author | djm@openbsd.org <djm@openbsd.org> | 2019-11-19 22:23:19 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-20 09:27:29 +1100 |
commit | a70d92f236576c032a45c39e68ca0d71e958d19d (patch) | |
tree | 400d69ea26ab873458581f682a0a24e85bbac442 | |
parent | 26369a5f7d9c4e4ef44a3e04910126e1bcea43d8 (diff) |
upstream: adjust on-wire signature encoding for ecdsa-sk keys to
better match ed25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you
update both your clients and servers.
OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
-rw-r--r-- | PROTOCOL.u2f | 13 | ||||
-rw-r--r-- | ssh-ecdsa-sk.c | 10 | ||||
-rw-r--r-- | ssh-sk.c | 10 |
3 files changed, 18 insertions, 15 deletions
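--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -175,15 +175,18 @@ The signature returned from U2F hardware takes the following format:
 For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1
 format data in the pre-authentication attack surface. Therefore, the
 signature format used on the wire in SSH2_USERAUTH_REQUEST packets will
-be reformatted slightly and the ecdsa_signature_blob value has the encoding:
+be reformatted to better match the existing signature encoding:
 
-mpint r
-mpint s
+string "sk-ecdsa-sha2-nistp256@openssh.com"
+string ecdsa_signature
 byte flags
 uint32 counter
 
-Where 'r' and 's' are extracted by the client or token middleware from the
-ecdsa_signature field returned from the hardware.
+Where the "ecdsa_signature" field follows the RFC5656 ECDSA signature
+encoding:
+
+mpint r
+mpint s
 
 For Ed25519 keys the signature is encoded as:
 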
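--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa-sk.c,v 1.1 2019/10/31 21:15:14 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa-sk.c,v 1.2 2019/11/19 22:23:19 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -77,7 +77,9 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 if ((b = sshbuf_from(signature, signaturelen)) == NULL)
 return SSH_ERR_ALLOC_FAIL;
 if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
-sshbuf_froms(b, &sigbuf) != 0) {
+sshbuf_froms(b, &sigbuf) != 0 ||
+sshbuf_get_u8(b, &sig_flags) != 0 ||
+sshbuf_get_u32(b, &sig_counter) != 0) {
 ret = SSH_ERR_INVALID_FORMAT;
 goto out;
 }
@@ -92,9 +94,7 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 
 /* parse signature */
 if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 ||
-sshbuf_get_bignum2(sigbuf, &sig_s) != 0 ||
-sshbuf_get_u8(sigbuf, &sig_flags) != 0 ||
-sshbuf_get_u32(sigbuf, &sig_counter) != 0) {
+sshbuf_get_bignum2(sigbuf, &sig_s) != 0) {
 ret = SSH_ERR_INVALID_FORMAT;
 goto out;
 }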
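Review bot: With flags and counter now read from the outer buffer `b` (new lines 81-82) and only `r` and `s` left in `sigbuf` (new lines 96-97), the strictness of this pre-authentication parser depends on both buffers being checked for leftover bytes, and neither check is visible in these hunks. If the surrounding code does not already do so, reject the signature when `sshbuf_len(b) != 0` after the counter or `sshbuf_len(sigbuf) != 0` after `s`, so that the verifier accepts exactly one encoding. A short comment above the first parse giving the layout from PROTOCOL.u2f, e.g. `/* string ktype, string ecdsa_signature (mpint r, mpint s), byte flags, uint32 counter */`, would also make the code easy to compare against the spec. ssh_ecdsa_sk_verify begins and ends outside the hunks, so the above should be confirmed against the full function.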
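--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.15 2019/11/18 16:08:57 naddy Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.16 2019/11/19 22:23:19 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -411,13 +411,13 @@ sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig)
 if ((r = sshbuf_put_bignum2_bytes(inner_sig,
 resp->sig_r, resp->sig_r_len)) != 0 ||
 (r = sshbuf_put_bignum2_bytes(inner_sig,
-resp->sig_s, resp->sig_s_len)) != 0 ||
-(r = sshbuf_put_u8(inner_sig, resp->flags)) != 0 ||
-(r = sshbuf_put_u32(inner_sig, resp->counter)) != 0) {
+resp->sig_s, resp->sig_s_len)) != 0) {
 debug("%s: buffer error: %s", __func__, ssh_err(r));
 goto out;
 }
-if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0) {
+if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0 ||
+(r = sshbuf_put_u8(sig, resp->flags)) != 0 ||
+(r = sshbuf_put_u32(sig, resp->counter)) != 0) {
 debug("%s: buffer error: %s", __func__, ssh_err(r));
 goto out;
 }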