Safer largeBlob buffer swapping

Author: BryanJacobs

python_tests/ctap/test_largeblobs.py

@@ -160,6 +160,7 @@ def test_get_empty_largeblob_arr(self):
     @parameterized.expand([
         ("empty", 0),
         ("short", 10),
+        ("short2", 78),
         ("onepacket", 200),
         ("onepacket2", 240),
         ("medium", 100),
@@ -176,8 +177,33 @@ def test_set_and_get_large_blobs(self, _, num_bytes):
         res = LargeBlobs(self.ctap2).read_blob_array()
         self.assertEqual(blob_array, res)
 
+    def test_set_fragmented_low_level(self):
+        blob_array = secrets.token_bytes(170)
+        h = hashes.Hash(hashes.SHA256())
+        h.update(blob_array)
+        blob_array += h.finalize()[:16]
+
+        self.ctap2.large_blobs(offset=0, set=blob_array[:10], length=len(blob_array))
+        self.ctap2.large_blobs(offset=10, set=blob_array[10:20])
+        self.ctap2.large_blobs(offset=20, set=blob_array[20:])
+        res = self.ctap2.large_blobs(offset=0, get=200)
+
+        self.assertEqual(blob_array, res[1])
+
+    def test_set_fragmented_incomplete_low_level(self):
+        blob_array = secrets.token_bytes(170)
+        h = hashes.Hash(hashes.SHA256())
+        h.update(blob_array)
+        blob_array += h.finalize()[:16]
+
+        self.ctap2.large_blobs(offset=0, set=blob_array[:10], length=len(blob_array))
+        self.ctap2.large_blobs(offset=10, set=blob_array[10:20])
+        res = self.ctap2.large_blobs(offset=0, get=200)
+
+        self.assertEqual(17, len(res[1]))
+
     def test_get_beyond_end(self):
-        blob_array = secrets.token_bytes(54)
+        blob_array = secrets.token_bytes(62)
         h = hashes.Hash(hashes.SHA256())
         h.update(blob_array)
         blob_array += h.finalize()[:16]
@@ -188,6 +214,18 @@ def test_get_beyond_end(self):
 
         self.assertEqual(blob_array, res[1])
 
+    def test_rejects_with_invalid_hash(self):
+        blob_array = secrets.token_bytes(62)
+        h = hashes.Hash(hashes.SHA256())
+        h.update(blob_array)
+        blob_array += h.finalize()[:16]
+        blob_array = blob_array[:-1] + bytes([blob_array[-1] + 1])
+
+        with self.assertRaises(CtapError) as e:
+            self.ctap2.large_blobs(offset=0, set=blob_array, length=len(blob_array))
+
+        self.assertEqual(CtapError.ERR.INTEGRITY_FAILURE, e.exception.code)
+
     def test_set_and_get_large_blobs_high_level(self):
         cred = self.make_large_blob_key()
 

src/main/java/us/q3q/fido2/FIDO2Applet.java

@@ -348,11 +348,11 @@ public final class FIDO2Applet extends Applet implements ExtendedLength {
     /**
      * Storage for the largeBlobs extension
      */
-    private byte[] largeBlobStore;
+    private final byte[][] largeBlobStores;
     /**
-     * Double buffer for the large blob store
+     * Which large blob store is in use
      */
-    private byte[] pendingLargeBlobStore;
+    private byte largeBlobStoreIndex = 0;
     /**
      * Length of the currently stored large-blob array
      */
@@ -3773,7 +3773,7 @@ private void handleLargeBlobs(APDU apdu, byte[] reqBuffer, short lc) {
             sendErrorByte(apdu, FIDOConstants.CTAP1_ERR_INVALID_PARAMETER);
         }
 
