Changeset 238246 in webkit

Timestamp:

Nov 15, 2018 1:24:51 PM (5 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthN] Use a real nonce for CTAPHID_INIT
​https://bugs.webkit.org/show_bug.cgi?id=191533
<rdar://problem/46103502>

Reviewed by Brent Fulgham.

Source/WebCore:

New tests are added into existing test files.

• Modules/webauthn/fido/FidoConstants.h:

Source/WebKit:

Use a real nonce for CTAPHID_INIT request according to:
​https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#ctaphid_init-0x06.
The challenge here is the new transaction needs to start in the next runloop otherwise a dead lock will form:
wrong nonce -> new transaction -> new nonce -> write init request -> read init response from last run as it
piped in the run loop -> wrong nonce of course -> ...
To break the above dead lock, we have to start the new transaction in the next run. However, that isn't
sufficient as the arrived init response will be piped in HidConnection::m_inputReports, which is designed
on purpose to store any data packets within (initialized, terminated) time interval to prevent data loss in
the case when HidConnection::registerDataReceivedCallback is called after the first data packet's arrival.
In order to break the dead lock completely, HidConnection::invalidateCache will bnnne called prior to every
send to delete any potential init response from last run. HidConnection::invalidateCache is not necessary
for other protocols though. The above scenario is more or less a design flaw in CTAP HID.

Of course, all above scenarios are covered in our mock tests.

• UIProcess/API/C/WKWebsiteDataStoreRef.cpp:

(WKWebsiteDataStoreSetWebAuthenticationMockConfiguration):

• UIProcess/WebAuthentication/Cocoa/HidConnection.h:

(WebKit::HidConnection::invalidateCache):

• UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:

(WebKit::MockHidConnection::send):
(WebKit::MockHidConnection::parseRequest):
(WebKit::MockHidConnection::feedReports):

• UIProcess/WebAuthentication/Mock/MockHidConnection.h:
• UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h:
• UIProcess/WebAuthentication/fido/CtapHidDriver.cpp:

(WebKit::CtapHidDriver::Worker::transact):
(WebKit::CtapHidDriver::CtapHidDriver):
(WebKit::CtapHidDriver::transact):
(WebKit::CtapHidDriver::continueAfterChannelAllocated):
(WebKit::CtapHidDriver::returnResponse):

• UIProcess/WebAuthentication/fido/CtapHidDriver.h:

LayoutTests:

• http/wpt/webauthn/ctap-hid-failure.https-expected.txt:
• http/wpt/webauthn/ctap-hid-failure.https.html:
• http/wpt/webauthn/ctap-hid-success.https-expected.txt:
• http/wpt/webauthn/ctap-hid-success.https.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-failure.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-failure.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-success.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/FidoConstants.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidConnection.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp (modified) (4 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp (modified) (6 diffs)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-11-15  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Use a real nonce for CTAPHID_INIT
+        https://bugs.webkit.org/show_bug.cgi?id=191533
+        <rdar://problem/46103502>
+
+        Reviewed by Brent Fulgham.
+
+        * http/wpt/webauthn/ctap-hid-failure.https-expected.txt:
+        * http/wpt/webauthn/ctap-hid-failure.https.html:
+        * http/wpt/webauthn/ctap-hid-success.https-expected.txt:
+        * http/wpt/webauthn/ctap-hid-success.https.html:
+
 2018-11-15  Justin Fan  <justin_fan@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-failure.https-expected.txt

@@ -3 +3 @@
 PASS CTAP HID with init sub stage empty report error in a mock hid authenticator. 
 PASS CTAP HID with init sub stage wrong channel id error in a mock hid authenticator. 
+PASS CTAP HID with init sub stage wrong nonce error in a mock hid authenticator. 
 PASS CTAP HID with msg sub stage data not sent error in a mock hid authenticator. 
 PASS CTAP HID with msg sub stage empty report error in a mock hid authenticator. 

