Merge SP1A.210311.001

Change-Id: Icc232e4382ad1df43912307e19aa40f579396b6b
author: Scott Lobdell <slobdell@google.com> 2021-03-11 19:08:54 +0000
committer: Scott Lobdell <slobdell@google.com> 2021-03-11 19:08:54 +0000
commit: a4bc4d3a2b36280f54cdad53b0bb0de8b4223d55 (patch)
tree: 0c8d19a6d8d901cb20498399ab3e3f8434aa1fcd /identity/aidl/default/libeic/EicPresentation.c
parent: 86bfa300dfbcf500ad04bede19a2b5f0e6d418b9 (diff)
parent: f4b38dd9acd9e6e5803ceda6c6a467c97512216e (diff)
1 files changed, 14 insertions, 11 deletions
diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 5e9a280d09..9e033b39fb 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c
@@ -336,6 +336,18 @@ bool eicPresentationSetAuthToken(EicPresentation* ctx, uint64_t challenge, uint6
                                  int verificationTokenSecurityLevel,
                                  const uint8_t* verificationTokenMac,
                                  size_t verificationTokenMacSize) {
+    // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge()
+    // was never called.
+    if (ctx->authChallenge == 0) {
+        eicDebug("Trying validate tokens when no auth-challenge was previously generated");
+        return false;
+    }
+    // At least the verification-token must have the same challenge as what was generated.
+    if (verificationTokenChallenge != ctx->authChallenge) {
+        eicDebug("Challenge in verification token does not match the challenge "
+                 "previously generated");
+        return false;
+    }
     if (!eicOpsValidateAuthToken(
                 challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac,
                 macSize, verificationTokenChallenge, verificationTokenTimestamp,
@@ -360,18 +372,9 @@ static bool checkUserAuth(EicPresentation* ctx, bool userAuthenticationRequired,
         return false;
     }
 
+    // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the
+    // challenge to match...
     if (timeoutMillis == 0) {
-        if (ctx->authTokenChallenge == 0) {
-            eicDebug("No challenge in authToken");
-            return false;
-        }
-
-        // If we didn't create a challenge, too bad but user auth with
-        // timeoutMillis set to 0 needs it.
-        if (ctx->authChallenge == 0) {
-            eicDebug("No challenge was created for this session");
-            return false;
-        }
         if (ctx->authTokenChallenge != ctx->authChallenge) {
             eicDebug("Challenge in authToken (%" PRIu64
                      ") doesn't match the challenge "
author	Scott Lobdell <slobdell@google.com>	2021-03-11 19:08:54 +0000
committer	Scott Lobdell <slobdell@google.com>	2021-03-11 19:08:54 +0000
commit	a4bc4d3a2b36280f54cdad53b0bb0de8b4223d55 (patch)
tree	0c8d19a6d8d901cb20498399ab3e3f8434aa1fcd /identity/aidl/default/libeic/EicPresentation.c
parent	86bfa300dfbcf500ad04bede19a2b5f0e6d418b9 (diff)
parent	f4b38dd9acd9e6e5803ceda6c6a467c97512216e (diff)