device lockout after 8 attemtps

2018-05-22 21:36:23 -04:00 · 2018-05-22 21:36:23 -04:00 · 93681409a3
commit 93681409a3
parent 6049f25bd4
2 changed files with 22 additions and 0 deletions
--- a/ctap.c
+++ b/ctap.c
@ -1954,6 +1954,18 @@ uint8_t ctap_handle_packet(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp)
    printf1(TAG_CTAP,"cbor input structure: %d bytes\n", length);
    printf1(TAG_DUMP,"cbor req: "); dump_hex1(TAG_DUMP, pkt_raw, length);

+    switch(cmd)
+    {
+        case CTAP_MAKE_CREDENTIAL:
+        case CTAP_GET_ASSERTION:
+        case CTAP_CLIENT_PIN:
+            if (ctap_device_locked())
+            {
+                status = CTAP2_ERR_NOT_ALLOWED;
+                goto done;
+            }
+            break;
+    }

    switch(cmd)
    {
@ -2011,6 +2023,8 @@ uint8_t ctap_handle_packet(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp)
            printf2(TAG_ERR,"error, invalid cmd\n");
    }

+done:
+
    if (status != CTAP1_ERR_SUCCESS)
    {
        resp->length = 0;
@ -2074,15 +2088,22 @@ uint8_t ctap_decrement_pin_attempts()
    if (_flash_tries > 0)
    {
        _flash_tries--;
+        printf1(TAG_CP, "ATTEMPTS left: %d\n", _flash_tries);
    }
    else
    {
        DEVICE_LOCKOUT = 1;
+        printf1(TAG_CP, "Device locked!\n");
        return -1;
    }
    return 0;
 }

+int8_t ctap_device_locked()
+{
+    return DEVICE_LOCKOUT == 1;
+}
+
 int8_t ctap_leftover_pin_attempts()
 {
    return _flash_tries;
--- a/ctap.h
+++ b/ctap.h
@ -230,6 +230,7 @@ void ctap_reset_pin_attempts();
 uint8_t ctap_is_pin_set();
 uint8_t ctap_pin_matches(uint8_t * pin, int len);
 void ctap_reset();
+int8_t ctap_device_locked();


 // Test for user presence