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-failure.https.html

@@ -41 +41 @@
     promise_test(function(t) {
         if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-nonce" } });
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(defaultOptions), "Operation timed out.");
+    }, "CTAP HID with init sub stage wrong nonce error in a mock hid authenticator.");
+
+    promise_test(function(t) {
+        if (window.testRunner)
             testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "msg", error: "data-not-sent" } });
         return promiseRejects(t, "NotAllowedError", navigator.credentials.create(defaultOptions), "Operation timed out.");

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-success.https-expected.txt

@@ -4 +4 @@
 PASS CTAP HID with continue after empty report in a mock hid authenticator. 
 PASS CTAP HID with continue after wrong channel id in a mock hid authenticator. 
+PASS CTAP HID with continue after wrong nonce error in a mock hid authenticator. 
 

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html

@@ -55 +55 @@
         });
     }, "CTAP HID with continue after wrong channel id in a mock hid authenticator.");
+
+    promise_test(function(t) {
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-nonce", payloadBase64: testCreationMessageBase64, continueAfterErrorData: true } });
+        return navigator.credentials.create(defaultOptions).then(credential => {
+            assert_not_equals(credential, undefined);
+            assert_not_equals(credential, null);
+        });
+    }, "CTAP HID with continue after wrong nonce error in a mock hid authenticator.");
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-11-15  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Use a real nonce for CTAPHID_INIT
+        https://bugs.webkit.org/show_bug.cgi?id=191533
+        <rdar://problem/46103502>
+
+        Reviewed by Brent Fulgham.
+
+        New tests are added into existing test files.
+
+        * Modules/webauthn/fido/FidoConstants.h:
+
 2018-11-15  Justin Fan  <justin_fan@apple.com>
 

trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h

@@ -161 +161 @@
 const size_t kHidContinuationPacketDataSize = kHidMaxPacketSize - kHidContinuationPacketHeader;
 const size_t kHidInitResponseSize = 17;
+const size_t kHidInitNonceLength = 8;
 
 const uint8_t kHidMaxLockSeconds = 10;

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-11-15  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Use a real nonce for CTAPHID_INIT
+        https://bugs.webkit.org/show_bug.cgi?id=191533
+        <rdar://problem/46103502>
+
+        Reviewed by Brent Fulgham.
+
+        Use a real nonce for CTAPHID_INIT request according to:
+        https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#ctaphid_init-0x06.
+        The challenge here is the new transaction needs to start in the next runloop otherwise a dead lock will form:
+        wrong nonce -> new transaction -> new nonce -> write init request -> read init response from last run as it
+        piped in the run loop -> wrong nonce of course -> ...
+        To break the above dead lock, we have to start the new transaction in the next run. However, that isn't
+        sufficient as the arrived init response will be piped in HidConnection::m_inputReports, which is designed
+        on purpose to store any data packets within (initialized, terminated) time interval to prevent data loss in
+        the case when HidConnection::registerDataReceivedCallback is called after the first data packet's arrival.
+        In order to break the dead lock completely, HidConnection::invalidateCache will bnnne called prior to every
+        send to delete any potential init response from last run. HidConnection::invalidateCache is not necessary
+        for other protocols though. The above scenario is more or less a design flaw in CTAP HID.
+
+        Of course, all above scenarios are covered in our mock tests.
+
+        * UIProcess/API/C/WKWebsiteDataStoreRef.cpp:
+        (WKWebsiteDataStoreSetWebAuthenticationMockConfiguration):
+        * UIProcess/WebAuthentication/Cocoa/HidConnection.h:
+        (WebKit::HidConnection::invalidateCache):
+        * UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
+        (WebKit::MockHidConnection::send):
+        (WebKit::MockHidConnection::parseRequest):
+        (WebKit::MockHidConnection::feedReports):
+        * UIProcess/WebAuthentication/Mock/MockHidConnection.h:
+        * UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h:
+        * UIProcess/WebAuthentication/fido/CtapHidDriver.cpp:
+        (WebKit::CtapHidDriver::Worker::transact):
+        (WebKit::CtapHidDriver::CtapHidDriver):
+        (WebKit::CtapHidDriver::transact):
+        (WebKit::CtapHidDriver::continueAfterChannelAllocated):
+        (WebKit::CtapHidDriver::returnResponse):
+        * UIProcess/WebAuthentication/fido/CtapHidDriver.h:
+
 2018-11-15  Oriol Brufau  <obrufau@igalia.com>
 

