From 241f58657b8665c47fdb008e9751f1e99232bf1a Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Tue, 24 Mar 2020 22:11:10 -0400
Subject: [PATCH] consider credProtect with exclude list, and also check user presence
---
 fido2/ctap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fido2/ctap.c b/fido2/ctap.c
index a3f9bf2..1cfc815 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -922,8 +922,13 @@ uint8_t ctap_make_credential(CborEncoder * encoder, uint8_t * request, int lengt
 if (ctap_authenticate_credential(&MC.rp, excl_cred))
 {
- printf1(TAG_MC, "Cred %d failed!\r\n",i);
- return CTAP2_ERR_CREDENTIAL_EXCLUDED;
+ if ( check_credential_metadata(&excl_cred->credential.id, MC.pinAuthPresent, 1) == 0)
+ {
+ ret = ctap2_user_presence_test();
+ check_retr(ret);
+ printf1(TAG_MC, "Cred %d failed!\r\n",i);
+ return CTAP2_ERR_CREDENTIAL_EXCLUDED;
+ }
 }
 ret = cbor_value_advance(&MC.excludeList);
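Review bot: The credProtect decision in the new inner `if` rests on `MC.pinAuthPresent`, which by its name records only that a pinAuth parameter was supplied, not that it verified. Whether pinAuth has already been verified before this exclude-list loop is not visible here (ctap_make_credential starts and ends outside the hunk), so that ordering should be confirmed; otherwise the presence of a protected credential could be disclosed to a caller that has not actually performed user verification. The bare `1` third argument and the `== 0` "visible to caller" convention of `check_credential_metadata` are also unexplained at the call site. I would add a comment above the check such as `/* Report exclusion only when the credential's credProtect policy lets this caller see it; otherwise treat it as absent so its existence is not revealed. */`, and a debug `printf1` on the silent fall-through path so a matched-but-hidden credential is traceable in logs.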