Fix security keys without attestation

Using libfido2 with windows://hello results in security key returning no attestation data. This currently fails due to fido_cred_verify_self failing. According to Yubico/libfido2#840 this is not a bug in libfido2, but openssh instead has to skip the verify call if no attestation is given. This fixes the issue by skipping attestation verification during key generation if there is no attestation. Fixes PowerShell/Win32-OpenSSH#2040 Signed-off-by: Michael Braun <[email protected]>
michael-dev · Nov 29, 2024 · 876378c · 876378c
1 parent 67ace92
commit 876378c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/sk-usbhid.c b/sk-usbhid.c
@@ -961,13 +961,15 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 			    fido_strerr(r));
 			goto out;
 		}
-	} else {
+	} else if (strcmp(fido_cred_fmt(cred), "none") != 0) {
 		skdebug(__func__, "self-attested credential");
 		if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
 			skdebug(__func__, "fido_cred_verify_self: %s",
 			    fido_strerr(r));
 			goto out;
 		}
+	} else {
+		skdebug(__func__, "no attestation data");
 	}
 	if ((response = calloc(1, sizeof(*response))) == NULL) {
 		skdebug(__func__, "calloc response failed");