challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address

commit 500fb579164c307d8475ce69e7c74f928e6000ac
parent 5184962409258470aaae933acd83f57ed2339f69
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 18 Feb 2024 12:43:48 +0100

consider pin/auth attempts left before refusing

Diffstat:
Msrc/challenger/challenger-httpd_authorize.c | 12+++++++++---
Msrc/challenger/challenger-httpd_solve.c | 1-
Msrc/challengerdb/pg_authorize_start.c | 12++++++++++--
Msrc/challengerdb/pg_authorize_start.h | 6+++++-
Msrc/challengerdb/pg_validate_solve_pin.c | 4++++
Msrc/include/challenger_database_plugin.h | 6+++++-
6 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/src/challenger/challenger-httpd_authorize.c b/src/challenger/challenger-httpd_authorize.c @@ -138,6 +138,8 @@ CH_handler_authorize (struct CH_HandlerContext *hc, { json_t *last_address; uint32_t address_attempts_left; + uint32_t pin_transmissions_left; + uint32_t auth_attempts_left; enum GNUNET_DB_QueryStatus qs; /* authorize_start will return 0 if a 'redirect_uri' was @@ -149,7 +151,9 @@ CH_handler_authorize (struct CH_HandlerContext *hc, state, redirect_uri, &last_address, - &address_attempts_left); + &address_attempts_left, + &pin_transmissions_left, + &auth_attempts_left); switch (qs) { case GNUNET_DB_STATUS_HARD_ERROR: @@ -176,10 +180,12 @@ CH_handler_authorize (struct CH_HandlerContext *hc, case GNUNET_DB_STATUS_SUCCESS_ONE_RESULT: break; } - if (0 == address_attempts_left) + if ( (0 == address_attempts_left) && + (0 == pin_transmissions_left) && + (0 == auth_attempts_left) ) { GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - "Refusing authorization: zero address attempts left\n"); + "Refusing authorization: zero attempts left\n"); json_decref (last_address); return TALER_MHD_redirect_with_oauth_status ( hc->connection, diff --git a/src/challenger/challenger-httpd_solve.c b/src/challenger/challenger-httpd_solve.c @@ -272,7 +272,6 @@ CH_handler_solve (struct CH_HandlerContext *hc, if ( (NULL != bc->state) && (0 == bc->addr_left) && - (0 == bc->pin_transmissions_left) && (0 == bc->auth_attempts_left) ) { GNUNET_log (GNUNET_ERROR_TYPE_INFO, diff --git a/src/challengerdb/pg_authorize_start.c b/src/challengerdb/pg_authorize_start.c @@ -34,7 +34,9 @@ CH_PG_authorize_start (void *cls, const char *client_state, const char *client_redirect_uri, json_t **last_address, - uint32_t *address_attempts_left) + uint32_t *address_attempts_left, + uint32_t *pin_transmissions_left, + uint32_t *auth_attempts_left) { struct PostgresClosure *pg = cls; struct GNUNET_PQ_QueryParam params[] = { 
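Review bot: The refusal test in CH_handler_authorize now requires all three counters to be zero, while the matching test in CH_handler_solve (the challenger-httpd_solve.c hunk) drops `pin_transmissions_left` and refuses on `addr_left` and `auth_attempts_left` alone. A session with no address changes and no auth attempts left, but PIN transmissions remaining, is therefore accepted by one handler and treated as exhausted by the other. If that asymmetry is intended, a comment above the `if` should say so, e.g. `/* refuse only if nothing can be retried: no address change, no PIN resend, no PIN entry */`; otherwise align the two conditions. These counters are the limit on repeated PIN guessing, so it is worth confirming that no path reachable with `auth_attempts_left == 0` restores attempts. Both function bodies start and end outside the hunks.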
@@ -56,6 +58,10 @@ CH_PG_authorize_start (void *cls, NULL), GNUNET_PQ_result_spec_uint32 ("address_attempts_left", address_attempts_left), + GNUNET_PQ_result_spec_uint32 ("pin_transmissions_left", + pin_transmissions_left), + GNUNET_PQ_result_spec_uint32 ("auth_attempts_left", + auth_attempts_left), GNUNET_PQ_result_spec_end }; @@ -71,7 +77,9 @@ CH_PG_authorize_start (void *cls, " AND ($5::VARCHAR=COALESCE(client_redirect_uri,$5::VARCHAR))" " RETURNING" " address" - " ,address_attempts_left;"); + " ,address_attempts_left" + " ,pin_transmissions_left" + " ,auth_attempts_left;"); return GNUNET_PQ_eval_prepared_singleton_select (pg->conn, "authorize_start_validation", params, diff --git a/src/challengerdb/pg_authorize_start.h b/src/challengerdb/pg_authorize_start.h @@ -40,6 +40,8 @@ * @param client_redirect_uri where to redirect at the end, NULL to use a unique one registered for the client * @param[out] last_address set to the last address used * @param[out] address_attempts_left set to number of address changing attempts left for this address + * @param[out] pin_transmissions_left set to number of times the PIN can still be re-requested + * @param[out] auth_attempts_left set to number of authentication attempts remaining * @return transaction status: * #GNUNET_DB_STATUS_SUCCESS_ONE_RESULT if the address was changed * #GNUNET_DB_STATUS_SUCCESS_NO_RESULTS if we do not permit further changes to the address (attempts exhausted) @@ -53,7 +55,9 @@ CH_PG_authorize_start (void *cls, const char *client_state, const char *client_redirect_uri, json_t **last_address, - uint32_t *address_attempts_left); + uint32_t *address_attempts_left, + uint32_t *pin_transmissions_left, + uint32_t *auth_attempts_left); #endif diff --git a/src/challengerdb/pg_validate_solve_pin.c b/src/challengerdb/pg_validate_solve_pin.c 
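Review bot: The two new `@param[out]` lines in pg_authorize_start.h (and the identical pair in the challenger_database_plugin.h hunk) do not say when the outputs are written. The caller in CH_handler_authorize declares both variables without an initialiser and reads them only after the status switch, which suggests they are set only on #GNUNET_DB_STATUS_SUCCESS_ONE_RESULT. I would append `; undefined unless #GNUNET_DB_STATUS_SUCCESS_ONE_RESULT is returned` to each line, so a future caller does not base a refusal decision on an indeterminate counter.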
@@ -51,6 +51,10 @@ CH_PG_validate_solve_pin (void *cls, &not_found), GNUNET_PQ_result_spec_bool ("solved", solved), + GNUNET_PQ_result_spec_bool ("exhausted", + exhausted), + GNUNET_PQ_result_spec_bool ("no_challenge", + no_challenge), GNUNET_PQ_result_spec_uint32 ("address_attempts_left", addr_left), GNUNET_PQ_result_spec_uint32 ("auth_attempts_left", diff --git a/src/include/challenger_database_plugin.h b/src/include/challenger_database_plugin.h @@ -231,6 +231,8 @@ struct CHALLENGER_DatabasePlugin * @param client_redirect_uri where to redirect at the end, NULL to use a unique one registered for the client * @param[out] last_address set to the last address used * @param[out] address_attempts_left set to number change address operations left for this @a nonce + * @param[out] pin_transmissions_left set to number of times the PIN can still be re-requested + * @param[out] auth_attempts_left set to number of authentication attempts remaining * @return transaction status: * #GNUNET_DB_STATUS_SUCCESS_ONE_RESULT if the address was changed * #GNUNET_DB_STATUS_SUCCESS_NO_RESULTS if we do not permit further changes to the address (attempts exhausted) @@ -244,7 +246,9 @@ struct CHALLENGER_DatabasePlugin const char *client_state, const char *client_redirect_uri, json_t **last_address, - uint32_t *address_attempts_left); + uint32_t *address_attempts_left, + uint32_t *pin_transmissions_left, + uint32_t *auth_attempts_left); /**
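Review bot: The result spec in CH_PG_validate_solve_pin now extracts `exhausted` and `no_challenge`, but the diffstat lists only these four added lines for pg_validate_solve_pin.c, so the prepared statement text is unchanged. If its SELECT list does not already return columns with exactly those names, result extraction will fail at runtime rather than at compile time; please confirm against the statement, which lies outside the hunk. If these out-parameters were previously left unwritten, callers may have branched on indeterminate flags, so a regression test covering the exhausted and no-challenge paths would be worthwhile.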