From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-perl-rs 2/2] pve-rs/tfa: ignore and discard incomplete u2f entries
Date: Fri, 12 Nov 2021 09:58:14 +0100 [thread overview]
Message-ID: <20211112085814.1643605-2-d.csapak@proxmox.com> (raw)
In-Reply-To: <20211112085814.1643605-1-d.csapak@proxmox.com>
it can happen that we have leftover entries with non-completed challenges.
since a user cannot continue here in a sensible way, ignore and discard
them
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
pve-rs/src/tfa/mod.rs | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/pve-rs/src/tfa/mod.rs b/pve-rs/src/tfa/mod.rs
index 44cec74..d91278d 100644
--- a/pve-rs/src/tfa/mod.rs
+++ b/pve-rs/src/tfa/mod.rs
@@ -490,10 +490,13 @@ fn decode_old_entry(ty: &[u8], data: &[u8], user: &str) -> Result<TfaUserData, E
.map_err(|err| format_err!("failed to parse json data in tfa entry - {}", err))?;
match ty {
- b"u2f" => user_data.u2f.push(proxmox_tfa_api::TfaEntry::from_parts(
- info,
- decode_old_u2f_entry(value)?,
- )),
+ b"u2f" => {
+ if let Some(entry) = decode_old_u2f_entry(value)? {
+ user_data
+ .u2f
+ .push(proxmox_tfa_api::TfaEntry::from_parts(info, entry))
+ }
+ }
b"oath" => user_data.totp.extend(
decode_old_oath_entry(value, user)?
.into_iter()
@@ -513,12 +516,17 @@ fn decode_old_entry(ty: &[u8], data: &[u8], user: &str) -> Result<TfaUserData, E
Ok(user_data)
}
-fn decode_old_u2f_entry(data: JsonValue) -> Result<proxmox_tfa::u2f::Registration, Error> {
+fn decode_old_u2f_entry(data: JsonValue) -> Result<Option<proxmox_tfa::u2f::Registration>, Error> {
let mut obj = match data {
JsonValue::Object(obj) => obj,
_ => bail!("bad json type for u2f registration"),
};
+ // discard old partial u2f registrations
+ if obj.get("challenge").is_some() {
+ return Ok(None);
+ }
+
let reg = proxmox_tfa::u2f::Registration {
key: proxmox_tfa::u2f::RegisteredKey {
key_handle: base64::decode_config(
@@ -538,7 +546,7 @@ fn decode_old_u2f_entry(data: JsonValue) -> Result<proxmox_tfa::u2f::Registratio
bail!("invalid extra data in u2f entry");
}
- Ok(reg)
+ Ok(Some(reg))
}
fn decode_old_oath_entry(
--
2.30.2
next prev parent reply other threads:[~2021-11-12 8:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-12 8:58 [pve-devel] [PATCH proxmox-perl-rs 1/2] pve-rs/tfa: fix off by one trimming Dominik Csapak
2021-11-12 8:58 ` Dominik Csapak [this message]
2021-11-12 9:23 ` [pve-devel] applied-series: " Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211112085814.1643605-2-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox