: &mut impl Rng256) -> ClientPin {
let key_agreement_key = crypto::ecdh::SecKey::gensk(rng);
let pin_uv_auth_token = rng.gen_uniform_u8x32();
ClientPin {
key_agreement_key,
pin_uv_auth_token,
pin_protocol_v1: PinProtocol::new(rng),
consecutive_pin_mismatches: 0,
permissions: 0,
permissions_rp_id: None,
}
}
/// Checks the given encrypted PIN hash against the stored PIN hash.
///
/// Decrypts the encrypted pin_hash and compares it to the stored pin_hash.
/// Resets or decreases the PIN retries, depending on success or failure.
/// Also, in case of failure, the key agreement key is randomly reset.
@@ -194,7 +148,7 @@ impl ClientPin {
&mut self,
rng: &mut impl Rng256,
persistent_store: &mut PersistentStore,
aes_dec_key: &crypto::aes256::DecryptionKey,
shared_secret: &dyn SharedSecret,
pin_hash_enc: Vec<u8>,
) -> Result<(), Ctap2StatusCode> {
match persistent_store.pin_hash()? {
@@ -206,14 +160,10 @@ impl ClientPin {
if pin_hash_enc.len() != PIN_AUTH_LENGTH {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID);
}
let pin_hash_dec = shared_secret.decrypt(&pin_hash_enc)?;
let iv = [0u8; 16];
let mut blocks = [[0u8; 16]; 1];
blocks[0].copy_from_slice(&pin_hash_enc);
cbc_decrypt(aes_dec_key, iv, &mut blocks);
if !bool::from(pin_hash.ct_eq(&blocks[0])) {
self.key_agreement_key = crypto::ecdh::SecKey::gensk(rng);
if !bool::from(pin_hash.ct_eq(&pin_hash_dec)) {
self.pin_protocol_v1.regenerate(rng);
if persistent_store.pin_retries()? == 0 {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED);
}
@@ -232,26 +182,6 @@ impl ClientPin {
Ok(())
}
/// Uses the self-owned and passed halves of the key agreement to generate the
/// shared secret for checking pin_auth and generating a decryption key.
fn exchange_decryption_key(
&self,
key_agreement: CoseKey,
pin_auth: &[u8],
authenticated_message: &[u8],
) -> Result<crypto::aes256::DecryptionKey, Ctap2StatusCode> {
let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?;
let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk);
if !verify_pin_auth(&shared_secret, authenticated_message, pin_auth) {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
Ok(aes_dec_key)
}
fn process_get_pin_retries(
&self,
persistent_store: &PersistentStore,
@@ -264,9 +194,8 @@ impl ClientPin {
}
fn process_get_key_agreement(&self) -> Result<AuthenticatorClientPinResponse, Ctap2StatusCode> {
let pk = self.key_agreement_key.genpk();
Ok(AuthenticatorClientPinResponse {
key_agreement: Some(CoseKey::from(pk)),
key_agreement: Some(self.pin_protocol_v1.get_public_key()),
pin_token: None,
retries: None,
})
@@ -282,9 +211,10 @@ impl ClientPin {
if persistent_store.pin_hash()?.is_some() {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
let pin_decryption_key =
self.exchange_decryption_key(key_agreement, &pin_auth, &new_pin_enc)?;
check_and_store_new_pin(persistent_store, &pin_decryption_key, new_pin_enc)?;
let shared_secret = self.pin_protocol_v1.decapsulate(key_agreement, 1)?;
shared_secret.verify(&new_pin_enc, &pin_auth)?;
check_and_store_new_pin(persistent_store, shared_secret.as_ref(), new_pin_enc)?;
persistent_store.reset_pin_retries()?;
Ok(())
}
@@ -301,14 +231,14 @@ impl ClientPin {
if persistent_store.pin_retries()? == 0 {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED);
}
let shared_secret = self.pin_protocol_v1.decapsulate(key_agreement, 1)?;
let mut auth_param_data = new_pin_enc.clone();
auth_param_data.extend(&pin_hash_enc);
let pin_decryption_key =
self.exchange_decryption_key(key_agreement, &pin_auth, &auth_param_data)?;
self.verify_pin_hash_enc(rng, persistent_store, &pin_decryption_key, pin_hash_enc)?;
shared_secret.verify(&auth_param_data, &pin_auth)?;
self.verify_pin_hash_enc(rng, persistent_store, shared_secret.as_ref(), pin_hash_enc)?;
check_and_store_new_pin(persistent_store, &pin_decryption_key, new_pin_enc)?;
self.pin_uv_auth_token = rng.gen_uniform_u8x32();
check_and_store_new_pin(persistent_store, shared_secret.as_ref(), new_pin_enc)?;
self.pin_protocol_v1.reset_pin_uv_auth_token(rng);
Ok(())
}
@@ -322,26 +252,13 @@ impl ClientPin {
if persistent_store.pin_retries()? == 0 {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED);
}
let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?;
let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk);
let token_encryption_key = crypto::aes256::EncryptionKey::new(&shared_secret);
let pin_decryption_key = crypto::aes256::DecryptionKey::new(&token_encryption_key);
self.verify_pin_hash_enc(rng, persistent_store, &pin_decryption_key, pin_hash_enc)?;
// TODO(kaczmarczyck) can this be moved up in the specification?
