From f90baaf09556902663cef27bb1d67b9129d5b52c Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sat, 1 Apr 2023 23:37:51 +0200
Subject: [PATCH] Do not respond a challenge-response command if no challenge-response app is configured.

Signed-off-by: Pol Henarejos
---
 src/fido/otp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/fido/otp.c b/src/fido/otp.c
index 92856ac..cf8f2ef 100644
--- a/src/fido/otp.c
+++ b/src/fido/otp.c
@@ -413,6 +413,9 @@ int cmd_otp() {
 file_t *ef = search_dynamic_file(p1 == 0x30 || p1 == 0x20 ? EF_OTP_SLOT1 : EF_OTP_SLOT2);
 if (file_has_data(ef)) {
 otp_config_t *otp_config = (otp_config_t *)file_get_data(ef);
+ if (!(otp_config->cfg_flags & CHAL_YUBICO && otp_config->tkt_flags & CHAL_RESP)) {
+ return SW_WRONG_DATA();
+ }
 int ret = 0;
 if (p1 == 0x30 || p1 == 0x38) {
 mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), otp_config->aes_key, KEY_SIZE, apdu.data, 8, res_APDU);
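Review bot: The added guard mixes `&` and `&&` with no inner parentheses; it parses as intended because `&` binds tighter than `&&`, but it triggers -Wparentheses and is easy to misread when the flag set is later edited, so prefer `if (!((otp_config->cfg_flags & CHAL_YUBICO) && (otp_config->tkt_flags & CHAL_RESP))) {` with a comment such as `/* Only a slot provisioned for challenge-response may use its key to answer a challenge; other slot types must not serve as a keyed-hash service over caller-supplied data. */`, since that is the security-relevant effect of the check and the code does not currently say it. The length of the challenge in apdu.data is not validated in this hunk before the HMAC below consumes 8 bytes of it; if the received data length is not checked earlier in cmd_otp, a check should precede this point. cmd_otp's body starts and continues outside the hunk.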