Reject U2F assertion responses that assert CTAP2 flags.

(This doesn't apply to U2F register responses because there's no flags byte there.) Bug: 896980 Change-Id: I02c63d4bc63db4a8e2e7256a428d8349c34f5443 Reviewed-on: https://chromium-review.googlesource.com/c/1355242 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Martin Kreichgauer <martinkr@google.com> Cr-Commit-Position: refs/heads/master@{#612300}

Reject U2F assertion responses that assert CTAP2 flags.
(This doesn't apply to U2F register responses because there's no flags byte there.) Bug: 896980 Change-Id: I02c63d4bc63db4a8e2e7256a428d8349c34f5443 Reviewed-on: https://chromium-review.googlesource.com/c/1355242 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Martin Kreichgauer <martinkr@google.com> Cr-Commit-Position: refs/heads/master@{#612300}
fb0cacc9 · Adam Langley · Commit Bot · ecc7ffae · fb0cacc9 · fb0cacc9
Commit fb0cacc9 authored Nov 29, 2018 by Adam Langley Committed by Commit Bot Nov 29, 2018
Showing with 23 additions and 2 deletions

device/fido/authenticator_get_assertion_response.cc device/fido/authenticator_get_assertion_response.cc +8 -2

device/fido/ctap_response_unittest.cc device/fido/ctap_response_unittest.cc +15 -0

No files found.
--- a/device/fido/authenticator_get_assertion_response.cc
+++ b/device/fido/authenticator_get_assertion_response.cc
@@ -36,9 +36,15 @@ AuthenticatorGetAssertionResponse::CreateFromU2fSignResponse(
  if (key_handle.empty())
    return base::nullopt;
-  auto flags = u2f_data.subspan<kFlagIndex, kFlagLength>();
+  auto flags = u2f_data.subspan<kFlagIndex, kFlagLength>()[0];
+  if (flags &
+      (static_cast<uint8_t>(AuthenticatorData::Flag::kExtensionDataIncluded) |
+       static_cast<uint8_t>(AuthenticatorData::Flag::kAttestation))) {
+    // U2F responses cannot assert CTAP2 features.
+    return base::nullopt;
+  }
  auto counter = u2f_data.subspan<kCounterIndex, kCounterLength>();
-  AuthenticatorData authenticator_data(relying_party_id_hash, flags[0], counter,
+  AuthenticatorData authenticator_data(relying_party_id_hash, flags, counter,
                                       base::nullopt);
  auto signature =

--- a/device/fido/ctap_response_unittest.cc
+++ b/device/fido/ctap_response_unittest.cc
@@ -530,6 +530,21 @@ TEST(CTAPResponseTest, TestParseU2fSignWithNullResponse) {
  EXPECT_FALSE(response);
 }
+TEST(CTAPResponseTest, TestParseU2fSignWithCTAP2Flags) {
+  std::vector<uint8_t> sign_response = GetTestSignResponse();
+  // Set two flags that should only be set in CTAP2 responses and expect parsing
+  // to fail.
+  sign_response[0] |=
+      static_cast<uint8_t>(AuthenticatorData::Flag::kExtensionDataIncluded);
+  sign_response[0] |=
+      static_cast<uint8_t>(AuthenticatorData::Flag::kAttestation);
+  auto response = AuthenticatorGetAssertionResponse::CreateFromU2fSignResponse(
+      test_data::kApplicationParameter, sign_response,
+      GetTestCredentialRawIdBytes());
+  EXPECT_FALSE(response);
+}
 TEST(CTAPResponseTest, TestParseU2fSignWithNullCorruptedCounter) {
  // A sign response of less than 5 bytes.
  auto response = AuthenticatorGetAssertionResponse::CreateFromU2fSignResponse(