author: Yicheng Li <yichengli@chromium.org> 2020-07-16 14:02:47 -0700
committer: Commit Bot <commit-bot@chromium.org> 2020-07-21 00:25:25 +0000
commit: 2a50e993189539323b6d54a97482524f01cc7347
tree: cb481c2276d63740ded713d6cc59909ae461a344
parent: c870cf3dbe00e887ffc816c9345818b530192d09
u2f: Correct versioned key handle offset error
To reuse u2f_origin_user_keypair(), u2f_sign extracts the key handle bytes from versioned and non-versioned requests according to the format. In the versioned path the code incorrectly uses the non-versioned struct to extract the key handle bytes, which would result in wrong private key and thus non-verifiable signature in WebAuthn on version 1 key handles. Both the bug and the fix do not affect the non-versioned path.

BUG=b:144861739
TEST=Added debug statements to verify that u2f_generate and u2f_sign arrive at the same private key. With the previous buggy code they get different private key.

Signed-off-by: Yicheng Li <yichengli@chromium.org>
Change-Id: If79daeff98b01d050fcdc8dd69c809c184e6abb3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2303278
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Andrey Pronin <apronin@chromium.org>
-rw-r--r-- common/u2f.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/common/u2f.c b/common/u2f.c
index 27e1685696..eaeb38b08c 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -339,7 +339,7 @@ static enum vendor_cmd_rc u2f_sign(enum vendor_cmd_cc code, void *buf,
&req->keyHandle, &kh_owned);
} else if (input_size == sizeof(struct u2f_sign_versioned_req)) {
version = req_versioned->keyHandle.version;
- key_handle = (uint8_t *)&req->keyHandle;
+ key_handle = (uint8_t *)&req_versioned->keyHandle;
hash = req_versioned->hash;
flags = req_versioned->flags;
kh_size = sizeof(struct u2f_versioned_key_handle);
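Review bot: in the versioned branch, key_handle and kh_size are still derived from two independent sources, the cast of &req_versioned->keyHandle and, three lines later, sizeof(struct u2f_versioned_key_handle), which is the same pattern that let the wrong struct go unnoticed here. Consider writing kh_size = sizeof(req_versioned->keyHandle) directly next to the key_handle assignment, so the pointer and the length come from the same member and cannot drift apart. The TEST= line relies on temporary debug statements; a regression test that generates a version 1 key handle and then checks that the u2f_sign output verifies against the public key returned at generation would catch this kind of offset error without manual inspection.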