skip key_lookup() on Windows (#802)

2025-09-25 19:08:56 +02:00 · 2025-09-22 14:28:15 -04:00 · 2025-09-22 14:28:15 -04:00 · 1b893e63ae
commit 1b893e63ae
parent 6958bcc3df
1 changed files with 4 additions and 4 deletions
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@ -774,9 +774,6 @@ static int
 key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
    size_t user_id_len, const char *pin)
 {
-#ifdef HAVE_FIDO_DEV_IS_WINHELLO
-	return FIDO_OK;
-#else
 	fido_assert_t* assert = NULL;
 	uint8_t message[32];
 	int r = FIDO_ERR_INTERNAL;
@ -830,7 +827,6 @@ out:
 	fido_assert_free(&assert);

 	return r;
-#endif  /* HAVE_FIDO_DEV_IS_WINHELLO */
 }

 int
@ -897,6 +893,9 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		goto out;
 	}
 	skdebug(__func__, "using device %s", sk->path);
+	// Windows: can skip key_lookup() as it will not be overwritten regardless, per above comment:
+	// Don't overwrite existing credentials on FIDO authenticators.
+#ifndef WINDOWS
 	if ((flags & SSH_SK_RESIDENT_KEY) != 0 &&
 	    (flags & SSH_SK_FORCE_OPERATION) == 0 &&
 	    (r = key_lookup(sk->dev, application, user_id, sizeof(user_id),
@ -910,6 +909,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		}
 		goto out;
 	}
+#endif /* !WINDOWS */
 	if ((cred = fido_cred_new()) == NULL) {
 		skdebug(__func__, "fido_cred_new failed");
 		goto out;