trunk/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp

@@ -626 +626 @@
         if (error == "unsupported-options")
             hid.error = MockWebAuthenticationConfiguration::Hid::Error::UnsupportedOptions;
+        if (error == "wrong-nonce")
+            hid.error = MockWebAuthenticationConfiguration::Hid::Error::WrongNonce;
 
         if (auto payloadBase64 = static_cast<WKStringRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("PayloadBase64")).get())))

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidConnection.h

@@ -60 +60 @@
     void registerDataReceivedCallback(DataReceivedCallback&&);
     void unregisterDataReceivedCallback();
+    void invalidateCache() { m_inputReports.clear(); }
 
     void receiveReport(Vector<uint8_t>&&);

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp

@@ -71 +71 @@
 {
     ASSERT(m_initialized);
-    assembleRequest(WTFMove(data));
-
-    auto sent = DataSent::Yes;
-    if (stagesMatch() && m_configuration.hid->error == Mock::Error::DataNotSent)
-        sent = DataSent::No;
-
-    auto task = BlockPtr<void()>::fromCallable([callback = WTFMove(callback), sent]() mutable {
+    auto task = BlockPtr<void()>::fromCallable([weakThis = makeWeakPtr(*this), data = WTFMove(data), callback = WTFMove(callback)]() mutable {
         ASSERT(!RunLoop::isMain());
-        RunLoop::main().dispatch([callback = WTFMove(callback), sent]() mutable {
+        RunLoop::main().dispatch([weakThis, data = WTFMove(data), callback = WTFMove(callback)]() mutable {
+            if (!weakThis)
+                return;
+
+            weakThis->assembleRequest(WTFMove(data));
+
+            auto sent = DataSent::Yes;
+            if (weakThis->stagesMatch() && weakThis->m_configuration.hid->error == Mock::Error::DataNotSent)
+                sent = DataSent::No;
             callback(sent);
         });
@@ -164 +166 @@
     }
 
+    // Store nonce.
+    if (m_subStage == Mock::SubStage::Init) {
+        m_nonce = m_requestMessage->getMessagePayload();
+        ASSERT(m_nonce.size() == kHidInitNonceLength);
+    }
+
     m_currentChannel = m_requestMessage->channelId();
     m_requestMessage = std::nullopt;
@@ -177 +185 @@
         Vector<uint8_t> payload;
         payload.reserveInitialCapacity(kHidInitResponseSize);
-        // FIXME(191533): Use a real nonce.
-        payload.appendVector(Vector<uint8_t>({ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }));
+        payload.appendVector(m_nonce);
+        if (stagesMatch() && m_configuration.hid->error == Mock::Error::WrongNonce)
+            payload[0]--;
         payload.grow(kHidInitResponseSize);
         cryptographicallyRandomValues(payload.data() + payload.size(), CtapChannelIdSize);
@@ -192 +201 @@
     std::optional<FidoHidMessage> message;
     if (m_stage == Mock::Stage::Info && m_subStage == Mock::SubStage::Msg) {
-        auto infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(kAaguidLength)));
+        auto infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(kAaguidLength, 0u)));
         infoData.insert(0, static_cast<uint8_t>(CtapDeviceResponseCode::kSuccess)); // Prepend status code.
         if (stagesMatch() && m_configuration.hid->error == Mock::Error::WrongChannelId)

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.h

@@ -66 +66 @@
     bool m_requireResidentKey { false };
     bool m_requireUserVerification  { false };
+    Vector<uint8_t> m_nonce;
 };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h

@@ -58 +58 @@
             WrongChannelId,
             MaliciousPayload,
-            UnsupportedOptions
+            UnsupportedOptions,
+            WrongNonce
         };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp

