mirror of https://github.com/systemd/systemd.git synced 2025-03-08 08:58:27 +03:00

libfido2-util: fix a regression in the pre-flight mechanism

The recently merged PR #32295 introduced support for the credProtect
extension, but in doing so, it broke the discoverability of credentials
by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less,
PIN-protected credentials. This policy would require us to pass the PIN
to the token in the pre-flight request to be able to discover it,
which defeats the purpose of pre-flight requests as they're supposed
to be non-interactive.

This commit restricts the usage of credProtect to UV credentials only.
Kamil Szczęk 2024-04-27 13:43:35 +02:00 committed by Lennart Poettering
parent 42a5f47fbe
commit 70246e37bc


@ -779,7 +779,7 @@ int fido2_generate_hmac_hash(
return log_oom();
int extensions = FIDO_EXT_HMAC_SECRET;
if (FLAGS_SET(lock_with, FIDO2ENROLL_PIN) || FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
if (FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
/* Attempt to use the "cred protect" extension, requiring user verification (UV) for this
* credential. If the authenticator doesn't support the extension, it will be ignored. */
extensions |= FIDO_EXT_CRED_PROTECT;
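Review bot: the rationale for dropping the `FIDO2ENROLL_PIN` branch lives only in the commit message, so the in-code comment should say why PIN-only credentials must not opt into credProtect. As shown, the comment still reads "Attempt to use the "cred protect" extension, requiring user verification (UV) for this credential", which explains what the extension does but not that a UV-required protection policy on a PIN-only credential would force the PIN into the non-interactive pre-flight discovery request. Suggest extending the comment with one line, e.g. "Only for UV credentials: a UV-required policy on a PIN-only credential would make pre-flight discovery require the PIN", so the next reader does not reintroduce the `||` condition as an apparent oversight.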