Re: [PATCH] Early request for comments: U2F authentication

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



I’ve spent some time (together with Christian and Thomas) hacking on
U2F support in OpenSSH, and I’m happy to provide a first patch — it’s
not complete, but it should be good enough to get the discussion going
:). Please see the two attached files for the patch.

This is great - I'm looking forward to it! :)

I've implemented U2F into another (C-based) application these days. While searching for some relevant OpenSSL-specific "help" I stumbled upon your OpenSSH patch.
I think there's a small bug:

+	if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {
+		ERR_error_string(ERR_get_error(), errorbuf);
+		fatal("EVP_VerifyInit() failed: %s (reason: %s)",
+				errorbuf, ERR_reason_error_string(err));

You should use "EVP_sha256()" instead of "EVP_ecdsa()" here (we have a ECDSA signature on the SHA256 hash)

+	if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) {
+		ERR_error_string(ERR_get_error(), errorbuf);
+		error("Verifying the U2F registration signature failed: %s (reason: %s)",
+				errorbuf, ERR_reason_error_string(err));
+		goto out;
+	}

You test EVP_VerifyFinal() only against "-1". This catches OpenSSL library errors and such. But if the signature check itself fails, you get "0". So, the only valid result here should be "1".

When you change EVP_ecdsa() to EVP_sha256() above, EVP_VerifyFinal() should return "1" on valid data.


Best regards

   -Klaus
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev





[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux