Fix needs power cycle logic.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
@@ -334,10 +334,6 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
}
|
}
|
||||||
CBOR_PARSE_MAP_END(map, 1);
|
CBOR_PARSE_MAP_END(map, 1);
|
||||||
|
|
||||||
if (needs_power_cycle) {
|
|
||||||
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
|
|
||||||
}
|
|
||||||
|
|
||||||
cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
|
cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
|
||||||
if (subcommand == 0x0) {
|
if (subcommand == 0x0) {
|
||||||
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
|
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
|
||||||
@@ -423,6 +419,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
hsh[1] = pin_len;
|
hsh[1] = pin_len;
|
||||||
hsh[2] = 1; // New format indicator
|
hsh[2] = 1; // New format indicator
|
||||||
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
|
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
|
||||||
|
mbedtls_platform_zeroize(paddedNewPin, sizeof(paddedNewPin));
|
||||||
pin_derive_verifier(dhash, 16, hsh + 3);
|
pin_derive_verifier(dhash, 16, hsh + 3);
|
||||||
file_put_data(ef_pin, hsh, sizeof(hsh));
|
file_put_data(ef_pin, hsh, sizeof(hsh));
|
||||||
low_flash_available();
|
low_flash_available();
|
||||||
@@ -434,6 +431,8 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
}
|
}
|
||||||
mbedtls_platform_zeroize(hsh, sizeof(hsh));
|
mbedtls_platform_zeroize(hsh, sizeof(hsh));
|
||||||
mbedtls_platform_zeroize(dhash, sizeof(dhash));
|
mbedtls_platform_zeroize(dhash, sizeof(dhash));
|
||||||
|
needs_power_cycle = false;
|
||||||
|
|
||||||
goto err; //No return
|
goto err; //No return
|
||||||
}
|
}
|
||||||
else if (subcommand == 0x4) { //changePIN
|
else if (subcommand == 0x4) { //changePIN
|
||||||
@@ -462,6 +461,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
|
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
|
||||||
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
|
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
|
||||||
}
|
}
|
||||||
|
if (needs_power_cycle) {
|
||||||
|
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
|
||||||
|
}
|
||||||
uint8_t sharedSecret[64];
|
uint8_t sharedSecret[64];
|
||||||
int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
|
int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -591,6 +593,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
low_flash_available();
|
low_flash_available();
|
||||||
resetPinUvAuthToken();
|
resetPinUvAuthToken();
|
||||||
resetPersistentPinUvAuthToken();
|
resetPersistentPinUvAuthToken();
|
||||||
|
needs_power_cycle = false;
|
||||||
goto err; // No return
|
goto err; // No return
|
||||||
}
|
}
|
||||||
else if (subcommand == 0x9 || subcommand == 0x5) { //getPinUvAuthTokenUsingPinWithPermissions
|
else if (subcommand == 0x9 || subcommand == 0x5) { //getPinUvAuthTokenUsingPinWithPermissions
|
||||||
@@ -627,6 +630,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
|
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
|
||||||
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
|
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
|
||||||
}
|
}
|
||||||
|
if (needs_power_cycle) {
|
||||||
|
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
|
||||||
|
}
|
||||||
uint8_t sharedSecret[64];
|
uint8_t sharedSecret[64];
|
||||||
int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
|
int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -724,6 +730,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
|
|||||||
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
|
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
|
||||||
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
|
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
|
||||||
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, pinUvAuthToken_enc, 32 + poff));
|
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, pinUvAuthToken_enc, 32 + poff));
|
||||||
|
needs_power_cycle = false;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
|
CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
|
||||||
|
|||||||
@@ -483,11 +483,13 @@ void scan_all() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
extern void init_otp();
|
extern void init_otp();
|
||||||
|
extern bool needs_power_cycle;
|
||||||
void init_fido() {
|
void init_fido() {
|
||||||
scan_all();
|
scan_all();
|
||||||
#ifdef ENABLE_OTP_APP
|
#ifdef ENABLE_OTP_APP
|
||||||
init_otp();
|
init_otp();
|
||||||
#endif
|
#endif
|
||||||
|
needs_power_cycle = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool wait_button_pressed() {
|
bool wait_button_pressed() {
|
||||||
|
|||||||
@@ -51,7 +51,7 @@ def test_lockout(device, resetdevice, client_pin):
|
|||||||
res = client_pin.get_pin_retries()
|
res = client_pin.get_pin_retries()
|
||||||
assert res[0] == attempts
|
assert res[0] == attempts
|
||||||
|
|
||||||
if err == CtapError.ERR.PIN_AUTH_BLOCKED:
|
if e.value.code == CtapError.ERR.PIN_AUTH_BLOCKED:
|
||||||
device.reboot()
|
device.reboot()
|
||||||
client_pin = ClientPin(resetdevice.client()._backend.ctap2)
|
client_pin = ClientPin(resetdevice.client()._backend.ctap2)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user