From d7b396212c5eb0ef95e4ee8af54d1a71f72022c0 Mon Sep 17 00:00:00 2001
From: "zahra.keshtkar"
Date: Sat, 25 May 2024 14:23:09 +0330
Subject: [PATCH 1/3] Ensure BackupEligible flag consistency during login validation

---
 webauthn/login.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/webauthn/login.go b/webauthn/login.go
index 73e69af..ceb2b5c 100644
--- a/webauthn/login.go
+++ b/webauthn/login.go
@@ -283,8 +283,11 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 	// Handle step 17.
 	loginCredential.Authenticator.UpdateCounter(parsedResponse.Response.AuthenticatorData.Counter)
+	// Check if the BackupEligible flag has changed.
+	if loginCredential.Flags.BackupEligible != parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() {
+		return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag should not change")
+	}
-	// TODO: The backup eligible flag shouldn't change. Should decide if we want to error if it does.
 	// Update flags from response data.
 	loginCredential.Flags.UserPresent = parsedResponse.Response.AuthenticatorData.Flags.HasUserPresent()
 	loginCredential.Flags.UserVerified = parsedResponse.Response.AuthenticatorData.Flags.HasUserVerified()

From 0254b23e8fde77b69299411afe077cee0bc71dc3 Mon Sep 17 00:00:00 2001
From: "zahra.keshtkar"
Date: Sat, 25 May 2024 14:33:04 +0330
Subject: [PATCH 2/3] fix return message

---
 webauthn/login.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webauthn/login.go b/webauthn/login.go
index ceb2b5c..260739d 100644
--- a/webauthn/login.go
+++ b/webauthn/login.go
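Review bot: The comparison on the new `if loginCredential.Flags.BackupEligible != parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() {` line treats a stored credential with no recorded flag data as BE=0, since the zero value of the field is false; if credentials were persisted before the `Flags` field existed, every assertion from a backup-eligible authenticator for such a record is rejected after an upgrade rather than on a genuine change. Either gate the check on the credential having captured flags at registration, or document the migration requirement next to it: `// Requires the BE flag recorded at registration; credentials stored without flag data will fail this check.`. The check also runs after `UpdateCounter` has already mutated `loginCredential`; whether that is observable depends on whether loginCredential is a copy, which is outside the hunk, so placing the check before the counter update keeps the record untouched on rejection either way. validateLogin starts and ends outside the hunk.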
@@ -285,7 +285,7 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 	loginCredential.Authenticator.UpdateCounter(parsedResponse.Response.AuthenticatorData.Counter)
 	// Check if the BackupEligible flag has changed.
 	if loginCredential.Flags.BackupEligible != parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() {
-		return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag should not change")
+		return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag inconsistency detected during login validation")
 	}
 	// Update flags from response data.

From e5f2d8199dbf6ad2d1f511c2ab398214c7f71735 Mon Sep 17 00:00:00 2001
From: "zahra.keshtkar"
Date: Sat, 25 May 2024 14:46:28 +0330
Subject: [PATCH 3/3] Ensure BackupEligible and BackupState flag consistency during login validation

---
 webauthn/login.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/webauthn/login.go b/webauthn/login.go
index 260739d..c64a9e3 100644
--- a/webauthn/login.go
+++ b/webauthn/login.go
@@ -288,6 +288,11 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 		return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag inconsistency detected during login validation")
 	}
+	// Check for the invalid combination BE=0 and BS=1.
+	if !parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() && parsedResponse.Response.AuthenticatorData.Flags.HasBackupState() {
+		return nil, protocol.ErrBadRequest.WithDetails("Invalid flag combination: BE=0 and BS=1")
+	}
+
 	// Update flags from response data.
 	loginCredential.Flags.UserPresent = parsedResponse.Response.AuthenticatorData.Flags.HasUserPresent()
 	loginCredential.Flags.UserVerified = parsedResponse.Response.AuthenticatorData.Flags.HasUserVerified()
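Review bot: The BE=0/BS=1 check added above `// Update flags from response data.` validates a property of the authenticator data alone, not of the stored credential, so it would belong with the authenticator-data flag verification in the protocol package (if that is where the other flag checks live), where registration would reject the same malformed combination; as written only the login path does. Separately, the new condition repeats the long `parsedResponse.Response.AuthenticatorData.Flags` expression twice, and the preceding check a third time; a local introduced before the first check, `flags := parsedResponse.Response.AuthenticatorData.Flags`, lets the new line read `if !flags.HasBackupEligible() && flags.HasBackupState() {`. The comment `// Check for the invalid combination BE=0 and BS=1.` could also say why it is invalid, e.g. `// BS is only meaningful when BE is set, so BE=0 with BS=1 is malformed authenticator data.`. validateLogin starts and ends outside the hunk.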