let shared_secret = self.pin_protocol_v1.decapsulate(key_agreement, 1)?;
self.verify_pin_hash_enc(rng, persistent_store, shared_secret.as_ref(), pin_hash_enc)?;
if persistent_store.has_force_pin_change()? {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID);
}
// Assuming PIN_TOKEN_LENGTH % block_size == 0 here.
let iv = [0u8; 16];
let mut blocks = [[0u8; 16]; PIN_TOKEN_LENGTH / 16];
for (i, item) in blocks.iter_mut().take(PIN_TOKEN_LENGTH / 16).enumerate() {
item.copy_from_slice(&self.pin_uv_auth_token[i * 16..(i + 1) * 16]);
}
cbc_encrypt(&token_encryption_key, iv, &mut blocks);
let pin_token: Vec<u8> = blocks.iter().flatten().cloned().collect();
let pin_token = shared_secret.encrypt(rng, self.pin_protocol_v1.get_pin_uv_auth_token())?;
self.permissions = 0x03;
self.permissions_rp_id = None;
@@ -469,13 +386,23 @@ impl ClientPin {
Ok(ResponseData::AuthenticatorClientPin(response))
}
pub fn verify_pin_auth_token(&self, hmac_contents: &[u8], pin_auth: &[u8]) -> bool {
verify_pin_auth(&self.pin_uv_auth_token, &hmac_contents, &pin_auth)
pub fn verify_pin_auth_token(
&self,
hmac_contents: &[u8],
pin_auth: &[u8],
) -> Result<(), Ctap2StatusCode> {
// TODO(kaczmarczyck) pass the protocol number
verify_pin_uv_auth_token(
self.pin_protocol_v1.get_pin_uv_auth_token(),
hmac_contents,
pin_auth,
1,
)
}
pub fn reset(&mut self, rng: &mut impl Rng256) {
self.key_agreement_key = crypto::ecdh::SecKey::gensk(rng);
self.pin_uv_auth_token = rng.gen_uniform_u8x32();
self.pin_protocol_v1.regenerate(rng);
self.pin_protocol_v1.reset_pin_uv_auth_token(rng);
self.consecutive_pin_mismatches = 0;
self.permissions = 0;
self.permissions_rp_id = None;
@@ -483,6 +410,7 @@ impl ClientPin {
pub fn process_hmac_secret(
&self,
rng: &mut impl Rng256,
hmac_secret_input: GetAssertionHmacSecretInput,
cred_random: &[u8; 32],
) -> Result<Vec<u8>, Ctap2StatusCode> {
@@ -491,14 +419,9 @@ impl ClientPin {
salt_enc,
salt_auth,
} = hmac_secret_input;
let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?;
let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk);
// HMAC-secret does the same 16 byte truncated check.
if !verify_pin_auth(&shared_secret, &salt_enc, &salt_auth) {
// Hard to tell what the correct error code here is.
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
encrypt_hmac_secret_output(&shared_secret, &salt_enc[..], cred_random)
let shared_secret = self.pin_protocol_v1.decapsulate(key_agreement, 1)?;
shared_secret.verify(&salt_enc, &salt_auth)?;
encrypt_hmac_secret_output(rng, shared_secret.as_ref(), &salt_enc[..], cred_random)
}
/// Check if the required command's token permission is granted.
@@ -560,8 +483,7 @@ impl ClientPin {
pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH],
) -> ClientPin {
ClientPin {
key_agreement_key,
pin_uv_auth_token,
pin_protocol_v1: PinProtocol::new_test(key_agreement_key, pin_uv_auth_token),
consecutive_pin_mismatches: 0,
permissions: 0xFF,
permissions_rp_id: None,
@@ -571,10 +493,12 @@ impl ClientPin {
#[cfg(test)]
mod test {
use super::super::pin_protocol::SharedSecretV1;
use super::*;
use alloc::vec;
use crypto::rng256::ThreadRng256;
// Stores a PIN hash corresponding to the dummy PIN "1234".
/// Stores a PIN hash corresponding to the dummy PIN "1234".
fn set_standard_pin(persistent_store: &mut PersistentStore) {
let mut pin = [0u8; 64];
pin[..4].copy_from_slice(b"1234");
@@ -583,36 +507,20 @@ mod test {
persistent_store.set_pin(&pin_hash, 4).unwrap();
}
// Encrypts the message with a zero IV and key derived from shared_secret.
/// Encrypts the message with a zero IV and key derived from shared_secret.
fn encrypt_message(shared_secret: &[u8; 32], message: &[u8]) -> Vec<u8> {
assert!(message.len() % 16 == 0);
let block_len = message.len() / 16;
let mut blocks = vec![[0u8; 16]; block_len];
for i in 0..block_len {
blocks[i][..].copy_from_slice(&message[i * 16..(i + 1) * 16]);
}
let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret);
let iv = [0u8; 16];
cbc_encrypt(&aes_enc_key, iv, &mut blocks);
blocks.iter().flatten().cloned().collect::<Vec<u8>>()
let mut rng = ThreadRng256 {};
let shared_secret = SharedSecretV1::new_test(*shared_secret);
shared_secret.encrypt(&mut rng, message).unwrap()
}
// Decrypts the message with a zero IV and key derived from shared_secret.
