upstream: support FIDO tokens that return no attestation data, e.g.

recent WinHello. From Michael Braun via GHPR542 OpenBSD-Commit-ID: a71b0542f2f7819ba0e33a88908e01b6fc49e4ce
author: djm@openbsd.org <djm@openbsd.org> 2024-12-03 09:31:49 +0100
committer: Damien Miller <djm@mindrot.org> 2024-12-03 09:32:18 +0100
commit: d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35 (patch)
tree: 22c68f38a4d2413898bb6b2a85c7703173ca58fe
parent: Add wtmpdb support as Y2038 safe wtmp replacement (diff)
download: openssh-d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35.tar.xz
openssh-d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 36f089a57..427431b9a 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.46 2023/03/28 06:12:38 dtucker Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.47 2024/12/03 08:31:49 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -961,13 +961,15 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 			    fido_strerr(r));
 			goto out;
 		}
-	} else {
+	} else if (strcmp(fido_cred_fmt(cred), "none") != 0) {
 		skdebug(__func__, "self-attested credential");
 		if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
 			skdebug(__func__, "fido_cred_verify_self: %s",
 			    fido_strerr(r));
 			goto out;
 		}
+	} else {
+		skdebug(__func__, "no attestation data");
 	}
 	if ((response = calloc(1, sizeof(*response))) == NULL) {
 		skdebug(__func__, "calloc response failed");
author	djm@openbsd.org <djm@openbsd.org>	2024-12-03 09:31:49 +0100
committer	Damien Miller <djm@mindrot.org>	2024-12-03 09:32:18 +0100
commit	d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35 (patch)
tree	22c68f38a4d2413898bb6b2a85c7703173ca58fe
parent	Add wtmpdb support as Y2038 safe wtmp replacement (diff)
download	openssh-d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35.tar.xz openssh-d3a7ff7cecbc23cc37044bdf02e7118d05bf3c35.zip