Commit 99fa265
fix(pin): bounds-checked slicing in PIN/UV protocol 2 primitives

`PinUvAuthProtocolTwo::{encrypt, decrypt}` use `&key[32..]` to discard
the HMAC-key portion of the shared secret, and `authenticate` uses
`&key[..32]`. Both panic with an out-of-bounds slice index if the key
is shorter than 32 bytes.

This is reachable from device-controlled data: in `user_verification`,
`uv_proto.decrypt(&shared_secret, &encrypted_pin_uv_auth_token)?`
yields a pinUvAuthToken of `encrypted_pin_uv_auth_token.len() - 16`
bytes; a malicious authenticator returning a 16-byte IV-only ciphertext
decrypts to an empty token, which then panics in
`PinUvAuthProtocolTwo::authenticate(token, clientDataHash)`.

Replace raw slice indexing with `.get(..32).ok_or(...)` /
`.get(32..).ok_or(...)`, returning `Error::Ctap(CtapError::Other)` on
short keys. Validate decrypted pinUvAuthToken length at the boundary
(16 bytes for PUAP1 per CTAP 2.2 §6.5.5.7 step 3.7, 32 bytes for
PUAP2). Update PUAP1 mocks to use a spec-correct 16-byte token. Add
regression tests for empty and 16-byte keys.

1 parent 234fdbc commit 99fa265
2 files changed
Lines changed: 73 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
362 | 362 | | |
363 | 363 | | |
364 | 364 | | |
365 | | - | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
366 | 372 | | |
367 | 373 | | |
368 | 374 | | |
| |||
383 | 389 | | |
384 | 390 | | |
385 | 391 | | |
386 | | - | |
| 392 | + | |
| 393 | + | |
| 394 | + | |
| 395 | + | |
| 396 | + | |
| 397 | + | |
| 398 | + | |
387 | 399 | | |
388 | 400 | | |
389 | 401 | | |
| |||
409 | 421 | | |
410 | 422 | | |
411 | 423 | | |
412 | | - | |
| 424 | + | |
| 425 | + | |
| 426 | + | |
| 427 | + | |
| 428 | + | |
| 429 | + | |
| 430 | + | |
413 | 431 | | |
414 | 432 | | |
415 | 433 | | |
| |||
635 | 653 | | |
636 | 654 | | |
637 | 655 | | |
| 656 | + | |
| 657 | + | |
| 658 | + | |
| 659 | + | |
| 660 | + | |
| 661 | + | |
| 662 | + | |
| 663 | + | |
| 664 | + | |
| 665 | + | |
| 666 | + | |
| 667 | + | |
| 668 | + | |
| 669 | + | |
| 670 | + | |
| 671 | + | |
| 672 | + | |
| 673 | + | |
| 674 | + | |
| 675 | + | |
| 676 | + | |
| 677 | + | |
| 678 | + | |
| 679 | + | |
| 680 | + | |
| 681 | + | |
| 682 | + | |
| 683 | + | |
| 684 | + | |
| 685 | + | |
| 686 | + | |
| 687 | + | |
| 688 | + | |
638 | 689 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
359 | 359 | | |
360 | 360 | | |
361 | 361 | | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
362 | 378 | | |
363 | 379 | | |
364 | 380 | | |
| |||
838 | 854 | | |
839 | 855 | | |
840 | 856 | | |
841 | | - | |
| 857 | + | |
842 | 858 | | |
843 | 859 | | |
844 | 860 | | |
| |||
1182 | 1198 | | |
1183 | 1199 | | |
1184 | 1200 | | |
1185 | | - | |
| 1201 | + | |
1186 | 1202 | | |
1187 | 1203 | | |
1188 | 1204 | | |
| |||
1322 | 1338 | | |
1323 | 1339 | | |
1324 | 1340 | | |
1325 | | - | |
| 1341 | + | |
1326 | 1342 | | |
1327 | 1343 | | |
1328 | 1344 | | |
| |||
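
The slicing pattern the commit message describes, as an added Rust example that is not code from this commit or project. `Error`, `split_iv`, `check_token` and the key helpers are hypothetical stand-ins, and no real encryption is performed; only the length handling is shown.

```rust
// Added illustration: Error, split_iv, check_token and the key helpers are
// hypothetical stand-ins, not the project's types or functions.
#[derive(Debug, PartialEq)]
pub enum Error { Other }

/// Raw indexing as in the old code: panics when key.len() < 32.
pub fn hmac_key_unchecked(key: &[u8]) -> &[u8] { &key[..32] }

/// Checked form: the first 32 bytes of the shared secret are the HMAC key.
pub fn hmac_key(key: &[u8]) -> Result<&[u8], Error> {
    key.get(..32).ok_or(Error::Other)
}

/// Checked form: everything after the HMAC key is the AES key.
/// Rust semantics: for a key of exactly 32 bytes this is Ok(&[]), not an error.
pub fn aes_key(key: &[u8]) -> Result<&[u8], Error> {
    key.get(32..).ok_or(Error::Other)
}

/// Protocol 2 ciphertext is IV (16 bytes) || body; plaintext length == body length.
pub fn split_iv(ciphertext: &[u8]) -> Result<(&[u8], &[u8]), Error> {
    if ciphertext.len() < 16 { return Err(Error::Other); }
    Ok(ciphertext.split_at(16))
}

/// Boundary check on the decrypted pinUvAuthToken: 16 bytes (PUAP1), 32 (PUAP2).
pub fn check_token(protocol: u8, token: &[u8]) -> Result<&[u8], Error> {
    let want = match protocol { 1 => 16, 2 => 32, _ => return Err(Error::Other) };
    if token.len() == want { Ok(token) } else { Err(Error::Other) }
}

fn main() {
    // Constructed input: the 16-byte IV-only response from the commit message.
    let iv_only = [0u8; 16];
    let (_iv, body) = split_iv(&iv_only).unwrap();
    println!("token bytes after decrypt: {}", body.len());
    println!("boundary check: {:?}", check_token(2, body));
    println!("authenticate key: {:?}", hmac_key(body));
    println!("32-byte key, AES half: {:?}", aes_key(&[0u8; 32]));
}
```

Because `.get(32..)` succeeds with an empty slice when the key is exactly 32 bytes long, whatever consumes the AES half still has to reject a zero-length key on its own.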