Yubico Forum ...visit our web-store at 2015-02-06T16:00:53+01:00 https://forum.yubico.com/feed.php?f=26&t=1601 2015-02-06T16:00:17+01:00 2015-02-06T16:00:17+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6838#p6838 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]>
Brendan

Statistics: Posted by brendanhoar — Fri Feb 06, 2015 4:00 pm

]]> 2015-02-06T16:00:53+01:00 2015-02-06T13:34:06+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6837#p6837 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> dain wrote:

The new version (0.1.10) of the Android app has been released and pushed to the Play store. I'll now consider my work on the topic completed.


UPDATE: nevermind, fixed in 0.1.11 (I'd been testing 0.1.10). You can ignore the report below.

Dain - 0.1.0 seems to be crashing on my Samsung Galaxy S5 whenever it (successfully?) reads the Neo. I've sent in the crash report via the automated system. Luckily I also kept the credential I needed in slot 2 for YubiTOTP use. Here's a manual excerpt:

Exception class name
java.lang.ClassCastException

Source file
SharePreferencesImpl.java

Source Class
android.app.SharePreferencesImpl

Source method
getStringSet

Line number
232

beginning of stack trace (perhaps some typos in my transcription)
java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Set at android.app.SharedPreferencesImpl.getStringSet(SharedPreferencesImpl.java:232) at com.yubico.yubioath.c.a.a(Unknown Source) at com.yubico.yubioath.c.b.a(Unknown Source) at com.yubico.yubioath.c.b.<init>(Unknown Source) at com.yubico.yubioath.MainActivity.onNewIntenet...

Brendan

Statistics: Posted by brendanhoar — Fri Feb 06, 2015 1:34 pm

]]> 2015-02-05T14:05:14+01:00 2015-02-05T14:05:14+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6832#p6832 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> Statistics: Posted by dain — Thu Feb 05, 2015 2:05 pm

]]> 2015-02-05T13:44:29+01:00 2015-02-05T13:44:29+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6831#p6831 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]>
The second makes a start at making the --disable-systray code path actually work. Now authentication does work. It'll crash on seeing the non-existend "send_message()" function if anything goes wrong, and the main window doesn't actually do anything useful either. But it's a start...

Statistics: Posted by dwmw2 — Thu Feb 05, 2015 1:44 pm

]]> 2015-02-05T12:39:58+01:00 2015-02-05T12:39:58+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6829#p6829 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> https://github.com/Yubico/yubioath-desktop/pull/18

This fixes the password handling, at least. Now I can authenticate. I do have to use systray mode because the --disable-systray mode crashes on asking for a password. as shown above. And in systray mode, it took me a long time to work out that although clicking on the icon in the systray does nothing, I can right-click and choose 'Show Code' from the resulting menu.

And it still breaks when anything *else* talks to the Yubikey while it's running.

Statistics: Posted by dwmw2 — Thu Feb 05, 2015 12:39 pm

]]> 2015-02-05T12:05:19+01:00 2015-02-05T12:05:19+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6828#p6828 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> Tom2 wrote:

a minor patch for the Yubico Authenticator Desktop version should fix the systray bug.
https://github.com/Yubico/yubioath-desktop

Test it out if you can.

Thanks!


I'm not sure what the systray bug is but this version still isn't working at all once a password is set.

Code:

$ python yubico_authenticator.py   --disable-systray
list of readers
<function readers at 0x7f857cfd8320>
using reader
Yubico Yubikey NEO CCID 00 00
Traceback (most recent call last):
  File "yubico_authenticator.py", line 232, in <module>
    password, ok = QtGui.QInputDialog.getText(self, "Password", "Password:", QtGui.QLineEdit.Password)
NameError: name 'self' is not defined
Exception AttributeError: AttributeError("'NoneType' object has no attribute 'disconnect'",) in <bound method PCSCCardConnection.__del__ of <smartcard.pcsc.PCSCCardConnection.PCSCCardConnection object at 0x7f857cfdee90>> ignored


And given that my password is still the pre-KitKat rendering of "naïve ♡" I doubt it was going to work even if it *did* manage to prompt me for the password without crashing :)

Statistics: Posted by dwmw2 — Thu Feb 05, 2015 12:05 pm

]]> 2015-02-05T11:42:01+01:00 2015-02-05T11:42:01+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6827#p6827 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> https://github.com/Yubico/yubioath-desktop

Test it out if you can.

Thanks!

Statistics: Posted by Tom2 — Thu Feb 05, 2015 11:42 am

]]> 2015-02-04T14:20:06+01:00 2015-02-04T14:20:06+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6815#p6815 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> dain wrote:

Diff available here: https://github.com/Yubico/yubioath-andr ... bbf095d8de


That looks sane to me.

