[openssh-commits] [openssh] 03/03: upstream: improve the testing of credentials against inserted FIDO

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Dec 3 10:27:56 AEDT 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit b5601202145a03106012c22cb8980bcac2949f0b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Dec 2 23:23:13 2021 +0000

    upstream: improve the testing of credentials against inserted FIDO
    
    keys a little more: ask the token whether a particular key belongs to it in
    cases where the token supports on-token user-verification (e.g. biometrics)
    rather than just assuming that it will accept it.
    
    Will reduce spurious "Confirm user presence" notifications for key
    handles that relate to FIDO keys that are not currently inserted in at
    least some cases.
    
    Motivated by bz3366; by Pedro Martelletto
    
    OpenBSD-Commit-ID: ffac7f3215842397800e1ae2e20229671a55a63d
---
 sk-usbhid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 89196c8b..331b93b3 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.35 2021/12/02 22:40:05 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.36 2021/12/02 23:23:13 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -434,12 +434,14 @@ sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
 {
 	struct sk_usbhid **skv, *sk;
 	size_t skvcnt, i;
+	int internal_uv;
 
 	if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 		skdebug(__func__, "sk_openv failed");
 		return NULL;
 	}
-	if (skvcnt == 1) {
+	if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
+	    &internal_uv) == 0 && internal_uv != -1) {
 		sk = skv[0];
 		skv[0] = NULL;
 		goto out;
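
Review bot: The new condition on `if (skvcnt == 1 && check_sk_options(...) == 0 && internal_uv != -1)` depends on a sentinel value of -1 that is not explained anywhere in this hunk. It is therefore not evident from the code how the test maps to the commit message's "cases where the token supports on-token user-verification". A short comment above the `if` should state what `internal_uv == -1` represents, which single-token case keeps the shortcut, and which case now falls through to asking the token. Separately, a non-zero return from `check_sk_options()` silently falls through to the non-shortcut path. That looks like the safe direction, but an `skdebug(__func__, ...)` there, matching the `sk_openv failed` handling just above, would make it visible when troubleshooting unexpected "Confirm user presence" prompts.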
