[openssh-commits] [openssh] 01/01: degrade semi-gracefully when libfido2 is too old


djm pushed a commit to branch master
in repository openssh.

commit bbcc858ded3fbc46abfa7760e40389e3ca93884c
Author: Damien Miller <djm at mindrot.org>
Date:   Thu Aug 27 12:37:12 2020 +1000

    degrade semi-gracefully when libfido2 is too old
---
 configure.ac | 11 ++++++++---
 sk-usbhid.c  | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 0f15ef2b..756e2657 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3180,9 +3180,14 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
 		[ $OTHERLIBS ]
 	)
-	AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
-		[ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
-	)
+	saved_LIBS="$LIBS"
+	LIBS="$LIBS $LIBFIDO2"
+	AC_CHECK_FUNCS([ \
+		fido_cred_set_prot \
+		fido_dev_get_touch_status \
+		fido_dev_supports_cred_prot \
+	])
+	LIBS="$saved_LIBS"
 	AC_CHECK_HEADER([fido.h], [],
 		AC_MSG_ERROR([missing fido.h from libfido2]))
 	AC_CHECK_HEADER([fido/credman.h], [],
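Review bot: The AC_CHECK_FUNCS list added in this hunk probes fido_cred_set_prot, fido_dev_get_touch_status and fido_dev_supports_cred_prot but not fido_dev_get_touch_begin, so HAVE_FIDO_DEV_GET_TOUCH_BEGIN is never defined by this file and the fallback in the sk-usbhid.c compat hunk replaces fido_dev_get_touch_begin with a macro yielding FIDO_ERR_UNSUPPORTED_OPTION even when the installed libfido2 provides it (unless some other check elsewhere in configure.ac defines that symbol). Adding `fido_dev_get_touch_begin \` to the list closes that gap. Separately, the removed AC_MSG_ERROR for fido_cred_set_prot was the only hard stop for libfido2 older than 1.4.0, and the compat block in sk-usbhid.c defines no substitute for fido_cred_set_prot; unless its call site is guarded by HAVE_FIDO_CRED_SET_PROT, a too-old library now presumably fails at link time instead of with the previous explicit configure message, which is worth confirming or restoring as a check.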
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 0305683f..0b11e40a 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -41,6 +41,17 @@
 #include <fido.h>
 #include <fido/credman.h>
 
+/* backwards compat for libfido2 */
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+#define fido_dev_supports_cred_prot(x) (0)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
+#define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+#define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+
 #ifndef SK_STANDALONE
 # include "log.h"
 # include "xmalloc.h"
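Review bot: The `/* backwards compat for libfido2 */` comment does not say where the HAVE_* symbols come from or what the stubs are meant to do, and the stubs silently discard their arguments, so for the stubbed fido_dev_get_touch_status the output argument `y` is never written and must not be read by a caller that only checks the return value. Suggest expanding the comment to `/* backwards compat for libfido2: HAVE_* symbols come from the AC_CHECK_FUNCS in configure.ac; the stubs discard their arguments and make the feature report unsupported rather than emulate it */`. The visible call sites pass plain lvalues, so the discarded-argument behaviour appears harmless here, but the comment should state it.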
@@ -377,6 +388,11 @@ sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
 	size_t skvcnt, idx;
 	int touch, ms_remain;
 
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+	skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
+	return NULL;
+#endif
+
 	if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 		skdebug(__func__, "sk_openv failed");
 		return NULL;
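Review bot: The `#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS` early return is placed after the local declarations, which leaves the remainder of sk_select_by_touch (the function continues past this hunk) unreachable in that configuration; static analyzers and -Wunreachable-code will flag it, and the same shape appears in the sk_enroll hunk below. If the intent is to keep the code compiled in both configurations, a short comment such as `/* rest of function is dead code without touch-status support; kept compiled */` would make that explicit. The added skdebug call also puts the whole message on one line, exceeding the width the neighbouring code keeps; splitting it as `skdebug(__func__, "libfido2 version does not support a feature "` / `    "needed for multiple tokens. Please upgrade to >=1.5.0");` matches the adjacent `skdebug(__func__, "%s does not support credprot, " ...` style in sk_enroll.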
@@ -705,6 +721,11 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		goto out;
 	}
 	if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+		skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
+		ret = SSH_SK_ERR_UNSUPPORTED;
+		goto out;
+#endif
 		if (!fido_dev_supports_cred_prot(sk->dev)) {
 			skdebug(__func__, "%s does not support credprot, "
 			    "refusing to create unprotected "
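Review bot: The message in the new `#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT` block says only "a feature required for this operation", while the condition guarding it is the resident-key/UV-required flags and the feature is credProtect; naming it, e.g. `skdebug(__func__, "libfido2 version does not support credProtect, "` / `    "required for resident or UV-required keys; please upgrade to >=1.5.0");`, lets a user see why plain enrollment still works but this one does not. It would also help to note in a comment that the compat stub `fido_dev_supports_cred_prot(x) (0)` would already send execution into the existing refusal branch just below, so the block exists to return the explicit SSH_SK_ERR_UNSUPPORTED code and the upgrade hint rather than to add a check. sk_enroll continues outside this hunk, so what the existing refusal branch sets as its return value is not visible here.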
