sk_sign: set FIDO2 uv attribute explicitely for WinHello

WinHello via libfido2 performs user verification by default.
However, if we stick to that, there's no way to differentiate
between keys created with or without "-O  verify-required".
Set the FIDO2 uv attribute explicitly to FIDO_OPT_FALSE, then check
if user verification has been requested.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
This commit is contained in:
Corinna Vinschen 2022-02-11 14:33:41 +01:00 committed by Damien Miller
parent 242c044ab1
commit 2886975c0a
1 changed files with 8 additions and 0 deletions


@ -1216,6 +1216,14 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
goto out;
}
/*
* WinHello requests the PIN by default. Make "uv" request explicit
* to allow keys with and without -O verify-required to make sense.
*/
if (pin == NULL && fido_dev_is_winhello (sk->dev) &&
(r = fido_assert_set_uv(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
}
if (pin == NULL && (flags & SSH_SK_USER_VERIFICATION_REQD)) {
if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 ||
internal_uv != 1) {
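Review bot: A failing fido_assert_set_uv() is only logged and sk_sign continues, whereas the fido_assert_set_up() failure three lines above ends with `goto out`; if this best-effort handling is intentional it deserves a comment such as `/* non-fatal: WinHello then falls back to its default of verifying the user */`, otherwise the branch should also `goto out` so the assertion is never issued with an option state the code did not request. As far as the hunk shows, a failure leaves WinHello at its default (user verification on), which is the stricter behaviour, so the practical risk appears low, but that is inferred since the assertion call itself is outside the hunk. Separately, `fido_dev_is_winhello (sk->dev)` has a space before the parenthesis, unlike every other call in the hunk; drop it to match the file's style. The body of sk_sign begins and ends outside the hunk.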