upstream: improve the testing of credentials against inserted FIDO

keys a little more: ask the token whether a particular key belongs to it in
cases where the token support on-token user- verification (e.g. biometrics)
rather than just assuming that it will accept it.

Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.

Motivated by bz3366; by Pedro Martelletto

OpenBSD-Commit-ID: ffac7f3215842397800e1ae2e20229671a55a63d

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 89196c8b99669c31fb1062b622c5778cbfc60291..331b93b338d48f2d996d8d675e0fd950f44b456b 100644 (file)
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.35 2021/12/02 22:40:05 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.36 2021/12/02 23:23:13 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -434,12 +434,14 @@ sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
 {
        struct sk_usbhid **skv, *sk;
        size_t skvcnt, i;
+       int internal_uv;
 
        if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
                skdebug(__func__, "sk_openv failed");
                return NULL;
        }
-       if (skvcnt == 1) {
+       if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
+           &internal_uv) == 0 && internal_uv != -1) {
                sk = skv[0];
                skv[0] = NULL;
                goto out;