Fix needs power cycle logic.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

src/fido/cbor_client_pin.c

@@ -334,10 +334,6 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
     }
     CBOR_PARSE_MAP_END(map, 1);
 
-    if (needs_power_cycle) {
-        CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
-    }
-
     cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
     if (subcommand == 0x0) {
         CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
@@ -423,6 +419,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         hsh[1] = pin_len;
         hsh[2] = 1; // New format indicator
         mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), paddedNewPin, pin_len, dhash);
+        mbedtls_platform_zeroize(paddedNewPin, sizeof(paddedNewPin));
         pin_derive_verifier(dhash, 16, hsh + 3);
         file_put_data(ef_pin, hsh, sizeof(hsh));
         low_flash_available();
@@ -434,6 +431,8 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         }
         mbedtls_platform_zeroize(hsh, sizeof(hsh));
         mbedtls_platform_zeroize(dhash, sizeof(dhash));
+        needs_power_cycle = false;
+
         goto err; //No return
     }
     else if (subcommand == 0x4) { //changePIN
@@ -462,6 +461,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
             CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
         }
+        if (needs_power_cycle) {
+            CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
+        }
         uint8_t sharedSecret[64];
         int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
         if (ret != 0) {
@@ -591,6 +593,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         low_flash_available();
         resetPinUvAuthToken();
         resetPersistentPinUvAuthToken();
+        needs_power_cycle = false;
         goto err; // No return
     }
     else if (subcommand == 0x9 || subcommand == 0x5) { //getPinUvAuthTokenUsingPinWithPermissions
@@ -627,6 +630,9 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
             CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
         }
+        if (needs_power_cycle) {
+            CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
+        }
         uint8_t sharedSecret[64];
         int ret = ecdh((uint8_t)pinUvAuthProtocol, &hkey.ctx.mbed_ecdh.Qp, sharedSecret);
         if (ret != 0) {
@@ -724,6 +730,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
         CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
         CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
         CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, pinUvAuthToken_enc, 32 + poff));
+        needs_power_cycle = false;
     }
     else {
         CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);

src/fido/fido.c

@@ -483,11 +483,13 @@ void scan_all() {
 }
 
 extern void init_otp();
+extern bool needs_power_cycle;
 void init_fido() {
     scan_all();
 #ifdef ENABLE_OTP_APP
     init_otp();
 #endif
+    needs_power_cycle = false;
 }
 
 bool wait_button_pressed() {

tests/pico-fido/test_010_pin.py

@@ -51,7 +51,7 @@ def test_lockout(device, resetdevice, client_pin):
         res = client_pin.get_pin_retries()
         assert res[0] == attempts
 
-        if err == CtapError.ERR.PIN_AUTH_BLOCKED:
+        if e.value.code == CtapError.ERR.PIN_AUTH_BLOCKED:
             device.reboot()
             client_pin = ClientPin(resetdevice.client()._backend.ctap2)