mirror of
git://anongit.mindrot.org/openssh.git
synced 2025-01-17 15:11:21 +00:00
degrade semi-gracefully when libfido2 is too old
parent
9cbbdc12cb
commit
bbcc858ded
11
configure.ac
11
configure.ac
@ -3180,9 +3180,14 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
|
||||
], [ AC_MSG_ERROR([no usable libfido2 found]) ],
|
||||
[ $OTHERLIBS ]
|
||||
)
|
||||
AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
|
||||
[ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
|
||||
)
|
||||
saved_LIBS="$LIBS"
|
||||
LIBS="$LIBS $LIBFIDO2"
|
||||
AC_CHECK_FUNCS([ \
|
||||
fido_cred_set_prot \
|
||||
fido_dev_get_touch_status \
|
||||
fido_dev_supports_cred_prot \
|
||||
])
|
||||
LIBS="$saved_LIBS"
|
||||
AC_CHECK_HEADER([fido.h], [],
|
||||
AC_MSG_ERROR([missing fido.h from libfido2]))
|
||||
AC_CHECK_HEADER([fido/credman.h], [],
|
||||
|
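Review bot: The AC_CHECK_FUNCS list in this hunk probes `fido_cred_set_prot`, `fido_dev_get_touch_status` and `fido_dev_supports_cred_prot`, but not `fido_dev_get_touch_begin`, while the sk-usbhid.c part of this commit keys a compat shim on `HAVE_FIDO_DEV_GET_TOUCH_BEGIN`. Without a probe that macro is never defined, so `#define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)` replaces the real function even when libfido2 is new enough, and choosing among several tokens by touch would presumably always fail. Add `fido_dev_get_touch_begin \` to the list. The enclosing `if test "x$enable_sk" = "xyes" ...` block starts and ends outside the hunk.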
21
sk-usbhid.c
21
sk-usbhid.c
@ -41,6 +41,17 @@
|
||||
#include <fido.h>
|
||||
#include <fido/credman.h>
|
||||
|
||||
/* backwards compat for libfido2 */
|
||||
#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
|
||||
#define fido_dev_supports_cred_prot(x) (0)
|
||||
#endif
|
||||
#ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
|
||||
#define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
|
||||
#endif
|
||||
#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
|
||||
#define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
|
||||
#endif
|
||||
|
||||
#ifndef SK_STANDALONE
|
||||
# include "log.h"
|
||||
# include "xmalloc.h"
|
||||
@ -377,6 +388,11 @@ sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
|
||||
size_t skvcnt, idx;
|
||||
int touch, ms_remain;
|
||||
|
||||
#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
|
||||
skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
|
||||
return NULL;
|
||||
#endif
|
||||
|
||||
if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
|
||||
skdebug(__func__, "sk_openv failed");
|
||||
return NULL;
|
||||
@ -705,6 +721,11 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
|
||||
goto out;
|
||||
}
|
||||
if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
|
||||
#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
|
||||
skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
|
||||
ret = SSH_SK_ERR_UNSUPPORTED;
|
||||
goto out;
|
||||
#endif
|
||||
if (!fido_dev_supports_cred_prot(sk->dev)) {
|
||||
skdebug(__func__, "%s does not support credprot, "
|
||||
"refusing to create unprotected "
|
||||
|
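Review bot: In the sk_enroll hunk the `#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT` branch ends in `goto out;`, but the credprot code after `#endif` is still compiled, so it must still build and link against an old libfido2. configure now probes `fido_cred_set_prot`, yet no visible hunk consults `HAVE_FIDO_CRED_SET_PROT` or supplies a shim for it; if the rest of this block (outside the hunk) calls that function, the build would still break on the library versions this commit is meant to tolerate. Putting `#else` before `if (!fido_dev_supports_cred_prot(sk->dev)) {` and `#endif` just before the enclosing block's closing brace would keep the refusal fail-closed and stop compiling the dead path; the same shape suits the `return NULL;` guard in sk_select_by_touch. A one-line comment on the `(0)` shim, saying it deliberately reports "no credProt" so that resident and user-verification keys are refused rather than created unprotected, would also help.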