From: Kamil Szczęk Date: Sat, 27 Apr 2024 11:43:35 +0000 (+0200) Subject: libfido2-util: fix a regression in the pre-flight mechanism X-Git-Tag: v256-rc2~118 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70246e37bc3361660205e17d1ea079e8846c4a54;p=thirdparty%2Fsystemd.git libfido2-util: fix a regression in the pre-flight mechanism The recently merged PR #32295 introduced support for the credProtect extension, but in doing so, it broke the discoverability of credentials by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less, PIN-protected credentials. This policy would require us to pass the PIN to the token in the pre-flight request to be able to discover it, which defeats the purpose of pre-flight requests as they're supposed to be non-interactive. This commit restricts the usage of credProtect to UV credentials only. --- diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index 1cc81a6c610..17fb019ffce 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -779,7 +779,7 @@ int fido2_generate_hmac_hash( return log_oom(); int extensions = FIDO_EXT_HMAC_SECRET; - if (FLAGS_SET(lock_with, FIDO2ENROLL_PIN) || FLAGS_SET(lock_with, FIDO2ENROLL_UV)) { + if (FLAGS_SET(lock_with, FIDO2ENROLL_UV)) { /* Attempt to use the "cred protect" extension, requiring user verification (UV) for this * credential. If the authenticator doesn't support the extension, it will be ignored. */ extensions |= FIDO_EXT_CRED_PROTECT;
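Review bot: the in-code comment above the changed condition still only says that credProtect is attempted "requiring user verification (UV) for this credential", but nothing in the hunk records why FIDO2ENROLL_PIN was dropped from the condition; that rationale lives only in the commit message, so the next person to touch this block may well re-add the PIN case and reintroduce the same pre-flight regression. Suggest extending the comment, e.g. "Only for UV credentials: a PIN-only credential with cred protect would require the PIN during the non-interactive pre-flight request, making it undiscoverable." Separately, worth considering whether PIN-only credentials really need to lose credProtect entirely rather than being enrolled with a weaker policy: libfido2 also offers FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID, which permits use without UV when the credential ID is supplied in the allow list (the pre-flight case) while still keeping the credential out of unauthenticated discovery. The line that selects FIDO_CRED_PROT_UV_REQUIRED is not part of this hunk, so that may be a follow-up rather than a blocker, but the trade-off should at least be noted in the comment.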