fix(pin): bounds-checked slicing in PIN/UV protocol 2 primitives

`PinUvAuthProtocolTwo::{encrypt, decrypt}` use `&key[32..]` to discard
the HMAC-key portion of the shared secret, and `authenticate` uses
`&key[..32]`. Both panic with an out-of-bounds slice index if the key
is shorter than 32 bytes.

This is reachable from device-controlled data: in `user_verification`,
`uv_proto.decrypt(&shared_secret, &encrypted_pin_uv_auth_token)?`
yields a pinUvAuthToken of `encrypted_pin_uv_auth_token.len() - 16`
bytes; a malicious authenticator returning a 16-byte IV-only ciphertext
decrypts to an empty token, which then panics
`PinUvAuthProtocolTwo::authenticate(token, clientDataHash)`.

Replace raw slice indexing with `.get(..32).ok_or(...)` /
`.get(32..).ok_or(...)`, returning `Error::Ctap(CtapError::Other)` on
short keys. Validate decrypted pinUvAuthToken length at the boundary
(16 bytes for PUAP1 per CTAP 2.2 §6.5.5.7 step 3.7, 32 bytes for
PUAP2). Update PUAP1 mocks to use a spec-correct 16-byte token. Add
regression tests for empty and 16-byte keys.

Author: AlfioEmanueleFresta

libwebauthn/src/pin.rs

@@ -362,7 +362,13 @@ impl PinUvAuthProtocol for PinUvAuthProtocolTwo {
 
     fn encrypt(&self, key: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, Error> {
         // Discard the first 32 bytes of key. (This selects the AES-key portion of the shared secret.)
-        let key = &key[32..];
+        let key = key.get(32..).ok_or_else(|| {
+            error!(
+                key_len = key.len(),
+                "key shorter than 32 bytes; cannot select AES-key portion"
+            );
+            Error::Ctap(CtapError::Other)
+        })?;
 
         // Let iv be a 16-byte, random bytestring.
         let iv: [u8; 16] = thread_rng().gen();
@@ -383,7 +389,13 @@ impl PinUvAuthProtocol for PinUvAuthProtocolTwo {
 
     fn decrypt(&self, key: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, Error> {
         // Discard the first 32 bytes of key. (This selects the AES-key portion of the shared secret.)
-        let key = &key[32..];
+        let key = key.get(32..).ok_or_else(|| {
+            error!(
+                key_len = key.len(),
+                "key shorter than 32 bytes; cannot select AES-key portion"
+            );
+            Error::Ctap(CtapError::Other)
+        })?;
 
         // If demPlaintext is less than 16 bytes in length, return an error
         if ciphertext.len() < 16 {
@@ -409,7 +421,13 @@ impl PinUvAuthProtocol for PinUvAuthProtocolTwo {
     fn authenticate(&self, key: &[u8], message: &[u8]) -> Result<Vec<u8>, Error> {
         // If key is longer than 32 bytes, discard the excess. (This selects the HMAC-key portion of the shared secret.
         // When key is the pinUvAuthToken, it is exactly 32 bytes long and thus this step has no effect.)
-        let key = &key[..32];
+        let key = key.get(..32).ok_or_else(|| {
+            error!(
+                key_len = key.len(),
+                "key shorter than 32 bytes; cannot select HMAC-key portion"
+            );
+            Error::Ctap(CtapError::Other)
+        })?;
 
         // Return the result of computing HMAC-SHA-256 on key and message.
         hmac_sha256(key, message)
@@ -635,4 +653,37 @@ mod tests {
         let result = PinUvAuthProtocol::encapsulate(&proto, &key);
         assert!(matches!(result, Err(Error::Ctap(CtapError::Other))));
     }
+
+    #[test]
+    fn proto_two_authenticate_rejects_empty_key() {
+        let proto = PinUvAuthProtocolTwo::new();
+        let result = proto.authenticate(&[], b"clientDataHash");
+        assert!(matches!(result, Err(Error::Ctap(CtapError::Other))));
+    }
+
+    #[test]
+    fn proto_two_authenticate_rejects_short_key() {
+        let proto = PinUvAuthProtocolTwo::new();
+        let short_key = [0u8; 16];
+        let result = proto.authenticate(&short_key, b"hello");
+        assert!(matches!(result, Err(Error::Ctap(CtapError::Other))));
+    }
+
+    #[test]
+    fn proto_two_encrypt_rejects_short_key() {
+        let proto = PinUvAuthProtocolTwo::new();
+        let short_key = [0u8; 16];
+        let plaintext = [0u8; 16];
+        let result = proto.encrypt(&short_key, &plaintext);
+        assert!(matches!(result, Err(Error::Ctap(CtapError::Other))));
+    }
+
+    #[test]
+    fn proto_two_decrypt_rejects_short_key() {
+        let proto = PinUvAuthProtocolTwo::new();
+        let short_key = [0u8; 16];
+        let ct = [0u8; 32];
+        let result = proto.decrypt(&short_key, &ct);
+        assert!(matches!(result, Err(Error::Ctap(CtapError::Other))));
+    }
 }

libwebauthn/src/webauthn/pin_uv_auth_token.rs

@@ -359,6 +359,22 @@ where
                 let uv_auth_token =
                     uv_proto.decrypt(&shared_secret, &encrypted_pin_uv_auth_token)?;
 
+                // pinUvAuthToken is 16 bytes for PUAP1 and 32 bytes for PUAP2.
+                // Reject a shorter token before it is used as a key downstream.
+                let min_token_len = match uv_proto.version() {
+                    Ctap2PinUvAuthProtocol::One => 16,
+                    Ctap2PinUvAuthProtocol::Two => 32,
+                };
+                if uv_auth_token.len() < min_token_len {
+                    error!(
+                        protocol = ?uv_proto.version(),
+                        token_len = uv_auth_token.len(),
+                        min_expected = min_token_len,
+                        "Decrypted pinUvAuthToken is shorter than required"
+                    );
+                    return Err(Error::Ctap(CtapError::Other));
+                }
+
                 let token_identifier = Ctap2AuthTokenPermission::new(
                     uv_proto.version(),
                     ctap2_request.permissions(),
@@ -838,7 +854,7 @@ mod test {
         .unwrap();
         // We do here what the device would need to do, i.e. generate a new random
         // pinUvAuthToken (here all 5's), then encrypt it using the shared_secret.
-        let token = [5; 32];
+        let token = [5; 16];
         let encrypted_token = pin_protocol.encrypt(&shared_secret, &token).unwrap();
         let pin_resp = CborResponse::new_success_from_slice(
             to_vec(&Ctap2ClientPinResponse {
@@ -1182,7 +1198,7 @@ mod test {
                 .unwrap();
             // We do here what the device would need to do, i.e. generate a new random
             // pinUvAuthToken (here all 5's), then encrypt it using the shared_secret.
-            let token = [5; 32];
+            let token = [5; 16];
             let encrypted_token = pin_protocol.encrypt(&shared_secret, &token).unwrap();
             let pin_resp = CborResponse::new_success_from_slice(
                 to_vec(&Ctap2ClientPinResponse {
@@ -1322,7 +1338,7 @@ mod test {
                 .unwrap();
             // We do here what the device would need to do, i.e. generate a new random
             // pinUvAuthToken (here all 5's), then encrypt it using the shared_secret.
-            let token = [5; 32];
+            let token = [5; 16];
             let encrypted_token = pin_protocol.encrypt(&shared_secret, &token).unwrap();
             let pin_resp = CborResponse::new_success_from_slice(
                 to_vec(&Ctap2ClientPinResponse {