sk-usbhid: fix key_lookup() on tokens with built-in UV

explicitly test whether the token performs built-in UV (e.g. biometric
tokens) and enable UV in that case. From Pedro Martelletto via GHPR#388

diff --git a/usr.bin/ssh/sk-usbhid.c b/usr.bin/ssh/sk-usbhid.c
index f06e33e..66197f4 100644 (file)
--- a/usr.bin/ssh/sk-usbhid.c
+++ b/usr.bin/ssh/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.43 2022/08/19 05:53:28 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.44 2022/09/02 04:20:02 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -658,6 +658,7 @@ key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
        fido_assert_t *assert = NULL;
        uint8_t message[32];
        int r = FIDO_ERR_INTERNAL;
+       int sk_supports_uv, uv;
        size_t i;
 
        memset(message, '\0', sizeof(message));
@@ -677,7 +678,15 @@ key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
                goto out;
        }
        if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
-               skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
+               skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
+               goto out;
+       }
+       uv = FIDO_OPT_OMIT;
+       if (pin == NULL && check_sk_options(dev, "uv", &sk_supports_uv) == 0 &&
+           sk_supports_uv != -1)
+               uv = FIDO_OPT_TRUE;
+       if ((r = fido_assert_set_uv(assert, uv)) != FIDO_OK) {
+               skdebug(__func__, "fido_assert_set_uv: %s", fido_strerr(r));
                goto out;
        }
        if ((r = fido_dev_get_assert(dev, assert, pin)) != FIDO_OK) {