From fccff339cab5aa66f2554e0188b83f980683490b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 12 Nov 2019 22:38:19 +0000 Subject: upstream: allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware. ok markus@ OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc --- ssh-sk.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'ssh-sk.c') diff --git a/ssh-sk.c b/ssh-sk.c index ff9c6f282..41fa164b7 100644 --- a/ssh-sk.c +++ b/ssh-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.9 2019/11/12 19:34:40 markus Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.10 2019/11/12 22:38:19 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -300,7 +300,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application, } /* Check response validity */ if (resp->public_key == NULL || resp->key_handle == NULL || - resp->signature == NULL || resp->attestation_cert == NULL) { + resp->signature == NULL || + (resp->attestation_cert == NULL && resp->attestation_cert_len != 0)) { error("%s: sk_enroll response invalid", __func__); r = SSH_ERR_INVALID_FORMAT; goto out; -- cgit v1.2.3