upstream: allow an empty attestation certificate returned by a

security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware. ok markus@ OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc
author: djm@openbsd.org <djm@openbsd.org> 2019-11-12 22:38:19 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-13 10:15:47 +1100
commit: fccff339cab5aa66f2554e0188b83f980683490b (patch)
tree: da5d2b82dc137b6afe8b9b14f28bc600fdbcc31e /ssh-sk.c
parent: e44bb61824e36d0d181a08489c16c378c486a974 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/ssh-sk.c b/ssh-sk.c
index ff9c6f282..41fa164b7 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.9 2019/11/12 19:34:40 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.10 2019/11/12 22:38:19 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -300,7 +300,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
        }
        /* Check response validity */
        if (resp->public_key == NULL || resp->key_handle == NULL ||
-            resp->signature == NULL || resp->attestation_cert == NULL) {
+            resp->signature == NULL ||
+            (resp->attestation_cert == NULL && resp->attestation_cert_len != 0)) {
                error("%s: sk_enroll response invalid", __func__);
                r = SSH_ERR_INVALID_FORMAT;
                goto out;
author	djm@openbsd.org <djm@openbsd.org>	2019-11-12 22:38:19 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-13 10:15:47 +1100
commit	fccff339cab5aa66f2554e0188b83f980683490b (patch)
tree	da5d2b82dc137b6afe8b9b14f28bc600fdbcc31e /ssh-sk.c
parent	e44bb61824e36d0d181a08489c16c378c486a974 (diff)