upstream: sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag
authordjm@openbsd.org <djm@openbsd.org>
Wed, 14 Sep 2022 00:14:37 +0000 (00:14 +0000)
committerDamien Miller <djm@mindrot.org>
Wed, 14 Sep 2022 00:16:06 +0000 (10:16 +1000)
from response

Now that all FIDO signing calls attempt first without PIN and then
fall back to trying PIN only if that attempt fails, we can remove the
hack^wtrick that removed the UV flag from the keys returned during
enroll.

By Corinna Vinschen

OpenBSD-Commit-ID: 684517608c8491503bf80cd175425f0178d91d7f

sk-usbhid.c

index 3ba2cf26815bde6f3b31fb0f20de1dd1ed0b6f4d..46e09c26cc2b10e8ee6e026a02caa9b29d401f4d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.44 2022/09/02 04:20:02 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.45 2022/09/14 00:14:37 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -847,7 +847,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
        struct sk_enroll_response *response = NULL;
        size_t len;
        int credprot;
-       int internal_uv;
        int cose_alg;
        int ret = SSH_SK_ERR_GENERAL;
        int r;
@@ -980,13 +979,6 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
                goto out;
        }
        response->flags = flags;
-       if ((flags & SSH_SK_USER_VERIFICATION_REQD)) {
-               if (check_sk_options(sk->dev, "uv", &internal_uv) == 0 &&
-                   internal_uv != -1) {
-                       /* user verification handled by token */
-                       response->flags &= ~SSH_SK_USER_VERIFICATION_REQD;
-               }
-       }
        if (pack_public_key(alg, cred, response) != 0) {
                skdebug(__func__, "pack_public_key failed");
                goto out;