Fix security keys without attestation

michael-dev · michael-dev · commit 876378c10807 · 2024-11-29T18:59:40.000+01:00
Using libfido2 with windows://hello results in security key returning no attestation data. This currently fails due to fido_cred_verify_self failing. According to Yubico/libfido2#840 this is not a bug in libfido2, but openssh instead has to skip the verify call if no attestation is given. This fixes the issue by skipping attestation verification during key generation if there is no attestation. Fixes PowerShell/Win32-OpenSSH#2040 Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
diff --git a/sk-usbhid.c b/sk-usbhid.c
@@ -961,13 +961,15 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 			    fido_strerr(r));
 			goto out;
 		}
-	} else {
+	} else if (strcmp(fido_cred_fmt(cred), "none") != 0) {
 		skdebug(__func__, "self-attested credential");
 		if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
 			skdebug(__func__, "fido_cred_verify_self: %s",
 			    fido_strerr(r));
 			goto out;
 		}
+	} else {
+		skdebug(__func__, "no attestation data");
 	}
 	if ((response = calloc(1, sizeof(*response))) == NULL) {
 		skdebug(__func__, "calloc response failed");

Original file line number	Diff line number	Diff line change
`@@ -961,13 +961,15 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,`
`961`	`961`	`fido_strerr(r));`
`962`	`962`	`goto out;`
`963`	`963`	`}`
`964`		`- } else {`
	`964`	`+ } else if (strcmp(fido_cred_fmt(cred), "none") != 0) {`
`965`	`965`	`skdebug(__func__, "self-attested credential");`
`966`	`966`	`if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {`
`967`	`967`	`skdebug(__func__, "fido_cred_verify_self: %s",`
`968`	`968`	`fido_strerr(r));`
`969`	`969`	`goto out;`
`970`	`970`	`}`
	`971`	`+ } else {`
	`972`	`+ skdebug(__func__, "no attestation data");`
`971`	`973`	`}`
`972`	`974`	`if ((response = calloc(1, sizeof(*response))) == NULL) {`
`973`	`975`	`skdebug(__func__, "calloc response failed");`