Merge pull request #155 from solokeys/pin_lockout_ga

Pin lockout ga
2019-03-29 17:11:48 -04:00 · 2019-03-29 17:11:48 -04:00 · 3b3f47bfcf
commit 3b3f47bfcf
parent 4e21c0bd8f 6fa443b0bc
2 changed files with 30 additions and 28 deletions
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@ -1105,19 +1105,15 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
        return ret;
    }

-    if (ctap_is_pin_set() && GA.pinAuthPresent == 0)
+    if (GA.pinAuthPresent)
    {
-        printf2(TAG_ERR,"pinAuth is required\n");
-        return CTAP2_ERR_PIN_REQUIRED;
+        ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
+        check_retr(ret);
+        getAssertionState.user_verified = 1;
    }
    else
    {
-        if (ctap_is_pin_set() || (GA.pinAuthPresent))
-        {
-            ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
-            check_retr(ret);
-            getAssertionState.user_verified = 1;
-        }
+        getAssertionState.user_verified = 0;
    }

    if (!GA.rp.size || !GA.clientDataHashPresent)
@ -1198,6 +1194,9 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
        ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &len, NULL);
        check_retr(ret);

+        ((CTAP_authData *)auth_data_buf)->head.flags &= ~(1 << 2);
+        ((CTAP_authData *)auth_data_buf)->head.flags |= (getAssertionState.user_verified << 2);
+        
        {
            unsigned int ext_encoder_buf_size = sizeof(auth_data_buf) - len;
            uint8_t * ext_encoder_buf = auth_data_buf + len;
--- a/tools/testing/tests/fido2.py
+++ b/tools/testing/tests/fido2.py
@ -905,22 +905,25 @@ class FIDO2Tests(Tester):
            expectedError=CtapError.ERR.SUCCESS,
        )

-        # self.testGA(
-        #     "Send GA request with no pinAuth, expect SUCCESS",
-        #     rp["id"],
-        #     cdh,
-        #     [
-        #         {
-        #             "type": "public-key",
-        #             "id": res_mc.auth_data.credential_data.credential_id,
-        #         }
-        #     ],
-        #     expectedError=CtapError.ERR.SUCCESS,
-        # )
-
        with Test("Check UV flag is set"):
            assert res_ga.auth_data.flags & (1 << 2)

+        res_ga = self.testGA(
+            "Send GA request with no pinAuth, expect SUCCESS",
+            rp["id"],
+            cdh,
+            [
+                {
+                    "type": "public-key",
+                    "id": res_mc.auth_data.credential_data.credential_id,
+                }
+            ],
+            expectedError=CtapError.ERR.SUCCESS,
+        )
+
+        with Test("Check UV flag is NOT set"):
+            assert not (res_ga.auth_data.flags & (1 << 2))
+
        self.testReset()

        with Test("Setting pin code, expect SUCCESS"):
@ -973,12 +976,12 @@ class FIDO2Tests(Tester):
            expectedError=CtapError.ERR.PIN_REQUIRED,
        )

-        # res_mc = self.testGA(
-        #     "Send GA request with no pin_auth, expect NO_CREDENTIALS",
-        #     rp["id"],
-        #     cdh,
-        #     expectedError=CtapError.ERR.NO_CREDENTIALS,
-        # )
+        res_mc = self.testGA(
+            "Send GA request with no pin_auth, expect NO_CREDENTIALS",
+            rp["id"],
+            cdh,
+            expectedError=CtapError.ERR.NO_CREDENTIALS,
+        )

        res = self.testCP(
            "Test getRetries, expect SUCCESS",