Allow to set maximum credentials count to store

Nitrokey · May 23, 2023 · 7b11a45 · 7b11a45
1 parent 0ebdfd1
commit 7b11a45
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/examples/usbip.rs b/examples/usbip.rs
@@ -300,6 +300,7 @@ impl trussed_usbip::Apps<VirtClient, dispatch::Dispatch> for Apps {
             CustomStatus::ReverseHotpSuccess as u8,
             CustomStatus::ReverseHotpError as u8,
             [0x42, 0x42, 0x42, 0x42],
+            0xFFFF,
         );
         let otp = oath_authenticator::Authenticator::new(
             builder.build("otp", dispatch::BACKENDS),

diff --git a/src/authenticator.rs b/src/authenticator.rs
@@ -42,6 +42,9 @@ pub struct Options {
 
     /// A serial number to be returned in YK Challenge-Response and Status commands
     pub serial_number: [u8; 4],
+
+    /// A maximum number of credentials allowed to store
+    pub max_resident_credentials_allowed: u16,
 }
 
 impl Options {
@@ -50,12 +53,14 @@ impl Options {
         custom_status_reverse_hotp_success: u8,
         custom_status_reverse_hotp_error: u8,
         serial_number: [u8; 4],
+        max_resident_credentials_allowed: u16,
     ) -> Self {
         Self {
             location,
             custom_status_reverse_hotp_success,
             custom_status_reverse_hotp_error,
             serial_number,
+            max_resident_credentials_allowed,
         }
     }
 }
@@ -590,6 +595,11 @@ where
             self.user_present()?;
         }
 
+        // Abort if the credentials count limit is reached
+        if self.count_credentials()? >= self.options.max_resident_credentials_allowed {
+            return Err(Status::NotEnoughMemory);
+        }
+
         // info_now!("recv {:?}", &register);
 
         // Allow to overwrite existing credentials by default
@@ -1428,6 +1438,27 @@ where
             .map_err(|_| NotEnoughMemory)?;
         Ok(())
     }
+
+    fn count_credentials(&mut self) -> Result<u16> {
+        let mut counter: u16 = 0;
+
+        let first_file = try_syscall!(self.trussed.read_dir_files_first(
+            self.options.location,
+            Self::credential_directory(),
+            None
+        ))
+        .map_err(|_| iso7816::Status::KeyReferenceNotFound)?
+        .data;
+        if first_file.is_none() {
+            return Ok(0);
+        }
+        counter += 1;
+
+        while syscall!(self.trussed.read_dir_files_next()).data.is_none() {
+            counter += 1;
+        }
+        Ok(counter)
+    }
 }
 
 impl<T> iso7816::App for Authenticator<T> {