mozilla/authenticator-rs

CTAPHID report size incorrectly limited

tmthrgd opened this issue · 0 comments

tmthrgd commented

authenticator-rs imposes a maximum HID report size of MAX_HID_RPT_SIZE = 64 bytes. This limit isn't part of either the CTAP 2.0 or CTAP 2.1 specs, although the spec is a tad vague about this. (All references will be to the CTAP 2.0 spec as 2.1 is still a draft).

USB 1.x Full Speed devices are limited to just 64-byte report sizes, but USB 2.0 (from 2001) introduced High Speed devices which can have report sizes up 1024-bytes (from what I've been able to find). The Linux kernel can support HID reports up to 16KiB in size since v5.11.

§ 8.1.8. says (emphasis mine):

The description further assumes (but is not limited to) a full-speed USB device (12 Mbit/s). Although not excluded per se, USB low-speed devices are not practical to use given the 8-byte report size limitation together with the protocol overhead.

§ 8.1.8.1. says (emphasis mine):

The device implements two endpoints (except the control endpoint 0), one for IN and one for OUT transfers. The packet size is vendor defined, but the reference implementation assumes a full-speed device with two 64-byte endpoints.

The actual endpoint order, intervals, endpoint numbers and endpoint packet size may be defined freely by the vendor and the host application is responsible for querying these values and handle these accordingly. For the sake of clarity, the values listed above are used in the following examples.

§ 8.1.8.2. says:

The length values specified by the HID_INPUT_REPORT_BYTES and the HID_OUTPUT_REPORT_BYTES should typically match the respective endpoint sizes defined in the endpoint descriptors.

While § 8.1.4. does say:

With a packet size of 64 bytes (max for full-speed devices), this means that the maximum message payload length is 64 - 7 + 128 * (64 - 5) = 7609 bytes.

This is clearly only an example of how to calculate the maximum message size. There's nothing else in the spec (from what I can see) that would impose a 64-byte maximum report size.

This implementation shouldn't be imposing a limit on the maximum HID report size (except where USB might have a limit) and certainly not one as small as 64-bytes.