upstream: sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag from response

Now that all FIDO signing calls attempt first without PIN and then fall back to trying PIN only if that attempt fails, we can remove the hack^wtrick that removed the UV flag from the keys returned during enroll.

By Corinna Vinschen

OpenBSD-Commit-ID: 684517608c8491503bf80cd175425f0178d91d7f
parent
940dc10729
commit
ff9809fdfd
10
sk-usbhid.c
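--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.44 2022/09/02 04:20:02 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.45 2022/09/14 00:14:37 djm Exp $ */
 /*
 * Copyright (c) 2019 Markus Friedl
 * Copyright (c) 2020 Pedro Martelletto
@@ -847,7 +847,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 struct sk_enroll_response *response = NULL;
 size_t len;
 int credprot;
-int internal_uv;
 int cose_alg;
 int ret = SSH_SK_ERR_GENERAL;
 int r;
@@ -980,13 +979,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 goto out;
 }
 response->flags = flags;
-if ((flags & SSH_SK_USER_VERIFICATION_REQD)) {
-if (check_sk_options(sk->dev, "uv", &internal_uv) == 0 &&
-internal_uv != -1) {
-/* user verification handled by token */
-response->flags &= ~SSH_SK_USER_VERIFICATION_REQD;
-}
-}
 if (pack_public_key(alg, cred, response) != 0) {
 skdebug(__func__, "pack_public_key failed");
 goto out;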