On Mon, Aug 04, 2014 at 03:21:23PM +0000, Viktor Dukhovni wrote:
> On Mon, Aug 04, 2014 at 05:43:47AM +0000, Mitra, Rituparna (STSD) wrote:
> 
> > 1. app1: sends a CGI POST request to app2 - the POST request has the
> > UN (username).
> > 
> > 2. app2: does a CGI GET to receive the UN within app1's POST request.
> > 
> > 3. app2: has app1's x509 certificate already stored, since it has to
> > allow SSO from app1 - gets verification ctx from here.
> > 
> > 4. app2: uses the UN (containing ! character) to form a hashdata,
> > 
> > 5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
> > 
> > 6. app2: calls EVP_VerifyFinal -- this eventually fails during public
> > key check (EVP_PKEY_verify), due to the ! character in UN
> 
> Sorry, that's not the reason.  Your mistake is elsewhere.  In
> particular the signature is likely incorrect or signed something
> other than what you expected.

Another possibility is that the signature happens to contain a NUL
byte when the input is "!test", and the code is not correctly
processing strings with embedded NUL bytes.  (Even if that is the
problem, the SSO design is still wrong).

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
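The embedded-NUL failure mode Viktor raises, shown as an added C illustration that is not code from the thread or from OpenSSL: the signature bytes are constructed for the example, and `verify_sig` stands in for EVP_VerifyFinal(), which takes the same (sig, siglen) pair.

```c
/* Added example: a DER/PKCS#1 signature is binary and may contain 0x00
 * bytes, so its length must be carried explicitly (the siglen that
 * EVP_SignFinal() wrote) rather than recomputed with strlen(). */
#include <stddef.h>
#include <string.h>

/* Constructed "signature" with a NUL byte in position 1 (not a real one). */
static const unsigned char EXPECTED_SIG[] = {0x7a, 0x00, 0x1f, 0xc3, 0x42, 0x9e};
#define EXPECTED_SIG_LEN (sizeof EXPECTED_SIG)

/* Stand-in for EVP_VerifyFinal(): same (sig, siglen) convention.
 * Returns 1 only when the complete signature is presented. */
int verify_sig(const unsigned char *sig, unsigned int siglen) {
    if (siglen != EXPECTED_SIG_LEN)
        return 0;
    return memcmp(sig, EXPECTED_SIG, siglen) == 0;
}

/* Buggy caller: treats the binary signature as a C string, so strlen()
 * stops at the first 0x00 and only a prefix reaches the verifier. */
int verify_as_cstring(const unsigned char *sig) {
    return verify_sig(sig, (unsigned int)strlen((const char *)sig));
}

/* Correct caller: passes the length that was produced alongside the
 * signature (or decoded from the transport encoding, e.g. base64). */
int verify_with_length(const unsigned char *sig, size_t siglen) {
    return verify_sig(sig, (unsigned int)siglen);
}

/* Diagnostic for the case in the thread: does a signature buffer contain
 * a NUL before its declared end? If so, any strlen()-based path is broken. */
int has_embedded_nul(const unsigned char *buf, size_t len) {
    return memchr(buf, 0, len) != NULL;
}
```

The same check applies to the username and hashdata: if either is passed through a C-string API, the bytes that reach EVP_VerifyUpdate() must be exactly the bytes the signer hashed.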