/// Decrypts the message with a zero IV and key derived from shared_secret.
fn decrypt_message(shared_secret: &[u8; 32], message: &[u8]) -> Vec<u8> {
assert!(message.len() % 16 == 0);
let block_len = message.len() / 16;
let mut blocks = vec![[0u8; 16]; block_len];
for i in 0..block_len {
blocks[i][..].copy_from_slice(&message[i * 16..(i + 1) * 16]);
}
let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
let iv = [0u8; 16];
cbc_decrypt(&aes_dec_key, iv, &mut blocks);
blocks.iter().flatten().cloned().collect::<Vec<u8>>()
let shared_secret = SharedSecretV1::new_test(*shared_secret);
shared_secret.decrypt(message).unwrap()
}
// Fails on PINs bigger than 64 bytes.
/// Fails on PINs bigger than 64 bytes.
fn encrypt_pin(shared_secret: &[u8; 32], pin: Vec<u8>) -> Vec<u8> {
assert!(pin.len() <= 64);
let mut padded_pin = [0u8; 64];
@@ -620,12 +528,12 @@ mod test {
encrypt_message(shared_secret, &padded_pin)
}
// Encrypts the dummy PIN "1234".
/// Encrypts the dummy PIN "1234".
fn encrypt_standard_pin(shared_secret: &[u8; 32]) -> Vec<u8> {
encrypt_pin(shared_secret, b"1234".to_vec())
}
// Encrypts the PIN hash corresponding to the dummy PIN "1234".
/// Encrypts the PIN hash corresponding to the dummy PIN "1234".
fn encrypt_standard_pin_hash(shared_secret: &[u8; 32]) -> Vec<u8> {
let mut pin = [0u8; 64];
pin[..4].copy_from_slice(b"1234");
@@ -643,9 +551,7 @@ mod test {
0xC4, 0x12,
];
persistent_store.set_pin(&pin_hash, 4).unwrap();
let shared_secret = [0x88; 32];
let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
let shared_secret = SharedSecretV1::new_test([0x88; 32]);
let mut client_pin = ClientPin::new(&mut rng);
let pin_hash_enc = vec![
@@ -656,7 +562,7 @@ mod test {
client_pin.verify_pin_hash_enc(
&mut rng,
&mut persistent_store,
&aes_dec_key,
&shared_secret,
pin_hash_enc
),
Ok(())
@@ -667,7 +573,7 @@ mod test {
client_pin.verify_pin_hash_enc(
&mut rng,
&mut persistent_store,
&aes_dec_key,
&shared_secret,
pin_hash_enc
),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID)
@@ -682,7 +588,7 @@ mod test {
client_pin.verify_pin_hash_enc(
&mut rng,
&mut persistent_store,
&aes_dec_key,
&shared_secret,
pin_hash_enc
),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_BLOCKED)
@@ -694,7 +600,7 @@ mod test {
client_pin.verify_pin_hash_enc(
&mut rng,
&mut persistent_store,
&aes_dec_key,
&shared_secret,
pin_hash_enc
),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID)
@@ -705,7 +611,7 @@ mod test {
client_pin.verify_pin_hash_enc(
&mut rng,
&mut persistent_store,
&aes_dec_key,
&shared_secret,
pin_hash_enc
),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID)
@@ -731,8 +637,10 @@ mod test {
#[test]
fn test_process_get_key_agreement() {
let mut rng = ThreadRng256 {};
let client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let expected_response = Ok(AuthenticatorClientPinResponse {
key_agreement: Some(CoseKey::from(pk)),
pin_token: None,
@@ -745,9 +653,12 @@ mod test {
fn test_process_set_pin() {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let new_pin_enc = encrypt_standard_pin(&shared_secret);
let pin_auth = hmac_256::<Sha256>(&shared_secret, &new_pin_enc[..])[..16].to_vec();
@@ -762,14 +673,18 @@ mod test {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
set_standard_pin(&mut persistent_store);
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let new_pin_enc = encrypt_standard_pin(&shared_secret);
let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret);
let mut auth_param_data = new_pin_enc.clone();
auth_param_data.extend(&pin_hash_enc);
let pin_auth = hmac_256::<Sha256>(&shared_secret, &auth_param_data[..])[..16].to_vec();
assert_eq!(
client_pin.process_change_pin(
@@ -817,10 +732,14 @@ mod test {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
set_standard_pin(&mut persistent_store);
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret);
assert!(client_pin
.process_get_pin_token(
@@ -849,10 +768,14 @@ mod test {
let mut persistent_store = PersistentStore::new(&mut rng);
set_standard_pin(&mut persistent_store);
assert_eq!(persistent_store.force_pin_change(), Ok(()));
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret);
assert_eq!(
client_pin.process_get_pin_token(
@@ -870,10 +793,14 @@ mod test {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
set_standard_pin(&mut persistent_store);
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret);
assert!(client_pin
.process_get_pin_uv_auth_token_using_pin_with_permissions(
@@ -935,10 +862,14 @@ mod test {
let mut persistent_store = PersistentStore::new(&mut rng);
