add size check of user-supplied challenges

spiretechnology · Aug 11, 2023 · f710048 · f710048
1 parent 013a3d7
commit f710048
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 0 deletions.
diff --git a/authenticate_verify.go b/authenticate_verify.go
@@ -25,6 +25,9 @@ func (w *webauthn) VerifyAuthentication(ctx context.Context, user User, res *Aut
 	if err != nil {
 		return nil, errutil.Wrapf(err, "decoding challenge")
 	}
+	if len(challengeBytesSlice) != spec.ChallengeSize {
+		return nil, errutil.Wrap(ErrInvalidChallenge)
+	}
 	challengeBytes := Challenge(challengeBytesSlice)
 	ok, err := w.options.Challenges.HasChallenge(ctx, user, challengeBytes)
 	if err != nil {

diff --git a/errors.go b/errors.go
@@ -12,4 +12,5 @@ var (
 	ErrCredentialNotFound    = errors.New("credential not found")
 	ErrNoCredentials         = errors.New("user has no credential")
 	ErrUnrecognizedChallenge = errors.New("unrecognized challenge")
+	ErrInvalidChallenge      = errors.New("invalid challenge size")
 )
diff --git a/register_verify.go b/register_verify.go
@@ -28,6 +28,9 @@ func (w *webauthn) VerifyRegistration(ctx context.Context, user User, res *Regis
 	if err != nil {
 		return nil, errutil.Wrapf(err, "decoding challenge")
 	}
+	if len(challengeBytesSlice) != spec.ChallengeSize {
+		return nil, errutil.Wrap(ErrInvalidChallenge)
+	}
 	challengeBytes := Challenge(challengeBytesSlice)
 	ok, err := w.options.Challenges.HasChallenge(ctx, user, challengeBytes)
 	if err != nil {