fido2: make misadvertised clientPin feature fatal

We need really need to trust the feature set, since we are about to set it in stone storing the result in JSON, hence react a bit more allergic about token that misadvertise the feature. Note that I added this to be defensive, I am not aware any token that actually misadvertises this. hence it should be safe to make this fatal, and should this not work we can always revisit things.
2026-03-06 15:02:31 -08:00 · 2021-05-27 22:59:18 +02:00
parent 0735ed950a
commit ec543d18d4
1 changed files with 5 additions and 3 deletions
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -606,13 +606,15 @@ int fido2_generate_hmac_hash(

        r = sym_fido_dev_make_cred(d, c, NULL);
        if (r == FIDO_ERR_PIN_REQUIRED) {
+
+                if (!has_client_pin)
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                               "Token asks for PIN but doesn't advertise 'clientPin' feature.");
+
                for (;;) {
                        _cleanup_(strv_free_erasep) char **pin = NULL;
                        char **i;

-                        if (!has_client_pin)
-                                log_warning("Weird, device asked for client PIN, but does not advertise it as feature. Ignoring.");
-
                        r = ask_password_auto("Please enter security token PIN:", askpw_icon_name, NULL, "fido2-pin", "fido2-pin", USEC_INFINITY, 0, &pin);
                        if (r < 0)
                                return log_error_errno(r, "Failed to acquire user PIN: %m");