From a70d92f236576c032a45c39e68ca0d71e958d19d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 19 Nov 2019 22:23:19 +0000 Subject: upstream: adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679 --- PROTOCOL.u2f | 13 ++++++++----- ssh-ecdsa-sk.c | 10 +++++----- ssh-sk.c | 10 +++++----- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 7b1049c3e..4e3896419 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -175,15 +175,18 @@ The signature returned from U2F hardware takes the following format: For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 format data in the pre-authentication attack surface. Therefore, the signature format used on the wire in SSH2_USERAUTH_REQUEST packets will -be reformatted slightly and the ecdsa_signature_blob value has the encoding: +be reformatted to better match the existing signature encoding: - mpint r - mpint s + string "sk-ecdsa-sha2-nistp256@openssh.com" + string ecdsa_signature byte flags uint32 counter -Where 'r' and 's' are extracted by the client or token middleware from the -ecdsa_signature field returned from the hardware. +Where the "ecdsa_signature" field follows the RFC5656 ECDSA signature +encoding: + + mpint r + mpint s For Ed25519 keys the signature is encoded as: diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c index 355924657..7bdecd584 100644 --- a/ssh-ecdsa-sk.c +++ b/ssh-ecdsa-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa-sk.c,v 1.1 2019/10/31 21:15:14 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa-sk.c,v 1.2 2019/11/19 22:23:19 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -77,7 +77,9 @@ ssh_ecdsa_sk_verify(const struct sshkey *key, if ((b = sshbuf_from(signature, signaturelen)) == NULL) return SSH_ERR_ALLOC_FAIL; if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || - sshbuf_froms(b, &sigbuf) != 0) { + sshbuf_froms(b, &sigbuf) != 0 || + sshbuf_get_u8(b, &sig_flags) != 0 || + sshbuf_get_u32(b, &sig_counter) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } @@ -92,9 +94,7 @@ ssh_ecdsa_sk_verify(const struct sshkey *key, /* parse signature */ if (sshbuf_get_bignum2(sigbuf, &sig_r) != 0 || - sshbuf_get_bignum2(sigbuf, &sig_s) != 0 || - sshbuf_get_u8(sigbuf, &sig_flags) != 0 || - sshbuf_get_u32(sigbuf, &sig_counter) != 0) { + sshbuf_get_bignum2(sigbuf, &sig_s) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } diff --git a/ssh-sk.c b/ssh-sk.c index df2f040ef..2b25c42ff 100644 --- a/ssh-sk.c +++ b/ssh-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.15 2019/11/18 16:08:57 naddy Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.16 2019/11/19 22:23:19 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -411,13 +411,13 @@ sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) if ((r = sshbuf_put_bignum2_bytes(inner_sig, resp->sig_r, resp->sig_r_len)) != 0 || (r = sshbuf_put_bignum2_bytes(inner_sig, - resp->sig_s, resp->sig_s_len)) != 0 || - (r = sshbuf_put_u8(inner_sig, resp->flags)) != 0 || - (r = sshbuf_put_u32(inner_sig, resp->counter)) != 0) { + resp->sig_s, resp->sig_s_len)) != 0) { debug("%s: buffer error: %s", __func__, ssh_err(r)); goto out; } - if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0) { + if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0 || + (r = sshbuf_put_u8(sig, resp->flags)) != 0 || + (r = sshbuf_put_u32(sig, resp->counter)) != 0) { debug("%s: buffer error: %s", __func__, ssh_err(r)); goto out; } -- cgit v1.2.3