Handle empty pinAuth fields.

CTAP2 specifies that an empty pinAuth field is special: it indicates that the device should block for touch, i.e. it's just a way of letting a user select from multiple authenticators[1]. This change handles empty pinAuth fields in GetAssertion and MakeCredential commands. [1] https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#using-pinToken-in-authenticatorMakeCredential
2019-04-20 16:26:32 -07:00
parent f28cf9c6d0
commit a5f794c0ff
3 changed files with 48 additions and 3 deletions
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -702,6 +702,14 @@ uint8_t ctap_make_credential(CborEncoder * encoder, uint8_t * request, int lengt
        printf2(TAG_ERR,"error, parse_make_credential failed\n");
        return ret;
    }
+    if (MC.pinAuthEmpty)
+    {
+        if (!device_is_nfc() && !ctap_user_presence_test())
+        {
+                return CTAP2_ERR_OPERATION_DENIED;
+        }
+        return ctap_is_pin_set() == 1 ? CTAP2_ERR_PIN_INVALID : CTAP2_ERR_PIN_NOT_SET;
+    }
    if ((MC.paramsParsed & MC_requiredMask) != MC_requiredMask)
    {
        printf2(TAG_ERR,"error, required parameter(s) for makeCredential are missing\n");
@@ -1133,6 +1141,14 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
        return ret;
    }

+    if (GA.pinAuthEmpty)
+    {
+        if (!device_is_nfc() && !ctap_user_presence_test())
+        {
+                return CTAP2_ERR_OPERATION_DENIED;
+        }
+        return ctap_is_pin_set() == 1 ? CTAP2_ERR_PIN_INVALID : CTAP2_ERR_PIN_NOT_SET;
+    }
    if (GA.pinAuthPresent)
    {
        ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);