set_standard_pin(&mut persistent_store);
assert_eq!(persistent_store.force_pin_change(), Ok(()));
let mut client_pin = ClientPin::new(&mut rng);
let pk = client_pin.key_agreement_key.genpk();
let shared_secret = client_pin.key_agreement_key.exchange_x_sha256(&pk);
let key_agreement_key = crypto::ecdh::SecKey::gensk(&mut rng);
let pk = key_agreement_key.genpk();
let pre_secret = key_agreement_key.exchange_x(&pk);
let pin_uv_auth_token = [0x91; PIN_TOKEN_LENGTH];
let mut client_pin = ClientPin::new_test(key_agreement_key, pin_uv_auth_token);
let shared_secret = Sha256::hash(&pre_secret);
let key_agreement = CoseKey::from(pk);
let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret);
assert_eq!(
client_pin.process_get_pin_uv_auth_token_using_pin_with_permissions(
@@ -991,9 +922,7 @@ mod test {
#[test]
fn test_decrypt_pin() {
let shared_secret = [0x88; 32];
let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
let shared_secret = SharedSecretV1::new_test([0x88; 32]);
// "1234"
let new_pin_enc = vec![
@@ -1004,8 +933,8 @@ mod test {
0x18, 0x35, 0x06, 0x66, 0x97, 0x84, 0x68, 0xC2,
];
assert_eq!(
decrypt_pin(&aes_dec_key, new_pin_enc),
Some(b"1234".to_vec()),
decrypt_pin(&shared_secret, new_pin_enc),
Ok(b"1234".to_vec()),
);
// "123"
@@ -1017,26 +946,31 @@ mod test {
0x7C, 0xC7, 0x2D, 0x43, 0x74, 0x4C, 0x1D, 0x7E,
];
assert_eq!(
decrypt_pin(&aes_dec_key, new_pin_enc),
Some(b"123".to_vec()),
decrypt_pin(&shared_secret, new_pin_enc),
Ok(b"123".to_vec()),
);
// Encrypted PIN is too short.
let new_pin_enc = vec![0x44; 63];
assert_eq!(decrypt_pin(&aes_dec_key, new_pin_enc), None,);
assert_eq!(
decrypt_pin(&shared_secret, new_pin_enc),
Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
);
// Encrypted PIN is too long.
let new_pin_enc = vec![0x44; 65];
assert_eq!(decrypt_pin(&aes_dec_key, new_pin_enc), None,);
assert_eq!(
decrypt_pin(&shared_secret, new_pin_enc),
Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
);
}
#[test]
fn test_check_and_store_new_pin() {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
let shared_secret = [0x88; 32];
let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret);
let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key);
let shared_secret_hash = [0x88; 32];
let shared_secret = SharedSecretV1::new_test(shared_secret_hash);
let test_cases = vec![
// Accept PIN "1234".
@@ -1059,9 +993,9 @@ mod test {
];
for (pin, result) in test_cases {
let old_pin_hash = persistent_store.pin_hash().unwrap();
let new_pin_enc = encrypt_pin(&shared_secret, pin);
let new_pin_enc = encrypt_pin(&shared_secret_hash, pin);
assert_eq!(
check_and_store_new_pin(&mut persistent_store, &aes_dec_key, new_pin_enc),
check_and_store_new_pin(&mut persistent_store, &shared_secret, new_pin_enc),
result
);
if result.is_ok() {
@@ -1072,31 +1006,22 @@ mod test {
}
}
#[test]
fn test_verify_pin_auth() {
let hmac_key = [0x88; 16];
let pin_auth = [
0x88, 0x09, 0x41, 0x13, 0xF7, 0x97, 0x32, 0x0B, 0x3E, 0xD9, 0xBC, 0x76, 0x4F, 0x18,
0x56, 0x5D,
];
assert!(verify_pin_auth(&hmac_key, &[], &pin_auth));
assert!(!verify_pin_auth(&hmac_key, &[0x00], &pin_auth));
}
#[test]
fn test_encrypt_hmac_secret_output() {
let shared_secret = [0x55; 32];
let mut rng = ThreadRng256 {};
let shared_secret_hash = [0x88; 32];
let shared_secret = SharedSecretV1::new_test(shared_secret_hash);
let salt_enc = [0x5E; 32];
let cred_random = [0xC9; 32];
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random);
let output = encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random);
assert_eq!(output.unwrap().len(), 32);
let salt_enc = [0x5E; 48];
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random);
let output = encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random);
assert_eq!(output, Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER));
let salt_enc = [0x5E; 64];
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random);
let output = encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random);
assert_eq!(output.unwrap().len(), 64);
let mut salt_enc = [0x00; 32];
@@ -1108,45 +1033,50 @@ mod test {
let expected_output1 = hmac_256::<Sha256>(&cred_random, &salt1);
let expected_output2 = hmac_256::<Sha256>(&cred_random, &salt2);
let salt_enc1 = encrypt_message(&shared_secret, &salt1);
let salt_enc1 = encrypt_message(&shared_secret_hash, &salt1);
salt_enc.copy_from_slice(salt_enc1.as_slice());
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret, &output);
let output =
encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret_hash, &output);
