Finishing touches on ES for PIN/PUK sets

Related #25
CSIS · May 10, 2017 · 0aed5ad · 0aed5ad
1 parent b1f676f
commit 0aed5ad
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 23 deletions.
diff --git a/EnrollmentStation/DlgSettings.Designer.cs b/EnrollmentStation/DlgSettings.Designer.cs
diff --git a/EnrollmentStation/Properties/AssemblyInfo.cs b/EnrollmentStation/Properties/AssemblyInfo.cs
@@ -31,5 +31,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("0.3.5.0")]
-[assembly: AssemblyFileVersion("0.3.5.0")]
+[assembly: AssemblyVersion("0.3.5.1")]
+[assembly: AssemblyFileVersion("0.3.5.1")]
diff --git a/YubicoLib/YubikeyPiv/YubikeyPivDevice.cs b/YubicoLib/YubikeyPiv/YubikeyPivDevice.cs
@@ -429,18 +429,31 @@ private static int GetDataOffsetAndLength(byte[] data, out int dataLength)
         public void BlockPin()
         {
             string randomPin = "PASSWORD";
+
+            // Note: A flaw in the Yubikey means that it will return remaining tries in "groups" of 16. For this reason, we need to block the PIN one more time to see if we still can do it.
+            // Example: Tries is 17. On the first failed attempt, the Yubikey will return 0 tries remaining ("blocked"), but a second attempt will return 15 tries remaining.
 
-            int tmpRemaining;
+            int attempts;
             do
             {
-                bool success = VerifyPin(randomPin, out tmpRemaining);
+                attempts = 0;
 
-                if (success)
+                int tmpRemaining;
+                do
                 {
-                    // Wow, someone had PASSWORD as their PIN. Alter our test.
-                    randomPin = "DROWSSAP";
-                }
-            } while (tmpRemaining > 0);
+                    bool success = VerifyPin(randomPin, out tmpRemaining);
+
+                    if (success)
+                    {
+                        // Wow, someone had PASSWORD as their PIN. Alter our test.
+                        randomPin = "DROWSSAP";
+                    }
+
+                    if (tmpRemaining > 0)
+                        attempts++;
+
+                } while (tmpRemaining > 0);
+            } while (attempts > 0);
         }
 
         public bool UnblockPin(string puk, string newPin)
@@ -466,17 +479,30 @@ public void BlockPuk()
         {
             string randomPin = "PASSWORD";
 
-            int tmpRemaining;
+            // Note: A flaw in the Yubikey means that it will return remaining tries in "groups" of 16. For this reason, we need to block the PUK one more time to see if we still can do it.
+            // Example: Tries is 17. On the first failed attempt, the Yubikey will return 0 tries remaining ("blocked"), but a second attempt will return 15 tries remaining.
+
+            int attempts;
             do
             {
-                bool success = ChangePuk(randomPin, randomPin, out tmpRemaining);
+                attempts = 0;
 
-                if (success)
+                int tmpRemaining;
+                do
                 {
-                    // Wow, someone had PASSWORD as their PUK. Alter our test.
-                    randomPin = "DROWSSAP";
-                }
-            } while (tmpRemaining > 0);
+                    bool success = ChangePuk(randomPin, randomPin, out tmpRemaining);
+
+                    if (success)
+                    {
+                        // Wow, someone had PASSWORD as their PUK. Alter our test.
+                        randomPin = "DROWSSAP";
+                    }
+
+                    if (tmpRemaining > 0)
+                        attempts++;
+
+                } while (tmpRemaining > 0);
+            } while (attempts > 0);
         }
     }
 }