Yubico Forum

Posted: Sun Feb 02, 2014 11:37 pm

Joined: Sun Feb 02, 2014 11:18 pm
Posts: 5
I'm trying to do something similar to this comment: viewtopic.php?f=16&t=1078. I'm writing C# code to send a challenge to the YubiKey and verify the response. I'm running the challenge through the System.Cryptography.HMACSHA1 class and comparing the response to the YubiKey's output. I've configured the YubiKey for a fixed 64 byte challenge to simplify things and it's almost working. The responses are identical except for the last 6 bytes from the YubiKey, which are always 0x00. I'm calling the YubiKey via the yk_challenge_response method of the ykpers library through PInvoke. Is there any reason this could be the desired behavior? I've looked over the yubikey-personalization code and I can't find any likely culprits. Thanks!



Posted: Mon Feb 03, 2014 10:02 am
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Do you get the same behaviour using the ykchalresp binary shipped with ykpers?
I'm not directly familiar with the PInvoke methods, but how are you invoking the yk_challenge_response() method?

/klas


Posted: Mon Feb 03, 2014 4:49 pm

Joined: Sun Feb 02, 2014 11:18 pm
Posts: 5
Good thought, I just checked and using the prebuilt binary the last 6 bytes are filled in properly. This strongly implies that I'm invoking the method improperly. I've declared the ykpers method as:

Code:
[DllImport("libykpers-1-1.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.Cdecl)]
public static extern int yk_challenge_response(IntPtr yk, byte yk_cmd, int may_block, uint challenge_len, byte[] challenge, uint response_len, byte[] response);


then calling it with

Code:
YubiWrapper.yk_challenge_response(yk, YubiWrapper.SLOT_CHAL_HMAC2, 1, 64, m_challenge, 20, m_response);


Does that look reasonable to you? I'll keep digging to see what I'm doing wrong. Thanks!


Posted: Mon Feb 03, 2014 5:01 pm

Joined: Sun Feb 02, 2014 11:18 pm
Posts: 5
So I just dug into this a bit deeper and I think I found the issue. In ykchalresp.c, the response buffer is set to 64 bytes in length. Making this change in the C# invocation causes the entire response to get stuffed into the first 20 bytes of the 64 byte buffer. I'm not sure whether or not this is a bug (maybe it's a consequence of the YubiKey's 64 byte buffer?), so I'd appreciate any input on why this is necessary.


Posted: Tue Feb 04, 2014 8:19 am
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Yes, you need a buffer of 40 bytes, for the following reasons:
Each feature report packet is 8 bytes, of which 7 bytes are payload, which means that a 32-byte buffer should be enough for HMAC-SHA1, but there is a two-byte CRC as well, which takes us into the next packet, so 40 bytes are needed for the response buffer.

Maybe this should be hidden from you by the library, but it isn't.

/klas
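
The fix this thread arrives at, as an added example (not code from either poster or from ykpers): pass an oversized response buffer, as the thread reports ykchalresp.c does, and compare only the first 20 bytes against a locally computed HMAC-SHA1. The class and method names, the shared `secret` and the sample data in `Main` are assumptions constructed for illustration; `yk` is assumed to be a key handle opened elsewhere.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

static class YubiChalResp
{
    const byte SLOT_CHAL_HMAC2 = 0x38;  // slot 2 HMAC command, as defined in ykpers' ykdef.h
    const int HmacLen = 20;             // HMAC-SHA1 digest size
    const int ResponseBufLen = 64;      // buffer size the thread reports for ykchalresp.c

    // Declaration as posted in the thread (CharSet omitted: no strings are marshalled).
    [DllImport("libykpers-1-1.dll", CallingConvention = CallingConvention.Cdecl)]
    static extern int yk_challenge_response(IntPtr yk, byte yk_cmd, int may_block,
        uint challenge_len, byte[] challenge, uint response_len, byte[] response);

    // yk: handle to an already opened key (assumption: obtained elsewhere).
    public static byte[] QueryKey(IntPtr yk, byte[] challenge)
    {
        var raw = new byte[ResponseBufLen];  // oversized, not 20
        if (yk_challenge_response(yk, SLOT_CHAL_HMAC2, 1,
                (uint)challenge.Length, challenge, (uint)raw.Length, raw) == 0)
            throw new InvalidOperationException("yk_challenge_response failed");
        return raw;
    }

    // Checks the first 20 bytes of the raw buffer against the expected HMAC,
    // accumulating differences so the loop never exits early.
    public static bool Verify(byte[] secret, byte[] challenge, byte[] raw)
    {
        if (raw == null || raw.Length < HmacLen) return false;
        using (var hmac = new HMACSHA1(secret))
        {
            byte[] expected = hmac.ComputeHash(challenge);
            int diff = 0;
            for (int i = 0; i < HmacLen; i++) diff |= expected[i] ^ raw[i];
            return diff == 0;
        }
    }

    static void Main()
    {
        // Constructed sample data; this part needs no hardware.
        byte[] secret = new byte[20], challenge = new byte[64];
        for (int i = 0; i < 20; i++) secret[i] = (byte)(0xA0 + i);
        for (int i = 0; i < 64; i++) challenge[i] = (byte)i;
        byte[] good = new byte[ResponseBufLen];
        using (var h = new HMACSHA1(secret)) h.ComputeHash(challenge).CopyTo(good, 0);
        byte[] truncated = (byte[])good.Clone();
        Array.Clear(truncated, 14, 50);  // symptom from the thread: bytes 14..19 are 0x00
        Console.WriteLine("full response verifies: " + Verify(secret, challenge, good));
        Console.WriteLine("truncated response verifies: " + Verify(secret, challenge, truncated));
    }
}
```

`Main` exercises only `Verify`, first with a complete simulated response and then with one whose last 6 digest bytes are zeroed, which is the failure the first post describes.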