assert_eq!(&output_dec, &expected_output1);
let salt_enc2 = &encrypt_message(&shared_secret, &salt2);
let salt_enc2 = &encrypt_message(&shared_secret_hash, &salt2);
salt_enc.copy_from_slice(salt_enc2.as_slice());
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret, &output);
let output =
encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret_hash, &output);
assert_eq!(&output_dec, &expected_output2);
let mut salt_enc = [0x00; 64];
let mut salt12 = [0x00; 64];
salt12[..32].copy_from_slice(&salt1);
salt12[32..].copy_from_slice(&salt2);
let salt_enc12 = encrypt_message(&shared_secret, &salt12);
let salt_enc12 = encrypt_message(&shared_secret_hash, &salt12);
salt_enc.copy_from_slice(salt_enc12.as_slice());
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret, &output);
let output =
encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret_hash, &output);
assert_eq!(&output_dec[..32], &expected_output1);
assert_eq!(&output_dec[32..], &expected_output2);
let mut salt_enc = [0x00; 64];
let mut salt02 = [0x00; 64];
salt02[32..].copy_from_slice(&salt2);
let salt_enc02 = encrypt_message(&shared_secret, &salt02);
let salt_enc02 = encrypt_message(&shared_secret_hash, &salt02);
salt_enc.copy_from_slice(salt_enc02.as_slice());
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret, &output);
let output =
encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret_hash, &output);
assert_eq!(&output_dec[32..], &expected_output2);
let mut salt_enc = [0x00; 64];
let mut salt10 = [0x00; 64];
salt10[..32].copy_from_slice(&salt1);
let salt_enc10 = encrypt_message(&shared_secret, &salt10);
let salt_enc10 = encrypt_message(&shared_secret_hash, &salt10);
salt_enc.copy_from_slice(salt_enc10.as_slice());
let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret, &output);
let output =
encrypt_hmac_secret_output(&mut rng, &shared_secret, &salt_enc, &cred_random).unwrap();
let output_dec = decrypt_message(&shared_secret_hash, &output);
assert_eq!(&output_dec[..32], &expected_output1);
}

4
src/ctap/config_command.rs
View File

@@ -103,9 +103,7 @@ pub fn process_config(
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
}
if !client_pin.verify_pin_auth_token(&config_data, &auth_param) {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
client_pin.verify_pin_auth_token(&config_data, &auth_param)?;
}
match sub_command {

4
src/ctap/credential_management.rs
View File

@@ -290,9 +290,7 @@ pub fn process_credential_management(
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
}
if !client_pin.verify_pin_auth_token(&management_data, &pin_auth) {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
client_pin.verify_pin_auth_token(&management_data, &pin_auth)?;
// The RP ID permission is handled differently per subcommand below.
client_pin.has_permission(PinPermission::CredentialManagement)?;
}

4
src/ctap/large_blobs.rs
View File

@@ -101,9 +101,7 @@ impl LargeBlobs {
LittleEndian::write_u32(&mut offset_bytes, offset as u32);
message.extend(&offset_bytes);
message.extend(&Sha256::hash(set.as_slice()));
if !client_pin.verify_pin_auth_token(&message, &pin_uv_auth_param) {
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
client_pin.verify_pin_auth_token(&message, &pin_uv_auth_param)?;
}
if offset + set.len() > self.expected_length {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);

26
src/ctap/mod.rs
View File

@@ -24,6 +24,7 @@ pub mod data_formats;
pub mod hid;
mod key_material;
mod large_blobs;
mod pin_protocol;
pub mod response;
pub mod status_code;
mod storage;
@@ -648,12 +649,8 @@ where
// Specification is unclear, could be CTAP2_ERR_INVALID_OPTION.
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_NOT_SET);
}
if !self
.client_pin
.verify_pin_auth_token(&client_data_hash, &pin_auth)
{
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
self.client_pin
.verify_pin_auth_token(&client_data_hash, &pin_auth)?;
self.client_pin
.has_permission(PinPermission::MakeCredential)?;
self.client_pin.ensure_rp_id_permission(&rp_id)?;
@@ -816,10 +813,11 @@ where
if extensions.hmac_secret.is_some() || extensions.cred_blob {
let encrypted_output = if let Some(hmac_secret_input) = extensions.hmac_secret {
let cred_random = self.generate_cred_random(&credential.private_key, has_uv)?;
Some(
self.client_pin
.process_hmac_secret(hmac_secret_input, &cred_random)?,
)
Some(self.client_pin.process_hmac_secret(
self.rng,
hmac_secret_input,
&cred_random,
)?)
} else {
None
};
@@ -939,12 +937,8 @@ where
// Specification is unclear, could be CTAP2_ERR_UNSUPPORTED_OPTION.
