1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-18 12:28:09 +00:00

core/webauthn: Cache user verification for 3 minutes.

This commit is contained in:
Andrew Kozlik 2020-05-01 16:03:40 +02:00 committed by matejcik
parent b867ac1d01
commit 5469acfabf
2 changed files with 19 additions and 1 deletions

View File

@ -1,3 +1,5 @@
import utime
import storage.sd_salt
from trezor import config, ui, wire
from trezor.messages import ButtonRequestType
@ -14,6 +16,9 @@ if False:
from typing import Any, NoReturn, Optional, Tuple
_last_successful_unlock = 0
def can_lock_device() -> bool:
"""Return True if the device has a PIN set or SD-protect enabled."""
return config.has_pin() or storage.sd_salt.is_enabled()
@ -81,7 +86,17 @@ async def verify_user_pin(
prompt: str = "Enter your PIN",
allow_cancel: bool = True,
retry: bool = True,
cache_time_ms: int = 0,
) -> None:
global _last_successful_unlock
if (
cache_time_ms
and _last_successful_unlock
and utime.ticks_ms() - _last_successful_unlock <= cache_time_ms
and config.is_unlocked()
):
return
if config.has_pin():
pin = await request_pin(ctx, prompt, config.get_pin_rem(), allow_cancel)
config.ensure_not_wipe_code(pin_to_int(pin))
@ -93,6 +108,7 @@ async def verify_user_pin(
except SdCardUnavailable:
raise wire.PinCancelled("SD salt is unavailable")
if config.unlock(pin_to_int(pin), salt):
_last_successful_unlock = utime.ticks_ms()
return
elif not config.has_pin():
raise RuntimeError
@ -102,6 +118,7 @@ async def verify_user_pin(
ctx, "Wrong PIN, enter again", config.get_pin_rem(), allow_cancel
)
if config.unlock(pin_to_int(pin), salt):
_last_successful_unlock = utime.ticks_ms()
return
raise wire.PinInvalid

View File

@ -141,6 +141,7 @@ _U2F_CONFIRM_TIMEOUT_MS = const(
) # maximum U2F pollling interval, Chrome uses 200 ms
_FIDO2_CONFIRM_TIMEOUT_MS = const(60 * 1000)
_POPUP_TIMEOUT_MS = const(4 * 1000)
_UV_CACHE_TIME_MS = const(3 * 60 * 1000) # user verification cache time
# hid error codes
_ERR_NONE = const(0x00) # no error
@ -593,7 +594,7 @@ async def verify_user(keepalive_callback: KeepaliveCallback) -> bool:
try:
trezor.pin.keepalive_callback = keepalive_callback
await verify_user_pin()
await verify_user_pin(cache_time_ms=_UV_CACHE_TIME_MS)
ret = True
except (PinCancelled, PinInvalid):
ret = False