Re: [ATTN MAINTAINER] openssh
Corinna Vinschen via Cygwin-apps writes: > On Nov 28 10:53, Achim Gratz wrote: >> Achim Gratz writes: >> > These patches work for 32bit also and I believe they are correct, but >> > that build should not be made available due to a bug in libfido2 that >> > crashes when trying to free the memory associated with the WebAuthn >> > payload returned. Without these patches applied you can still use the >> > fallback to USB-HID when you are an administrator. >> >> The call into WebAuthn completely messes up the stack apparently. The >> returned object looks OK once you realize it is a version 1 and thus the >> extension fields are bogus, but the whole thing crashes if you do just >> one more call. Gdb session: >> >> https://paste.c-net.org/SerumLoser >> >> Any ideas what that might be? > > For the bystanders, on a hunch I created a libfido2 patch to change > the calling convention for the dynamically loaded windows functions. > Let's see if Achim's testing now succeeds on 32 bit... It does, your hunches are _that_ good. :-) So, once the new libfido2 hits the release area you can pull in the OpenSSH patches and re-release that to take advantage of the now correctly working Webauthn suppport. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Factory and User Sound Singles for Waldorf Q+, Q and microQ: http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
Re: [ATTN MAINTAINER] openssh
On Nov 28 10:53, Achim Gratz wrote: > Achim Gratz writes: > > These patches work for 32bit also and I believe they are correct, but > > that build should not be made available due to a bug in libfido2 that > > crashes when trying to free the memory associated with the WebAuthn > > payload returned. Without these patches applied you can still use the > > fallback to USB-HID when you are an administrator. > > The call into WebAuthn completely messes up the stack apparently. The > returned object looks OK once you realize it is a version 1 and thus the > extension fields are bogus, but the whole thing crashes if you do just > one more call. Gdb session: > > https://paste.c-net.org/SerumLoser > > Any ideas what that might be? For the bystanders, on a hunch I created a libfido2 patch to change the calling convention for the dynamically loaded windows functions. Let's see if Achim's testing now succeeds on 32 bit... Corinna
Re: [ATTN MAINTAINER] openssh
Achim Gratz writes: > These patches work for 32bit also and I believe they are correct, but > that build should not be made available due to a bug in libfido2 that > crashes when trying to free the memory associated with the WebAuthn > payload returned. Without these patches applied you can still use the > fallback to USB-HID when you are an administrator. The call into WebAuthn completely messes up the stack apparently. The returned object looks OK once you realize it is a version 1 and thus the extension fields are bogus, but the whole thing crashes if you do just one more call. Gdb session: https://paste.c-net.org/SerumLoser Any ideas what that might be? Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Wavetables for the Waldorf Blofeld: http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
[ATTN MAINTAINER] openssh
Here are my fixes to make transparent WebAuthn through libfido2 work w/ OpenSSH. This is required for Win10 from release 1909; the access to USB-HID is since restricted to users with administrative privileges: https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/playground.git;a=shortlog;h=refs/heads/openssh The changes switch to a newer API available from libfido2 that is required for WebAuthn support (which needs the unhashed data instead of the SH256 like the actual FIDO2-Token), make that protocol the preferred one (so that WebAuthn is always used when available w/o being dependent on the order of the device enumeration) and lastly prevent some extra (optional) PIN prompts from WinHello that do not happen when using the USB-HID interface either. The PIN patches were inspired by an OpensSSH-portable fork that seems to be maintened by some folks who also work on libfido, although they seem to have missed a few spots and I opted for slightly different patches. The use of the new API is properly wired into the configury. Unfortunately libfido2 does not provide a way to determine if WebAuthn support has been compiled in (the one exposed function is a predicate that always returns false on builds that do not use WebAuthn), so I'm currently using a heuristic that eventually should be replaced by a configure option. Also, it would probably be a good idea to decide at runtime whether to use WebAuthn or not (maybe via an environment or config variable). These patches work for 32bit also and I believe they are correct, but that build should not be made available due to a bug in libfido2 that crashes when trying to free the memory associated with the WebAuthn payload returned. Without these patches applied you can still use the fallback to USB-HID when you are an administrator. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptations for KORG EX-800 and Poly-800MkII V0.9: http://Synth.Stromeko.net/Downloads.html#KorgSDada