[fido] Large blob pin param: send sha256 of set

Calculate the pin param based on the hash of the set parameter instead of the raw value. Bug: 1114875 Change-Id: I1b443e4ce5d932445ae1e6bf965e5aee1b878369 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2487460 Auto-Submit: Nina Satragno <nsatragno@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Martin Kreichgauer <martinkr@google.com> Cr-Commit-Position: refs/heads/master@{#819663}

[fido] Large blob pin param: send sha256 of set
Calculate the pin param based on the hash of the set parameter instead of the raw value. Bug: 1114875 Change-Id: I1b443e4ce5d932445ae1e6bf965e5aee1b878369 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2487460 Auto-Submit: Nina Satragno <nsatragno@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Martin Kreichgauer <martinkr@google.com> Cr-Commit-Position: refs/heads/master@{#819663}
07e8ad92 · Nina Satragno · Commit Bot · 89e90c51 · 07e8ad92 · 07e8ad92
Commit 07e8ad92 authored Oct 22, 2020 by Nina Satragno Committed by Commit Bot Oct 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 6 deletions

device/fido/large_blob.cc device/fido/large_blob.cc +3 -3

device/fido/virtual_ctap2_device.cc device/fido/virtual_ctap2_device.cc +6 -3

No files found.
--- a/device/fido/large_blob.cc
+++ b/device/fido/large_blob.cc
@@ -91,9 +91,9 @@ void LargeBlobsRequest::SetPinParam(
  const std::array<uint8_t, 4> offset_array =
      fido_parsing_utils::Uint32LittleEndian(offset_);
  pin_auth.insert(pin_auth.end(), offset_array.begin(), offset_array.end());
-  if (set_) {
-    pin_auth.insert(pin_auth.end(), set_->begin(), set_->end());
-  }
+  std::array<uint8_t, crypto::kSHA256Length> set_hash =
+      crypto::SHA256Hash(*set_);
+  pin_auth.insert(pin_auth.end(), set_hash.begin(), set_hash.end());
  std::tie(pin_uv_auth_protocol_, pin_uv_auth_param_) =
      pin_uv_auth_token.PinAuth(pin_auth);
 }

--- a/device/fido/virtual_ctap2_device.cc
+++ b/device/fido/virtual_ctap2_device.cc
@@ -2344,9 +2344,9 @@ CtapDeviceResponseCode VirtualCtap2Device::OnLargeBlobs(
            AuthenticatorSupportedOptions::UserVerificationAvailability::
                kSupportedAndConfigured) {
      // verify(pinUvAuthToken,
-      //        32×0xff || h’0c00' || uint32LittleEndian(offset) ||
+      //        32×0xff || h’0c00' || uint32LittleEndian(offset) || SHA-256(
      //          contents of set byte string, i.e. not including an outer CBOR
-      //          tag with major type two,
+      //          tag with major type two),
      //        pinUvAuthParam)
      std::vector<uint8_t> pinauth_bytes;
      pinauth_bytes.insert(pinauth_bytes.begin(),
@@ -2357,7 +2357,10 @@ CtapDeviceResponseCode VirtualCtap2Device::OnLargeBlobs(
      auto offset_vec = fido_parsing_utils::Uint32LittleEndian(offset);
      pinauth_bytes.insert(pinauth_bytes.end(), offset_vec.begin(),
                           offset_vec.end());
-      pinauth_bytes.insert(pinauth_bytes.end(), set.begin(), set.end());
+      std::array<uint8_t, crypto::kSHA256Length> set_hash =
+          crypto::SHA256Hash(set);
+      pinauth_bytes.insert(pinauth_bytes.end(), set_hash.begin(),
+                           set_hash.end());
      CtapDeviceResponseCode pin_status = VerifyPINUVAuthToken(
          *device_info_, mutable_state()->pin_token, request_map,
          cbor::Value(