upstream: improve the testing of credentials against inserted FIDO

keys a little more: ask the token whether a particular key belongs to it in cases where the token support on-token user- verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. Motivated by bz3366; by Pedro Martelletto OpenBSD-Commit-ID: ffac7f3215842397800e1ae2e20229671a55a63d
author: djm@openbsd.org <djm@openbsd.org> 2021-12-02 23:23:13 +0000
committer: Damien Miller <djm@mindrot.org> 2021-12-03 10:27:40 +1100
commit: b5601202145a03106012c22cb8980bcac2949f0b (patch)
tree: ebb463b110af07671167ee4c8df937d12282abcd /sk-usbhid.c
parent: ca709e27c41c90f4565b17282c48dca7756e083c (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 89196c8b..331b93b3 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.35 2021/12/02 22:40:05 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.36 2021/12/02 23:23:13 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -434,12 +434,14 @@ sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
 {
 	struct sk_usbhid **skv, *sk;
 	size_t skvcnt, i;
+	int internal_uv;
 
 	if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 		skdebug(__func__, "sk_openv failed");
 		return NULL;
 	}
-	if (skvcnt == 1) {
+	if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
+	    &internal_uv) == 0 && internal_uv != -1) {
 		sk = skv[0];
 		skv[0] = NULL;
 		goto out;
author	djm@openbsd.org <djm@openbsd.org>	2021-12-02 23:23:13 +0000
committer	Damien Miller <djm@mindrot.org>	2021-12-03 10:27:40 +1100
commit	b5601202145a03106012c22cb8980bcac2949f0b (patch)
tree	ebb463b110af07671167ee4c8df937d12282abcd /sk-usbhid.c
parent	ca709e27c41c90f4565b17282c48dca7756e083c (diff)