@@ -30 +30 @@
 
 #include <WebCore/FidoConstants.h>
+#include <wtf/CryptographicallyRandomNumber.h>
 #include <wtf/RunLoop.h>
+#include <wtf/Vector.h>
 #include <wtf/text/Base64.h>
 
@@ -55 +57 @@
     m_callback = WTFMove(callback);
 
+    // HidConnection could hold data from other applications, and thereofore invalidate it before each transaction.
+    m_connection->invalidateCache();
     m_connection->send(m_requestMessage->popNextPacket(), [weakThis = makeWeakPtr(*this)](HidConnection::DataSent sent) mutable {
         ASSERT(RunLoop::isMain());
@@ -130 +134 @@
 CtapHidDriver::CtapHidDriver(UniqueRef<HidConnection>&& connection)
     : m_worker(makeUniqueRef<Worker>(WTFMove(connection)))
+    , m_nonce(kHidInitNonceLength)
 {
 }
@@ -137 +142 @@
     ASSERT(m_state == State::Idle);
     m_state = State::AllocateChannel;
+    m_channelId = kHidBroadcastChannel;
     m_requestData = WTFMove(data);
     m_responseCallback = WTFMove(callback);
 
     // Allocate a channel.
-    // FIXME(191533): Get a real nonce.
-    auto initCommand = FidoHidMessage::create(kHidBroadcastChannel, FidoHidDeviceCommand::kInit, { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 });
+    ASSERT(m_nonce.size() == kHidInitNonceLength);
+    cryptographicallyRandomValues(m_nonce.data(), m_nonce.size());
+    auto initCommand = FidoHidMessage::create(m_channelId, FidoHidDeviceCommand::kInit, m_nonce);
     ASSERT(initCommand);
     m_worker->transact(WTFMove(*initCommand), [weakThis = makeWeakPtr(*this)](std::optional<FidoHidMessage>&& response) mutable {
@@ -159 +166 @@
         return;
     }
+    ASSERT(message->channelId() == m_channelId);
+
+    auto payload = message->getMessagePayload();
+    ASSERT(payload.size() == kHidInitResponseSize);
+    // Restart the transaction in the next run loop when nonce mismatches.
+    if (memcmp(payload.data(), m_nonce.data(), m_nonce.size())) {
+        m_state = State::Idle;
+        RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), data = WTFMove(m_requestData), callback = WTFMove(m_responseCallback)]() mutable {
+            if (!weakThis)
+                return;
+            weakThis->transact(WTFMove(data), WTFMove(callback));
+        });
+        return;
+    }
+
     m_state = State::Ready;
-    ASSERT(message->channelId() == m_channelId);
-
-    // FIXME(191534): Check Payload including nonce and everything
-    auto payload = message->getMessagePayload();
-    size_t index = 8;
-    ASSERT(payload.size() == kHidInitResponseSize);
+    auto index = kHidInitNonceLength;
     m_channelId = static_cast<uint32_t>(payload[index++]) << 24;
     m_channelId |= static_cast<uint32_t>(payload[index++]) << 16;
     m_channelId |= static_cast<uint32_t>(payload[index++]) << 8;
     m_channelId |= static_cast<uint32_t>(payload[index]);
+    // FIXME(191534): Check the reset of the payload.
     auto cmd = FidoHidMessage::create(m_channelId, FidoHidDeviceCommand::kCbor, m_requestData);
     ASSERT(cmd);
@@ -191 +209 @@
     // Reset state before calling the response callback to avoid being deleted.
     m_state = State::Idle;
-    m_channelId = fido::kHidBroadcastChannel;
-    m_requestData = { };
     m_responseCallback(WTFMove(response));
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.h

@@ -63 +63 @@
     // Worker is the helper that maintains the transaction.
     // https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#arbitration
-    // FSM: Idle => Write => Read
+    // FSM: Idle => Write => Read.
     class Worker : public CanMakeWeakPtr<Worker> {
         WTF_MAKE_FAST_ALLOCATED;
@@ -103 +103 @@
     Vector<uint8_t> m_requestData;
     ResponseCallback m_responseCallback;
+    Vector<uint8_t> m_nonce;
 };