-        if (offset < 0 || offset > (short) largeBlobStore.length) {
+        if (offset < 0 || offset > (short) largeBlobStores[largeBlobStoreIndex].length) {
             // Offset is mandatory and must be reasonable
             sendErrorByte(apdu, FIDOConstants.CTAP1_ERR_INVALID_PARAMETER);
         }
@@ -3804,7 +3804,7 @@ private void handleLargeBlobs(APDU apdu, byte[] reqBuffer, short lc) {
                 if (setTotalLength < 17) {
                     sendErrorByte(apdu, FIDOConstants.CTAP1_ERR_INVALID_PARAMETER);
                 }
-                if (setTotalLength > (short) largeBlobStore.length) {
+                if (setTotalLength > (short) largeBlobStores[largeBlobStoreIndex].length) {
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_LARGE_BLOB_STORAGE_FULL);
                 }
             } else {
@@ -3875,8 +3875,9 @@ private void handleLargeBlobs(APDU apdu, byte[] reqBuffer, short lc) {
      */
     private void handleLargeBlobSet(APDU apdu, byte[] buffer, short incomingDataOffset,
                                     short blobWriteOffset, short incomingDataLength, short totalLength) {
+        final byte tempBlobStoreIndex = (byte)(largeBlobStoreIndex == 0 ? 1 : 0);
         Util.arrayCopyNonAtomic(buffer, incomingDataOffset,
-                pendingLargeBlobStore, blobWriteOffset, incomingDataLength);
+                largeBlobStores[tempBlobStoreIndex], blobWriteOffset, incomingDataLength);
         // Done with incoming request now
         bufferManager.informAPDUBufferAvailability(apdu, (short) 0xFF);
 
@@ -3889,11 +3890,11 @@ private void handleLargeBlobSet(APDU apdu, byte[] buffer, short incomingDataOffs
             byte[] scratch = bufferManager.getBufferForHandle(apdu, scratchHandle);
             short scratchOffset = bufferManager.getOffsetForHandle(scratchHandle);
 
-            sha256.doFinal(pendingLargeBlobStore, (short) 0, (short)(totalLength - 16),
+            sha256.doFinal(largeBlobStores[tempBlobStoreIndex], (short) 0, (short)(totalLength - 16),
                     scratch, scratchOffset);
 
             if (Util.arrayCompare(scratch, scratchOffset,
-                    pendingLargeBlobStore, (short)(totalLength - 16), (short) 16) != 0) {
+                    largeBlobStores[tempBlobStoreIndex], (short)(totalLength - 16), (short) 16) != 0) {
                 // hash mismatch
                 sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INTEGRITY_FAILURE);
             }
@@ -3904,9 +3905,7 @@ private void handleLargeBlobSet(APDU apdu, byte[] buffer, short incomingDataOffs
             JCSystem.beginTransaction();
             boolean ok = false;
             try {
-                byte[] temp = pendingLargeBlobStore;
-                pendingLargeBlobStore = largeBlobStore;
-                largeBlobStore = temp;
+                largeBlobStoreIndex = tempBlobStoreIndex;
                 largeBlobStoreFill = totalLength;
             } finally {
                 if (ok) {
@@ -3953,7 +3952,7 @@ private void handleLargeBlobGet(APDU apdu, short numBytes, short offset) {
         outBuffer[writeIdx++] = (byte) 0xA1; // map - one key
         outBuffer[writeIdx++] = (byte) 0x01; // map key: config
         writeIdx = encodeIntLenTo(outBuffer, writeIdx, bytesToRetrieve, true);
-        writeIdx = Util.arrayCopyNonAtomic(largeBlobStore, offset,
+        writeIdx = Util.arrayCopyNonAtomic(largeBlobStores[largeBlobStoreIndex], offset,
                 outBuffer, writeIdx, bytesToRetrieve);
 
         if (outBuffer == bufferMem) {
@@ -5370,10 +5369,35 @@ private void authenticatorReset(APDU apdu) {
             }
         }
 
-        short pinIdx = pinRetryCounter.prepareIndex();
+        final short pinIdx = pinRetryCounter.prepareIndex();
+        final byte tempBlobStoreIndex = (byte)(largeBlobStoreIndex == 0 ? 1 : 0);
+        final byte realBlobStoreIndex = largeBlobStoreIndex;
 
