From b8914b025c3eb36535afb82dd7cd329e7af62c61 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 2 Dec 2021 23:23:13 +0000
Subject: [PATCH] improve the testing of credentials against inserted FIDO keys a little more: ask the token whether a particular key belongs to it in cases where the token support on-token user- verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. Motivated by bz3366; by Pedro Martelletto

---
usr.bin/ssh/sk-usbhid.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr.bin/ssh/sk-usbhid.c b/usr.bin/ssh/sk-usbhid.c
index 95930b9ab38..8deebf480fc 100644
--- a/usr.bin/ssh/sk-usbhid.c
+++ b/usr.bin/ssh/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.35 2021/12/02 22:40:05 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.36 2021/12/02 23:23:13 djm Exp $ */
 /*
 * Copyright (c) 2019 Markus Friedl
 * Copyright (c) 2020 Pedro Martelletto
@@ -396,12 +396,14 @@ sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
 {
 struct sk_usbhid **skv, *sk;
 size_t skvcnt, i;
+ int internal_uv;
 
 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 skdebug(__func__, "sk_openv failed");
 return NULL;
 }
- if (skvcnt == 1) {
+ if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
+ &internal_uv) == 0 && internal_uv != -1) {
 sk = skv[0];
 skv[0] = NULL;
 goto out;
--
2.20.1
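Review bot: The extended condition on the `if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv", ...)` line leaves the reason for the exception unstated, and the path it now falls through to is outside the hunk, so a reader of sk_select_by_cred cannot see why a lone token with on-token UV is no longer picked outright; a comment above the `if` should carry the rationale from the commit message, e.g. `/* A lone token is taken as-is unless it reports on-token UV ("uv" option); such a token is asked below whether the credential is its own, like any other token. */`. Note also that a non-zero return from check_sk_options() now takes the same per-token check path as a UV-capable token, which looks intended but is worth stating in that comment so nobody "fixes" it later. `internal_uv` is only read after check_sk_options() has returned 0, so the uninitialized declaration is safe as written, but the meaning of the `-1` sentinel (presumably "option not reported by the token") is defined in check_sk_options() outside this hunk, and the comment should name that meaning rather than leave the magic number bare. The remainder of sk_select_by_cred, including the loop this now falls into, starts and ends outside the hunk.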