From 70246e37bc3361660205e17d1ea079e8846c4a54 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Kamil=20Szcz=C4=99k?=
Date: Sat, 27 Apr 2024 13:43:35 +0200
Subject: [PATCH] libfido2-util: fix a regression in the pre-flight mechanism

The recently merged PR #32295 introduced support for the credProtect extension, but in doing so, it broke the discoverability of credentials by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less, PIN-protected credentials. This policy would require us to pass the PIN to the token in the pre-flight request to be able to discover it, which defeats the purpose of pre-flight requests as they're supposed to be non-interactive.

This commit restricts the usage of credProtect to UV credentials only.
---
 src/shared/libfido2-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 1cc81a6c610..17fb019ffce 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -779,7 +779,7 @@ int fido2_generate_hmac_hash(
                 return log_oom();
 
         int extensions = FIDO_EXT_HMAC_SECRET;
-        if (FLAGS_SET(lock_with, FIDO2ENROLL_PIN) || FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
+        if (FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
                 /* Attempt to use the "cred protect" extension, requiring user verification (UV) for this
                  * credential. If the authenticator doesn't support the extension, it will be ignored. */
                 extensions |= FIDO_EXT_CRED_PROTECT;
-- 
2.47.3
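Review bot: The narrowed condition `if (FLAGS_SET(lock_with, FIDO2ENROLL_UV))` carries none of the reasoning from the commit message, so the next reader sees PIN-only credentials silently skipping credProtect and is likely to "fix" it back to the regressed form; the comment just below the condition still only explains the UV case. I would add, above the `if`, `/* PIN-only credentials deliberately get no credProtect policy: pre-flight requests must stay non-interactive, and a UV_REQUIRED policy would make the credential undiscoverable without the PIN (see the fix for #32295). */`. It is worth stating in that comment, as the accepted trade-off, that such a credential therefore keeps the authenticator's default protection level and can be discovered by anyone holding the token, even though using it still requires the PIN. If the project later wants a middle ground, libfido2's FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID policy is designed for exactly this case (discoverable only when the credential ID is supplied), but whether the pre-flight path supplies the ID is not visible in this hunk and would need checking where the policy is set. fido2_generate_hmac_hash begins and ends outside the hunk.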