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_NOT_SET);
}
if !self
.client_pin
.verify_pin_auth_token(&client_data_hash, &pin_auth)
{
return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID);
}
self.client_pin
.verify_pin_auth_token(&client_data_hash, &pin_auth)?;
self.client_pin
.has_permission(PinPermission::GetAssertion)?;
self.client_pin.ensure_rp_id_permission(&rp_id)?;

443
src/ctap/pin_protocol.rs Normal file
View File

@@ -0,0 +1,443 @@
// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use crate::ctap::client_pin::PIN_TOKEN_LENGTH;
use crate::ctap::data_formats::CoseKey;
use crate::ctap::status_code::Ctap2StatusCode;
use alloc::boxed::Box;
use alloc::vec;
use alloc::vec::Vec;
use core::convert::TryInto;
use crypto::cbc::{cbc_decrypt, cbc_encrypt};
use crypto::hkdf::hkdf_empty_salt_256;
use crypto::hmac::{verify_hmac_256, verify_hmac_256_first_128bits};
use crypto::rng256::Rng256;
use crypto::sha256::Sha256;
use crypto::Hash256;
/// Implements common functions between existing PIN protocols for handshakes.
pub struct PinProtocol {
key_agreement_key: crypto::ecdh::SecKey,
pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH],
}
impl PinProtocol {
/// This process is run by the authenticator at power-on.
///
/// This function implements "initialize" from the specification.
pub fn new(rng: &mut impl Rng256) -> PinProtocol {
let key_agreement_key = crypto::ecdh::SecKey::gensk(rng);
let pin_uv_auth_token = rng.gen_uniform_u8x32();
PinProtocol {
key_agreement_key,
pin_uv_auth_token,
}
}
/// Generates a fresh public key.
pub fn regenerate(&mut self, rng: &mut impl Rng256) {
self.key_agreement_key = crypto::ecdh::SecKey::gensk(rng);
}
/// Generates a fresh pinUvAuthToken.
pub fn reset_pin_uv_auth_token(&mut self, rng: &mut impl Rng256) {
self.pin_uv_auth_token = rng.gen_uniform_u8x32();
}
/// Returns the authenticators public key as a CoseKey structure.
pub fn get_public_key(&self) -> CoseKey {
CoseKey::from(self.key_agreement_key.genpk())
}
/// Processes the peer's encapsulated CoseKey and returns the shared secret.
pub fn decapsulate(
&self,
peer_cose_key: CoseKey,
pin_uv_auth_protocol: u64,
) -> Result<Box<dyn SharedSecret>, Ctap2StatusCode> {
let pk: crypto::ecdh::PubKey = CoseKey::try_into(peer_cose_key)?;
let handshake = self.key_agreement_key.exchange_x(&pk);
match pin_uv_auth_protocol {
1 => Ok(Box::new(SharedSecretV1::new(handshake))),
2 => Ok(Box::new(SharedSecretV2::new(handshake))),
_ => Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER),
}
}
/// Getter for pinUvAuthToken.
pub fn get_pin_uv_auth_token(&self) -> &[u8; PIN_TOKEN_LENGTH] {
&self.pin_uv_auth_token
}
/// This is used for debugging to inject key material.
#[cfg(test)]
pub fn new_test(
key_agreement_key: crypto::ecdh::SecKey,
pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH],
) -> PinProtocol {
PinProtocol {
key_agreement_key,
pin_uv_auth_token,
}
}
}
/// Verifies the pinUvAuthToken for the given PIN protocol.
pub fn verify_pin_uv_auth_token(
token: &[u8; PIN_TOKEN_LENGTH],
message: &[u8],
signature: &[u8],
pin_uv_auth_protocol: u64,
) -> Result<(), Ctap2StatusCode> {
match pin_uv_auth_protocol {
1 => verify_v1(token, message, signature),
2 => verify_v2(token, message, signature),
_ => Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER),
}
}
pub trait SharedSecret {
/// Returns the encrypted plaintext.
fn encrypt(&self, rng: &mut dyn Rng256, plaintext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode>;
/// Returns the decrypted ciphertext.
fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode>;
/// Verifies that the signature is a valid MAC for the given message.
fn verify(&self, message: &[u8], signature: &[u8]) -> Result<(), Ctap2StatusCode>;
}
fn aes256_cbc_encrypt(
rng: &mut dyn Rng256,
aes_enc_key: &crypto::aes256::EncryptionKey,
plaintext: &[u8],
has_iv: bool,
) -> Result<Vec<u8>, Ctap2StatusCode> {
if plaintext.len() % 16 != 0 {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
let iv = if has_iv {
let random_bytes = rng.gen_uniform_u8x32();
*array_ref!(random_bytes, 0, 16)
} else {
[0u8; 16]
};
let mut blocks = Vec::with_capacity(plaintext.len() / 16);
// TODO(https://github.com/rust-lang/rust/issues/74985) Use array_chunks when stable.
for block in plaintext.chunks_exact(16) {
blocks.push(*array_ref!(block, 0, 16));
}
cbc_encrypt(aes_enc_key, iv, &mut blocks);
let mut ciphertext = if has_iv { iv.to_vec() } else { vec![] };
ciphertext.extend(blocks.iter().flatten());
Ok(ciphertext)
}
fn aes256_cbc_decrypt(
aes_enc_key: &crypto::aes256::EncryptionKey,
ciphertext: &[u8],
has_iv: bool,
) -> Result<Vec<u8>, Ctap2StatusCode> {
if ciphertext.len() % 16 != 0 {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
let mut block_len = ciphertext.len() / 16;
// TODO(https://github.com/rust-lang/rust/issues/74985) Use array_chunks when stable.