Statistics: Posted by dwmw2 — Wed Feb 04, 2015 2:20 pm

]]> 2015-02-04T14:06:07+01:00 2015-02-04T14:06:07+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6814#p6814 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> http://git.infradead.org/users/dwmw2/op ... ff/9a7acca

Statistics: Posted by dwmw2 — Wed Feb 04, 2015 2:06 pm

]]> 2015-02-04T11:44:04+01:00 2015-02-04T11:44:04+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6810#p6810 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> https://github.com/Yubico/yubioath-andr ... bbf095d8de

I'm going to do some more testing after lunch, but so far it seems to do the trick.

Statistics: Posted by dain — Wed Feb 04, 2015 11:44 am

]]> 2015-02-04T11:21:24+01:00 2015-02-04T11:21:24+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6809#p6809 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]>
I can also interoperate with the older Android. I tried setting a password of "¿", which in UTF-8 is bytes c2 bf. The way to get the older Android to use those bytes is to tell it the password is U+00C2 U+00BF, or "¿". As long as I actually type those correctly (unlike in the original, unedited version of this post), that works too.

So I think I'm going to modify the OpenConnect code so that if authentication fails, *and* if the passphrase has non-ASCII characters in it, it'll try the low 8 bits of each character as the old Android does.

My recommendation would be to make the Android app do the same. On KK that means trying the old PBKDF2WithHmacSHA1And8bit function to authenticate, if PBKDF2WithHmacSHA1 fails.

On older Android, you actually want to *start* by converting the UTF-8 byte representation of your passphrase from ISO8859-1, as described above, and using *that* as the input to the broken PBKDF2WithHmacSHA1. Which is just working around the brokenness that's fixed in KK. Use that when setting passphrases, and for the first attempt at authenticating. If authenticating with that fails, *then* just pass the original passphrase to the broken PBKDF2WithHmacSHA1 and try that.

Statistics: Posted by dwmw2 — Wed Feb 04, 2015 11:21 am

]]> 2015-02-04T10:38:15+01:00 2015-02-04T10:38:15+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6808#p6808 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]>
It sounds like the workaround for older Android is to take each byte of the UTF-8 byte stream and treat it as a Unicode code point (which is basically the same as converting from ISO8859-1), then use *that* as the input to the broken PBKDF2WithHmacSHA1 function.

So if you start with a passphrase of "naïve ♥", that looks like this in UTF-8:
6e 61 c3 af 76 65 20 e2 99 a5

If you interpret those bytes as ISO8859-1, you get
U+006E U+0061 U+00C3 U+00AF U+0076 …
or "naïve â¥".

That string, if passed to the broken PBKDF2WithHmacSHA1 function, should generate the correct result. AIUI.

That assumes you want to switch to using the sane representation, of course. Since Android already switched its default PBKDF2WithHmacSHA1, you already *have* a compatibility problem, with passphrases set on KK doing one thing and older versions another. I suspect you might do best to *try* both for unlocking, and always use the fixed version when setting a passphrase.

Statistics: Posted by dwmw2 — Wed Feb 04, 2015 10:38 am

]]> 2015-02-04T10:06:10+01:00 2015-02-04T10:06:10+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6807#p6807 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> http://android-developers.blogspot.se/2013/12/changes-to-secretkeyfactory-api-in.html

According to the link, it should correctly handle unicode characters in passwords in 4.4 (KitKat) and later. Can you confirm that you're running an older version of Android (otherwise my theory goes out the window)?

Statistics: Posted by dain — Wed Feb 04, 2015 10:06 am

]]> 2014-11-24T17:22:58+01:00 2014-11-24T17:22:58+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6339#p6339 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]>
That just leaves the crash when prompting for password, and the misbehaviour of the Android app.

Oh, and the fact that you need to call SCardBeginTransaction() / SCardEndTransaction(), and reselect the ykneo-oath applet, each time you talk to the device. Currently if anything else talks to the Yubikey the yubico-authenticator app stops working.

Statistics: Posted by dwmw2 — Mon Nov 24, 2014 5:22 pm

]]> 2014-11-24T11:38:42+01:00 2014-11-24T11:38:42+01:00 https://forum.yubico.com/viewtopic.php?t=1601&p=6333#p6333 <![CDATA[Re: [BUG] YubiOATH password handling is broken and inconsist]]> https://github.com/Yubico/yubioath-desktop

Statistics: Posted by Tom — Mon Nov 24, 2014 11:38 am

]]>