Thanks for the demo program, that helps. Turns out the OpenSSL version I was using was too old, and when upgrading to 1.0.1j, your suggestion (and demo program) work fine. I’ve attached a patch to fix my code.

On Mon, Dec 15, 2014 at 2:23 PM, Klaus Keppler <kk@xxxxxxxxxxxxx> wrote:
>
>> If I do that, EVP_VerifyFinal() will result in EVP_R_WRONG_PUBLIC_KEY_TYPE.
>>
>
> This is strange... I don't get any error here, though I use the (same?)
> ECDSA public key from the attestation certificate (using OpenSSL 1.0.1i,
> but that shouldn't matter).
>
>> Looking at the OpenSSL source, I can see that in crypto/evp/m_sha1.c, the
>> sha* digests are defined with EVP_PKEY_RSA_method, which requires an RSA
>> publickey, but we have an ECDSA publickey. The only digest working with
>> ECDSA publickeys is crypto/evp/m_ecdsa.c AFAICT.
>>
>
> Both EVP_PKEY_RSA_method and EVP_PKEY_ECDSA_method are #defined there as
> "EVP_PKEY_NULL_method". (don't ask me why... I don't understand most of
> that macro mess...)
>
>> Unfortunately not. Could you share the code that you have please? Or is it
>> not yet working?
>>
>
> Voila: https://github.com/keppler/fido-u2f/blob/master/fido-example.c
> It uses the example messages from the official specs, so should be easy to
> reproduce.
>
> If I'm wrong at any point there, please let me know.
>
> Best regards
>
> -Klaus
>

From b569b35ee5a328507bc07fc760978983241511c7 Mon Sep 17 00:00:00 2001 From: Michael Stapelberg <michael@xxxxxxxxxxxxx> Date: Fri, 19 Dec 2014 09:45:16 +0100 Subject: [PATCH] Bugfix: use EVP_sha256(), properly check verification result (Thanks Klaus Keppler) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Note that this requires a recent version of openssl. The one that Apple ships with OS X Yosemite is too old (“OpenSSL 0.9.8za 5 Jun 2014”). I’ve successfully tested it with OpenSSL 1.0.1j --- auth-u2f.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/auth-u2f.c b/auth-u2f.c index 07b8523..9830f37 100644 --- a/auth-u2f.c +++ b/auth-u2f.c @@ -375,7 +375,7 @@ input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt) cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, BASE64_DECODED_SIZE(strlen(clientdata))); pkey = X509_get_pubkey(x509); - if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) { + if ((err = EVP_VerifyInit(&mdctx, EVP_sha256())) != 1) { ERR_error_string(ERR_get_error(), errorbuf); fatal("EVP_VerifyInit() failed: %s (reason: %s)", errorbuf, ERR_reason_error_string(err)); 
@@ -388,10 +388,15 @@ input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt) EVP_VerifyUpdate(&mdctx, keyhandle, khlen); EVP_VerifyUpdate(&mdctx, pubkey, U2F_PUBKEY_LEN); - if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) { - ERR_error_string(ERR_get_error(), errorbuf); - error("Verifying the U2F registration signature failed: %s (reason: %s)", - errorbuf, ERR_reason_error_string(err)); + err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey); + if (err == 0) { + error("Verifying the U2F registration signature failed: invalid signature"); + goto out; + } else if (err == -1) { + long e = ERR_get_error(); + ERR_error_string(e, errorbuf); + error("Verifying the U2F registration signature failed: %s (raw %lu) (reason: %s)", + errorbuf, e, ERR_reason_error_string(err)); goto out; } -- 2.2.1
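
Review bot: in the first hunk (the EVP_VerifyInit() call), the switch to EVP_sha256() carries an OpenSSL version dependency that only the commit message records (0.9.8za is too old, 1.0.1j was tested); a short comment at the call, or a build-time version check, would keep that visible to whoever hits the failure on an older library. The unchanged fatal() call in the same hunk also passes `err`, the return value of EVP_VerifyInit(), to ERR_reason_error_string(), which expects the code returned by ERR_get_error(); fetch that code once into a variable and use it for both strings.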
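
Review bot: in the second hunk (the EVP_VerifyFinal() call), the `err == -1` branch still passes `err` to ERR_reason_error_string(), so the "reason" text is looked up for -1 instead of for the queued error code; pass `e` there. `e` is declared `long` but printed with `%lu`, and ERR_get_error() returns `unsigned long`, so declare it `unsigned long e`. It would also be tighter to structure the check as `err != 1`, with the error-queue lookup done only when `err == -1`, so that the code continues past this point only on the one documented success value.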
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev