fix(cable): bounds-check slicing flagged by clippy::indexing_slicing

- `crypto::trial_decrypt_advert`: switch to `.get()` for all EID-key
  and candidate-advert subslices, returning `None` on length mismatch
  (the up-front length checks make this dead in practice, but the
  lint requires explicit bounded access).
- `crypto::reserved_bits_are_zero`: use `.first().copied()`.
- `digit_encode`: rewrite to iterate `chunks(CHUNK_SIZE)` over the
  input and use `.get()` on the zero-padding lookup; behaviour is
  preserved (verified by the existing unit test).
- `tunnel::CableTunnelMessage::from_slice`: use `split_first` instead
  of indexing `slice[0]` after a manual length check.
- `tunnel::decode_tunnel_server_domain`: use `KNOWN_TUNNEL_DOMAINS.get()`,
  convert the SHA-256 digest into a fixed `[u8; 32]`, and use
  `BASE32_CHARS.get()` / `TLDS.get()`.
- `tunnel::connect` (initial msg buffer) and the trace log: bound the
  buffer slice via `.get()`.
- `tunnel::send_cbor` padding-length byte: use `last_mut`.

Author: AlfioEmanueleFresta

libwebauthn/src/transport/cable/crypto.rs

@@ -26,11 +26,13 @@ pub fn derive(secret: &[u8], salt: Option<&[u8]>, purpose: KeyPurpose) -> Result
 }
 
 fn reserved_bits_are_zero(plaintext: &[u8]) -> bool {
-    plaintext[0] == 0
+    plaintext.first().copied() == Some(0)
 }
 
 #[instrument]
 pub fn trial_decrypt_advert(eid_key: &[u8], candidate_advert: &[u8]) -> Option<[u8; 16]> {
+    // Both lengths are checked up front so the subsequent slicing is in bounds;
+    // use `.get(..)` regardless so the clippy::indexing_slicing lint is satisfied.
     if candidate_advert.len() != 20 {
         warn!("candidate advert is not 20 bytes");
         return None;
@@ -41,15 +43,20 @@ pub fn trial_decrypt_advert(eid_key: &[u8], candidate_advert: &[u8]) -> Option<[
         return None;
     }
 
-    let expected_tag = hmac_sha256(&eid_key[32..], &candidate_advert[..16]).ok()?;
-    if expected_tag[..4] != candidate_advert[16..] {
-        warn!({ expected = ?expected_tag[..4], actual = ?candidate_advert[16..] },
+    let mac_key = eid_key.get(32..)?;
+    let advert_body = candidate_advert.get(..16)?;
+    let advert_tag = candidate_advert.get(16..)?;
+    let expected_tag = hmac_sha256(mac_key, advert_body).ok()?;
+    let expected_tag_truncated = expected_tag.get(..4)?;
+    if expected_tag_truncated != advert_tag {
+        warn!({ expected = ?expected_tag_truncated, actual = ?advert_tag },
               "candidate advert HMAC tag does not match");
         return None;
     }
 
-    let cipher = Aes256::new(GenericArray::from_slice(&eid_key[..32]));
-    let mut block = Block::clone_from_slice(&candidate_advert[..16]);
+    let aes_key = eid_key.get(..32)?;
+    let cipher = Aes256::new(GenericArray::from_slice(aes_key));
+    let mut block = Block::clone_from_slice(advert_body);
     cipher.decrypt_block(&mut block);
 
     if !reserved_bits_are_zero(&block) {

libwebauthn/src/transport/cable/digit_encode.rs

@@ -8,23 +8,22 @@ const PARTIAL_CHUNK_DIGITS: usize = 0x0fda8530;
 
 pub fn digit_encode(input: &[u8]) -> String {
     let mut output = String::new();
-    let mut input = input;
-    while input.len() >= CHUNK_SIZE {
+    for chunk_slice in input.chunks(CHUNK_SIZE) {
         let mut chunk = [0u8; 8];
-        chunk[..CHUNK_SIZE].copy_from_slice(&input[..CHUNK_SIZE]);
+        let (head, _) = chunk.split_at_mut(chunk_slice.len());
+        head.copy_from_slice(chunk_slice);
         let v = u64::from_le_bytes(chunk);
         let v = v.to_string();
-        output.push_str(&ZEROS[..CHUNK_DIGITS - v.len()]);
-        output.push_str(&v);
-        input = &input[CHUNK_SIZE..];
-    }
-    if !input.is_empty() {
-        let digits = 0x0F & (PARTIAL_CHUNK_DIGITS >> (4 * input.len()));
-        let mut chunk = [0u8; 8];
-        chunk[..input.len()].copy_from_slice(input);
-        let v = u64::from_le_bytes(chunk);
-        let v = v.to_string();
-        output.push_str(&ZEROS[..digits - v.len()]);
+        let digits = if chunk_slice.len() == CHUNK_SIZE {
+            CHUNK_DIGITS
+        } else {
+            0x0F & (PARTIAL_CHUNK_DIGITS >> (4 * chunk_slice.len()))
+        };
+        // ZEROS is 17 chars (CHUNK_DIGITS); slice within bounds.
+        let pad_len = digits.saturating_sub(v.len());
+        if let Some(pad) = ZEROS.get(..pad_len) {
+            output.push_str(pad);
+        }
         output.push_str(&v);
     }
     output

