From 3b53537077184090170ec65b4db9ef23f7a66853 Mon Sep 17 00:00:00 2001 From: Conor Patrick Date: Fri, 23 Aug 2019 13:09:23 +0800 Subject: [PATCH] refactor fido2 user presence handling & increase timeout to 29s --- fido2/ctap.c | 41 ++++++++++++++++++----------------------- fido2/ctap.h | 2 +- fido2/ctap_errors.h | 1 + 3 files changed, 20 insertions(+), 24 deletions(-) diff --git a/fido2/ctap.c b/fido2/ctap.c index 2536c9e..8f49102 100644 --- a/fido2/ctap.c +++ b/fido2/ctap.c @@ -437,7 +437,19 @@ static unsigned int get_credential_id_size(CTAP_credentialDescriptor * cred) static int ctap2_user_presence_test() { device_set_status(CTAPHID_STATUS_UPNEEDED); - return ctap_user_presence_test(CTAP2_UP_DELAY_MS); + int ret = ctap_user_presence_test(CTAP2_UP_DELAY_MS); + if ( ret > 0 ) + { + return CTAP1_ERR_SUCCESS; + } + else if (ret < 0) + { + return CTAP2_ERR_KEEPALIVE_CANCEL; + } + else + { + return CTAP2_ERR_ACTION_TIMEOUT; + } } static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * auth_data_buf, uint32_t * len, CTAP_credInfo * credInfo) @@ -470,15 +482,7 @@ static int ctap_make_auth_data(struct rpId * rp, CborEncoder * map, uint8_t * au int but; but = ctap2_user_presence_test(CTAP2_UP_DELAY_MS); - - if (!but) - { - return CTAP2_ERR_OPERATION_DENIED; - } - else if (but < 0) // Cancel - { - return CTAP2_ERR_KEEPALIVE_CANCEL; - } + check_retr(but); device_set_status(CTAPHID_STATUS_PROCESSING); @@ -707,10 +711,7 @@ uint8_t ctap_make_credential(CborEncoder * encoder, uint8_t * request, int lengt } if (MC.pinAuthEmpty) { - if (!ctap2_user_presence_test(CTAP2_UP_DELAY_MS)) - { - return CTAP2_ERR_OPERATION_DENIED; - } + check_retr( ctap2_user_presence_test(CTAP2_UP_DELAY_MS) ); return ctap_is_pin_set() == 1 ? CTAP2_ERR_PIN_AUTH_INVALID : CTAP2_ERR_PIN_NOT_SET; } if ((MC.paramsParsed & MC_requiredMask) != MC_requiredMask) @@ -1143,10 +1144,7 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length) if (GA.pinAuthEmpty) { - if (!ctap2_user_presence_test(CTAP2_UP_DELAY_MS)) - { - return CTAP2_ERR_OPERATION_DENIED; - } + check_retr( ctap2_user_presence_test(CTAP2_UP_DELAY_MS) ); return ctap_is_pin_set() == 1 ? CTAP2_ERR_PIN_AUTH_INVALID : CTAP2_ERR_PIN_NOT_SET; } if (GA.pinAuthPresent) @@ -1656,14 +1654,11 @@ uint8_t ctap_request(uint8_t * pkt_raw, int length, CTAP_RESPONSE * resp) break; case CTAP_RESET: printf1(TAG_CTAP,"CTAP_RESET\n"); - if (ctap2_user_presence_test(CTAP2_UP_DELAY_MS)) + status = ctap2_user_presence_test(CTAP2_UP_DELAY_MS); + if (status == CTAP1_ERR_SUCCESS) { ctap_reset(); } - else - { - status = CTAP2_ERR_OPERATION_DENIED; - } break; case GET_NEXT_ASSERTION: printf1(TAG_CTAP,"CTAP_NEXT_ASSERTION\n"); diff --git a/fido2/ctap.h b/fido2/ctap.h index 51a5c11..6bfdf57 100644 --- a/fido2/ctap.h +++ b/fido2/ctap.h @@ -131,7 +131,7 @@ #define PIN_LOCKOUT_ATTEMPTS 8 // Number of attempts total #define PIN_BOOT_ATTEMPTS 3 // number of attempts per boot -#define CTAP2_UP_DELAY_MS 5000 +#define CTAP2_UP_DELAY_MS 29000 typedef struct { diff --git a/fido2/ctap_errors.h b/fido2/ctap_errors.h index a749651..fc2f257 100644 --- a/fido2/ctap_errors.h +++ b/fido2/ctap_errors.h @@ -49,6 +49,7 @@ #define CTAP2_ERR_PIN_POLICY_VIOLATION 0x37 #define CTAP2_ERR_PIN_TOKEN_EXPIRED 0x38 #define CTAP2_ERR_REQUEST_TOO_LARGE 0x39 +#define CTAP2_ERR_ACTION_TIMEOUT 0x3A #define CTAP1_ERR_OTHER 0x7F #define CTAP2_ERR_SPEC_LAST 0xDF #define CTAP2_ERR_EXTENSION_FIRST 0xE0