u2f: Switch FIPS call back to DCRYPTO for 5.7/6.7stabilize-rust-13555.B-cr50_stabstabilize-rust-13514.B-cr50_stabstabilize-13532.B-cr50_stabstabilize-13525.B-cr50_stabstabilize-13505.85.B-cr50_stabstabilize-13505.73.B-cr50_stabstabilize-13505.65.B-cr50_stabstabilize-13505.63.B-cr50_stabstabilize-13505.111.B-cr50_stabstabilize-13505.100.B-cr50_stabstabilize-13505.1.B-cr50_stabstabilize-13482.B-cr50_stabrelease-R87-13505.B-cr50_stab

There is a fips_rand_bytes() call in u2f. Since 5.7/6.7 will be
released without FIPS support (and the plan is to move u2f to FIPS
later), change that call back to DCRYPTO_ladder_random.

This does not affect the canonical (non-versioned) u2f. This only
affects the generation of versioned KHs for WebAuthn purposes.

BUG=none
TEST=make -j BOARD=cr50

Signed-off-by: Yicheng Li <yichengli@chromium.org>
Change-Id: I78142efd1b3a8339cce44adc4d3f8e26151b30ce
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2419178
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>

1 files changed, 12 insertions, 8 deletions

diff --git a/common/u2f.c b/common/u2f.c
index 8e625c7ff5..5205809379 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -10,7 +10,6 @@
 #include "cryptoc/sha256.h"
 #include "dcrypto.h"
 #include "extension.h"
-#include "fips_rand.h"
 #include "system.h"
 #include "u2f_impl.h"
 #include "u2f.h"
@@ -108,6 +107,9 @@ static enum vendor_cmd_rc u2f_generate(enum vendor_cmd_cc code, void *buf,
 
 	size_t response_buf_size = *response_size;
 
+	/* Authorization salt for versioned KHs */
+	uint8_t *authorization_salt;
+
 	*response_size = 0;
 
 	if (input_size != sizeof(struct u2f_generate_req))
@@ -160,17 +162,19 @@ static enum vendor_cmd_rc u2f_generate(enum vendor_cmd_cc code, void *buf,
 		copy_kh_pubkey_out(&opk_x, &opk_y, &kh_buf.kh, buf);
 		*response_size = sizeof(struct u2f_generate_resp);
 	} else {
-		if (!fips_rand_bytes(kh_buf.vkh.authorization_salt,
-				     U2F_AUTHORIZATION_SALT_SIZE))
+		authorization_salt = od_seed;
+		/* Generate in word-aligned array so that TRNG doesn't crash */
+		if (!DCRYPTO_ladder_random(authorization_salt))
 			return VENDOR_RC_INTERNAL_ERROR;
 
-		if (u2f_authorization_hmac(kh_buf.vkh.authorization_salt,
-					   &kh_buf.vkh.header,
-					   req->authTimeSecretHash,
-					   kh_buf.vkh.authorization_hmac) !=
-		    EC_SUCCESS)
+		if (u2f_authorization_hmac(
+			    authorization_salt, &kh_buf.vkh.header,
+			    req->authTimeSecretHash,
+			    kh_buf.vkh.authorization_hmac) != EC_SUCCESS)
 			return VENDOR_RC_INTERNAL_ERROR;
 
+		memcpy(&kh_buf.vkh.authorization_salt, authorization_salt,
+		       U2F_AUTHORIZATION_SALT_SIZE);
 		copy_versioned_kh_pubkey_out(&opk_x, &opk_y, &kh_buf.vkh, buf);
 		*response_size = sizeof(struct u2f_generate_versioned_resp);
 	}