===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-pkcs11.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- src/usr.bin/ssh/ssh-pkcs11.c 2015/07/18 08:00:21 1.20
+++ src/usr.bin/ssh/ssh-pkcs11.c 2015/07/18 08:02:17 1.21
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.20 2015/07/18 08:00:21 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.21 2015/07/18 08:02:17 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl. All rights reserved.
 *
@@ -470,15 +470,23 @@
 error("C_GetAttributeValue failed: %lu", rv);
 continue;
 }
- /* check that none of the attributes are zero length */
- if (attribs[0].ulValueLen == 0 ||
- attribs[1].ulValueLen == 0 ||
+ /*
+ * Allow CKA_ID (always first attribute) to be empty, but
+ * ensure that none of the others are zero length.
+ * XXX assumes CKA_ID is always first.
+ */
+ if (attribs[1].ulValueLen == 0 ||
 attribs[2].ulValueLen == 0) {
 continue;
 }
 /* allocate buffers for attributes */
- for (i = 0; i < 3; i++)
- attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
+ for (i = 0; i < 3; i++) {
+ if (attribs[i].ulValueLen > 0) {
+ attribs[i].pValue = xmalloc(
+ attribs[i].ulValueLen);
+ }
+ }
+
 /*
 * retrieve ID, modulus and public exponent of RSA key,
 * or ID, subject and value for certificates.
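Review bot: With an empty CKA_ID now accepted, attribs[0] leaves the allocation loop with ulValueLen == 0 and pValue untouched, so everything after this hunk that fills, copies or frees the attributes has to tolerate a zero-length ID. The new guard around xmalloc suggests a zero-size request is not acceptable there; any later copy of the key ID that allocates from attribs[0].ulValueLen would need the same `if (len > 0)` guard, and pValue should be known to be NULL on the skipped path (for example `else attribs[i].pValue = NULL;` in the loop) before cleanup touches it. Those consumers are outside the hunk, so this needs confirming against the rest of the function. Since the relaxation rests entirely on the ordering noted in `XXX assumes CKA_ID is always first`, checking `attribs[0].type == CKA_ID` before skipping the length test would turn that assumption into an enforced condition.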