diff options
| author | Yicheng Li <yichengli@chromium.org> | 2020-08-17 11:08:45 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-08-26 02:21:43 +0000 |
| commit | 1e0753b2ad142d1de9a03b1b667cadcdc13b9d13 (patch) | |
| tree | 6788f552898e8dc9b3ae36daed26db036d3e1be5 | |
| parent | 4b4bbc8d761225b260625584dadbc6d4e623ef2d (diff) | |
| download | chrome-ec-1e0753b2ad142d1de9a03b1b667cadcdc13b9d13.tar.gz | |
u2f: Remove legacy KH support
U2f key handles generated before January 2019 do not mix in user
secrets. These legacy key handles should no longer be in use since
it's been > 10 releases.
Another change will remove this concept on u2fd side.
BUG=b:165018526
TEST=build cr50
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Change-Id: I57a6a77e512591f14ef8c818ec6027a6ae21189d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2358425
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| -rw-r--r-- | board/cr50/u2f.c | 11 | ||||
| -rw-r--r-- | common/u2f.c | 91 | ||||
| -rw-r--r-- | include/u2f_impl.h | 24 |
3 files changed, 5 insertions, 121 deletions
diff --git a/board/cr50/u2f.c b/board/cr50/u2f.c index 7fe1f6484f..12af471ff9 100644 --- a/board/cr50/u2f.c +++ b/board/cr50/u2f.c @@ -166,17 +166,6 @@ static int _derive_key(enum dcrypto_appid appid, const uint32_t input[8], return result; } -int u2f_origin_key(const uint8_t *seed, p256_int *d) -{ - uint32_t tmp[P256_NDIGITS]; - - memcpy(tmp, seed, sizeof(tmp)); - if (!_derive_key(U2F_ORIGIN, tmp, tmp)) - return EC_ERROR_UNKNOWN; - return DCRYPTO_p256_key_from_bytes(NULL, NULL, d, - (const uint8_t *)tmp) == 0; -} - int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user, const uint8_t *origin_seed, struct u2f_key_handle *key_handle) diff --git a/common/u2f.c b/common/u2f.c index 91cb4ab121..8e625c7ff5 100644 --- a/common/u2f.c +++ b/common/u2f.c @@ -24,38 +24,6 @@ #define AES_BLOCK_LEN 16 #define KH_LEN 64 -/* De-interleave 64 bytes into two 32 arrays. */ -static void deinterleave64(const uint8_t *in, uint8_t *a, uint8_t *b) -{ - size_t i; - - for (i = 0; i < 32; ++i) { - a[i] = in[2 * i + 0]; - b[i] = in[2 * i + 1]; - } -} - -/* (un)wrap w/ the origin dependent KEK. */ -static int wrap_kh(const uint8_t *origin, const uint8_t *in, uint8_t *out, - enum encrypt_mode mode) -{ - uint8_t kek[SHA256_DIGEST_SIZE]; - uint8_t iv[AES_BLOCK_LEN] = { 0 }; - int i; - - /* KEK derivation */ - if (u2f_gen_kek(origin, kek, sizeof(kek))) - return EC_ERROR_UNKNOWN; - - DCRYPTO_aes_init(kek, 256, iv, CIPHER_MODE_CBC, mode); - - for (i = 0; i < 4; i++) - DCRYPTO_aes_block(in + i * AES_BLOCK_LEN, - out + i * AES_BLOCK_LEN); - - return EC_SUCCESS; -} - static int individual_cert(const p256_int *d, const p256_int *pk_x, const p256_int *pk_y, uint8_t *cert, const int n) { @@ -284,27 +252,6 @@ static int verify_versioned_kh_owned( return rc; } -static int verify_legacy_kh_owned(const uint8_t *app_id, - const uint8_t *key_handle, - uint8_t *origin_seed) -{ - uint8_t unwrapped_kh[KH_LEN]; - uint8_t kh_app_id[U2F_APPID_SIZE]; - - p256_int app_id_p256; - p256_int kh_app_id_p256; - - /* Unwrap key handle */ - if (wrap_kh(app_id, key_handle, unwrapped_kh, DECRYPT_MODE)) - return 0; - deinterleave64(unwrapped_kh, kh_app_id, origin_seed); - - /* Return whether appId (i.e. origin) matches. */ - p256_from_bin(app_id, &app_id_p256); - p256_from_bin(kh_app_id, &kh_app_id_p256); - return p256_cmp(&app_id_p256, &kh_app_id_p256) == 0; -} - /* Below, we depend on the response not being larger than than the request. */ BUILD_ASSERT(sizeof(struct u2f_sign_resp) <= sizeof(struct u2f_sign_req)); @@ -324,15 +271,11 @@ static enum vendor_cmd_rc u2f_sign(enum vendor_cmd_cc code, void *buf, int kh_owned = 0; /* Origin private key. */ - uint8_t legacy_origin_seed[SHA256_DIGEST_SIZE]; p256_int origin_d; /* Hash, and corresponding signature. */ p256_int h, r, s; - /* Whether the key handle uses the legacy key derivation scheme. */ - int legacy_kh = 0; - /* Version of KH; 0 if KH is not versioned. */ uint8_t version; @@ -369,26 +312,8 @@ static enum vendor_cmd_rc u2f_sign(enum vendor_cmd_cc code, void *buf, if (verify_owned_rc != EC_SUCCESS) return VENDOR_RC_INTERNAL_ERROR; - if (!kh_owned) { - if ((flags & SIGN_LEGACY_KH) == 0) - return VENDOR_RC_PASSWORD_REQUIRED; - - /* Legacy KH must be version 0. */ - if (version != 0) - return VENDOR_RC_PASSWORD_REQUIRED; - - /* - * We have a key handle which is not valid for the new scheme, - * but may be a valid legacy key handle, and we have been asked - * to sign legacy key handles. - */ - if (verify_legacy_kh_owned(req->appId, - (uint8_t *)&req->keyHandle, - legacy_origin_seed)) - legacy_kh = 1; - else - return VENDOR_RC_PASSWORD_REQUIRED; - } + if (!kh_owned) + return VENDOR_RC_PASSWORD_REQUIRED; /* We might not actually need to sign anything. */ if ((flags & U2F_AUTH_CHECK_ONLY) == U2F_AUTH_CHECK_ONLY) @@ -409,15 +334,9 @@ static enum vendor_cmd_rc u2f_sign(enum vendor_cmd_cc code, void *buf, } /* Re-create origin-specific key. */ - if (legacy_kh) { - if (u2f_origin_key(legacy_origin_seed, &origin_d) != EC_SUCCESS) - return VENDOR_RC_INTERNAL_ERROR; - } else { - if (u2f_origin_user_keypair(key_handle, keypair_input_size, - &origin_d, NULL, - NULL) != EC_SUCCESS) - return VENDOR_RC_INTERNAL_ERROR; - } + if (u2f_origin_user_keypair(key_handle, keypair_input_size, &origin_d, + NULL, NULL) != EC_SUCCESS) + return VENDOR_RC_INTERNAL_ERROR; /* Prepare hash to sign. */ p256_from_bin(hash, &h); diff --git a/include/u2f_impl.h b/include/u2f_impl.h index 2c63d11d87..fd2cc05ba1 100644 --- a/include/u2f_impl.h +++ b/include/u2f_impl.h @@ -30,30 +30,6 @@ enum touch_state pop_check_presence(int consume); /* ---- platform cryptography hooks ---- */ /** - * Generate an origin-specific ECDSA keypair. - * - * Calculates a diversified chip-unique 256b value. - * - * @param seed ptr to store 32-byte seed to regenerate this key on this chip - * @param d pointer to ECDSA private key - * @param pk_x pointer to public key point - * @param pk_y pointer to public key point - * - * @return EC_SUCCESS if a valid keypair was created. - */ -int u2f_origin_keypair(uint8_t *seed, p256_int *d, - p256_int *pk_x, p256_int *pk_y); - -/** - * Reconstitute the origin ECDSA private key from its seed. - * - * @param seed value returned by origin_keypair. - * @param d ptr to store the retrieved private key. - * @return EC_SUCCESS if we retrieved the key. - */ -int u2f_origin_key(const uint8_t *seed, p256_int *d); - -/** * Pack the specified origin, user secret and origin-specific seed * into a key handle. * |