let mut block_iter = ciphertext.chunks_exact(16);
let iv = if has_iv {
block_len -= 1;
let iv_block = block_iter
.next()
.ok_or(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)?;
*array_ref!(iv_block, 0, 16)
} else {
[0u8; 16]
};
let mut blocks = Vec::with_capacity(block_len);
for block in block_iter {
blocks.push(*array_ref!(block, 0, 16));
}
let aes_dec_key = crypto::aes256::DecryptionKey::new(aes_enc_key);
cbc_decrypt(&aes_dec_key, iv, &mut blocks);
Ok(blocks.iter().flatten().cloned().collect::<Vec<u8>>())
}
fn verify_v1(key: &[u8], message: &[u8], signature: &[u8]) -> Result<(), Ctap2StatusCode> {
if signature.len() != 16 {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
if verify_hmac_256_first_128bits::<Sha256>(key, message, array_ref![signature, 0, 16]) {
Ok(())
} else {
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
}
}
fn verify_v2(key: &[u8], message: &[u8], signature: &[u8]) -> Result<(), Ctap2StatusCode> {
if signature.len() != 32 {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
if verify_hmac_256::<Sha256>(key, message, array_ref![signature, 0, 32]) {
Ok(())
} else {
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
}
}
pub struct SharedSecretV1 {
common_secret: [u8; 32],
aes_enc_key: crypto::aes256::EncryptionKey,
}
impl SharedSecretV1 {
/// Creates a new shared secret from the handshake result.
fn new(handshake: [u8; 32]) -> SharedSecretV1 {
let common_secret = Sha256::hash(&handshake);
let aes_enc_key = crypto::aes256::EncryptionKey::new(&common_secret);
SharedSecretV1 {
common_secret,
aes_enc_key,
}
}
/// Creates a new shared secret for testing.
#[cfg(test)]
pub fn new_test(hash: [u8; 32]) -> SharedSecretV1 {
let aes_enc_key = crypto::aes256::EncryptionKey::new(&hash);
SharedSecretV1 {
common_secret: hash,
aes_enc_key,
}
}
}
impl SharedSecret for SharedSecretV1 {
fn encrypt(&self, rng: &mut dyn Rng256, plaintext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode> {
aes256_cbc_encrypt(rng, &self.aes_enc_key, plaintext, false)
}
fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode> {
aes256_cbc_decrypt(&self.aes_enc_key, ciphertext, false)
}
fn verify(&self, message: &[u8], signature: &[u8]) -> Result<(), Ctap2StatusCode> {
verify_v1(&self.common_secret, message, signature)
}
}
pub struct SharedSecretV2 {
aes_enc_key: crypto::aes256::EncryptionKey,
hmac_key: [u8; 32],
}
impl SharedSecretV2 {
/// Creates a new shared secret from the handshake result.
fn new(handshake: [u8; 32]) -> SharedSecretV2 {
let aes_key = hkdf_empty_salt_256::<Sha256>(&handshake, b"CTAP2 AES key");
SharedSecretV2 {
aes_enc_key: crypto::aes256::EncryptionKey::new(&aes_key),
hmac_key: hkdf_empty_salt_256::<Sha256>(&handshake, b"CTAP2 HMAC key"),
}
}
}
impl SharedSecret for SharedSecretV2 {
fn encrypt(&self, rng: &mut dyn Rng256, plaintext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode> {
aes256_cbc_encrypt(rng, &self.aes_enc_key, plaintext, true)
}
fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>, Ctap2StatusCode> {
aes256_cbc_decrypt(&self.aes_enc_key, ciphertext, true)
}
fn verify(&self, message: &[u8], signature: &[u8]) -> Result<(), Ctap2StatusCode> {
verify_v2(&self.hmac_key, message, signature)
}
}
#[cfg(test)]
mod test {
use super::*;
use crypto::rng256::ThreadRng256;
#[test]
fn test_pin_protocol_public_key() {
let mut rng = ThreadRng256 {};
let mut pin_protocol = PinProtocol::new(&mut rng);
let public_key = pin_protocol.get_public_key();
pin_protocol.regenerate(&mut rng);
let new_public_key = pin_protocol.get_public_key();
assert_ne!(public_key, new_public_key);
}
#[test]
fn test_pin_protocol_pin_uv_auth_token() {
let mut rng = ThreadRng256 {};
let mut pin_protocol = PinProtocol::new(&mut rng);
let token = *pin_protocol.get_pin_uv_auth_token();
pin_protocol.reset_pin_uv_auth_token(&mut rng);
let new_token = pin_protocol.get_pin_uv_auth_token();
assert_ne!(&token, new_token);
}
#[test]
fn test_shared_secret_v1_encrypt_decrypt() {
let mut rng = ThreadRng256 {};
let shared_secret = SharedSecretV1::new([0x55; 32]);
let plaintext = vec![0xAA; 64];
let ciphertext = shared_secret.encrypt(&mut rng, &plaintext).unwrap();
