[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-anastasis] branch master updated: fix hashing of PIN entries
From: |
gnunet |
Subject: |
[taler-anastasis] branch master updated: fix hashing of PIN entries |
Date: |
Thu, 18 Mar 2021 21:30:17 +0100 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository anastasis.
The following commit(s) were added to refs/heads/master by this push:
new 63449e8 fix hashing of PIN entries
63449e8 is described below
commit 63449e8b9c6d5f821d843d11ad77f09a0fb5051c
Author: Christian Grothoff <grothoff@gnunet.org>
AuthorDate: Thu Mar 18 21:30:14 2021 +0100
fix hashing of PIN entries
---
src/include/anastasis.h | 13 ++--
src/lib/anastasis_recovery.c | 22 ++++---
src/reducer/anastasis_api_recovery_redux.c | 95 +++++++++++++++++++++++++++---
src/util/anastasis_crypto.c | 2 +-
4 files changed, 105 insertions(+), 27 deletions(-)
diff --git a/src/include/anastasis.h b/src/include/anastasis.h
index 972b110..b58000b 100644
--- a/src/include/anastasis.h
+++ b/src/include/anastasis.h
@@ -260,9 +260,10 @@ ANASTASIS_challenge_start (struct ANASTASIS_Challenge *c,
/**
- * Challenge answer from the user like input SMS pin. Is referenced to
+ * Challenge answer for a security question. Is referenced to
* a challenge and sends back an AnswerFeedback. Convenience
- * wrapper around #ANASTASIS_challenge_start that hashes @a answer.
+ * wrapper around #ANASTASIS_challenge_start that hashes @a answer
+ * for security questions.
*
* @param c reference to the challenge which is answered
* @param psp information about payment made for the recovery
@@ -282,10 +283,10 @@ ANASTASIS_challenge_answer (struct ANASTASIS_Challenge *c,
/**
- * Challenge answer from the user like input SMS pin. Is referenced to
- * a challenge and sends back an AnswerFeedback. Convenience
- * wrapper around #ANASTASIS_challenge_start that hashes @a answer.
- * Variant for numeric answers.
+ * Challenge answer from the user like input SMS TAN or e-mail wpin. Is
+ * referenced to a challenge and sends back an AnswerFeedback.
+ * Convenience wrapper around #ANASTASIS_challenge_start that hashes
+ * numeric (unsalted) @a answer. Variant for numeric answers.
*
* @param c reference to the challenge which is answered
* @param psp information about payment made for the recovery
diff --git a/src/lib/anastasis_recovery.c b/src/lib/anastasis_recovery.c
index b9c5bfa..c4a52e5 100644
--- a/src/lib/anastasis_recovery.c
+++ b/src/lib/anastasis_recovery.c
@@ -495,18 +495,16 @@ ANASTASIS_challenge_answer2 (struct ANASTASIS_Challenge
*c,
ANASTASIS_AnswerFeedback af,
void *af_cls)
{
- char answer_s[40];
-
- GNUNET_snprintf (answer_s,
- sizeof (answer_s),
- "%llu",
- (unsigned long long) answer);
- return ANASTASIS_challenge_answer (c,
- psp,
- timeout,
- answer_s,
- af,
- af_cls);
+ struct GNUNET_HashCode answer_s;
+
+ ANASTASIS_hash_answer (answer,
+ &answer_s);
+ return ANASTASIS_challenge_start (c,
+ psp,
+ timeout,
+ &answer_s,
+ af,
+ af_cls);
}
diff --git a/src/reducer/anastasis_api_recovery_redux.c
b/src/reducer/anastasis_api_recovery_redux.c
index 5cdd6d5..75fa5f2 100644
--- a/src/reducer/anastasis_api_recovery_redux.c
+++ b/src/reducer/anastasis_api_recovery_redux.c
@@ -528,14 +528,18 @@ solve_challenge_cb (void *cls,
const struct ANASTASIS_PaymentSecretP *psp = NULL;
struct ANASTASIS_PaymentSecretP ps;
struct GNUNET_TIME_Relative timeout = GNUNET_TIME_UNIT_ZERO;
- struct GNUNET_JSON_Specification spec[] = {
+ struct GNUNET_JSON_Specification tspec[] = {
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_relative_time ("timeout",
&timeout)),
+ GNUNET_JSON_spec_end ()
+ };
+ struct GNUNET_JSON_Specification pspec[] = {
