Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix error type for third invalid PIN entry #60

Merged
merged 1 commit into from
Feb 20, 2024
Merged

Fix error type for third invalid PIN entry #60

merged 1 commit into from
Feb 20, 2024

Conversation

robin-nitrokey
Copy link
Member

If the user provides a wrong PIN and the persistent or per-boot PIN retry counter reaches its limit, we have to return the PinBlocked (persistent) or PinAuthBlocked (per boot) error code instead of PinInvalid. The previous implementation checked the persistent retry counter twice instead of checking both counters.

This patch fixes this problem by using the combined State::pin_blocked method instead of manually checking the persistent and runtime state directly.

It also replaces a raw subtraction when computing the remaining retries with a saturating sub, just to be sure.

sosthene-nitrokey
sosthene-nitrokey approved these changes Feb 20, 2024
View reviewed changes
src/ctap2.rs
if self.state.persistent.pin_blocked() {
return Err(Error::PinAuthBlocked);
}
self.state.pin_blocked()?;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having 3 methods in state.rs called pin_blocked is confusing. Makes me wish for jump to definition in code review

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was confused by the very same and had to look it up manually - but still makes sense as it is I guess

@robin-nitrokey
Fix error type for third invalid PIN entry
6e9fa17 
If the user provides a wrong PIN and the persistent or per-boot PIN
retry counter reaches its limit, we have to return the PinBlocked
(persistent) or PinAuthBlocked (per boot) error code instead of
PinInvalid.  The previous implementation checked the persistent retry
counter twice instead of checking both counters.

This patch fixes this problem by using the combined State::pin_blocked
method instead of manually checking the persistent and runtime state
directly.

It also replaces a raw subtraction when computing the remaining retries
with a saturating sub, just to be sure.
@robin-nitrokey robin-nitrokey merged commit 6e9fa17 into main Feb 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daringer daringer daringer approved these changes

@sosthene-nitrokey sosthene-nitrokey sosthene-nitrokey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@robin-nitrokey @daringer @sosthene-nitrokey