assert_eq!(shared_secret.decrypt(&ciphertext), Ok(plaintext));
}
#[test]
fn test_shared_secret_v1_verify() {
let shared_secret = SharedSecretV1::new([0x55; 32]);
let message = [0xAA];
let signature = [
0x8B, 0x60, 0x15, 0x7D, 0xF3, 0x44, 0x82, 0x2E, 0x54, 0x34, 0x7A, 0x01, 0xFB, 0x02,
0x48, 0xA6,
];
assert_eq!(shared_secret.verify(&message, &signature), Ok(()));
assert_eq!(
shared_secret.verify(&[0xBB], &signature),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
shared_secret.verify(&message, &[0x12; 16]),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
}
#[test]
fn test_shared_secret_v2_encrypt_decrypt() {
let mut rng = ThreadRng256 {};
let shared_secret = SharedSecretV2::new([0x55; 32]);
let plaintext = vec![0xAA; 64];
let ciphertext = shared_secret.encrypt(&mut rng, &plaintext).unwrap();
assert_eq!(shared_secret.decrypt(&ciphertext), Ok(plaintext));
}
#[test]
fn test_shared_secret_v2_verify() {
let shared_secret = SharedSecretV2::new([0x55; 32]);
let message = [0xAA];
let signature = [
0xC0, 0x3F, 0x2A, 0x22, 0x5C, 0xC3, 0x4E, 0x05, 0xC1, 0x0E, 0x72, 0x9C, 0x8D, 0xD5,
0x7D, 0xE5, 0x98, 0x9C, 0x68, 0x15, 0xEC, 0xE2, 0x3A, 0x95, 0xD5, 0x90, 0xE1, 0xE9,
0x3F, 0xF0, 0x1A, 0xAF,
];
assert_eq!(shared_secret.verify(&message, &signature), Ok(()));
assert_eq!(
shared_secret.verify(&[0xBB], &signature),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
shared_secret.verify(&message, &[0x12; 32]),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
}
#[test]
fn test_decapsulate_invalid() {
let mut rng = ThreadRng256 {};
let pin_protocol = PinProtocol::new(&mut rng);
let shared_secret = pin_protocol.decapsulate(pin_protocol.get_public_key(), 3);
assert_eq!(
shared_secret.err(),
Some(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
);
}
#[test]
fn test_decapsulate_symmetric() {
let mut rng = ThreadRng256 {};
let pin_protocol1 = PinProtocol::new(&mut rng);
let pin_protocol2 = PinProtocol::new(&mut rng);
for protocol in 1..=2 {
let shared_secret1 = pin_protocol1
.decapsulate(pin_protocol2.get_public_key(), protocol)
.unwrap();
let shared_secret2 = pin_protocol2
.decapsulate(pin_protocol1.get_public_key(), protocol)
.unwrap();
let plaintext = vec![0xAA; 64];
let ciphertext = shared_secret1.encrypt(&mut rng, &plaintext).unwrap();
assert_eq!(plaintext, shared_secret2.decrypt(&ciphertext).unwrap());
}
}
#[test]
fn test_verify_pin_uv_auth_token_v1() {
let token = [0x91; PIN_TOKEN_LENGTH];
let message = [0xAA];
let signature = [
0x9C, 0x1C, 0xFE, 0x9D, 0xD7, 0x64, 0x6A, 0x06, 0xB9, 0xA8, 0x0F, 0x96, 0xAD, 0x50,
0x49, 0x68,
];
assert_eq!(
verify_pin_uv_auth_token(&token, &message, &signature, 1),
Ok(())
);
assert_eq!(
verify_pin_uv_auth_token(&[0x12; PIN_TOKEN_LENGTH], &message, &signature, 1),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
verify_pin_uv_auth_token(&token, &[0xBB], &signature, 1),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
verify_pin_uv_auth_token(&token, &message, &[0x12; 16], 1),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
}
#[test]
fn test_verify_pin_uv_auth_token_v2() {
let token = [0x91; PIN_TOKEN_LENGTH];
let message = [0xAA];
let signature = [
0x9C, 0x1C, 0xFE, 0x9D, 0xD7, 0x64, 0x6A, 0x06, 0xB9, 0xA8, 0x0F, 0x96, 0xAD, 0x50,
0x49, 0x68, 0x94, 0x90, 0x20, 0x53, 0x0F, 0xA3, 0xD2, 0x7A, 0x9F, 0xFD, 0xFA, 0x62,
0x36, 0x93, 0xF7, 0x84,
];
assert_eq!(
verify_pin_uv_auth_token(&token, &message, &signature, 2),
Ok(())
);
assert_eq!(
verify_pin_uv_auth_token(&[0x12; PIN_TOKEN_LENGTH], &message, &signature, 2),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
verify_pin_uv_auth_token(&token, &[0xBB], &signature, 2),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
assert_eq!(
verify_pin_uv_auth_token(&token, &message, &[0x12; 32], 2),
Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID)
);
}
#[test]
fn test_verify_pin_uv_auth_token_invalid_protocol() {
let token = [0x91; PIN_TOKEN_LENGTH];
let message = [0xAA];
let signature = [];
assert_eq!(
verify_pin_uv_auth_token(&token, &message, &signature, 3),
Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
);
}
}