From a22b3b3a26748558d18d007a53f9463703abfefc Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 14 Sep 2022 00:14:37 +0000
Subject: [PATCH] sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag from response

Now that all FIDO signing calls attempt first without PIN and then fall back to trying PIN only if that attempt fails, we can remove the hack^wtrick that removed the UV flag from the keys returned during enroll. By Corinna Vinschen
---
 usr.bin/ssh/sk-usbhid.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/usr.bin/ssh/sk-usbhid.c b/usr.bin/ssh/sk-usbhid.c
index 66197f4ea42..430ce648a5f 100644
--- a/usr.bin/ssh/sk-usbhid.c
+++ b/usr.bin/ssh/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.44 2022/09/02 04:20:02 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.45 2022/09/14 00:14:37 djm Exp $ */
 /*
 * Copyright (c) 2019 Markus Friedl
 * Copyright (c) 2020 Pedro Martelletto
@@ -722,7 +722,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 struct sk_enroll_response *response = NULL;
 size_t len;
 int credprot;
- int internal_uv;
 int cose_alg;
 int ret = SSH_SK_ERR_GENERAL;
 int r;
@@ -848,13 +847,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 goto out;
 }
 response->flags = flags;
- if ((flags & SSH_SK_USER_VERIFICATION_REQD)) {
- if (check_sk_options(sk->dev, "uv", &internal_uv) == 0 &&
- internal_uv != -1) {
- /* user verification handled by token */
- response->flags &= ~SSH_SK_USER_VERIFICATION_REQD;
- }
- }
 if (pack_public_key(alg, cred, response) != 0) {
 skdebug(__func__, "pack_public_key failed");
 goto out;
--
2.20.1