authordjm <djm@openbsd.org>2019-11-12 22:38:19 +0000
committerdjm <djm@openbsd.org>2019-11-12 22:38:19 +0000
commitdb49089172740e5ecb81d5ed1b9ee0144909c9d0 (patch)
tree5f8cb692f56b53a3c2bf330874d875b0d119e675 /usr.bin/ssh/ssh-sk.c
parentsecurity keys typically need to be tapped/touched in order to perform (diff)
allow an empty attestation certificate returned by a security key
enrollment - these are possible for tokens that only offer self-attestation. This also needs support from the middleware. ok markus@
Diffstat (limited to 'usr.bin/ssh/ssh-sk.c')
-rw-r--r--usr.bin/ssh/ssh-sk.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.bin/ssh/ssh-sk.c b/usr.bin/ssh/ssh-sk.c
index c9408009b40..fcb0f66c4d7 100644
--- a/usr.bin/ssh/ssh-sk.c
+++ b/usr.bin/ssh/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.9 2019/11/12 19:34:40 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.10 2019/11/12 22:38:19 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -296,7 +296,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
}
/* Check response validity */
if (resp->public_key == NULL || resp->key_handle == NULL ||
- resp->signature == NULL || resp->attestation_cert == NULL) {
+ resp->signature == NULL ||
+ (resp->attestation_cert == NULL && resp->attestation_cert_len != 0)) {
error("%s: sk_enroll response invalid", __func__);
r = SSH_ERR_INVALID_FORMAT;
goto out;
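Review bot: The relaxed test on the `attestation_cert` line accepts an enrollment with no certificate, but nothing here tells a reader that such a key is unattested. I would add a comment above the condition, for example `/* attestation_cert may be NULL only when its length is 0 (self-attesting tokens); such an enrollment carries no attestation */`. The rest of sshsk_enroll lies outside this hunk, so confirm that the code copying the certificate out tolerates a NULL pointer with zero length. Any consumer that verifies attestation should treat an empty certificate as "not attested" and reject it where attestation is required, not skip the check. The other three fields are still tested only for NULL, not for a zero length, which may deserve the same scrutiny.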