Added permissions support.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
Pol Henarejos
2022-11-23 13:00:28 +01:00
parent 54c0769dbd
commit 04868f2d7b
7 changed files with 45 additions and 7 deletions


@@ -115,6 +115,8 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
if(subcommand == 0x01) {
if (verify(pinUvAuthProtocol, paut.data, (const uint8_t *)"\x01", 1, pinUvAuthParam.data) != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
if (!(paut.permissions & CTAP_PERMISSION_CM) || paut.has_rp_id == true)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
uint8_t existing = 0;
for (int i = 0; i < MAX_RESIDENT_CREDENTIALS; i++) {
if (file_has_data(search_dynamic_file(EF_CRED + i)))
@@ -131,6 +133,8 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
if (subcommand == 0x02) {
if (verify(pinUvAuthProtocol, paut.data, (const uint8_t *)"\x02", 1, pinUvAuthParam.data) != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
if (!(paut.permissions & CTAP_PERMISSION_CM) || paut.has_rp_id == true)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
rp_counter = 1;
rp_total = 0;
}
@@ -175,6 +179,8 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
*(raw_subpara-1) = 0x04;
if (verify(pinUvAuthProtocol, paut.data, raw_subpara-1, raw_subpara_len+1, pinUvAuthParam.data) != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
if (!(paut.permissions & CTAP_PERMISSION_CM) || (paut.has_rp_id == true && memcmp(paut.rp_id_hash, rpIdHash.data, 32) != 0))
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
cred_counter = 1;
cred_total = 0;
}
@@ -284,6 +290,8 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
*(raw_subpara - 1) = 0x06;
if (verify(pinUvAuthProtocol, paut.data, raw_subpara-1, raw_subpara_len+1, pinUvAuthParam.data) != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
if (!(paut.permissions & CTAP_PERMISSION_CM) || (paut.has_rp_id == true && memcmp(paut.rp_id_hash, rpIdHash.data, 32) != 0))
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
for (int i = 0; i < MAX_RESIDENT_CREDENTIALS; i++) {
file_t *ef = search_dynamic_file(EF_CRED + i);
if (file_has_data(ef) && memcmp(file_get_data(ef)+32, credentialId.id.data, MIN(file_get_size(ef)-32, credentialId.id.len)) == 0) {
@@ -316,6 +324,8 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
*(raw_subpara - 1) = 0x07;
if (verify(pinUvAuthProtocol, paut.data, raw_subpara-1, raw_subpara_len+1, pinUvAuthParam.data) != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
if (!(paut.permissions & CTAP_PERMISSION_CM) || (paut.has_rp_id == true && memcmp(paut.rp_id_hash, rpIdHash.data, 32) != 0))
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
for (int i = 0; i < MAX_RESIDENT_CREDENTIALS; i++) {
file_t *ef = search_dynamic_file(EF_CRED + i);
if (file_has_data(ef) && memcmp(file_get_data(ef)+32, credentialId.id.data, MIN(file_get_size(ef)-32, credentialId.id.len)) == 0) {
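Review bot: In the 0x06 and 0x07 branches the new RP-scope check compares `paut.rp_id_hash` with `rpIdHash.data` over a fixed 32 bytes, but nothing visible in these hunks shows that `rpIdHash` is parsed for those subcommands or that it holds 32 bytes. With an RP-bound token, `memcmp` could then read a null or short buffer, or the check could pass against a caller-supplied hash that is unrelated to the credential actually being deleted or updated. The fixed-length assumption also applies to the 0x04 branch, where a guard such as `rpIdHash.len == 32` before the compare would help (assuming the field carries a length like `credentialId.id` does). For 0x06/0x07 it looks safer to bind the check to the stored record once the matching `ef` is found, e.g. `if (paut.has_rp_id == true && memcmp(paut.rp_id_hash, file_get_data(ef), 32) != 0) CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);`, provided the first 32 bytes of the record are the RP ID hash, as the `+32` offset suggests. The body of `cbor_cred_mgmt` continues outside these hunks, so the parsing of `rpIdHash` should be confirmed there.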