From dfbbed5d875acef951292d4895f6f8f8fe1f9ff8 Mon Sep 17 00:00:00 2001 From: Dominik Csapak Date: Fri, 12 Nov 2021 09:58:14 +0100 Subject: [PATCH] pve-rs/tfa: ignore and discard incomplete u2f entries it can happen that we have leftover entries with non-completed challenges. since a user cannot continue here in a sensible way, ignore and discard them Signed-off-by: Dominik Csapak Signed-off-by: Wolfgang Bumiller --- pve-rs/src/tfa/mod.rs | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/pve-rs/src/tfa/mod.rs b/pve-rs/src/tfa/mod.rs index 44cec74..d91278d 100644 --- a/pve-rs/src/tfa/mod.rs +++ b/pve-rs/src/tfa/mod.rs @@ -490,10 +490,13 @@ fn decode_old_entry(ty: &[u8], data: &[u8], user: &str) -> Result user_data.u2f.push(proxmox_tfa_api::TfaEntry::from_parts( - info, - decode_old_u2f_entry(value)?, - )), + b"u2f" => { + if let Some(entry) = decode_old_u2f_entry(value)? { + user_data + .u2f + .push(proxmox_tfa_api::TfaEntry::from_parts(info, entry)) + } + } b"oath" => user_data.totp.extend( decode_old_oath_entry(value, user)? .into_iter() @@ -513,12 +516,17 @@ fn decode_old_entry(ty: &[u8], data: &[u8], user: &str) -> Result Result { +fn decode_old_u2f_entry(data: JsonValue) -> Result, Error> { let mut obj = match data { JsonValue::Object(obj) => obj, _ => bail!("bad json type for u2f registration"), }; + // discard old partial u2f registrations + if obj.get("challenge").is_some() { + return Ok(None); + } + let reg = proxmox_tfa::u2f::Registration { key: proxmox_tfa::u2f::RegisteredKey { key_handle: base64::decode_config( @@ -538,7 +546,7 @@ fn decode_old_u2f_entry(data: JsonValue) -> Result
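Review bot: The new `b"u2f"` arm in `decode_old_entry` drops the entry without any trace when `decode_old_u2f_entry` returns `None`, so a migration that removes a user's only second factor leaves nothing for an administrator to audit. `user` is already in scope in this function, so an `else` branch could report it through whatever logging the crate already uses, with a message along the lines of `"discarding incomplete u2f registration for user {user}"`. It is also worth confirming, outside this hunk, how an empty `user_data` is treated at login: if a user with no remaining entries counts as having no TFA configured, the discard would relax that account to password-only. As a minor style point, the `push(...)` call inside the `if let` should end with `;`. The body of `decode_old_entry` starts and ends outside the hunk.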
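Review bot: The discard test added to `decode_old_u2f_entry`, `obj.get("challenge").is_some()`, fires on the mere presence of the key (a `null` value included) and runs before any key material is decoded. An entry that holds a finished registration but still carries a leftover `challenge` field would therefore be thrown away as well; whether the old format can produce such an entry is not visible here. If it can, the check should discard only when the registration fields are missing. The new `Option` return also deserves a doc comment on the function, for example `/// Returns Ok(None) for a registration that never completed (a "challenge" is still pending); the caller drops it.` The rest of the function body and the following hunk are cut off in this view.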