[openssh-commits] [openssh] 03/03: sk_sign: set FIDO2 uv attribute explicitly for WinHello

git+noreply at mindrot.org
Fri Aug 5 15:02:33 AEST 2022


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2886975c0ad9244e60dc5e4be34fde3aa573a4b5
Author: Corinna Vinschen <vinschen at redhat.com>
Date:   Fri Feb 11 14:33:41 2022 +0100

    sk_sign: set FIDO2 uv attribute explicitly for WinHello
    
    WinHello via libfido2 performs user verification by default.
    However, if we stick to that, there's no way to differentiate
    between keys created with or without "-O  verify-required".
    Set FIDO2 uv attribute explicitly to FIDO_OPT_FALSE, then check
    if user verification has been requested.
    
    Signed-off-by: Corinna Vinschen <vinschen at redhat.com>
---
 sk-usbhid.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 06bf0e85..a82110ef 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1216,6 +1216,14 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
 		skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
 		goto out;
 	}
+	/*
+	 * WinHello requests the PIN by default.  Make "uv" request explicit
+	 * to allow keys with and without -O verify-required to make sense.
+	 */
+	if (pin == NULL && fido_dev_is_winhello (sk->dev) &&
+	    (r = fido_assert_set_uv(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
+		skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
+	}
 	if (pin == NULL && (flags & SSH_SK_USER_VERIFICATION_REQD)) {
 		if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 ||
 		    internal_uv != 1) {
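Review bot: the new error branch after `(r = fido_assert_set_uv(assert, FIDO_OPT_FALSE)) != FIDO_OK` only logs through skdebug and falls through, whereas the fido_assert_set_up failure directly above it does `goto out`. If fido_assert_set_uv fails on WinHello, the assertion keeps the default behaviour the comment describes (WinHello requests the PIN by default), so a key created without -O verify-required would still be prompted for user verification, which is what this change is meant to avoid; either make the failure fatal with `goto out` for consistency with the preceding checks, or add a sentence to the comment explaining why continuing is acceptable here. Minor style point: `fido_dev_is_winhello (sk->dev)` has a space before the parenthesis, unlike `fido_assert_set_uv(assert, FIDO_OPT_FALSE)` and the surrounding calls.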