+        // Empty the large blob store OUTside the main transaction, since it's non-precious and double buffered
+        Util.arrayFillNonAtomic(largeBlobStores[tempBlobStoreIndex], (short) 0,
+                (short) largeBlobStores[tempBlobStoreIndex].length, (byte) 0x00);
+        Util.arrayCopyNonAtomic(CannedCBOR.INITIAL_LARGE_BLOB_ARRAY, (short) 0,
+                largeBlobStores[tempBlobStoreIndex], (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
         JCSystem.beginTransaction();
         boolean ok = false;
+        try {
+            largeBlobStoreIndex = tempBlobStoreIndex;
+            largeBlobStoreFill = (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length;
+            ok = true;
+        } finally {
+            if (ok) {
+                JCSystem.commitTransaction();
+            } else {
+                JCSystem.abortTransaction();
+            }
+        }
+        Util.arrayFillNonAtomic(largeBlobStores[realBlobStoreIndex], (short) 0,
+                (short) largeBlobStores[realBlobStoreIndex].length, (byte) 0x00);
+        Util.arrayCopyNonAtomic(CannedCBOR.INITIAL_LARGE_BLOB_ARRAY, (short) 0,
+                largeBlobStores[realBlobStoreIndex], (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
+
+        JCSystem.beginTransaction();
+        ok = false;
         try {
             random.generateData(hmacWrapperBytesUV, (short) 0, (short) hmacWrapperBytesUV.length);
             random.generateData(hmacWrapperBytesNoUV, (short) 0, (short) hmacWrapperBytesNoUV.length);
@@ -5388,10 +5412,6 @@ private void authenticatorReset(APDU apdu) {
             alwaysUv = FORCE_ALWAYS_UV;
             enterpriseAttestation = false;
             pinRetryCounter.reset(pinIdx);
-            Util.arrayFillNonAtomic(largeBlobStore, (short) 0, (short) largeBlobStore.length, (byte) 0x00);
-            Util.arrayCopyNonAtomic(CannedCBOR.INITIAL_LARGE_BLOB_ARRAY, (short) 0,
-                    largeBlobStore, (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
-            largeBlobStoreFill = (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length;
             Util.arrayFillNonAtomic(minPinRPIDs, (short) 0, (short) (MAX_RP_IDS_MIN_PIN_LENGTH * RP_HASH_LEN), (byte) 0x00);
 
             random.generateData(pinKDFSalt, (short) 0, (short) pinKDFSalt.length);
@@ -5574,7 +5594,7 @@ private void sendAuthInfo(APDU apdu) {
 
         buffer[offset++] = 0x0B; // map key: maxSerializedLargeBlobArray: 1 byte = 5
         buffer[offset++] = 0x19; // two-byte integer: 1 byte = 6
-        offset = Util.setShort(buffer, offset, (short) largeBlobStore.length); // 2 bytes = 8
+        offset = Util.setShort(buffer, offset, (short) largeBlobStores[largeBlobStoreIndex].length); // 2 bytes = 8
 
         buffer[offset++] = 0x0C; // map key: forcePinChange: 1 byte = 9
         buffer[offset++] = (byte)(forcePinChange ? 0xF5 : 0xF4); // 1 byte = 10
@@ -6798,10 +6818,11 @@ private FIDO2Applet(byte[] array, short offset, byte length) {
         highSecurityWrappingIV = new byte[IV_LEN];
         lowSecurityWrappingIV = new byte[IV_LEN];
         externalCredentialIV = new byte[IV_LEN];
-        largeBlobStore = new byte[largeBlobStoreSize];
-        pendingLargeBlobStore = new byte[largeBlobStoreSize];
+        largeBlobStores = new byte[2][largeBlobStoreSize];
+        Util.arrayCopyNonAtomic(CannedCBOR.INITIAL_LARGE_BLOB_ARRAY, (short) 0,
+                largeBlobStores[0], (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
         Util.arrayCopyNonAtomic(CannedCBOR.INITIAL_LARGE_BLOB_ARRAY, (short) 0,
-                largeBlobStore, (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
+                largeBlobStores[1], (short) 0, (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length);
         largeBlobStoreFill = (short) CannedCBOR.INITIAL_LARGE_BLOB_ARRAY.length;
         highSecurityWrappingKey = getTransientAESKey(); // Our most important treasure, from which all other crypto is born...
         lowSecurityWrappingKey = getPersistentAESKey(); // Not really a treasure