From 93681409a38a9db167e9217e884f5ca2823a3184 Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Tue, 22 May 2018 21:36:23 -0400
Subject: [PATCH] device lockout after 8 attemtps
---
 ctap.c | 21 +++++++++++++++++++++
 ctap.h | 1 +
 2 files changed, 22 insertions(+)
diff --git a/ctap.c b/ctap.c
index 36e3137..2fbbf8f 100644
--- a/ctap.c
+++ b/ctap.c
@@ -1954,6 +1954,18 @@ uint8_t ctap_handle_packet(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp)
 printf1(TAG_CTAP,"cbor input structure: %d bytes\n", length);
 printf1(TAG_DUMP,"cbor req: ");
 dump_hex1(TAG_DUMP, pkt_raw, length);
+ switch(cmd)
+ {
+ case CTAP_MAKE_CREDENTIAL:
+ case CTAP_GET_ASSERTION:
+ case CTAP_CLIENT_PIN:
+ if (ctap_device_locked())
+ {
+ status = CTAP2_ERR_NOT_ALLOWED;
+ goto done;
+ }
+ break;
+ }
 switch(cmd)
 {
@@ -2011,6 +2023,8 @@ uint8_t ctap_handle_packet(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp)
 printf2(TAG_ERR,"error, invalid cmd\n");
 }
+done:
+
 if (status != CTAP1_ERR_SUCCESS)
 {
 resp->length = 0;
@@ -2074,15 +2088,22 @@ uint8_t ctap_decrement_pin_attempts()
 if (_flash_tries > 0)
 {
 _flash_tries--;
+ printf1(TAG_CP, "ATTEMPTS left: %d\n", _flash_tries);
 }
 else
 {
 DEVICE_LOCKOUT = 1;
+ printf1(TAG_CP, "Device locked!\n");
 return -1;
 }
 return 0;
 }
+int8_t ctap_device_locked()
+{
+ return DEVICE_LOCKOUT == 1;
+}
+
 int8_t ctap_leftover_pin_attempts()
 {
 return _flash_tries;
diff --git a/ctap.h b/ctap.h
index 7cb3581..ebcef95 100644
--- a/ctap.h
+++ b/ctap.h
@@ -230,6 +230,7 @@ void ctap_reset_pin_attempts();
 uint8_t ctap_is_pin_set();
 uint8_t ctap_pin_matches(uint8_t * pin, int len);
 void ctap_reset();
+int8_t ctap_device_locked();
 // Test for user presence
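Review bot: The new gating switch answers a locked device with CTAP2_ERR_NOT_ALLOWED for all three commands, but the CTAP2 status defined for an exhausted PIN retry counter is CTAP2_ERR_PIN_BLOCKED (if the project's error table defines it), and a platform uses that code to tell the user a reset is required rather than treating the call as a generic refusal. At minimum the CTAP_CLIENT_PIN arm should report it, e.g. `case CTAP_CLIENT_PIN:` / `if (ctap_device_locked()) { status = CTAP2_ERR_PIN_BLOCKED; goto done; }` / `break;`, with the other two arms kept as they are if NOT_ALLOWED is intended for credential operations. The switch also has no `default:`; adding `default: break;` keeps -Wswitch quiet if cmd is an enum and documents that every other command (including CTAP_RESET, which must stay reachable to recover from lockout) deliberately passes through. ctap_handle_packet begins before this hunk and ends after the second hunk, where the `done:` label it jumps to is added.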
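Review bot: ctap_device_locked() reports only the RAM flag DEVICE_LOCKOUT, and this hunk sets that flag only when ctap_decrement_pin_attempts() is called once more after _flash_tries is already 0, so a power cycle clears the lock while the counter presumably stays exhausted (its name suggests flash-backed storage, which the hunk does not show), and the gate in ctap_handle_packet then admits makeCredential/getAssertion until the next wrong PIN. Deriving the state from the counter closes that gap and locks after the eighth failure as the subject says rather than on the ninth call, assuming the counter is initialised to its maximum when a PIN is set: `return DEVICE_LOCKOUT == 1 || _flash_tries <= 0;`. Declare the function as `int8_t ctap_device_locked(void)` in both ctap.c and ctap.h, since an empty parameter list is an unprototyped declaration in C11. The two new printf1 calls write the remaining attempt count and the lock event to the TAG_CP debug channel; confirm that channel is compiled out of release firmware.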