From 3dc7af05c1af111a543ec25afb5bed2cfbd04327 Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Tue, 20 Sep 2022 15:07:48 +0200
Subject: [PATCH] More fixes.

---
 src/fido/cbor.c                 |  4 ++--
 src/fido/cbor_client_pin.c      |  3 ++-
 src/fido/cbor_make_credential.c | 14 +++++++-------
 src/fido/fido.h                 |  2 +-
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/fido/cbor.c b/src/fido/cbor.c
index 696868d..dc2a26e 100644
--- a/src/fido/cbor.c
+++ b/src/fido/cbor.c
@@ -34,7 +34,7 @@ size_t cbor_len = 0;
 
 int cbor_parse(const uint8_t *data, size_t len) {
     if (len == 0)
-        return -CTAP1_ERR_INVALID_LEN;
+        return CTAP1_ERR_INVALID_LEN;
     driver_prepare_response();
     if (data[0] == CTAP_MAKE_CREDENTIAL)
         return cbor_make_credential(data + 1, len - 1);
@@ -44,7 +44,7 @@ int cbor_parse(const uint8_t *data, size_t len) {
         return cbor_reset();
     else if (data[0] == CTAP_CLIENT_PIN)
         return cbor_client_pin(data + 1, len - 1);
-    return -CTAP2_ERR_INVALID_CBOR;
+    return CTAP2_ERR_INVALID_CBOR;
 }
 
 void cbor_thread() {
diff --git a/src/fido/cbor_client_pin.c b/src/fido/cbor_client_pin.c
index 9581f34..4441bc1 100644
--- a/src/fido/cbor_client_pin.c
+++ b/src/fido/cbor_client_pin.c
@@ -472,6 +472,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
         }
         uint8_t retries = *file_get_data(ef_pin) - 1;
+        flash_write_data_to_file(ef_pin, &retries, 1);
         uint8_t paddedNewPin[64];
         ret = decrypt(pinUvAuthProtocol, sharedSecret, pinHashEnc.data, pinHashEnc.len, paddedNewPin);
         if (ret != 0) {
@@ -485,7 +486,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
             if (retries == 0) {
                 CBOR_ERROR(CTAP2_ERR_PIN_BLOCKED);
             }
-            if (++new_pin_mismatches == 3)  {
+            if (++new_pin_mismatches >= 3)  {
                 needs_power_cycle = true;
                 CBOR_ERROR(CTAP2_ERR_PIN_AUTH_BLOCKED);
             }
diff --git a/src/fido/cbor_make_credential.c b/src/fido/cbor_make_credential.c
index 80fd0a2..782ba22 100644
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -161,7 +161,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 
     uint8_t rp_id_hash[32];
     mbedtls_sha256((uint8_t *)rp.id.data, rp.id.len, rp_id_hash, 0);
-    printf("IEEEEEE 1\n");
+
     int curve = -1, alg = 0;
     if (pubKeyCredParams_len == 0)
         CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
@@ -196,7 +196,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
             if (!file_has_data(ef_pin))
                 CBOR_ERROR(CTAP2_ERR_PIN_NOT_SET);
             else
-                CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
+                CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
         }
         else {
             if (pinUvAuthProtocol == 0)
@@ -230,7 +230,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
             CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
         //Check pinUvAuthToken permissions. See 6.1.2.11
     }
-    printf("IEEEEEE 2\n");
+
     for (int e = 0; e < excludeList_len; e++) { //12.1
         if (excludeList[e].type.present == false || excludeList[e].id.present == false)
             CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
@@ -298,7 +298,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
         mbedtls_curve = MBEDTLS_ECP_DP_CURVE448;
     else
         CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_ALGORITHM);
-    printf("IEEEEEE 3\n");
+
     mbedtls_ecdsa_context ekey;
     mbedtls_ecdsa_init(&ekey);
     uint8_t key_path[KEY_PATH_LEN];
@@ -362,7 +362,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 
     CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
     rs = cbor_encoder_get_buffer_size(&encoder, cbor_buf);
-    printf("IEEEEEE 4\n");
+
     size_t aut_data_len = 32 + 1 + 4 + (16 + 2 + cred_id_len + rs) + ext_len;
     aut_data = (uint8_t *)calloc(1, aut_data_len + clientDataHash.len);
     uint8_t *pa = aut_data;
@@ -395,7 +395,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
     }
     ret = mbedtls_ecdsa_write_signature(&ekey, MBEDTLS_MD_SHA256, hash, 32, sig, sizeof(sig), &olen, random_gen, NULL);
     mbedtls_ecdsa_free(&ekey);
-    printf("IEEEEEE 5\n");
+
     cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
     CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 3));
 
@@ -421,7 +421,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 
     CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
     resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
-    printf("IEEEEEE 6\n");
+
     err:
         CBOR_FREE_BYTE_STRING(clientDataHash);
     CBOR_FREE_BYTE_STRING(pinUvAuthParam);
diff --git a/src/fido/fido.h b/src/fido/fido.h
index 396e4a1..765d45a 100644
--- a/src/fido/fido.h
+++ b/src/fido/fido.h
@@ -63,7 +63,7 @@ extern void init_fido();
 #define FIDO2_PERMISSION_LBW    0x10
 #define FIDO2_PERMISSION_ACFG   0x20
 
-#define MAX_PIN_RETRIES 3
+#define MAX_PIN_RETRIES 8
 extern bool getUserVerifiedFlagValue();
 
 typedef struct known_app {