From 1ce8f69dbd9b6dc931defb32cb7ee0229935d176 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 27 May 2021 22:06:25 +0200
Subject: fido2: properly handle case when no PINs are specified during auth
Also, drop redundant check for has_client_pin, which can never happen, since we already filtered this case a bit further up.
---
 src/shared/libfido2-util.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'src/shared/libfido2-util.c')
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 573aef238c..3da64b549a 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -325,15 +325,15 @@ static int fido2_use_hmac_hash_specific_token(
 if (FLAGS_SET(required, FIDO2ENROLL_PIN)) {
 char **i;
- if (!has_client_pin)
- log_warning("Weird, device asked for client PIN, but does not advertise it as feature. Ignoring.");
-
- /* OK, we needed a pin, try with all pins in turn */
- STRV_FOREACH(i, pins) {
- r = sym_fido_dev_get_assert(d, a, *i);
- if (r != FIDO_ERR_PIN_INVALID)
- break;
- }
+ /* OK, we need a pin, try with all pins in turn */
+ if (strv_isempty(pins))
+ r = FIDO_ERR_PIN_REQUIRED;
+ else
+ STRV_FOREACH(i, pins) {
+ r = sym_fido_dev_get_assert(d, a, *i);
+ if (r != FIDO_ERR_PIN_INVALID)
+ break;
+ }
 } else
 r = sym_fido_dev_get_assert(d, a, NULL);
-- cgit v1.2.1
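Review bot: The `STRV_FOREACH(i, pins)` loop in the new `else` branch keeps submitting candidates for as long as the token answers `FIDO_ERR_PIN_INVALID`, and on CTAP2 authenticators each rejected PIN normally costs one of the device's limited PIN retries, so a caller that passes several stale PINs can push the token toward lockout. That cost is not visible at this call site; a comment above the loop such as `/* Each FIDO_ERR_PIN_INVALID consumes a PIN retry on the token; callers should pass as few candidate PINs as possible. */` would make it explicit. Separately, the multi-line `STRV_FOREACH` body hangs off a braceless `else`; bracing both branches would make it harder for a later edit to break the pairing with the outer `} else`. The function starts and ends outside this hunk, so how `pins` is collected and how `r` is handled afterwards cannot be checked here.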