authordjm <djm@openbsd.org>2020-08-23 03:34:57 +0000
committerdjm <djm@openbsd.org>2020-08-23 03:34:57 +0000
commit8b51a2b13e7075d5cbacf4b960d2ea4c9d08c6b2 (patch)
treeb420cb42c71afd5e24f44756ee8471f1fe816011
parentUse sysctl_bounded_args for simple cases in cpu_sysctl on i386 (diff)
update to libfido2 46710ac06, picking up a few API changes
ok tb@ deraadt@ NB. major crank
-rw-r--r--lib/libfido2/README.openbsd2
-rw-r--r--lib/libfido2/man/fido_dev_get_touch_begin.34
-rw-r--r--lib/libfido2/man/fido_dev_open.313
-rw-r--r--lib/libfido2/shlib_version2
-rw-r--r--lib/libfido2/src/dev.c40
-rw-r--r--lib/libfido2/src/export.llvm1
-rw-r--r--lib/libfido2/src/extern.h5
-rw-r--r--lib/libfido2/src/fido.h5
-rw-r--r--lib/libfido2/src/fido/param.h10
9 files changed, 45 insertions, 37 deletions
diff --git a/lib/libfido2/README.openbsd b/lib/libfido2/README.openbsd
index dbfcfc1ecf1..124e0e34d65 100644
--- a/lib/libfido2/README.openbsd
+++ b/lib/libfido2/README.openbsd
@@ -1,4 +1,4 @@
-This is an import of https://github.com/Yubico/libfido2 2fa20b889 (20200810)
+This is an import of https://github.com/Yubico/libfido2 46710ac06 (20200815)
Local changes:
diff --git a/lib/libfido2/man/fido_dev_get_touch_begin.3 b/lib/libfido2/man/fido_dev_get_touch_begin.3
index a1c5ce635c3..5c987a1a9ad 100644
--- a/lib/libfido2/man/fido_dev_get_touch_begin.3
+++ b/lib/libfido2/man/fido_dev_get_touch_begin.3
@@ -2,7 +2,7 @@
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
-.Dd $Mdocdate: August 11 2020 $
+.Dd $Mdocdate: August 23 2020 $
.Dt FIDO_DEV_GET_TOUCH_BEGIN 3
.Os
.Sh NAME
@@ -14,7 +14,7 @@
.Ft int
.Fn fido_dev_get_touch_begin "fido_dev_t *dev"
.Ft int
-.Fn fido_dev_get_touch_status "fido_dev_t *dev" "int *touched" "int *pin_set" "int ms"
+.Fn fido_dev_get_touch_status "fido_dev_t *dev" "int *touched" "int ms"
.Sh DESCRIPTION
The functions described in this page allow an application to
asynchronously wait for touch on a FIDO authenticator.
diff --git a/lib/libfido2/man/fido_dev_open.3 b/lib/libfido2/man/fido_dev_open.3
index 22f7baa1f58..1f78fdf3c7b 100644
--- a/lib/libfido2/man/fido_dev_open.3
+++ b/lib/libfido2/man/fido_dev_open.3
@@ -2,7 +2,7 @@
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file.
.\"
-.Dd $Mdocdate: August 11 2020 $
+.Dd $Mdocdate: August 23 2020 $
.Dt FIDO_DEV_OPEN 3
.Os
.Sh NAME
@@ -16,6 +16,7 @@
.Nm fido_dev_is_fido2 ,
.Nm fido_dev_supports_cred_prot ,
.Nm fido_dev_supports_pin ,
+.Nm fido_dev_has_pin ,
.Nm fido_dev_protocol ,
.Nm fido_dev_build ,
.Nm fido_dev_flags ,
@@ -44,6 +45,8 @@
.Fn fido_dev_supports_cred_prot "const fido_dev_t *dev"
.Ft bool
.Fn fido_dev_supports_pin "const fido_dev_t *dev"
+.Ft bool
+.Fn fido_dev_has_pin "const fido_dev_t *dev"
.Ft uint8_t
.Fn fido_dev_protocol "const fido_dev_t *dev"
.Ft uint8_t
@@ -139,6 +142,14 @@ if
supports FIDO 2.0 Client PINs.
.Pp
The
+.Fn fido_dev_has_pin
+function returns
+.Dv true
+if
+.Fa dev
+has a FIDO 2.0 Client PIN set.
+.Pp
+The
.Fn fido_dev_protocol
function returns the CTAPHID protocol version identifier of
.Fa dev .
diff --git a/lib/libfido2/shlib_version b/lib/libfido2/shlib_version
index 012c14171d3..d9961ea9fef 100644
--- a/lib/libfido2/shlib_version
+++ b/lib/libfido2/shlib_version
@@ -1,2 +1,2 @@
-major=3
+major=4
minor=0
diff --git a/lib/libfido2/src/dev.c b/lib/libfido2/src/dev.c
index 6cc861909e6..c84962cd96e 100644
--- a/lib/libfido2/src/dev.c
+++ b/lib/libfido2/src/dev.c
@@ -123,30 +123,27 @@ static void
fido_dev_set_flags(fido_dev_t *dev, const fido_cbor_info_t *info)
{
char * const *ptr;
+ const bool *val;
size_t len;
ptr = fido_cbor_info_extensions_ptr(info);
len = fido_cbor_info_extensions_len(info);
- for (size_t i = 0; i < len; i++) {
- if (strcmp(ptr[i], "credProtect") == 0) {
- dev->flags |= FIDO_DEV_SUPPORTS_CRED_PROT;
- }
- }
+ for (size_t i = 0; i < len; i++)
+ if (strcmp(ptr[i], "credProtect") == 0)
+ dev->flags |= FIDO_DEV_CRED_PROT;
ptr = fido_cbor_info_options_name_ptr(info);
+ val = fido_cbor_info_options_value_ptr(info);
len = fido_cbor_info_options_len(info);
- for (size_t i = 0; i < len; i++) {
- /*
- * clientPin: PIN supported and set;
- * noclientPin: PIN supported but not set.
- */
- if (strcmp(ptr[i], "clientPin") == 0 ||
- strcmp(ptr[i], "noclientPin") == 0) {
- dev->flags |= FIDO_DEV_SUPPORTS_PIN;
+ for (size_t i = 0; i < len; i++)
+ if (strcmp(ptr[i], "clientPin") == 0) {
+ if (val[i] == true)
+ dev->flags |= FIDO_DEV_PIN_SET;
+ else
+ dev->flags |= FIDO_DEV_PIN_UNSET;
}
- }
}
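Review bot: The new options loop indexes `val[i]` in lockstep with `ptr[i]` without checking that `fido_cbor_info_options_value_ptr()` returned a non-NULL array; if that accessor can return NULL while `fido_cbor_info_options_len()` is non-zero (not visible here), the first `clientPin` entry dereferences NULL. A guard such as `if (ptr == NULL || val == NULL) return;` before the loop would make the parallel-array assumption explicit. The comment explaining the clientPin option went away with the old branch; restoring it as `/* clientPin option: present = PIN supported; true = PIN set, false = PIN not set */` keeps the flag semantics next to the code that derives them. `if (val[i] == true)` is better written `if (val[i])`, since comparing a `bool` against `true` adds nothing.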
static int
@@ -461,12 +458,11 @@ fail:
}
int
-fido_dev_get_touch_status(fido_dev_t *dev, int *touched, int *pin_set, int ms)
+fido_dev_get_touch_status(fido_dev_t *dev, int *touched, int ms)
{
int r;
*touched = 0;
- *pin_set = 0;
if (fido_dev_is_fido2(dev) == false)
return (u2f_get_touch_status(dev, touched, ms));
@@ -474,8 +470,6 @@ fido_dev_get_touch_status(fido_dev_t *dev, int *touched, int *pin_set, int ms)
switch ((r = fido_rx_cbor_status(dev, ms))) {
case FIDO_ERR_PIN_INVALID:
case FIDO_ERR_PIN_AUTH_INVALID:
- *pin_set = 1;
- /* FALLTHROUGH */
case FIDO_ERR_PIN_NOT_SET:
*touched = 1;
break;
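Review bot: The three PIN-related case labels now collapse to `*touched = 1;` with nothing saying why a PIN error is treated as a touch, which the removed `*pin_set = 1;` used to hint at. A comment such as `/* a PIN error means the user touched the device; PIN state is reported by fido_dev_has_pin() */` above `case FIDO_ERR_PIN_INVALID:` would preserve that reasoning. Callers migrating off the removed `pin_set` argument should know that fido_dev_has_pin() presumably reflects flags captured in fido_dev_set_flags rather than this transaction, which is worth stating in fido_dev_get_touch_begin(3) too. fido_dev_get_touch_status begins before this hunk and its remaining cases continue after it.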
@@ -632,13 +626,19 @@ fido_dev_is_fido2(const fido_dev_t *dev)
bool
fido_dev_supports_pin(const fido_dev_t *dev)
{
- return (dev->flags & FIDO_DEV_SUPPORTS_PIN);
+ return (dev->flags & (FIDO_DEV_PIN_SET|FIDO_DEV_PIN_UNSET));
+}
+
+bool
+fido_dev_has_pin(const fido_dev_t *dev)
+{
+ return (dev->flags & FIDO_DEV_PIN_SET);
}
bool
fido_dev_supports_cred_prot(const fido_dev_t *dev)
{
- return (dev->flags & FIDO_DEV_SUPPORTS_CRED_PROT);
+ return (dev->flags & FIDO_DEV_CRED_PROT);
}
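Review bot: fido_dev_supports_pin, fido_dev_has_pin and fido_dev_supports_cred_prot return the raw masked flag word through a `bool` return type, relying on implicit conversion; `return ((dev->flags & FIDO_DEV_PIN_SET) != 0);` (and likewise for the other two) makes the intent explicit at no cost. The new fido_dev_has_pin has no comment; `/* true if the authenticator reported clientPin=true in its options */` matches what fido_dev_set_flags derives. If the options list could carry `clientPin` twice with different values, both FIDO_DEV_PIN_SET and FIDO_DEV_PIN_UNSET would be set and has_pin would still report true — inferred from the loop in fido_dev_set_flags, so worth a one-line invariant comment if the decoder is known to reject duplicate keys.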
void
diff --git a/lib/libfido2/src/export.llvm b/lib/libfido2/src/export.llvm
index e04ad0658b5..ffbc1571014 100644
--- a/lib/libfido2/src/export.llvm
+++ b/lib/libfido2/src/export.llvm
@@ -159,6 +159,7 @@ _fido_dev_get_cbor_info
_fido_dev_get_retry_count
_fido_dev_get_touch_begin
_fido_dev_get_touch_status
+_fido_dev_has_pin
_fido_dev_info_free
_fido_dev_info_manifest
_fido_dev_info_manufacturer_string
diff --git a/lib/libfido2/src/extern.h b/lib/libfido2/src/extern.h
index 62acadfef84..4c036cbe074 100644
--- a/lib/libfido2/src/extern.h
+++ b/lib/libfido2/src/extern.h
@@ -159,8 +159,9 @@ uint32_t uniform_random(uint32_t);
#endif
/* internal device capability flags */
-#define FIDO_DEV_SUPPORTS_PIN 0x01
-#define FIDO_DEV_SUPPORTS_CRED_PROT 0x02
+#define FIDO_DEV_PIN_SET 0x01
+#define FIDO_DEV_PIN_UNSET 0x02
+#define FIDO_DEV_CRED_PROT 0x04
/* miscellanea */
#define FIDO_DUMMY_CLIENTDATA ""
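Review bot: The renumbered capability bits have no comment saying when each is set, and FIDO_DEV_PIN_SET/FIDO_DEV_PIN_UNSET are only meaningful as a pair (fido_dev_supports_pin tests their union). Trailing comments such as `/* clientPin option true */`, `/* clientPin option false */` and `/* credProtect extension advertised */` would match what fido_dev_set_flags in dev.c derives. Since the flags are internal to the library (extern.h), moving FIDO_DEV_CRED_PROT from 0x02 to 0x04 is harmless as long as every reader uses the macros.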
diff --git a/lib/libfido2/src/fido.h b/lib/libfido2/src/fido.h
index edca4d9de20..d6e8974fee2 100644
--- a/lib/libfido2/src/fido.h
+++ b/lib/libfido2/src/fido.h
@@ -140,7 +140,7 @@ int fido_dev_get_assert(fido_dev_t *, fido_assert_t *, const char *);
int fido_dev_get_cbor_info(fido_dev_t *, fido_cbor_info_t *);
int fido_dev_get_retry_count(fido_dev_t *, int *);
int fido_dev_get_touch_begin(fido_dev_t *);
-int fido_dev_get_touch_status(fido_dev_t *, int *, int *, int);
+int fido_dev_get_touch_status(fido_dev_t *, int *, int);
int fido_dev_info_manifest(fido_dev_info_t *, size_t, size_t *);
int fido_dev_make_cred(fido_dev_t *, fido_cred_t *, const char *);
int fido_dev_open_with_info(fido_dev_t *);
@@ -182,10 +182,11 @@ uint8_t fido_dev_flags(const fido_dev_t *);
int16_t fido_dev_info_vendor(const fido_dev_info_t *);
int16_t fido_dev_info_product(const fido_dev_info_t *);
uint64_t fido_cbor_info_maxmsgsiz(const fido_cbor_info_t *);
-uint64_t fido_cbor_info_maxcredcntlst(const fido_cbor_info_t *ci);
+uint64_t fido_cbor_info_maxcredcntlst(const fido_cbor_info_t *);
uint64_t fido_cbor_info_maxcredidlen(const fido_cbor_info_t *);
uint64_t fido_cbor_info_fwversion(const fido_cbor_info_t *);
+bool fido_dev_has_pin(const fido_dev_t *);
bool fido_dev_is_fido2(const fido_dev_t *);
bool fido_dev_supports_pin(const fido_dev_t *);
bool fido_dev_supports_cred_prot(const fido_dev_t *);
diff --git a/lib/libfido2/src/fido/param.h b/lib/libfido2/src/fido/param.h
index 763e364a966..14ee74e4d55 100644
--- a/lib/libfido2/src/fido/param.h
+++ b/lib/libfido2/src/fido/param.h
@@ -53,16 +53,10 @@
#define CTAP_INIT_HEADER_LEN 7
#define CTAP_CONT_HEADER_LEN 5
-/*
- * Maximal length of a CTAP HID report in bytes, excluding report ID (if
- * required on the given platform).
- */
+/* Maximum length of a CTAP HID report in bytes. */
#define CTAP_MAX_REPORT_LEN 64
-/*
- * Minimal HID report length needed to transmit an INIT header + one byte of
- * payload data.
- */
+/* Minimum length of a CTAP HID report in bytes. */
#define CTAP_MIN_REPORT_LEN (CTAP_INIT_HEADER_LEN + 1)
/* Randomness device on UNIX-like platforms. */
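Review bot: The replacement comment on CTAP_MAX_REPORT_LEN drops the caveat from the old text that the 64 bytes exclude a report ID where the platform requires one, and the CTAP_MIN_REPORT_LEN comment no longer says why the value is INIT header plus one byte, which the definition still shows. Code sizing HID buffers from these constants is exactly the reader that needs the exclusion, so keeping it costs nothing: `/* Maximum length of a CTAP HID report in bytes, excluding report ID where the platform requires one. */` and `/* Minimum report length: an INIT header plus one byte of payload. */`.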