author | Damien Miller <djm@mindrot.org> | 2020-08-27 12:37:12 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 12:37:12 +1000 |
commit | bbcc858ded3fbc46abfa7760e40389e3ca93884c (patch) | |
tree | 0bb5dfff64eb542c718a4ad93adebae6bc84f493 | |
parent | 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2 (diff) |
degrade semi-gracefully when libfido2 is too old
-rw-r--r-- | configure.ac | 11 | ||||
-rw-r--r-- | sk-usbhid.c | 21 |
2 files changed, 29 insertions, 3 deletions
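--- a/configure.ac
+++ b/configure.ac
@@ -3180,9 +3180,14 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 ], [ AC_MSG_ERROR([no usable libfido2 found]) ],
 [ $OTHERLIBS ]
 )
-AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
-[ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
-)
+saved_LIBS="$LIBS"
+LIBS="$LIBS $LIBFIDO2"
+AC_CHECK_FUNCS([ \
+fido_cred_set_prot \
+fido_dev_get_touch_status \
+fido_dev_supports_cred_prot \
+])
+LIBS="$saved_LIBS"
 AC_CHECK_HEADER([fido.h], [],
 AC_MSG_ERROR([missing fido.h from libfido2]))
 AC_CHECK_HEADER([fido/credman.h], [],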
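Review bot: The AC_CHECK_FUNCS list in this hunk probes fido_cred_set_prot, fido_dev_get_touch_status and fido_dev_supports_cred_prot but not fido_dev_get_touch_begin, while the compat block added in the first hunk of sk-usbhid.c stubs fido_dev_get_touch_begin behind HAVE_FIDO_DEV_GET_TOUCH_BEGIN; since nothing in this commit defines that macro, the stub returning FIDO_ERR_UNSUPPORTED_OPTION would be used even against a libfido2 that provides the real function. Adding `fido_dev_get_touch_begin \` to the list closes that gap. Separately, the removed AC_CHECK_LIB turned a missing fido_cred_set_prot into a configure-time error, whereas AC_CHECK_FUNCS only defines HAVE_FIDO_CRED_SET_PROT; if sk-usbhid.c still calls fido_cred_set_prot unconditionally (not visible here), an old libfido2 would now fail at link time instead of with the previous clear message. The enclosing `if test ... ; then` block starts and ends outside the hunk.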
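--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -41,6 +41,17 @@
 #include <fido.h>
 #include <fido/credman.h>
 
+/* backwards compat for libfido2 */
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+#define fido_dev_supports_cred_prot(x) (0)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
+#define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+#define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
+#endif
+
 #ifndef SK_STANDALONE
 # include "log.h"
 # include "xmalloc.h"
@@ -377,6 +388,11 @@ sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
 size_t skvcnt, idx;
 int touch, ms_remain;
 
+#ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
+skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
+return NULL;
+#endif
+
 if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
 skdebug(__func__, "sk_openv failed");
 return NULL;
@@ -705,6 +721,11 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 goto out;
 }
 if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
+#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
+skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
+ret = SSH_SK_ERR_UNSUPPORTED;
+goto out;
+#endif
 if (!fido_dev_supports_cred_prot(sk->dev)) {
 skdebug(__func__, "%s does not support credprot, "
 "refusing to create unprotected "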
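Review bot: The compat stubs in the first hunk deserve a comment stating their fail-closed intent, because that is what makes the "semi-graceful" degradation safe: with `fido_dev_supports_cred_prot(x)` stubbed to `(0)`, sk_enroll refuses a resident or UV-required credential rather than creating it without credprot, and the two touch stubs return FIDO_ERR_UNSUPPORTED_OPTION so their callers see the operation as unsupported instead of proceeding. Suggest extending the header comment to something like `/* backwards compat for libfido2: stubs report "unsupported" so callers fail closed rather than proceed without credprot or touch polling */`. In the sk_enroll hunk the `#ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT` early exit makes the following `if (!fido_dev_supports_cred_prot(sk->dev))` unreachable on an old libfido2, so a one-line comment such as `/* below this point a real fido_dev_supports_cred_prot is available */` would spare the next reader from wondering why both the guard and the stub exist. sk_select_by_touch and sk_enroll both begin before their hunks and continue past them.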