bulwarkid / virtual-fido

A Virtual FIDO2 USB Device
MIT License

Regression in 6cb93: Could not decode encrypted box - cbor: cannot unmarshal positive integer #18

Closed zopieux closed 1 year ago

zopieux commented 1 year ago

OS: Linux (archlinux)
Browser: Chromium
Working commit: f5702c617a7479e1f9c405238a0a627ef7527ebe
Failing commit: 6cb93bc085eb3ad48c1c943f791aa7bcb2336f54

Error when authenticating with a website using 6cb93bc085eb3ad48c1c943f791aa7bcb2336f54 (previously registered in vault.json)

```
panic: ERROR: Could not decode encrypted box - cbor: cannot unmarshal positive integer into Go value of type virtual_fido.encryptedBox

goroutine 135 [running]:
github.com/bulwarkid/virtual-fido/virtual_fido.checkErr(...)
        /virtual_fido/util.go:23
github.com/bulwarkid/virtual-fido/virtual_fido.(*u2fServer).openKeyHandle(0xc000068b00, {0xc0000ce140, 0x10, 0x10})
        /virtual_fido/u2f.go:131 +0x33a
github.com/bulwarkid/virtual-fido/virtual_fido.(*u2fServer).handleU2FAuthenticate(0xc000068b00, {0xd5?, 0x77?, 0x71?, 0x0?}, {0xc0000245a0, 0x51, 0x51})
        /virtual_fido/u2f.go:174 +0x13f
github.com/bulwarkid/virtual-fido/virtual_fido.(*u2fServer).handleU2FMessage(0x40edff?, {0xc0000fc000?, 0x78fea0?, 0x1000000790e20?})
        /virtual_fido/u2f.go:106 +0x24d
github.com/bulwarkid/virtual-fido/virtual_fido.(*ctapHIDChannel).handleDataMessage(0xc0000fc000?, 0x7113cf?, {0x80?, 0x0?, 0x0?}, {0xc0000fc000, 0x5a, 0x80})
        /virtual_fido/ctap_hid.go:341 +0x190
github.com/bulwarkid/virtual-fido/virtual_fido.(*ctapHIDChannel).handleFinalizedMessage(0xc002230040, 0x61c7f2?, {0x7a1c0?, 0xc0?, 0x0?}, {0xc0000fc000, 0x5a, 0x80})
        /virtual_fido/ctap_hid.go:307 +0x147
created by github.com/bulwarkid/virtual-fido/virtual_fido.(*ctapHIDChannel).handleIntermediateMessage
        /virtual_fido/ctap_hid.go:261 +0x36d
exit status 2
```

Please tell me if you need more verbose logs.

zopieux commented 1 year ago

Fun fact though: the commit (f5702c617a7479e1f9c405238a0a627ef7527ebe) that works under Chromium fails with Firefox (unrelated to #15 I suppose) with the same panic, for the same website.

cmdli commented 1 year ago

Huh, that commit shouldn't have touched the U2F code, and it looks like we may be getting odd data from the website for the key handle. What website is this? If I can reproduce it locally, it will be a lot easier to fix since I can see what data the website is sending back.

zopieux commented 1 year ago

It's a French bank sadly (boursorama-banque.com), you'd need to open an account, which I don't think you'd want :-)

How else can I help?

cmdli commented 1 year ago

I can take a look at this; if you go into u2f.go and enable the logging by turning on new Logger("[U2F]", *true*) and then run it again and give me the logs, that will be super helpful. I'm guessing that something is messing up in the protocol and garbage data is being interpreted as the key handle.

zopieux commented 1 year ago

I've uploaded the logs here. Thanks!

cmdli commented 1 year ago

So, taking a look at the logs, it looks like the device is being given a well-formed request, but the key handle it is being provided is not correct (or perhaps not created by this device). The device shouldn't crash in this case, it should just return an error response to the website, so I fixed that in https://github.com/bulwarkid/virtual-fido/commit/e48308c7ff298d1449dd7cc8715f51ee645ac0b1. That commit should cause an error to the website instead of crashing the device, at least.

Is there any chance there are multiple devices registered to the account? The website could have been trying a different one and VirtualFIDO just handled it poorly. If this is the only device on the account, then another problem must exist; something would be corrupting the key handle here.

zopieux commented 1 year ago

There is a single FIDO key registered on that website for my account, if I understand your question correctly. I'll try your commit this week, thanks again for looking at this.

cmdli commented 1 year ago

Closing this as inactive; feel free to reopen as necessary.
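
Added example, not code from virtual-fido or from the fix commit: a sketch of the behaviour described in the thread, where a key handle the device cannot open produces the U2F status word `SW_WRONG_DATA` (0x6A80) instead of a panic. The slice lengths in the trace (a 0x51-byte authenticate payload, a 0x10-byte key handle) match the layout challenge(32) + application(32) + length(1) + handle(16), which the constructed input below reproduces. AES-GCM stands in for the project's CBOR `encryptedBox`; `demoBox`, `sealKeyHandle` and `authenticateStatus` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const swNoError, swWrongLength, swWrongData uint16 = 0x9000, 0x6700, 0x6A80 // U2F status words

func demoBox() cipher.AEAD { // hypothetical stand-in for the device's vault key
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero key; 32 bytes is always valid
	box, _ := cipher.NewGCM(block)
	return box
}

// sealKeyHandle encrypts a credential secret, binding it to the application parameter.
func sealKeyHandle(box cipher.AEAD, appParam, secret []byte) []byte {
	nonce := make([]byte, box.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: unrecoverable, and not reachable from request data
	}
	return box.Seal(nonce, nonce, secret, appParam)
}

// openKeyHandle returns an error, never a panic, for a handle this device did not create.
func openKeyHandle(box cipher.AEAD, appParam, handle []byte) ([]byte, error) {
	if n := box.NonceSize(); len(handle) >= n+box.Overhead() {
		return box.Open(nil, handle[:n], handle[n:], appParam)
	}
	return nil, fmt.Errorf("key handle too short: %d bytes", len(handle))
}

// authenticateStatus parses challenge(32) || application(32) || L(1) || keyHandle(L).
func authenticateStatus(box cipher.AEAD, payload []byte) uint16 {
	if len(payload) < 65 || len(payload) != 65+int(payload[64]) {
		return swWrongLength
	}
	if _, err := openKeyHandle(box, payload[32:64], payload[65:]); err != nil {
		return swWrongData // invalid key handle: answer the relying party, keep running
	}
	return swNoError // a real device would now check user presence and sign
}

func main() {
	foreign := append(append(make([]byte, 64), 16), make([]byte, 16)...) // constructed 81-byte request
	fmt.Printf("status 0x%04X\n", authenticateStatus(demoBox(), foreign))
}
```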