author | Damien Miller <djm@mindrot.org> | 2020-08-27 04:37:12 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 04:37:12 +0200 |
commit | bbcc858ded3fbc46abfa7760e40389e3ca93884c (patch) | |
tree | 0bb5dfff64eb542c718a4ad93adebae6bc84f493 | |
parent | upstream: dummy firmware needs to match API version numner crank (for (diff) | |
download | openssh-bbcc858ded3fbc46abfa7760e40389e3ca93884c.tar.xz openssh-bbcc858ded3fbc46abfa7760e40389e3ca93884c.zip |
degrade semi-gracefully when libfido2 is too old
-rw-r--r-- | configure.ac | 11 | ||||
-rw-r--r-- | sk-usbhid.c | 21 |
2 files changed, 29 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac
index 0f15ef2bf..756e26572 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3180,9 +3180,14 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 ], [ AC_MSG_ERROR([no usable libfido2 found]) ],
 [ $OTHERLIBS ]
 )
- AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
- [ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
- )
+ saved_LIBS="$LIBS"
+ LIBS="$LIBS $LIBFIDO2"
+ AC_CHECK_FUNCS([ \
+ fido_cred_set_prot \
+ fido_dev_get_touch_status \
+ fido_dev_supports_cred_prot \
+ ])
+ LIBS="$saved_LIBS"
 AC_CHECK_HEADER([fido.h], [],
 AC_MSG_ERROR([missing fido.h from libfido2]))
 AC_CHECK_HEADER([fido/credman.h], [],
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 0305683fe..0b11e40aa 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -41,6 +41,17 @@
 #include <fido.h>
 #include <fido/credman.h>
 
+/* backwards compat for libfido2 */
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+#define fido_dev_supports_cred_prot(x) (0)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
+#define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+#define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+
 #ifndef SK_STANDALONE
 # include "log.h"
 # include "xmalloc.h"
@@ -377,6 +388,11 @@ sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
 size_t skvcnt, idx;
 int touch, ms_remain;
 
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+ skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
+ return NULL;
+#endif
+
 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 skdebug(__func__, "sk_openv failed");
 return NULL;
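Review bot: `fido_dev_get_touch_begin` is missing from the `AC_CHECK_FUNCS` list in the configure.ac hunk, yet the compat block added to sk-usbhid.c tests `HAVE_FIDO_DEV_GET_TOUCH_BEGIN`. Nothing visible in this commit defines that macro, so the `#ifndef` would always be true and `fido_dev_get_touch_begin()` would be replaced by `FIDO_ERR_UNSUPPORTED_OPTION` even when a new enough libfido2 is installed. That would presumably make touch-based selection between several attached tokens fail on every build. Add `fido_dev_get_touch_begin \` to the list so that each `HAVE_*` guard in the C file has a matching probe.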
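Review bot: The compat block at the top of sk-usbhid.c has no fallback for `fido_cred_set_prot`, although configure.ac no longer aborts when that function is missing and now only records `HAVE_FIDO_CRED_SET_PROT`. If the file still calls `fido_cred_set_prot()` outside these hunks (the removed configure error suggests it does), a build against libfido2 older than 1.4.0 would fail at compile or link time rather than with a clear configure message. Either add `#ifndef HAVE_FIDO_CRED_SET_PROT` / `#define fido_cred_set_prot(x, y) (FIDO_ERR_UNSUPPORTED_OPTION)` / `#endif` next to the other shims, or keep a hard configure error for that one function.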
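Review bot: The `#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS` guard in sk_select_by_touch() returns unconditionally and leaves the rest of the body compiled as dead code on old-libfido2 builds. Using `#else` here, with the matching `#endif` at the end of the body (which lies outside this hunk), would compile only one path and make the two configurations easier to read. The sk_enroll() hunk has the same shape, with `goto out;` followed by the live `fido_dev_supports_cred_prot()` check. The reason is also reported only through skdebug(), which is likely visible only in debug runs, so a user with two tokens attached may see a failure with no hint about the library version.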
@@ -705,6 +721,11 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 goto out;
 }
 if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+ skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
+ ret = SSH_SK_ERR_UNSUPPORTED;
+ goto out;
+#endif
 if (!fido_dev_supports_cred_prot(sk->dev)) {
 skdebug(__func__, "%s does not support credprot, "
 "refusing to create unprotected " |
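Review bot: The guard added in sk_enroll() is a fail-closed security decision and should carry a comment saying so, because a later cleanup could be tempted to skip the credProtect check on old libraries instead of refusing the request. A comment above the `#ifndef` such as `/* Cannot confirm credProtect support without fido_dev_supports_cred_prot(); refuse rather than create an unprotected resident/UV key. */` would record that intent. The enclosing `if` block continues past the end of this hunk, so the rest of the refusal path is not visible here.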