From 4c51a158c4a40c9be91cf57e12cc15ec5f9b9d4d Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Thu, 4 Nov 2021 15:04:45 +0100
Subject: [PATCH] Handle pin_protocol field in HmacSecretInput

The December 08, 2020 version of the Client to Authenticator Protocol (CTAP) specification added the pinUvAuthProtocol(0x04) field to the input data for the hmac-secret extension in the authenticatorGetAssertion command. This patch checks that the value of this field (if present) is set to 1 as we only support this pin protocol.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html
---
 src/lib.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lib.rs b/src/lib.rs
index 5a61122..9591fa9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1334,6 +1334,11 @@ where UP: UserPresence,
 credential_key: KeyId,
 ) -> Result> {
 if let Some(hmac_secret) = &extensions.hmac_secret {
+ if let Some(pin_protocol) = hmac_secret.pin_protocol {
+ if pin_protocol != 1 {
+ return Err(Error::InvalidParameter);
+ }
+ }
 // We derive credRandom as an hmac of the existing private key.
 // UV is used as input data since credRandom should depend UV