GNUNET_JSON_spec_fixed_auto ("payment_secret",
&ps),
GNUNET_JSON_spec_end ()
};
+
json_t *challenge;
if (NULL == ri)
@@ -549,6 +553,20 @@ solve_challenge_cb (void *cls,
return;
}
+ if (GNUNET_OK !=
+ GNUNET_JSON_parse (sctx->args,
+ tspec,
+ NULL, NULL))
+ {
+ GNUNET_break_op (0);
+ ANASTASIS_redux_fail_ (sctx->cb,
+ sctx->cb_cls,
+ TALER_EC_ANASTASIS_REDUCER_INPUT_INVALID,
+ "'timeout' malformed");
+ sctx_free (sctx);
+ return;
+ }
+
/* Check if we got a payment_secret */
challenge = find_challenge_in_ri (sctx->state,
&sctx->uuid);
@@ -562,13 +580,34 @@ solve_challenge_cb (void *cls,
sctx_free (sctx);
return;
}
+
if (NULL !=
- json_object_get (challenge,
+ json_object_get (sctx->args,
"payment_secret"))
{
+ /* check if we got payment secret in args */
if (GNUNET_OK !=
GNUNET_JSON_parse (sctx->args,
- spec,
+ pspec,
+ NULL, NULL))
+ {
+ GNUNET_break_op (0);
+ ANASTASIS_redux_fail_ (sctx->cb,
+ sctx->cb_cls,
+ TALER_EC_ANASTASIS_REDUCER_INPUT_INVALID,
+ "'payment_secret' malformed");
+ sctx_free (sctx);
+ return;
+ }
+ psp = &ps;
+ }
+ else if (NULL !=
+ json_object_get (challenge,
+ "payment_secret"))
+ {
+ if (GNUNET_OK !=
+ GNUNET_JSON_parse (challenge,
+ pspec,
NULL, NULL))
{
GNUNET_break_op (0);
@@ -1034,15 +1073,19 @@ select_challenge_cb (void *cls,
const struct ANASTASIS_PaymentSecretP *psp = NULL;
struct ANASTASIS_PaymentSecretP ps;
struct GNUNET_TIME_Relative timeout = GNUNET_TIME_UNIT_ZERO;
- struct GNUNET_JSON_Specification spec[] = {
+ struct GNUNET_JSON_Specification tspec[] = {
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_relative_time ("timeout",
&timeout)),
+ GNUNET_JSON_spec_end ()
+ };
+ struct GNUNET_JSON_Specification pspec[] = {
GNUNET_JSON_spec_fixed_auto ("payment_secret",
&ps),
GNUNET_JSON_spec_end ()
};
+
if (NULL == ri)
{
GNUNET_break_op (0);
@@ -1054,8 +1097,44 @@ select_challenge_cb (void *cls,
return;
}
- /* Check if we got a payment_secret */
+ if (GNUNET_OK !=
+ GNUNET_JSON_parse (sctx->args,
+ tspec,
+ NULL, NULL))
+ {
+ GNUNET_break_op (0);
+ ANASTASIS_redux_fail_ (sctx->cb,
+ sctx->cb_cls,
+ TALER_EC_ANASTASIS_REDUCER_INPUT_INVALID,
+ "'timeout' malformed");
+ sctx_free (sctx);
+ return;
+ }
+
+ /* NOTE: do we need both ways to pass payment secrets? */
+ if (NULL !=
+ json_object_get (sctx->args,
+ "payment_secret"))
+ {
+ /* check if we got payment secret in args */
+ if (GNUNET_OK !=
+ GNUNET_JSON_parse (sctx->args,
+ pspec,
+ NULL, NULL))
+ {
+ GNUNET_break_op (0);
+ ANASTASIS_redux_fail_ (sctx->cb,
+ sctx->cb_cls,
+ TALER_EC_ANASTASIS_REDUCER_INPUT_INVALID,
+ "'payment_secret' malformed");
+ sctx_free (sctx);
+ return;
+ }
+ psp = &ps;
+ }
+ else
{
+ /* Check if we got a payment_secret in state */
json_t *challenge = find_challenge_in_ri (sctx->state,
&sctx->uuid);
@@ -1074,14 +1153,14 @@ select_challenge_cb (void *cls,
"payment_secret"))
{
if (GNUNET_OK !=
- GNUNET_JSON_parse (sctx->args,
- spec,
+ GNUNET_JSON_parse (challenge,
+ pspec,
NULL, NULL))
{
GNUNET_break_op (0);
ANASTASIS_redux_fail_ (sctx->cb,
sctx->cb_cls,
- TALER_EC_ANASTASIS_REDUCER_STATE_INVALID,
+ TALER_EC_ANASTASIS_REDUCER_INPUT_INVALID,
"'payment_secret' malformed");
sctx_free (sctx);
return;
diff --git a/src/util/anastasis_crypto.c b/src/util/anastasis_crypto.c
index 9695035..1b8b4b9 100644
--- a/src/util/anastasis_crypto.c
+++ b/src/util/anastasis_crypto.c
@@ -40,7 +40,7 @@ void
ANASTASIS_hash_answer (uint64_t code,
struct GNUNET_HashCode *hashed_code)
{
- char cbuf[32];
+ char cbuf[40];
GNUNET_snprintf (cbuf,
sizeof (cbuf),
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-anastasis] branch master updated: fix hashing of PIN entries,
gnunet <=