Potential Client Bug? (maybe)


Status
Not open for further replies.

josecgomez

Well-known member
Aug 6, 2018
137
35
@Steve I tried to post this to the newsgroup but I guess it's whitelisted? Anyway, I'm re-posting here; hopefully it gets to you (or someone) who can help.

I have implemented the server-side SQRL protocol by using @TechLiam's SQRL For Net middleware for .NET Core, and that works amazingly great. However, once I have deployed my server to a Linux subsystem using .NET Core I am running into a bizarre bug with GRC's client (I think).

Below I am going to describe the interaction I'm seeing from both the server and Steve's client (via Fiddler requests that I've captured), and I will do my best to explain what I think the issue is. I would really appreciate some feedback on this. I have worked with TechLiam on Slack and he and I both think it appears to be a client-side bug, though it only seems to manifest if the server is running on Linux.

Server generates and presents a SQRL link:
sqrl://localhost:44323/login-sqrl?nut=ODU3NmZjODIxZTg4NGJiNTllMDE2NDM5N2FmYTUyNjM&can=aHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjM

Clicking on this link brings up Steve's client and I enter my password.
CPS kicks in at localhost:25519
GET /c3FybDovL2xvY2FsaG9zdDo0NDMyMy9sb2dpbi1zcXJsP251dD1PRFUzTm1aak9ESXhaVGc0TkdKaU5UbGxNREUyTkRNNU4yRm1ZVFV5TmpNJmNhbj1hSFIwY0hNNkx5OXNiMk5oYkdodmMzUTZORFF6TWpN HTTP/1.1

Which per the spec is the base64-encoded nut and can (below):
sqrl://localhost:44323/login-sqrl?nut=ODU3NmZjODIxZTg4NGJiNTllMDE2NDM5N2FmYTUyNjM&can=aHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjM

Steve's Client Makes Query Request
-----------------
POST https://localhost:44323/login-sqrl?nut=ODU3NmZjODIxZTg4NGJiNTllMDE2NDM5N2FmYTUyNjM&can=aHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjM HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: GRC SQRL Client
Host: localhost:44323
Content-Length: 364

client=dmVyPTENCmNtZD1xdWVyeQ0KaWRrPXNIOXBTWFgyN1lnc182WDJiWkQ1SGhKWXRZaUFQZzlnYm9FV3A5V0xUZVkNCm9wdD1zdWsNCg&server=c3FybDovL2xvY2FsaG9zdDo0NDMyMy9sb2dpbi1zcXJsP251dD1PRFUzTm1aak9ESXhaVGc0TkdKaU5UbGxNREUyTkRNNU4yRm1ZVFV5TmpNJmNhbj1hSFIwY0hNNkx5OXNiMk5oYkdodmMzUTZORFF6TWpN&ids=fK8duK3_h1i4kBuMZed9zFSjDA9u-j4aMIRWoLnRCmnyAHWaNyhoPFOveHCSYg93M_ETm20g3ADPWTlWERxGCQ
---------------------

It receives back this response from the server:
dmVyPTEKbnV0PU5UTXhOemMwTURZeU9XRm1OR05pWW1JeE5UQTFZbUUwTXpFeE5qRmpOelkKdGlmPTAwMDAwMDA0CnFyeT0vbG9naW4tc3FybD9udXQ9TlRNeE56YzBNRFl5T1dGbU5HTmlZbUl4TlRBMVltRTBNekV4TmpGak56WQo

Again per the spec it is base64-encoded (decoded below for easier reading):
ver=1
nut=NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzY
tif=00000004
qry=/login-sqrl?nut=NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzY
-------------------------------------------------
Now here is where things break. Steve's client makes an ident call as follows:
------
POST https://localhost:44323/login-sqrl?nut=NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzYsqrl://localhost:44323 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: GRC SQRL Client
Host: localhost:44323
Content-Length: 513

client=dmVyPTENCmNtZD1pZGVudA0KaWRrPXNIOXBTWFgyN1lnc182WDJiWkQ1SGhKWXRZaUFQZzlnYm9FV3A5V0xUZVkNCnN1az1QcjFyVXZzbjFocGhkcDBJR3BUUjlfS01lODcyYVo3eVJDdnFGVGhsbUVnDQp2dWs9a2tZclJPakVvZDVzZ3BxNUdLdzFPcUt1OFZXS19qcFktNXhnR29mUkZ0WQ0Kb3B0PXN1aw0K&server=dmVyPTEKbnV0PU5UTXhOemMwTURZeU9XRm1OR05pWW1JeE5UQTFZbUUwTXpFeE5qRmpOelkKdGlmPTAwMDAwMDA0CnFyeT0vbG9naW4tc3FybD9udXQ9TlRNeE56YzBNRFl5T1dGbU5HTmlZbUl4TlRBMVltRTBNekV4TmpGak56WQo&ids=U6GQM0X6ItHNG5GpErDb_PCfkznSeHBpcDq_y_lWN_EW-mIg64GZev6jxDXmVgKiRovZTmnvMJLZOsf-KCXqAA
__________________
Notice in the URL it has (for some reason) appended
sqrl://localhost:44323 to the nut

This of course causes the server to blow up and yell that the nut is invalid.
This ONLY happens if the code is running on a Linux server via .NET Core; if I run the code in Windows the client behaves fine.

Maybe the issue is on the server, maybe it's on the client; it appears that the client arbitrarily appends that to the query string of the nut, but I'm not sure why.

Any ideas?

Below are all the Requests from both sides in order (if it helps)

Server:
GET https://localhost:44323/login-sqrl HTTP/1.1
Host: localhost:44323
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://localhost:44323/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8

_________________
CPS Image
GET http://localhost:25519/1576169112349.gif HTTP/1.1
Host: localhost:25519
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8


___________________
CPS URL after Image Load
GET
D1PRFUzTm1aak9ESXhaVGc0TkdKaU5UbGxNREUyTkRNNU4yRm1ZVFV5TmpNJmNhbj1hSFIwY
0hNNkx5OXNiMk5oYkdodmMzUTZORFF6TWpN HTTP/1.1
Host: localhost:25519
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8

______________________
Client First Query
POST https://localhost:44323/login-sqrl?nut=ODU3NmZjODIxZTg4NGJiNTllMDE2NDM5N2FmYTUyNjM&can=aHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjM HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: GRC SQRL Client
Host: localhost:44323
Content-Length: 364

client=dmVyPTENCmNtZD1xdWVyeQ0KaWRrPXNIOXBTWFgyN1lnc182WDJiWkQ1SGhKWXRZaUFQZzlnYm9FV3A5V0xUZVkNCm9wdD1zdWsNCg&server=c3FybDovL2xvY2FsaG9zdDo0NDMyMy9sb2dpbi1zcXJsP251dD1PRFUzTm1aak9ESXhaVGc0TkdKaU5UbGxNREUyTkRNNU4yRm1ZVFV5TmpNJmNhbj1hSFIwY0hNNkx5OXNiMk5oYkdodmMzUTZORFF6TWpN&ids=fK8duK3_h1i4kBuMZed9zFSjDA9u-j4aMIRWoLnRCmnyAHWaNyhoPFOveHCSYg93M_ETm20g3ADPWTlWERxGCQ
___________________
Server's Response
HTTP/1.1 200 OK
Date: Thu, 12 Dec 2019 16:45:16 GMT
Content-Type: application/x-www-form-urlencoded
Server: Kestrel
Content-Length: 175

dmVyPTEKbnV0PU5UTXhOemMwTURZeU9XRm1OR05pWW1JeE5UQTFZbUUwTXpFeE5qRmpOelkKdGlmPTAwMDAwMDA0CnFyeT0vbG9naW4tc3FybD9udXQ9TlRNeE56YzBNRFl5T1dGbU5HTmlZbUl4TlRBMVltRTBNekV4TmpGak56WQo
_____________
Client's Ident Post
POST https://localhost:44323/login-sqrl?nut=NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzYsqrl://localhost:44323 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: GRC SQRL Client
Host: localhost:44323
Content-Length: 513

client=dmVyPTENCmNtZD1pZGVudA0KaWRrPXNIOXBTWFgyN1lnc182WDJiWkQ1SGhKWXRZaUFQZzlnYm9FV3A5V0xUZVkNCnN1az1QcjFyVXZzbjFocGhkcDBJR3BUUjlfS01lODcyYVo3eVJDdnFGVGhsbUVnDQp2dWs9a2tZclJPakVvZDVzZ3BxNUdLdzFPcUt1OFZXS19qcFktNXhnR29mUkZ0WQ0Kb3B0PXN1aw0K&server=dmVyPTEKbnV0PU5UTXhOemMwTURZeU9XRm1OR05pWW1JeE5UQTFZbUUwTXpFeE5qRmpOelkKdGlmPTAwMDAwMDA0CnFyeT0vbG9naW4tc3FybD9udXQ9TlRNeE56YzBNRFl5T1dGbU5HTmlZbUl4TlRBMVltRTBNekV4TmpGak56WQo&ids=U6GQM0X6ItHNG5GpErDb_PCfkznSeHBpcDq_y_lWN_EW-mIg64GZev6jxDXmVgKiRovZTmnvMJLZOsf-KCXqAA
__________
Server's Response
HTTP/1.1 200 OK
Date: Thu, 12 Dec 2019 16:45:16 GMT
Content-Type: application/x-www-form-urlencoded
Server: Kestrel
Content-Length: 175

dmVyPTEKbnV0PVl6Qm1ObUV3WmpCbE5UbGpOR0ZoTURoa056SXpPR1UwWXpGbU9ERTFOREkKdGlmPTAwMDAwMDY0CnFyeT0vbG9naW4tc3FybD9udXQ9WXpCbU5tRXdaakJsTlRsak5HRmhNRGhrTnpJek9HVTBZekZtT0RFMU5ESQo
__________________
Client's next Post
POST https://localhost:44323/login-sqrl?nut=YzBmNmEwZjBlNTljNGFhMDhkNzIzOGU0YzFmODE1NDIsqrl://localhost:44323 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: GRC SQRL Client
Host: localhost:44323
Content-Length: 513

client=dmVyPTENCmNtZD1pZGVudA0KaWRrPXNIOXBTWFgyN1lnc182WDJiWkQ1SGhKWXRZaUFQZzlnYm9FV3A5V0xUZVkNCnN1az0ycklaaV8zc2trbnhEa2xNdzNuT0RIX3g2WlpzNVBVOXJsM25rQWVUNWpVDQp2dWs9N3RNdmg2MUF2dnhCSHctZVZGOWpiTUNNWUZmVDMzRnVadGpNeUpHMDVEUQ0Kb3B0PXN1aw0K&server=dmVyPTEKbnV0PVl6Qm1ObUV3WmpCbE5UbGpOR0ZoTURoa056SXpPR1UwWXpGbU9ERTFOREkKdGlmPTAwMDAwMDY0CnFyeT0vbG9naW4tc3FybD9udXQ9WXpCbU5tRXdaakJsTlRsak5HRmhNRGhrTnpJek9HVTBZekZtT0RFMU5ESQo&ids=2H-Uu31pIiof1skmeYGfLWovnLXzGAxx37TWCPYwacFVm39RkF60VqbQacGAEQVJoi4A4qqS0M13rmEWQMMoBA
_________
Server's Response
HTTP/1.1 200 OK
Date: Thu, 12 Dec 2019 16:45:16 GMT
Content-Type: application/x-www-form-urlencoded
Server: Kestrel
Content-Length: 175

dmVyPTEKbnV0PU5tUTRZV1V6TjJZNFpUQXpOR1pqTkdFMVkyVmlOelk1WVRabE5tWTBNbVkKdGlmPTAwMDAwMDY0CnFyeT0vbG9naW4tc3FybD9udXQ9Tm1RNFlXVXpOMlk0WlRBek5HWmpOR0UxWTJWaU56WTVZVFpsTm1ZME1tWQo

________________________
-Jose
 

PHolder

Well-known member
May 19, 2018
1,171
190
qry=/login-sqrl?nut=NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzY
I don't recall... but does the nut belong on the query line coming from the server? Steve's doc isn't clear on it
qry = /query-path The SQRL client initially makes contact with the remote web server by issuing the query contained in the SQRL link URL. But subsequent interactions may be made to different web server objects at the same domain and port as specified by the initial SQRL URL. The “qry” parameter is required in every reply. It instructs the client what server object to query in its next query, if any. To mitigate the potential for tampering, this qry parameter only supplies the full path from the root ( / ) and the object, not the scheme, domain name, or port. The scheme, domain and optional port override may only be specified once, in the initial URL, and they cannot subsequently be changed and will always be taken from the initially submitted SQRL URL.
If it doesn't belong there, the client may be acting incorrectly with it and this might be a server issue.
 

josecgomez

Well-known member
Aug 6, 2018
137
35
OK, apologies to @Steve for blaming it on the client. I was finally able to track down what the issue was.
When the code runs on my box it runs in Windows, but when I deploy it, it runs in Linux.
The newline terminator for Linux is just \n while Windows does \r\n; it turns out that according to the spec (I think) it requires the Windows-style terminator.
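As an added example (not code from the thread, from SQRL For Net, or from GRC's client), the following Python script reproduces the root cause Jose found and shows the check a client or server can make. It decodes the exact server reply captured in the first post (the base64url string and nut are copied from there; all function names are my own), shows that rebuilding that reply with bare-LF line endings reproduces the captured bytes exactly, and pairs a strict CRLF-only parser with a builder that hard-codes \r\n instead of the platform newline.

```python
import base64

# Server reply captured in the first post (the "query" reply from the Linux deployment).
CAPTURED_SERVER_RESPONSE = (
    "dmVyPTEKbnV0PU5UTXhOemMwTURZeU9XRm1OR05pWW1JeE5UQTFZbUUwTXpFeE5qRmpOelkK"
    "dGlmPTAwMDAwMDA0CnFyeT0vbG9naW4tc3FybD9udXQ9TlRNeE56YzBNRFl5T1dGbU5HTmlZ"
    "bUl4TlRBMVltRTBNekV4TmpGak56WQo"
)
CAPTURED_NUT = "NTMxNzc0MDYyOWFmNGNiYmIxNTA1YmE0MzExNjFjNzY"  # nut value inside that reply


def b64url_decode(text: str) -> bytes:
    """SQRL uses unpadded base64url; restore the '=' padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_server_response(nut: str, tif: str, qry: str, newline: str = "\r\n") -> str:
    """Encode a SQRL server reply. A correct server hard-codes CRLF (the default)
    rather than using the platform newline (Environment.NewLine / os.linesep);
    passing a bare LF as newline reproduces what the Linux deployment sent."""
    fields = (("ver", "1"), ("nut", nut), ("tif", tif), ("qry", qry))
    body = "".join(f"{key}={value}{newline}" for key, value in fields)
    return b64url_encode(body.encode("ascii"))


def parse_server_response(encoded: str):
    """Strict client-side parser: every line must be CRLF-terminated key=value.
    Returns (params, None) on success or (None, reason) on failure."""
    raw = b64url_decode(encoded)
    if not raw.endswith(b"\r\n"):
        return None, "reply is not CRLF-terminated (platform newline instead of \\r\\n?)"
    params = {}
    for line in raw[:-2].split(b"\r\n"):
        # A stray CR or LF inside a line means mixed line endings; reject it too.
        if b"\r" in line or b"\n" in line or b"=" not in line:
            return None, f"malformed line: {line!r}"
        key, value = line.split(b"=", 1)
        params[key.decode("ascii")] = value.decode("ascii")
    if not {"ver", "nut", "tif", "qry"} <= set(params):
        return None, "missing required parameter"
    return params, None
```

For comparison, the client= parameter in the captured POST bodies decodes with \r\n line endings (ver=1\r\ncmd=query...), so only the server side was emitting bare LF.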
 

PHolder

Well-known member
May 19, 2018
1,171
190
Ah yes... Windows line termination... Not one of my favourite decisions in the spec. (That and the Intel endian-ness instead of network byte order.)
 

shanedk

Well-known member
May 20, 2018
419
112
The Little-Endian stuff is pretty frustrating, since pretty much everything defaults to Big-Endian.
 

Vela Nanashi

Well-known member
May 19, 2018
713
121
Little-Endian makes more sense to me personally. Since if you have a byte array the least significant digit/byte has the lowest index, rather than going backwards, it also happens to be the order of bytes in x86 processors natively, so you can load the data from file, into memory and then just shove it in the registers without having to reorder any bytes. But that is just me and I am not going to start a war over it :)
 

PHolder

Well-known member
May 19, 2018
1,171
190
Yes, it's exactly how I write my digits:
7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 23 22 21 20 19 18 17 16 31 30 29 28 27 26 25 24
/sarcasm
 