From: Lennart Poettering
Date: Thu, 27 May 2021 20:06:25 +0000 (+0200)
Subject: fido2: properly handle case when no PINs are specified during auth
X-Git-Tag: v249-rc1~129^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ce8f69dbd9b6dc931defb32cb7ee0229935d176;p=thirdparty%2Fsystemd.git
fido2: properly handle case when no PINs are specified during auth
Also, drop redundant check for has_client_pin, which can never happen, since we already filtered this case a bit further up.
---
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 573aef238cd..3da64b549a5 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -325,15 +325,15 @@ static int fido2_use_hmac_hash_specific_token(
 if (FLAGS_SET(required, FIDO2ENROLL_PIN)) {
 char **i;
- if (!has_client_pin)
- log_warning("Weird, device asked for client PIN, but does not advertise it as feature. Ignoring.");
-
- /* OK, we needed a pin, try with all pins in turn */
- STRV_FOREACH(i, pins) {
- r = sym_fido_dev_get_assert(d, a, *i);
- if (r != FIDO_ERR_PIN_INVALID)
- break;
- }
+ /* OK, we need a pin, try with all pins in turn */
+ if (strv_isempty(pins))
+ r = FIDO_ERR_PIN_REQUIRED;
+ else
+ STRV_FOREACH(i, pins) {
+ r = sym_fido_dev_get_assert(d, a, *i);
+ if (r != FIDO_ERR_PIN_INVALID)
+ break;
+ }
 } else
 r = sym_fido_dev_get_assert(d, a, NULL);
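Review bot: The new `else` branch hangs a multi-line `STRV_FOREACH(i, pins) { ... }` off an unbraced `if`/`else`, so it only parses as intended while the macro expands to exactly one statement. Bracing both branches (`if (strv_isempty(pins)) {` ... `} else {` ... `}`) makes the PIN-required path explicit and keeps a statement added later from landing outside it. The loop also submits every candidate PIN to the token until one is not answered with `FIDO_ERR_PIN_INVALID`, and each rejected PIN presumably counts against the authenticator's retry limit, so a comment such as `/* Each rejected PIN uses up one of the token's PIN retries, so keep the candidate list short */` above the loop would help callers. The enclosing function starts and ends outside this hunk, so how `r` is translated afterwards, and the earlier `has_client_pin` filtering the description relies on, cannot be confirmed from here.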