Do not return extensions if they are not requested OR are false.

Fixes #136 Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-12-20 12:03:32 +08:00 · 2025-03-30 19:32:25 +02:00
parent 64f371e6e5
commit c3ea413592
3 changed files with 98 additions and 94 deletions
--- a/src/fido/cbor_get_assertion.c
+++ b/src/fido/cbor_get_assertion.c
@@ -469,15 +469,16 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
        if (options.up == pfalse) {
            extensions.hmac_secret = NULL;
        }
-        if (extensions.hmac_secret != NULL) {
+        if (extensions.hmac_secret == ptrue) {
            l++;
        }
        if (credBlob == ptrue) {
            l++;
        }
-        if (extensions.thirdPartyPayment != NULL) {
+        if (extensions.thirdPartyPayment == ptrue) {
            l++;
        }
+        if (l > 0) {
            CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, l));
            if (credBlob == ptrue) {
                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "credBlob"));
@@ -489,7 +490,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
                    CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, NULL, 0));
                }
            }
-        if (extensions.hmac_secret != NULL) {
+            if (extensions.hmac_secret == ptrue) {

                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "hmac-secret"));

@@ -541,7 +542,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
                encrypt((uint8_t)hmacSecretPinUvAuthProtocol, sharedSecret, out1, (uint16_t)(salt_enc.len - poff), hmac_res);
                CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, hmac_res, salt_enc.len));
            }
-        if (extensions.thirdPartyPayment != NULL) {
+            if (extensions.thirdPartyPayment == ptrue) {
                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "thirdPartyPayment"));
                if (selcred->extensions.thirdPartyPayment == ptrue) {
                    CBOR_CHECK(cbor_encode_boolean(&mapEncoder, true));
@@ -555,6 +556,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
            ext_len = cbor_encoder_get_buffer_size(&encoder, ext);
            flags |= FIDO2_AUT_FLAG_ED;
        }
+    }

    uint32_t ctr = get_sign_counter();

--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -348,13 +348,13 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
        cbor_encoder_init(&encoder, ext, sizeof(ext), 0);
        int l = 0;
        uint8_t minPinLen = 0;
-        if (extensions.hmac_secret != NULL) {
+        if (extensions.hmac_secret == ptrue) {
            l++;
        }
        if (extensions.credProtect != 0) {
            l++;
        }
-        if (extensions.minPinLength != NULL) {
+        if (extensions.minPinLength == ptrue) {
            file_t *ef_minpin = search_by_fid(EF_MINPINLEN, NULL, SPECIFY_EF);
            if (file_has_data(ef_minpin)) {
                uint8_t *minpin_data = file_get_data(ef_minpin);
@@ -372,6 +372,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
        if (extensions.credBlob.present == true) {
            l++;
        }
+        if (l > 0) {
            CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, l));
            if (extensions.credBlob.present == true) {
                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "credBlob"));
@@ -381,10 +382,10 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "credProtect"));
                CBOR_CHECK(cbor_encode_uint(&mapEncoder, extensions.credProtect));
            }
-        if (extensions.hmac_secret != NULL) {
+            if (extensions.hmac_secret == ptrue) {

                CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "hmac-secret"));
-            CBOR_CHECK(cbor_encode_boolean(&mapEncoder, *extensions.hmac_secret));
+                CBOR_CHECK(cbor_encode_boolean(&mapEncoder, true));
            }
            if (minPinLen > 0) {

@@ -396,6 +397,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
            ext_len = cbor_encoder_get_buffer_size(&encoder, ext);
            flags |= FIDO2_AUT_FLAG_ED;
        }
+    }
    mbedtls_ecp_keypair ekey;
    mbedtls_ecp_keypair_init(&ekey);
    int ret = fido_load_key(curve, cred_id, &ekey);
--- a/tests/pico-fido/test_037_minpinlength.py
+++ b/tests/pico-fido/test_037_minpinlength.py
@@ -69,7 +69,7 @@ def test_minpin(SetMinPin, MCMinPin):

 def test_minpin_bad_rpid(SetMinPinWrongRpid, MCMinPin):
    assert not MCMinPin.auth_data.extensions
-    assert "minPinLength" not in MCMinPin.auth_data.extensions
+    #assert "minPinLength" not in MCMinPin.auth_data.extensions

 def test_setminpin(device, SetMinPin, MCMinPin):
    cfg = FidoConfig(device)