libwebauthn/src/transport/cable/tunnel.rs

@@ -61,11 +61,14 @@ impl CableTunnelMessage {
         }
     }
     pub fn from_slice(slice: &[u8]) -> Result<Self, Error> {
-        if slice.len() < 2 {
+        let (type_byte, payload) = slice
+            .split_first()
+            .ok_or(Error::Transport(TransportError::InvalidFraming))?;
+        if payload.is_empty() {
             return Err(Error::Transport(TransportError::InvalidFraming));
         }
 
-        let message_type = match slice[0] {
+        let message_type = match *type_byte {
             0 => CableTunnelMessageType::Shutdown,
             1 => CableTunnelMessageType::Ctap,
             2 => CableTunnelMessageType::Update,
@@ -76,7 +79,7 @@ impl CableTunnelMessage {
 
         Ok(Self {
             message_type,
-            payload: ByteBuf::from(slice[1..].to_vec()),
+            payload: ByteBuf::from(payload.to_vec()),
         })
     }
 
@@ -131,10 +134,9 @@ enum CableTunnelMessageType {
 
 pub fn decode_tunnel_server_domain(encoded: u16) -> Option<String> {
     if encoded < 256 {
-        if encoded as usize >= KNOWN_TUNNEL_DOMAINS.len() {
-            return None;
-        }
-        return Some(KNOWN_TUNNEL_DOMAINS[encoded as usize].to_string());
+        return KNOWN_TUNNEL_DOMAINS
+            .get(encoded as usize)
+            .map(|s| (*s).to_string());
     }
 
     let mut sha_input = SHA_INPUT.to_vec();
@@ -143,21 +145,22 @@ pub fn decode_tunnel_server_domain(encoded: u16) -> Option<String> {
     sha_input.push(0);
     let mut hasher = Sha256::default();
     hasher.update(&sha_input);
-    let digest = hasher.finalize();
-
-    let mut v = u64::from_le_bytes([
-        digest[0], digest[1], digest[2], digest[3], digest[4], digest[5], digest[6], digest[7],
-    ]);
-    let tld_index = v & 3;
+    // SHA-256 produces 32 bytes, so the first 8 bytes are always present.
+    let digest: [u8; 32] = hasher.finalize().into();
+    let mut digest_head = [0u8; 8];
+    digest_head.copy_from_slice(digest.get(..8)?);
+    let mut v = u64::from_le_bytes(digest_head);
+    let tld_index = (v & 3) as usize;
     v >>= 2;
 
     let mut ret = String::from("cable.");
     while v != 0 {
-        ret.push(BASE32_CHARS[(v & 31) as usize] as char);
+        let ch = *BASE32_CHARS.get((v & 31) as usize)?;
+        ret.push(ch as char);
         v >>= 5;
     }
 
-    ret.push_str(TLDS[tld_index as usize]);
+    ret.push_str(TLDS.get(tld_index)?);
     Some(ret)
 }
 
@@ -310,7 +313,10 @@ pub(crate) async fn do_handshake(
         }
     };
 
-    let initial_msg: Vec<u8> = initial_msg_buffer[..initial_msg_len].into();
+    let initial_msg: Vec<u8> = initial_msg_buffer
+        .get(..initial_msg_len)
+        .map(<[u8]>::to_vec)
+        .ok_or(TransportError::ConnectionFailed)?;
     trace!(
         { handshake = ?initial_msg },
         "Sending initial handshake message"
@@ -366,7 +372,7 @@ pub(crate) async fn do_handshake(
     };
 
     debug!(
-        { handshake = ?payload[..payload_len] },
+        { handshake = ?payload.get(..payload_len) },
         "Received handshake response"
     );
 
@@ -466,7 +472,9 @@ async fn connection_send(
 
     let mut padded_cbor_request = cbor_request.clone();
     padded_cbor_request.resize(padded_len, 0u8);
-    padded_cbor_request[padded_len - 1] = (extra_bytes - 1) as u8;
+    if let Some(last) = padded_cbor_request.last_mut() {
+        *last = (extra_bytes - 1) as u8;
+    }
 
     let frame = CableTunnelMessage::new(CableTunnelMessageType::Ctap, &padded_cbor_request);
     let frame_serialized = frame.to_vec();